Biometrics: the death of the password?

by James Holt, Senior Consultant, Financial Services

Passwords… passwords have been around since the dawn of computing, and used even before then to allow or prevent access. The concept of a password is simple but the more our personal data is moved online, the more value this shared secret protects. In the early days of the internet, a password might have granted you access to a simple message board, but now passwords protect vast databases of your personal information: from family photos to medical records, via bank accounts and cloud storage.

Passwords… upon reading that word your brain probably jumped to fussy sign-up screens asking for an inane combination of special characters, numbers and letters, with requirements differing from website to website. You probably thought back to countless password resets and security questions which could be bypassed with a quick Google search. We have been told we shouldn’t use the same password for multiple sites, but we do. Companies mandate a password change for employees every few months, with the same stringent requirements each time.

So what do we do? We make patterns, we reuse, or – whisper it – we write them down. All of these behaviours might make life easier for us, but they circumvent the very thing complicated password requirements are trying to create: security.

In their current form, passwords give the illusion of security; a password is something we know, something we are familiar with. The starred-out field cloaking our favourite sports team, the asterisks covering our last holiday destination. But what else is that field hiding? It is hiding an uncomfortable truth: passwords are hard for us to remember, but easy for computers to guess.

Hackers can attempt to crack passwords using dictionary words and previously leaked passwords to speed up the process. To make matters worse, most passwords are not unique – from a survey by SplashData in 2015 the most popular were “123456” and “password”.

Even if a strong password is chosen, advances in computing power mean it can be cracked in ever less time. We are playing into the hands of the hackers. But there is another way, a better way…

Biometric authentication is the process of controlling access using something you are: something you always carry with you and something that is unique to you. This could be your face, your voice or your fingerprint, or a combination of these.

Signing in using a biometric identifier is quick, taking a second or two. This is especially relevant in a mobile environment, where typing out a password on a small or virtual phone keyboard can often be slow and inaccurate. Biometrics also offer flexibility to the user – different identifiers can be used in different situations. You wouldn’t want to use voice recognition on a crowded train, and you wouldn’t be able to use face recognition in a darkened room, so by offering multi-modal biometrics, the user can stay secure without any inconvenience.

Multi-factor authentication is the process of using more than one identifier to log in. This is often implemented as a password plus a one-time code sent to your device. This approach significantly improves security and is increasingly being adopted by online services and corporations. Biometrics can integrate perfectly into this multi-factor approach, with a biometric being either the primary or secondary authentication factor. In addition, thanks to the speed of the biometric authentication process, customers could be asked to ‘step up’ security to perform certain functions. For example, a customer could log in to online banking using a 4-digit PIN, which would grant access only to simple functions: the account balance and last transactions. However, to make a payment or set up a new payee, the customer could be prompted for a fingerprint, voice or face sample to provide the required additional security.
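The PIN-then-biometric flow described above, as an added Python example (this is not code from the original post, nor any bank's implementation). It assumes a constructed policy table mapping operations to a minimum assurance level, a 5-minute validity window for the biometric step-up, and two caller-supplied verifier callbacks that stand in for a real PIN store and biometric matcher.

```python
"""Step-up authentication for a banking app: a PIN unlocks read-only functions,
a biometric second factor unlocks payments, and the step-up expires.
Illustrative design only; verify_pin/verify_biometric are caller-supplied
stand-ins for a real PIN store and biometric matcher."""
import hmac
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    NONE = 0
    PIN = 1        # something you know
    BIOMETRIC = 2  # PIN plus something you are (fingerprint, voice, face)


# Constructed policy table: minimum assurance per operation.  Operations that are
# not listed raise KeyError in authorize(), i.e. the policy fails closed.
REQUIRED_LEVEL = {
    "view_balance": Assurance.PIN,
    "view_transactions": Assurance.PIN,
    "make_payment": Assurance.BIOMETRIC,
    "add_payee": Assurance.BIOMETRIC,
}

STEP_UP_TTL_SECONDS = 300  # assumed: a biometric step-up is honoured for 5 minutes


@dataclass
class Session:
    user: str
    level: Assurance = Assurance.NONE
    step_up_at: float = 0.0
    audit: list = field(default_factory=list)  # (timestamp, event) pairs


def login_with_pin(session, pin, verify_pin, now):
    """First factor.  verify_pin(user, pin) -> bool is supplied by the caller."""
    if not verify_pin(session.user, pin):
        session.audit.append((now, "pin_failed"))
        return False
    session.level = Assurance.PIN
    session.audit.append((now, "pin_ok"))
    return True


def step_up_with_biometric(session, sample, verify_biometric, now):
    """Second factor.  Refused unless a PIN session already exists, so the
    biometric adds to the PIN rather than replacing it."""
    if session.level < Assurance.PIN:
        session.audit.append((now, "step_up_without_login"))
        return False
    if not verify_biometric(session.user, sample):
        session.audit.append((now, "biometric_failed"))
        return False
    session.level = Assurance.BIOMETRIC
    session.step_up_at = now
    session.audit.append((now, "biometric_ok"))
    return True


def effective_level(session, now):
    """Biometric assurance decays back to PIN level once the step-up window expires."""
    expired = now - session.step_up_at > STEP_UP_TTL_SECONDS
    if session.level == Assurance.BIOMETRIC and expired:
        return Assurance.PIN
    return session.level


def authorize(session, operation, now):
    """Return (allowed, reason) for an operation against the policy table."""
    needed = REQUIRED_LEVEL[operation]
    have = effective_level(session, now)
    if have >= needed:
        return True, "ok"
    if have == Assurance.NONE:
        return False, "login_required"
    return False, "step_up_required"


# Constructed stand-ins for the real verifiers.  A real PIN store keeps a salted
# hash, and a real matcher scores a fresh sample against an enrolled template.
_DEMO_PINS = {"alice": "4821"}
_DEMO_TEMPLATES = {"alice": "fp-template-alice"}


def demo_verify_pin(user, pin):
    return hmac.compare_digest(_DEMO_PINS.get(user, ""), pin)


def demo_verify_biometric(user, sample):
    return _DEMO_TEMPLATES.get(user) == sample


def demo_flow(now=1_000_000.0):
    """Walk the scenario from the text and return the decision at each stage."""
    s = Session("alice")
    results = {"before_login": authorize(s, "view_balance", now)}
    login_with_pin(s, "4821", demo_verify_pin, now)
    results["balance_after_pin"] = authorize(s, "view_balance", now)
    results["payment_after_pin"] = authorize(s, "make_payment", now)
    step_up_with_biometric(s, "fp-template-alice", demo_verify_biometric, now)
    results["payment_after_biometric"] = authorize(s, "make_payment", now)
    later = now + STEP_UP_TTL_SECONDS + 1  # step-up expired, PIN session still valid
    results["payment_after_expiry"] = authorize(s, "make_payment", later)
    results["balance_after_expiry"] = authorize(s, "view_balance", later)
    return results
```

Two design points are worth noting: the biometric step-up is refused unless a PIN session already exists, so the biometric is always a second factor rather than a replacement for the first, and the step-up carries its own expiry, so a phone left unlocked after a payment drops back to read-only access rather than staying at the higher assurance level indefinitely.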

A customer’s biometric can also be combined with behavioural analytics to further strengthen security. Behavioural analytics takes user metadata like location and typical log-in times to determine the likelihood that an action is genuine. But more on that in another post…

Biometric authentication has applications beyond simple integration into a mobile application. A voice recognition function could be introduced in a call centre environment to verify customers before they are put through to an advisor, removing the need for lengthy security questions. This technology is smart too: analysing different aspects of a customer’s voice – pitch, emphasis, pronunciation, even throat and mouth shape. In addition, this technology can detect if the caller is speaking under duress or panic. It can be implemented in a passive and non-intrusive way – a customer is authenticated in the background whilst having their conversation with an advisor.

Biometric technology also has a significant use-case for authorising online payments. Currently, just knowing the card details can be enough to defraud a consumer, with a ‘3D Secure’ password prompt like SecureCode (MasterCard) and Verified by Visa only happening in certain situations. According to a MasterCard survey of 10,000 people, 53 percent of shoppers forget crucial passwords more than once a week, losing more than 10 minutes while they reset their accounts. As a result, more than a third of people abandon an online purchase, while 60% said that having to reset a password led to missing a time-sensitive transaction like buying concert tickets. More than half of people want to see passwords replaced by something more convenient, but which still delivers the same levels of protection and peace of mind.

As verifying your identity using a biometric is so quick, it is a natural fit for online transactions. Furthermore, with many modern phones featuring biometric hardware such as a fingerprint sensor, consumers are already comfortable with the process. MasterCard has recently announced their ‘IdentityCheck’ app which authenticates payments using either facial or fingerprint biometrics. Pilots in August last year proved successful with a global rollout happening early 2017.

When new technology reaches consumers, it is often adopted by the young, tech-savvy demographic who are more accustomed to learning abstract interfaces and complex operations. However, with biometrics, the process is intuitive and simple, making life easier whatever your age group or background. There is also the equality and accessibility angle – biometric identifiers provide options for those who are unable to remember passwords or struggle to type on their mobile devices.

If the user experience is slick and easy, customers are more likely to use a service and access it more frequently. With registration/signup commonplace on many websites, users have lots of passwords to remember: this represents a substantial opportunity for a biometric authentication solution.

At the end of 2014, USAA – a Fortune 500 company – offered biometric authentication to 1.4 million customers and by October of the following year, over 1 million had registered to use it. Their headline statistic shows how popular the option has become – 80% of customers have now chosen to authenticate using a biometric identifier over a PIN.

User expectations of banking are changing. Consumers expect functionality to be available using mobile apps, without the need for traditional, face-to-face banking. Security guards and vaults provide peace of mind in the physical world, but maintaining security in the digital world is more challenging. Biometrics provide the means, the assurances and the simplicity for better authentication, safeguarding our future.

What do you think? Leave a reply below or contact James by email.

Read more about Sopra Steria’s Biometrics offering.


Always-on, always prepared: the cyber security questions Financial Services organisations need to ask

Financial institutions continue to grapple with the ever increasing complexities of cyber security. As online services across all channels grow, so does the security risk. The underlying questions are – how do organisations modernise the legacy platforms that were not designed for the open, connected world of today’s demanding consumer base, and provide the services and interfaces in a secure manner?

The continual growth and competitiveness in digital services continues to disrupt the market. Whether they like it or not, financial firms and their customers will always be seen as targets and those that take this lightly, or avoid the gravitational pull of online services due to security concerns, will be left behind.

That being said, many organisations are trying to put the right protection in place. The key responses to any security incident are monitoring, reacting and remediating. We have seen from recent breaches that the way that a financial institution reacts and addresses its customers that have been affected can make all the difference. Admitting that a security breach has happened is never easy but your customers are more likely to stay loyal to your brand if you openly discuss the security breach, what information or even money was taken and the remedial activities that you are promptly taking.

Open Banking is getting closer – are you ready?

This August, the Competition and Markets Authority published the final report on its retail banking market investigation. By requiring banks to implement Open Banking by 2018, it has reinforced the UK’s transition to a transformed banking landscape based upon a foundation of Open Banking. While certainly a positive step, Open Banking raises more questions around security. Financial institutions need to look at the security around their APIs, covering both internal and external protection layers – what data is exposed through the APIs, and who may be calling the API? In moving to this new world, what competencies in the organisation exist to create and test these new services? The IT organisation that was designed around creation of services for a customer must now address service management and governance of an estate that exists in a digital always-on connected ecosystem of consumer and business relationships.

Data and information are new focal points for the industry, and this is being highlighted by the new General Data Protection Regulation (GDPR) which will be introduced in 2018. The days have gone where we have one, two or three front doors. We now have multiple connections in and out of networks with services being hosted in cloud, hybrid and SaaS services.

Do you know where your information assets sit – especially your most critical and vital assets?

General Data Protection Regulation – honesty and openness

Looking to 2017 and 2018, notification of breaches will look quite different for a large number of financial institutions. Unlike the directive in the Data Protection Act which was silent on the issue of data breach, GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority and affected data subjects.

This notification to the authority must “at least”:

  1. Describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected;
  2. Provide the data protection officer’s contact information;
  3. Describe the likely consequences of the personal data breach;
  4. Describe how the controller proposes to address the breach, including any mitigation efforts.

If not all information is available at once, it may be provided in phases.

The last sentence will undoubtedly give some pause for consideration and needs to be thought through. Whilst being open and honest with customers following a breach is essential, how much information is satisfactory to release, and under what circumstances should some information be held until the precise nature of method and impact is understood?

We find ourselves in an information conundrum. We know that openness and honesty following a breach are important, but full clarity on a situation is not always instantly available. Security breaches can take place and it can take time before a complete story is put together – but the longer it takes, the greater the concern from customers that the breach is not being effectively managed. That is why it is essential to prepare in advance and have processes in place in the event of a breach. Testing these plans and creating playbooks for particular scenarios is something a lot of organisations are doing.

Criminals work at Christmas

Financial organisations have had to adjust to the requirements of their customers who want services online 24/7. We have seen high street financial institutions opening at weekends, evenings and even Sundays. The world of internet banking allows customers to access financial systems all day, every day.

On the other side of the coin, cyber criminals don’t mind working at weekends, on holidays or on Christmas Day. An organisation’s incident plan needs to be able to react to whatever happens, whenever it happens, and to be flexible enough to develop one or more alternative approaches. The Security Operations Centre (SOC) needs to be sufficiently resourced, with access to on-call technical expertise, and those experts in turn need access to the evidence and activity records they require.

Most people feel confident that their SOC is 24/7 – but it goes further than this. Imagine that you have had a breach on Christmas Day. Can you pull together a legal representative, someone who can talk to the press, the CEO and other important members of staff within your organisation?

We all have business continuity plans and disaster recovery plans, but it’s time we started thinking about security incident response plans that are truly organisation-wide.

If you’re interested in finding out more about our Cyber Security offerings you can visit our website, or email us at info.uk@soprasteria.com.

This blog was first published on Finextra.com, 11 November 2016

Digital security: battening down the hatches in a sea of data

by Torsten Saemann, Sopra Steria GmbH

Digitalisation without the use of modern technologies? Inconceivable! With cloud computing, the Internet of Things is rapidly becoming part of our everyday life. It seems like magic that we can call up practically everything known to man with tools that fit in our pocket. With a few clicks we can summon items to our front door that are produced at the other end of the world. So far so good. However, nobody seems to be interested in the fact that the technological structures of the digital world are shaky and insecure.

This is precisely how Frank Rieger of the Chaos Computer Club (CCC) sees things. On Spiegel Online he explains the fragility of the foundations of Industry 4.0 by means of the following comparison:

The pillars of the world in the dawning digital age are crumbling. The technologies on which the networking of everyday life and the flows of information that drive the economy are based are more like temporary wooden frames than solid steel constructions. Generally everything functions – provided no-one jolts on the boards or saws through a beam.

Avoid flying blind during digitalisation

These digital wooden frames result in all sorts of security loopholes. They are the result of poorly written software. Programmers make errors – this much we know. However, it is frequently the case that IT management in German companies is, consciously or sub-consciously, heading towards unknown risks. Our study on the topic of digital security proves this. One third of all IT decision-makers in Germany are even implementing technologies when the IT risks are completely unknown.

Dr. Gerald Spiegel, Head of Information Security Solutions at Sopra Steria Consulting finds this insight shocking: “The fact that such a large number of IT decision-makers are, as it were, flying blind in their approach to digitalisation is worrying. The behaviour within the manufacturing sector is particularly rash – and this in spite of the fact that industrial plants increasingly fall victim to cyber attacks.” The prospects facing a digitalised economy are far from good if German companies are exposed to the danger of cyber attacks, in some cases with no protection whatsoever.

Digital negligence in German companies

The lack of initiative in many companies when it comes to protection against cyber attacks is disastrous. According to our study, this is the opinion of 85 percent of IT decision-makers. The fact that it is in particular board members and managing directors that play down the risk of cyber attacks is, given the liability risk, incomprehensible. Here the companies are fully aware of the digital weak points. And it is conceivable that their dependency on digital systems will continue to grow exponentially. Maintaining a high rate of innovation while simultaneously reducing IT costs just doesn’t work.

Adjusting investment in digital security to suit the rate of innovation

But how can you convert wooden structures into steel? When driving forward the digitalisation and automation of processes, companies should err on the side of caution. This includes pushing the introduction and implementation of a company-wide IT security strategy. This strategy must lay out the most important information security objectives and the principles for their implementation.

The IT security strategy should also address trends and new technologies. And this must take place on a continuous basis. The IT department must ensure that a security concept is submitted to the specialist department prior to an application or IT system “going live”. Furthermore, security-relevant programming errors can be avoided through the use of secure programming languages. Penetration tests for applications and IT systems – following a release change for example – are another important security component.

Digital excellence built on digital security

The digitalisation of the economy brings with it new and far-reaching challenges regarding digital security within a company. Cyber attacks on IT infrastructures are becoming increasingly complex and professionally executed. And they happen on a daily basis. Defensive measures are costly and require time. However, they are beneficial and necessary. Promoting a slower but more digitally secure approach within IT departments and in front of board members certainly isn’t cool, but in the long term it is definitely the better strategy.

What are your thoughts? Leave a reply below or contact me by email.

Discover more about our experience in delivering secure services to protect information, applications, infrastructures and people.

Securing the Net – Quantum Cryptography

Since the early 2000s, private industry, government and defence agencies alike have been hiding behind the steel wall of encryption offered by the Advanced Encryption Standard, otherwise known as AES. The specification is so secure that a brute-force attack, even by China’s Tianhe-2, the world’s fastest supercomputer, would be unable to break an AES-256 cipher before the universe reaches its eventual heat death. However, there is now a new technology that could turn everything we have come to know about encryption on its head: quantum cryptography. But before we get into that, a little more about encryption.

Encryption, the core of cryptography, is the process of encoding a message so that its information, even if it has been intercepted, cannot be read by unauthorised parties. But how does it work? A great explanation comes from the team at Numberphile, who explain that the system is akin to the bank providing you with a lock to store your sensitive data, where both the box and the key are held by the bank alone, so if someone steals your box or tries to open the lock, they will have no key. Imagine you wanted to share secret information with your bank. The keys are made up of two numbers. The first is an RSA number; these numbers are known as ‘semi-primes’, which are numbers with exactly two prime factors (i.e. they are divisible by two prime numbers, no more, no less). These RSA numbers are publicly available and can be accessed by anyone, but the second number is held only by the second party, the bank in this example, and is created by multiplying together two huge prime numbers.

To decode this key, the only practical method is to know the two prime numbers used. If you don’t have these prime numbers, you will need to factorise this number, and that can take a very long time: so long, in fact, that even the most powerful supercomputers would be unable to break the current level of encryption used by banks before the death of our universe!
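As an added example (this is not code from the original post or from Numberphile), the following Python builds a textbook RSA key pair from two deliberately tiny primes and then recovers the private exponent from the public key alone by factoring the modulus. It assumes constructed 20-bit primes and no padding; those assumptions are exactly what makes the factoring step feasible here in a fraction of a second, and infeasible for the 2048-bit moduli in real use.

```python
"""Textbook RSA with deliberately tiny primes, to show concretely why the
scheme's security rests on the difficulty of factoring the public modulus.
Illustrative code, not a usable cryptosystem: real keys use 2048-bit moduli
and padding schemes such as OAEP."""
from math import gcd, isqrt


def make_keypair(p, q, e=65537):
    """Public key (n, e) and private exponent d from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n, secret like p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), d


def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(d, n, c):
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover p and q by trial division.  Feasible only because n is tiny;
    the loop length grows with sqrt(n), i.e. exponentially in the key size."""
    for candidate in range(2, isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("n has no non-trivial factor")


def recover_private_exponent(public):
    """Given only the public key, factor n and rebuild d exactly as the key
    owner did.  Knowing p and q is knowing the private key."""
    n, e = public
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    """Round-trip a message, then show the public key alone yields d."""
    # constructed primes; the modulus is about 40 bits, so sqrt(n) ~ 1e6 steps
    public, d = make_keypair(1000003, 1000033)
    message = 424242
    c = encrypt(public, message)
    d_recovered = recover_private_exponent(public)
    return {
        "roundtrip_ok": decrypt(d, public[0], c) == message,
        "recovered_matches": d_recovered == d,
        "decrypted_with_recovered": decrypt(d_recovered, public[0], c),
    }
```

The trial-division loop runs about a million iterations for this 40-bit modulus; doubling the key size by a single bit doubles the work, which is why the same routine applied to a real bank's 2048-bit modulus is the "death of the universe" computation the text refers to.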

So what’s the risk?

There’s a paradigm shift in computing on the horizon: a type of computer which is not bound to the standard ‘bits’, the ‘0’s and ‘1’s that the computers of today are built upon. These computers introduce the possibility of ‘qubits’, which not only accept these ‘1’s and ‘0’s but also any possible superposition of these states. These are quantum computers.

Our present-day encryption methods rely upon the belief that a computer will have to carry out huge numbers of processes sequentially. Each process should take a certain length of time to complete, and the number of processes that would need to be completed is so large that cracking the key in this way becomes effectively impossible.

Quantum computers, however, do not need to carry out these processes in sequence. Instead, when posed with such a question, they consider all the possible answers simultaneously to arrive at the right answer in what is in essence one process, meaning that they could crack any conventional form of encryption in moments rather than millions of years.

So what can we do?

Fortunately, that same technology which threatens to render our current encryption obsolete also offers us a solution. Quantum Encryption makes use of the strange properties of qubits to create the key which is used to access private information, and these keys can be designed in the same way as our encryption is today, to take thousands if not millions of years for a quantum computer to be able to break the code.

Furthermore, a system for sharing these keys, known as ‘Quantum Key Distribution’, is in development. By encoding the key as quantum data, it allows the key to be shared between two parties without a third party being able to learn anything about the key, even if the transmission is intercepted.
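The key-sharing exchange just described, as an added example that is not part of the original post: a classical Python simulation of the BB84 quantum key distribution protocol, the best-known QKD scheme. It shows both sides' steps (random bit and basis choice, measurement, public basis comparison, sifting and error estimation) and why an interceptor is detectable: measuring a qubit in the wrong basis disturbs it, so an intercept-and-resend eavesdropper raises the error rate between the two parties to roughly 25%. The 11% abort threshold and the 25% sample fraction are assumed values chosen for the demonstration.

```python
"""Classical simulation of BB84 quantum key distribution.  The quantum steps
(prepare, measure, disturbance on a wrong-basis measurement) are modelled with
random numbers; this is an illustration, not a QKD implementation."""
import random

BASES = ("+", "x")  # rectilinear and diagonal polarisation bases
QBER_ABORT_THRESHOLD = 0.11  # assumed: above roughly 11% error the parties abort


def measure(bit, prepared_basis, measure_basis, rng):
    """Measuring in the preparing basis returns the encoded bit.  Measuring in
    the other basis gives a coin-flip outcome and destroys the original state."""
    if prepared_basis == measure_basis:
        return bit
    return rng.randint(0, 1)


def run_bb84(n_qubits, eavesdrop, seed, sample_fraction=0.25):
    """Run one BB84 session between Alice and Bob, optionally with Eve
    performing intercept-and-resend on every qubit.  Returns the quantum bit
    error rate (QBER) measured on a public sample, the final key length, and
    whether Alice's and Bob's remaining key bits agree."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.choice(BASES) for _ in range(n_qubits)]
    bob_bases = [rng.choice(BASES) for _ in range(n_qubits)]

    # Quantum channel: each qubit in flight is a (bit, basis) pair.
    in_flight = list(zip(alice_bits, alice_bases))
    if eavesdrop:
        # Eve cannot copy an unknown qubit, so she measures in a guessed basis
        # and re-emits what she saw.  Half her guesses disturb the state.
        resent = []
        for bit, basis in in_flight:
            eve_basis = rng.choice(BASES)
            resent.append((measure(bit, basis, eve_basis, rng), eve_basis))
        in_flight = resent

    bob_bits = [measure(bit, basis, bob_bases[i], rng)
                for i, (bit, basis) in enumerate(in_flight)]

    # Sifting over the public (classical, authenticated) channel: Alice and Bob
    # announce only their bases and keep positions where the bases match.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    bob_key = [bob_bits[i] for i in keep]

    # Error estimation: publicly compare a random sample, then discard it.
    k = int(len(keep) * sample_fraction)
    if k == 0:
        raise ValueError("too few sifted bits to estimate the error rate")
    sample = set(rng.sample(range(len(keep)), k))
    errors = sum(alice_key[i] != bob_key[i] for i in sample)
    final_alice = [b for i, b in enumerate(alice_key) if i not in sample]
    final_bob = [b for i, b in enumerate(bob_key) if i not in sample]
    return {
        "qber": errors / k,
        "key_len": len(final_alice),
        "keys_match": final_alice == final_bob,
    }


def session_accepted(result):
    """Alice and Bob keep the key only if the observed error rate is low."""
    return result["qber"] <= QBER_ABORT_THRESHOLD
```

With no eavesdropper the simulated channel is noiseless, so the error rate is exactly zero and the sifted keys agree; with intercept-and-resend the rate climbs to about a quarter, well above the abort threshold, which is the property the text describes: the interception does not go unnoticed. A real link also has to authenticate the classical channel, since BB84 protects confidentiality of the key but not the identity of the party at the other end.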

Quantum computing looks set to change our cyber security landscape, and I, for one, am hoping that we get the encryption right before the hackers create any exploits. I think this technology will revolutionise how we keep our information secure, avoid the recent high-profile attacks repeating themselves and improve national security.

What are your thoughts? Leave a reply below or contact me by email.