Cross border payments firm Brightwell survived shutdowns, $3M heist

Most businesses suffered during the pandemic, and many that survived the shutdowns had to deal with an increase in fraud and crime.

By nature of their industry, few unlucky firms were hit double by both threats, and of those, fewer still survived.

Brightwell, an international payments firm, was nearly KO’ed by a double uppercut, but they survived and grew to thrive. At the onset of public shutdowns, Brightwell enabled the cruise ship industry to pay thousands of migrant workers across the globe: and in March 2020, when the ports shut down, Brightwell was nearly out of a job.

Then, things went from bad to worse when a new type of attack hit the firm: someone gained access to their banking data through a brute force attack and drained about $3 million from the firm’s accounts in less than three hours.

Bad to worse

Enter CEO Larry Hipp, who took office in April of 2020, right when the ship hit the fan. He described the event as some of the worst days in his professional career but having weathered that tempest Brightwell is now poised to help protect any card issuer from the same vulnerabilities.

Hipp has 18 years in the financial space and said he’s “moved everything but gold and bitcoin, and there’s still time for crypto, but I don’t know about gold.”

“Folks that work on cruise ships come from all over, like Indonesia, India, Philippines. There is about every country represented on a cruise ship,” Hipp said. “In the early days, the industry was paid via cash. If you needed to get paid and you’re on a cruise ship, you went down to the casino cage and got your paycheck.”

So what Brightwell did, was make that process digital, help turn what once were casino chips into paychecks, and from there connect with Western Union, Money gram, and move payments across borders; he called Brightwell a neobank before neobanks were “a thing.”

“So it’s been a pretty fun ride, and it has helped us identify the cruise industry as a pretty awesome place to build systems,” Hipp said. “But, at its core, we are a cross-border payments company: we grew up in the prepaid card space, moving money around the world for people that work on cruise ships.”

Then came the shutdown

“The cruise industry was hit real hard. It is the only industry in the United States that the federal government shut down,” Hipp said. “In March of 2020, the CDC took over the ports and no longer allowed cruise ships to come into a U.S. port. In March of 2020, this industry shuts down, and it was initially listed as ‘for 30 days,’ and then went to ’90 days.'”

Hipp graduated from COO to CEO during the catastrophe and said the first thing he had to do was lead the firm through the storm and let employees go.

“It was the worst day of my professional career; I’ll tell you that. Looking people in the eye and saying, we got to cut some costs here,” Hipp said. “I was tapped to move up; the company got a brand new CEO though everybody knew me because I’ve been there for years at the time. As a CEO, as a leader of a company, people are looking to you to make the right decisions that are keeping their family safe.”

Hipp said that, at the very least, there were still thousands of Brightwell customers across the planet that were stranded just like they were by the shutdowns: there were still people that needed help with cross-border payments.

If there were a positive externality that came out of the ports shutting down, Hipp said that existing teams still at the firm redeployed to other projects.

Brute force attack nets $3M for hackers

Unfortunately, the teams would need to be ready to build new solutions: Just a couple of weeks after Hipp took office and the virus came, they nearly lost everything.

“If the world wasn’t looking crazy enough for us in March of 2020 when the cruise industry shuts down: in April of 2020, we wake up in the morning, and $2.7 million had been taken from our users in three hours,” Hipp said. “Now, this was not a security breach; it actually never even touched our code; it wasn’t a failure of our software.”

A new type of attack began plaguing the fintech industry in 2020, Hipp said, a brute force attack using a stolen merchant acquiring system.

A team or individual had taken over a local merchant system, like a terminal or personal computer that has access to their merchant database.

The fraudsters used that gateway like a slot machine: flooding hundreds of thousands of guesses to discover matches to actual customer payment data.

brightwell fraud
An AI rendition of “credit card hack.”

“Credit card numbers, CVVs, and expiration dates, Every single combination until they find a match,” Hipp said. “And then they’ll sit there it’s a computer algorithm to like try, try try. They threw over 100 million authorization attempts that are cards in a matter of a few hours. This was a new type of attack that we’re starting to see in the card industry, where fraudsters will take over some merchant acquiring system.”

An absolute nightmare, all hands went to work running the system back and returning all of the lost funds, Hipp said, attributing the success at securing funds to the resistance of the Brightwell system in the first place.

“We were able to find all that money and funnel it back on its way to our users and us,” Hipp said. “But you got to imagine, right, if you’re one of these users, one of these crew members, you don’t know what’s going to happen in the world in the next 30 days, and then you wake up in the middle of April, and all your money’s gone? It’s a big problem.”

Brightwell’s solution: Build one

How do they make sure it never happens again? Hipp and the team went out after the threat subsided to find security tech that could have prevented this, but he said they couldn’t find anyone with a product.

“We couldn’t find any piece of software to buy,” Hipp said. “If you go out there and scan the major card networks of major processors or the startups working on these types of fraud problems, which are massive numeration attacks: Nobody’s got a solution for it.”

So the Brightwell team built their rough-around-the-edges solution, and after they refined it a bit after using it in-house, they decided to sell it out as an API and SDK. Hipp said card issuers or fintech’s not set up to deal with payment processing or cross-border payments can use Britghwell’s proprietary solution. They can plop the Brightwell API into a mobile app or web app, and “like chameleon skin, it will look just like yours,” Hipp said.

White-labeled across border

“We know how to do this type of thing. When Russia and Ukraine have a conflict, sanctions appear, and people start changing their money movements from Ukraine to Poland,” Hipp said. “We’re experts in the compliance and regulations around that: We’re offering to fintechs out there: ‘tap into our software, and we’ll take over all the compliance for you.'”

Brightwell added “Arden,” its AI risk detection engine, to its list of other b2b products, alongside the “ready remit” remittance platform and the “navigator” global payroll suite.

“When you take the layers and look at who we are, we’re a cross-border payments company. That’s what we do; we move money worldwide,” Hipp. “In pre-COVID, we were moving a billion and a half dollars a year around the globe. We’ve developed through the COVID era to enable other fintech that look a lot like us to move money across borders.”

Brightwell’s top three products going into 2022
  • Kevin Travers

    Intensely energetic news reporter asking questions covering the collision between Silicon Valley, Wall Street, and everywhere in-between. Studied history at the University of Delaware, learned to write at the Review, and debanked.