Category: Cyber Security
Financial Trade Groups Write to House Leaders in Support of Data Breach Notification Bill
The associations expressed support for draft legislation released by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) that would create a level playing field of nationally consistent data protection standards and post-breach notification requirements. This bill would not create duplicative standards for financial institutions which are already subject to robust standards, but rather extend similar expectations to other sectors that handle consumer data.
“The goal of the bill is simple — raise the bar so that all companies protect data similar to how banks and credit unions protect their data, and create a common-sense standard to ensure consumers receive timely notice when a breach does occur,” the groups wrote.
The draft bill contains a provision that recognizes the existing, effective regulatory framework for covered financial sector entities. While the provision was intended to prevent banks and credit unions from being subject to duplicative notification requirements, it has been the target of recent negative campaigns circulated by the National Retail Federation and the Retail Industry Leaders Association, which incorrectly suggested that banks do not notify customers of breaches on their computer systems and The ads from the retailer groups also mischaracterize and exaggerate the share of data breaches occurring at banks and credit unions while omitting their members’ (higher) share of data breaches.
The financial trades refuted the notification assertion, noting that “banks and credit unions have long been subject to rigorous data protection and breach notification practices for financial institutions to follow,” and that in the event of a data breach, banks and credit unions work continuously to communicate with customers, reissue cards and enact measures to mitigate the effects of fraud. They added, however, that “no solution will work unless everyone has an obligation to take these steps.” For more information, contact ABA’s Jess Sharp.
Words all bound to who we claim to be – How do we identify ourselves on the Internet or in Cyberspace?
Identifier – Something you create or are provided to digitally identify yourselves. Identifiers are things like an alias, user name, email address are examples.
Identity – This is who we are or wish to represent ourselves to be. These are attributes and information about: where we live, who we work for, which banks we have relationships with, who our friends are, which clubs we belong to, our certified skills, what schools we graduated from, which country(s) we are citizens of, our LinkedIn profile, Our Twitter handle, our Facebook identifier, our phone number … . It is the sum of the attributes we can and will share with others, be they individuals, governments, entities or organizations; as we establish relationships and prove to them who and often what we are.
Authentication – The method we employ to assure that you, based on the identifier presented, are who we (the relying parties) thinks you are. You are the person the relying party accepted when you registered that Identifier as how you would digitally identify yourself. By itself the method of authentication should not allow another party to be able to determine anything about your identity. Privacy is the goal. FIDO Alliance and W3C have defined standards to support authentication.
Verification – The process of confirming that the secret or biometric match the secret or biometric that where originally registered to that Identifier.
Identification – A means of authentication that is bound to your identity. A EMV payment instrument “Chip and PIN”, a PIV card, an electronic passport, a membership card, a drivers license, a national ID are all forms of identification issued by a party that should be trusted to have performed a proof of the individuals Identity, based on a defined and often published criteria.
This particular word, for many, has an alternate meaning. In the biometric community they see Identification as the ability to use a biometric to determine ones Identity. This is achieved by performing a one (the person present) to many match (persons registered). The goal is the same, bind Identity to the mean of Authentication by using the Biometric as the Identifier.
Proof – The method a relying party or an individual uses to validate your claim of a specific Identity. In many cases this is achieved by relying on knowledge of another party. The relying party accepts the due diligence to proof your claimed identity was done to their satisfaction by another party. This other party is often referred to as a Trusted party. This effort to proof the identity of an individual is linked to words and acronyms like KYC “Know Your Customer”, ID&V “Identity and Verification” and Self Sovereign Identity. We classically assume that documents provided by a Government e.g. drivers License and Passports are a solid proof of the claims asserted on those same documents.
In a digital world this is the most important element of a how we as people, entities, governments and corporations can be assured that you are who we believe you to be.
I am once again am reminded of the 1994 New Yorker Cartoon
The challenge of voice recognition and the need for multiple modalities to the question of authentication
A Good Mimic Can Bypass Voice Recognition Authentication, Research Suggests
The idea of voice many see as one of the more interesting biometric solutions as seen from an ergonomic perspective and something that can readily enhance the call center consumer experience and related security. The user simply needs to say something into a microphone (telephone) and presto they can be identified or authenticated.
But is it a safe and secure approach or simply the starting point for the identification and therefore associated with additional authentication processes.
