Nine months in, and the European Union’s General Data Protection Regulation (GDPR) is gathering steam, with fines accruing. Google’s $57 million fine on data protection violations, levied in January, stands as one recent example of what can happen when companies run afoul of its mandates.
The handling of data is entering uncharted waters, where the ways companies process and store data, and how transparent they are about it, are changing.
Amid it all, commerce is going ever more digital, online, mobile and always on. The challenge for firms transacting with companies in a manner that is anything but face-to-face is that it’s hard to tell whether a consumer (and, thus, a transaction) is legitimate, or whether the data being presented has come from the Dark Web and the bad guys are about to make off with some ill-gotten gains.
One need only scan the headlines of recent breaches to see the damage done, with hundreds of millions of individuals’ data compromised, and untold billions of dollars’ worth of financial havoc wreaked.
Only As Good As The Weakest Link
Online authentication is only as good as its weakest link. Karl Kilb, CEO of Boloro, noted in an interview with Karen Webster that the weakest link is the internet itself — where PINs, passwords and any number of data points are floating in the ether, and can be up for grabs or sale.
“The internet has become the platform for absolutely everything that we do,” said Kilb. “This includes eCommerce, online banking, payments and, of course, all the devices connected through the Internet of Things [IoT]. But the internet is inherently insecure. We see dramatically increasing levels and sophistication of fraud happening every single day. … From a security point of view, while the internet is great for a mass distribution of information, the internet was never designed for secure transactions.”
Against a backdrop where transactions are on the rise, but have a weak foundation, it makes sense that authentication should be done separately — indeed, wholly disconnected — from the internet, said Kilb.
He contended that no matter what layers firms offer in terms of authentication, as long as money or sensitive data are moved across the internet, “you are asking for trouble. And that is the issue with in-app authentication, or any type of authentication that relies on the internet or the operating system.” He recounted the daily occurrences of snooping, and of malware that too often finds its way onto a user’s phone.
The Future Is Offline
Thus, Kilb maintained, in the pursuit of the best authentication methods, there should exist a secure lock and key — but one that he said “is offline and out of band.”
He added that Boloro relies on the secure signaling layer tied to the mobile device, the same channel used by the government to broadcast “AMBER alerts” to users. Flash texts requesting authentication ask for a PIN. Once the PIN is confirmed, the transaction goes through, but the PIN and the text disappear, never having been stored on the phone.
Kilb stated that the process combines a series of defenses against fraudsters, with credentials being only part of the picture. Those credentials span names and Social Security numbers, the specific device that must be used in the transaction and the PIN itself. Boloro operates on a licensing and subscription model, layered on top of the bank’s app through a separate channel, all done through an API.
“Now that we have proven our technology in other markets [such as India and the Middle East], we’re looking to bring it to Europe and the Americas at a time when banks in Europe and the Americas are trying to figure out how to address the payment services directive (PSD2), and are asking, ‘How do we also comply with data protection and privacy regulations worldwide?’”
Kilb continued, “To us, the best way to avoid any problems with personal data is not to collect it to begin with,” adding that “the only requirement is that you have your phone and that you remember your PIN.”