White Paper – Identity, Trust and Communication



What is our identity?

One of the many definitions of identity is

“the characteristics, feelings or beliefs that make people different from others”. This is particularly relevant in an ever-changing and diverse cultural landscape; however, demonstrating our identity is one of the key factors in creating trust in our personal and professional relationships.

When we engage with companies, financial institutions or other individuals, one of the first hurdles we encounter is proving the identity and legitimacy of the other party. This is easier if you hold a personal relationship; however, the very nature of our online world continues to create a personal disconnect in these circumstances. Consequently, securing the identity of the people we interact with is critical to protecting ourselves from fraud and attack.

Protecting one’s identity in an online world takes many forms, including biometrics built into our phones and computers, voice recognition, passwords, passcodes and two-factor authentication messages sent to your mobile phone.

All of these methodologies have their pros and cons, and individually none is completely infallible; however, when used in combination they become more powerful. This is good news for protecting our identity, but when we put them together in the wrong combination we make them too difficult to use, putting up barriers between us and the people and entities we want to communicate with.

The single biggest challenge to identity in our world today is that of immediacy. We all expect to be able to complete our transactions quickly and simply with a minimum of fuss. Consequently, when challenged to prove our identity we often become irritated or angry because we know who we are!

Should we think more carefully about protecting our most important asset, our identity? Clearly the answer is simple – yes. We must take responsibility for protecting ourselves, as others will often exploit any vulnerability for their own benefit.

Great – so you are now responsibly protecting your identity, but what happens when somebody attacks the most fundamental part of our personal interactions: the very medium of communication?

Since the beginning of time we have always relied on a courier or service to transmit our communications. Historically these might have been a personal courier sent by horse, stagecoach, ship or even the unfortunate messenger on foot. All of these fell victim to attacks by unsavoury individuals.

Whilst we might assume that the use of technology has mitigated some of these issues, phone calls can still be intercepted, postal mail stolen, and emails or electronic interactions intercepted in their transmission across the internet.

Clearly, if we are going to learn from history, protecting our identity is founded on two key factors – proving our identity and protecting our communications from attack…


Worldwide email volumes

[Chart: worldwide daily email volumes, 2018 to 2022; vertical axis 240 to 340]

How unique is our identity?

Every single day of our lives we deal with IDENTITY, whether proving to others that we are who we say we are or verifying that others are who they claim to be! Daily usage of our mobile phones might be the most obvious and frequent example we have of proving our identity, in many cases using the biometric capabilities built into our smart devices.

Biometrics

According to a leading global technology supplier, the probability that a random person in the population could unlock your mobile device using Face ID is approximately 1 in 1,000,000, with our fingerprints offering lower levels of ‘uniqueness’ at a ratio of around 50,000 to 1. I recently discovered something interesting in the use of biometrics...

I’m lucky enough to have two great sons, one older than the other by just over three years. Whilst naturally they differ in appearance, there are of course family resemblances, but... my eldest son can open his brother’s phone with Face ID!

I suspect that the tech supplier’s reference to a random person in the introductory words might be because they are also aware of this phenomenon!

We continually identify those with whom we converse, a process at which the human brain is ingenious and unique. Our brains perform incredible levels of processing in the blink of an eye, utilising all our senses, sight and hearing being the main two, but in some cases smell too!

Identity at a distance

Of course, life becomes more complicated when we are remote from the party we are seeking to identify, and we are called upon to resort to fewer of our senses.

Recognising someone’s voice on the phone, by way of example, might leave us open to higher levels of risk and misinterpretation!

Remote Identity – putting words in our mouths?

Recently a BBC reporter demonstrated that he could successfully fool the voice ID authentication service of a high street bank when his non-identical twin was able to access his account. Advancements being made by projects such as Google’s DeepMind WaveNet or Lyrebird have demonstrated how artificial intelligence can, within minutes, synthesise our voices to a very high degree of accuracy. Combining both these examples understandably raises concerns as to the integrity of voice authentication. When dealing with our clients remotely, whether communicating on the phone or via email, we must exercise a much higher degree of caution.

... over 280 billion emails are sent and received each day!

Our flag is our identity, and we can’t disrespect or let anyone else disrespect our identity.

Gautam Gambhir


Telephone banking

A prime example of reducing the risks associated with remote identity is the process used in telephone banking.

When a bank’s representative engages with you, the bank must seek to ensure that the representative themselves cannot harvest enough information about you to subsequently misrepresent themselves as you.

So how does the bank seek to secure its telephone banking experience?

Initially, the bank’s representative will ask for light ID parameters which they use to narrow the field as far as the caller’s identity is concerned. Commonly, this will be the caller’s full name and home postal code, against which they hope to identify the caller’s bank records. In order to ensure that the caller is the ‘right party’, the bank’s representative is then presented with a series of questions that are randomly pulled from a longer list of ID challenges set up by the bank and account holder at the outset of their relationship. Each of the caller’s answers is keyed into the bank’s system for verification and, assuming the caller can satisfactorily answer the pre-agreed challenges, the bank can then allow the caller to transact their business.

The bank’s representative does not know whether the individual answers provided are correct or otherwise; they only know that all the challenges have been satisfied. The theory is that no representative should be able to collect enough information during the exchange to profile the caller and potentially use such information to misrepresent themselves as the caller.

Of course, this is not infallible, but it emphasises the importance that should be placed upon the ID parameters themselves, given that they are the sentinel.
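As an added illustration (not code from this paper or from Beyond Encryption), the following Python sketch shows the challenge-response design described above: answers agreed at onboarding are stored only as salted hashes, a random subset of challenges is drawn for each call, and the system returns a single pass/fail to the representative rather than per-answer results. The question set and answers are constructed sample values.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets

# Constructed sample challenge set, agreed between bank and account holder at
# the outset of the relationship (placeholder values, not real data).
SAMPLE_CHALLENGES = {
    "first school": "St Mary's",
    "mother's maiden name": "Smith",
    "first pet": "Rex",
    "memorable place": "Brighton",
}


def _normalise(answer: str) -> str:
    """Tolerate case and spacing differences in spoken answers keyed by staff."""
    return " ".join(answer.lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that the stored record never holds the answer in clear.
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, 50_000)


def enrol(challenges: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Run once at onboarding: store (salt, hash) per question, never the answer."""
    store = {}
    for question, answer in challenges.items():
        salt = os.urandom(16)
        store[question] = (salt, _hash_answer(answer, salt))
    return store


def select_challenges(store: dict, k: int) -> list[str]:
    """Pick k questions at random from the longer list for this particular call."""
    return secrets.SystemRandom().sample(sorted(store), k)


def verify_session(store: dict, asked: list[str], keyed: dict[str, str]) -> bool:
    """The system checks every keyed answer and returns only an aggregate result.

    The representative's screen never sees which individual answer was wrong,
    so a dishonest representative cannot build a profile of the caller.
    """
    all_ok = True
    for question in asked:
        salt, expected = store[question]
        given = keyed.get(question, "")
        # Constant-time compare, and keep checking every answer rather than
        # stopping early, so neither timing nor control flow leaks which failed.
        all_ok &= hmac.compare_digest(expected, _hash_answer(given, salt))
    return all_ok
```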

Beyond trust – securing email and identity

Email has remained largely unchanged since its introduction over 30 years ago. Basic email messages sent today still look very similar to those sent in the early 1970s; however, the volume of emails could not be more different.

Over 280 billion emails are sent and received every day, and this number is predicted to rise to around 1/3 trillion per day within 2 years.

Whilst proprietary systems may use non-standard protocols internally, all use the Simple Mail Transfer Protocol (SMTP) when sending email to, or receiving it from, outside their own systems, a protocol that has no built-in security features at all.

Therefore, the default state of all email services is unencrypted and open to attack, putting crucial information at risk. Even where email is secured, in many cases there is no control or authentication that the party opening the communication is indeed the intended recipient.

When you email highly personal information, there’s absolutely no guarantee that your message is protected in transit or in the recipient’s inbox. Equally as worrying is that there is no ability to take back an email sent to a recipient if something in the content was wrong, or indeed you sent it to the wrong person. Most people reading this will be able to cite examples of where this has happened to them!


Email is often compared to sending a postcard, containing sensitive information, by way of the traditional postal service. This comparison is more accurate than you might imagine given that, like an email bouncing from one server to another on its journey, our post might pass through several sorting offices and individuals before it hopefully arrives at its intended destination.

The content of the postcard or email can be read by anyone at any point!

Of course, we seal sensitive information within envelopes with the aim of ensuring that only the intended recipient opens it but sadly, like a normal email, such communications are sometimes opened and read by parties other than the intended recipient.

The postal service offers products that seek to solve this problem in the form of Recorded Delivery or perhaps even the Post Office’s ‘Document Certification’ process – both come at considerable expense and inconvenience and are similarly not necessarily 100% reliable. Secure email solutions might employ various techniques to verify an intended party’s identity, ranging from a PIN code, also sent by email, to somewhat more sophisticated approaches. One must consider which might truly enable the verification of an identity, for fear of infringing the stringent legal and regulatory requirements that surround this topic.

Identity and fraud

The BBC recently published its latest article set against the massive and continued cyber-criminal activity targeting businesses across the globe.

https://www.bbc.co.uk/news/technology-49857948

Business Email Compromise (BEC), as referenced in the BBC article, remains amongst the largest areas of financial loss attributable to cyber-criminal activity around the world.

This type of fraud has taken a number of different forms and already carries several descriptive names and acronyms including BEC, EAC (Email Account Compromise), CEO fraud (impersonation of a senior company executive in order to divert payments for goods and services into a fraudulent bank account) or whaling (a highly targeted phishing attack - aimed at senior executives).

All are largely based upon the same fundamental fact: normal email remains insecure and open to abuse because of the lack of ID verification.

According to a global report by RiskIQ, over £2.2M is lost to cyber crime every minute. This means over £1.1 Trillion is lost annually.

Homebuyer and invoice fraud

Increasingly frequent incidents involving identity related fraud are reported on a daily basis.

Homebuyer fraud is when individuals are tricked into making a payment to a cyber-criminal rather than their solicitor in a house purchase transaction. Invoice fraud is where an organisation similarly directs funds to cyber-criminals rather than the intended party when settling an invoice.

This topic is the subject of various research outputs and puts the annual cost to UK businesses of such cyber-criminal activity at anything between hundreds of millions and billions of pounds.

Invoices can arrive at a business in a multitude of forms, ranging from a ‘hard copy’ in the traditional post to electronic delivery via a portal, direct upload into an accounts system or email. Consequently, there are a multitude of ways for criminals to corrupt an invoice or the invoice process in a potential scam.

Scandals continue to hit the headlines and many are rooted in a weak approach to securing information in email and the connected identity processes, or lack of them.

According to a July FBI report last year, the global cost of Business Email Compromise (BEC), another form of the same type of fraud, had resulted in losses equating to $12 billion in 2018.


Can Technology Help?

Technology is a double-edged sword: it has created opportunities for fraudsters and criminals to hijack email traffic carrying sensitive data, but it can also be used to protect us by adding advanced levels of security, control and audit over electronic communications.

The ability to ensure that only the intended recipient can open an email, and any associated attachments, and for the sender to also verify that an authenticated identity has received and opened an email, can be very powerful.

Whilst most of us might not like to admit it, I’m sure that many have inadvertently sent an email to the wrong person, an error that can prove not only very embarrassing but potentially very damaging! As such, the ability to fully revoke such an email can be advantageous.

‘GDPR One Year On’

The BBC recently broadcast ‘GDPR One Year On’, a documentary focusing upon the lack of transparency our devices exhibit, sharing data with multiple parties all over the world; the emphasis on exercising caution and control over our communications has never been greater.

The show included an interesting insight into customers exercising their rights under GDPR in the form of Subject Access Requests (SARs). SARs allow an individual to request that a company provide all information held in their name and yet, over a year on, many companies have yet to consider how they comply with such a request. Clearly, delivery of such sensitive information to someone other than the right party will itself infringe GDPR and might carry with it immeasurable damage, financially and reputationally.


Proving our identity – the cost

It’s worth bearing in mind that many of the ID processes we have become familiar with have their shortcomings – when we are issued with PINs for our credit cards, these are often sent to us in the normal post. What guarantee is there that only the intended party opens and reads this communication?

Is a passport still a robust means of proving we are who we say we are, particularly if we are trying to do so remotely?

The Senior Managers Regime (SMR), which came into effect in March 2016, is a part of UK financial regulation aimed at increasing personal accountability of senior people in the financial services industry. Data issues, such as those noted above, are captured within this regime so senior managers may find themselves responsible for any failings in the context of SAR delivery.

As such, the question we must ask ourselves when communicating is “How do we secure such information whilst taking a robust approach to the dilemma of identity, particularly when dealing with a ‘remote’ end user?”

Identity might be described as an uncertain, impermanent shifting concept given that varying parties are likely to have a different opinion of the values and attributes that they are satisfied can be used to help prove our identity.

The government’s VERIFY initiative set out to describe how companies might identify clients, thereby encouraging secure transactions and communications.

In an age when legislation allows us to be ‘forgotten’, it is likely to become increasingly difficult for companies to access information capable of providing a robust ID verification methodology.

Identity and trust

Legislation continues to evolve, seeking to afford us the ability to decide who holds what information about us - after all, in the broadest sense, our identity is prized beyond all other things.

We revel in the idea of freedom and greater anonymity and yet, as ‘online consumers’ we are faced with an identity conundrum when insufficient information is available to verify ‘we are who we say we are’.

Technology

Enforcement of access control and encryption can be achieved using technology.

When we send a message containing sensitive information it should be cryptographically signed and verified as a matter of course.

The idea of sending such communications using unencrypted emails that can’t be revoked or controlled should be considered as antiquated as an old telephone party line.

Security, privacy and control need to be a priority and normal email needs an upgrade to achieve these ambitions, whether you are motivated to act because of the security of your business or the service efficiencies that can be gained through ‘Digital Recorded Delivery®’.


Beyond Encryption
Gloster Court
Whittle Avenue
Fareham
PO15 5SH

Tel: 0208 123 [email protected]

beyondencryption.com

In summary

Identity – the heart of Beyond Encryption

Identity is at the heart of the Beyond Encryption platform as well as its values and mission. Users of its Mailock solution are empowered to leverage decades of know-how in securing their customers’ data, protecting their businesses and addressing the increasingly complex area of regulatory requirements.

Mailock – securing customers, businesses and addressing regulatory requirements

Mailock affords unique levels of control over identity verification processes and, importantly, its technology uniquely affords absolute control over communications data and identification parameters, both remaining sacrosanct in any communications strategy.