Personally I am not convinced a voice is a good solution to the challenge of authentication. Yes, as one element of a multi-factor multimodal approach it is an excellent modality. But not as the only biometric modality. My fear emerged from a conversation with a sound engineer. She told me they could, at the level of a single vowel, splice and change the intonation of a word in a movie sound track.
The above article clearly identifies real world examples of voice biometrics being fooled and concludes by remind us that a multimodal solution is essential.
Classic Multi-Factor Authentication wants to pair multiple unique and none replicable elements together.
- Some thing you have
- Some thing you know
- Something you are
When I think about multi-factor authentication I wonder what would happen if the object “what you have” can be stolen. This therefore means the second factor must to assure that only the legitimate user is presenting the object. If a mime can replicate a voice, after stealing the object, then, this combination of factors can be compromised.
EMV, when implemented as Chip and PIN, matches a unique chip card (what you have) with a PIN (what you know). Apple Pay is EMV and stores the secrets and executes the cryptographic functions, inside hardware, the Secure Enclave (what you have) and combines this with a sensor to capture the Biometric (what you are). The electronic passport ICAO use similar chips and carries within it a facial image. The US PIV & CAC cards uses the same style Chip and are paired it with a fingerprint and sometimes also requires the user to enter their PIN.
Yet are they truly secure? We know Apple X’s, facial recognition, as currently implemented, can be fooled. We know that Touch ID was spoofed. Without liveness testing, most if not all biometrics, will accept a clone or replica of the biometric it employs.
The challenge is establishing the appropriate benchmarks for the various biometric implementations such that enterprises, governments, merchants and corporations can select and implement a consumer experience that satisfies the needs of security and convenience.
Acronyms like FRR, FAR and PAD become critical to selecting the appropriate implementation of a biometric solution.
- The False Reject Rate or FRR is all about convenience and not refusing the legitimate user. Perfection is a ratio of 0 in ∞
- The False Accept Rate or FAR is all about not approving a transaction or event by an imposter. Perfection is a ratio of 0 in 1
- The Presentation Attack Detection or PAD is all about addressing the reality that anything can be duplicated; therefore it is essential to make sure the biometric presented in alive and genuine. Perfection is a ratio of 0 in 1.
The challenge is establishing a balance between the cost and the acceptable FRR, FAR and PAD.
Measuring and establishing the test results of a particular element of a multi-factor solution is not cheap. EMV, PIV, ICAO software and “Secure enclave” / “Chip Card” / “Secure Element” suppliers spend 100’s of thousands of dollars developing and certifying the functional and security characteristics of the “what you have” element of these solutions. We know that passwords and PIN can and have been compromised with Phishing attacks and hidden cameras.
When we think about biometrics there is complexity in the read and match processes. When the user established their identity and their biometric the reference template is create. This reference template is then used in the matching process to identify if template resulting from the biometric just presented, is the same. Unfortunately reality dictates that each presentation of the user’s biometric will generate a unique result. This unique result will never absolutely match the reference template. Hence the need to understand and test the sensor and establish its FRR, FAR and PAD. The more foolproof the match must be, dictates the complexity of the solution and the number of different individual needed during the test process to establish the sensors FRR, FAR and PAD.
Therefore selecting the most appropriate solutions means quantify the risk of the event or transaction and measuring it against the cost and certified characteristics of the authentication mechanisms.
A layered approach that combines two or more factors must also considered including multiple modalities for at least the “what you are modality” is what we must consider. Using cryptography and hardware to address what you are, Passwords and demographic information to match what you know and layering various elements like location, behavior and some set of biometrics to understand who you are, will offer the highest level of security with the lowest degree of inconvenience.
Bottom Line Multi-Modal & Multi Factor
Authentication of Identification is what we must implement
Always mindful a modality will lose its ability to assure uniqueness
Deciphering Digital – Your Phone is Your Wallet
Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference. Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution. ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.
My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.
Citizen Bill of Cyber Bill of Rights
Created in December of 2011 as I reflected on the emergence of the Cyber Risk
My identity is mine electronic or otherwise
I will be prudent in its use
I understand if I enter into an agreement that you can prove it was me
Then I am responsible
I will carry with me an object that can be kept safe from intrusion and can easily be remotely destroyed
You, those entities human and other that I enter into a relationship with
Can offer me anything I am willing to opt-in to
Using a defined set of cryptographic relationships
I agree that a digital contract can be signed and agreed and has the full force of the law behind it
You will recognize that I am your human equal and will,
Save for acts of God and Nature,
Endeavor to provide quality and service