Cybersecurity and the road to biometrics

By Philippe Le Pape, VP Partnerships and Presales • Safran Identity & Security

June 06, 2016

This week, Visa Europe presents a three-part series on a subject that is dominating the headlines: biometrics. We have invited Safran, the leading supplier of technology for security as well as aerospace and defence, to give us its perspective on why biometrics is such a hot topic today and where they see the industry heading.

Last February, not coincidentally on “Safer Internet Day,” US President Obama announced the Cybersecurity National Action Plan (CNAP),a new initiative intended to strengthen US government and private-sector cybersecurity. The announcement came after an epidemic of data breaches and cyber-attacks on government and private networks.

Online fraud in the form of malware and phishing is engulfing the internet. In 2015 security company Kaspersky Labs detected over 100m malicious objects such as scripts, exploits, executable files, and so on. A worrying aspect of the criminal activity behind online fraud is the ease by which stolen identities and compromised accounts can be monetized. What’s more, there is considerable evidence of increased sophistication in the forms of attack used by fraudsters, as noted by security company Symantec in their annual security threat report.

Identity theft occurs when a criminal gains access to personal information to steal money or other benefits, such as access to tax refunds. Using false, or falsely obtained, documents for identity theft is not a new crime, and the authentication and protection of these documents is a long-standing problem. With the rapid growth of online services, digital exchanges and payments via the Internet have broadened the types of identifiers that can be used for impersonation and fraud. Accordingly, the needs of individuals, organizations and banks have changed and continue to evolve; security and convenience are essential for individuals when making payment transactions.

In recent history, the situation has been exacerbated by the all-conquering rise of mobile devices; today, the vast majority of online transactions are now initiated on a smartphone or tablet. Research last year by the US Federal Reserve found that 71% of US mobile phones are Smartphones and that over half of these use their phones to access banking services. In the EU, KPMG found that around 38% of those with a bank account use mobile online services to access it. In addition, eGovernment initiatives around the world (spurred on by the UN eGovernment programme) are driving citizens to access services from voting to tax returns online. And this is increasingly via a mobile device, which implies on-the-go, small screen, wireless connectivity and a host of other less than secure environmental conditions. Symantec state that data breaches in the financial sector alone accounted for 23% of all identities exposed by hackers. Security experts believe identity theft to be an even greater threat in the mobile world, as the constraints of the form-factor and continuous handset connectivity makes them more vulnerable to abuse.

How then, to stay secure in our mobile, connected, digital world?

Building Trust In the Digital Economy

In the digital world, trust is rooted in knowing precisely with whom or what you are interacting; strong authentication functions facilitate this by proving that the user – whether an individual, entity or object – is in fact who or what they claim to be. In order for digital exchanges and the digital economy to thrive, there must be trust between the players involved, namely individuals, organisations, as well as the hardware and software that connect them.

In other words, at what point is there sufficient evidence that the user’s identity is really who they claim to be, enabling the transaction to proceed? While the CNAP Fact Sheet clearly refers to ‘multi-factor authentication’, the US government’s CIO has spoken specifically about two-factor authentication. This technique verifies user identity by means of combining two different components. These components may be something the user knows, something the user possesses or something inseparable from the user. An everyday example of two-factor authentication is the ATM; only the correct combination of a bankcard (something the user possesses) and PIN (personal identification number, something the user knows) enables cash to be withdrawn.

Two-factor authentication services have been extended to include verification by mobile phone. Several popular email and cloud storage providers now use this type of verification as standard. However there are still weaknesses with this system and the first is the humans involved: we simply aren’t very good at creating or remembering passwords, even with the help of password management software. During the recent ‘Star Wars’ film hype, research found that ‘starwars’ became a worldwide popular password – but far more worryingly, ‘123456’ and ‘password’ remain the two most used passwords. This reflects the constant battle going on in our lives between security and convenience.

The fundamental point is that the password is no longer the best way to authenticate users. This raises two questions: Why do we still rely on the archaic alphanumeric password for authentication and what other method(s) could render it finally obsolete?

This series examines those questions in the next two instalments, starting with “Look! No PIN” published on Wednesday, followed by “The Mobile-Powered Planet” due Friday.

Share this post

Like this post

Related Articles

Not a token gesture

February 22, 2016

This year’s Mobile World Congress again featured the world’s leading handset manufacturers, software developers and service providers. With hundreds of companies displaying products, visitors were amongst the first to see new devices and services that will change the way we’re entertained, manage our daily routines and even the way we interact with our car and home.

Sandra Alzetta Read More

How strong should customer authentication be?

February 16, 2016

Offering payment solutions is high risk. Moving money always was and always will be. The development of card payments 55 years ago started with an embossed card and paper slips. It didn’t have great security, but it was fit-for-purpose.

Peter Bayley Read More

Gen Z: The Biometric Generation

January 20, 2015

For Generation Z – those now aged around 16-24 – passwords are a natural part of the way the world works. Whether for smartphones, social media accounts, or payment cards, Generation Z has grown up with having numerous logins and passwords to get by in their everyday lives.

Jonathan Vaux Read More

Working together for friction-free shopping

November 05, 2015

There is one dilemma that online retailers the world over share in common: the constant battle between convenience and security.

Peter Bayley Read More

PSD2 Position Paper: Authenticating online payments

November 16, 2015

Life would be so simple if the answer to every question was either “yes” or “no”. “Go” or “stop”. “All” or “nothing”. But life’s more complicated than that. It involves context, nuance, degrees, and increments.

Marc Temmerman Read More

Money2020: Visa Europe Collab talks wearables and authentication

May 06, 2016

We were excited to be part of the Money2020 conference place earlier this year. Collab Innovation Partner Mike Philpotts took part in a panel talking about the evolution of wearables and authentication systems and shared some highlights with industry news site Finextra, as well as talking about some of Visa Europe Collab’s work exploring the space.

Mike Philpotts Read More