The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, and with that, everyone has been worrying about the collection, usage and storage of personal data.
It makes sense, as the regulation adds strict new standards around these actions – and particularly around consumers’ rights to control their own data, even going so far as to request its total erasure from an organization’s system.
However, according to Karl P. Kilb III, CEO, Boloro, there is a chance that everyone has missed the forest for the trees. Instead of getting stricter about how consumer data is handled, what if organizations just didn’t collect it at all – and didn’t need to?
Today, there are a number of reasons for collecting data, and not all of them tie back to the profitable business of ad targeting; sometimes data collection is done for the consumer’s own good. The right data can create a profile so precise that algorithms can immediately tell the difference between a legitimate customer and a fraudster who is holding all the right credentials to pose as the person, just by detecting behavioral attributes like cursor movements and clicking habits.
However, under GDPR, it’s all about consent, so if consumers want to take back their data, organizations cannot retain or use it, even to protect them.
GDPR isn’t the only challenge. As data breaches pile up, it’s more likely than not that any given individual’s sensitive information is floating around somewhere out there on the dark web. If that data has already been exposed, then taking it back from organizations doesn’t do much good – there needs to be a way to tell, in the moment of the transaction, that a customer is legitimate rather than a criminal who has gained access to their static credentials, such as birthdate, address and Social Security number.
A multi-channel, multi-factor process can provide definitive security advantages, Kilb said, even without any stored consumer data. In a recent interview with PYMNTS, Kilb explained Boloro’s approach and why he believes it should be the future of security everywhere.
Cutting Out the Internet
The biggest problem with online authentication is that it’s, well, online.
“Anytime there’s a single point of failure – and the internet is one – it’s easy for fraudsters to intercept a PIN or password,” Kilb said.
The internet, he noted, is inherently insecure, created to facilitate fast and widespread data access; it was never built to facilitate and protect financial transactions.
As that use case has become more prevalent, workarounds have been necessary to provide consumers with at least some level of protection against those who would steal and abuse their credentials – but it’s clear those methods are falling short.
The internet, said Kilb, is littered with personal data that was supposedly secured by encryption. One-time passwords sent via SMS text message feel secure because they introduce friction, but they, too, can be intercepted.
According to Kilb, the answer is to divorce authentication from the transaction, keeping any identity verification components safely offline where they can’t be hacked.
Instead of using the internet, Boloro looked to the secure signaling layer of the mobile phone, which is what the government uses to push out Amber alerts. With this, a flash text message can be delivered even if the phone is not being used.
Kilb explained that Boloro uses the flash text message to briefly describe the transaction that is taking place and asks the user to authenticate using his or her memorized PIN. The flash text then disappears forever, leaving no trace of its contents or the user’s PIN on the device.
That means in order for a transaction to be completed, a user must have more than just credentials, such as name, address, date of birth, Social Security number and credit card number. The user’s specific device must also be present, and the final, knowledge-based layer must be provided – so even if a fraudster managed to get his hands on the right device, he would still be barred from doing any damage without the user’s PIN.
End User Experience
Kilb described this method as an “ATM approach.” That is, the user arrives at the point of transaction and must enter a memorized PIN to continue. It feels familiar, he said, and that increases user comfort.
It also doesn’t ask for much effort on the user’s end, so even though it’s technically a “new” transaction flow, Kilb believes it can strike that difficult balance between security and seamlessness.
If a consumer is asked to authenticate using a one-time password, Kilb said, security aside, the process can be cumbersome, because it requires toggling between the transaction page and the text message containing the password. By comparison, a PIN is quicker and easier to use because the consumer already has it memorized, so he can just plug it right into that flash text and go back to completing the transaction.
The flash text provides just enough friction for users to feel secure, said Kilb, yet it asks so little of them that, were this authentication approach to go mainstream, it likely would not meet much resistance from the consumer base.
If they do embrace it, added Kilb, leveraging secure signaling for authentication could potentially stamp out eCommerce fraud altogether – or, at least, force fraudsters to find a new path of least resistance.
GDPR requires companies to demonstrate that they have received permission from users before they collect, use, and store personal data. Kilb said there are two ways the ATM approach could help.
First, it could assist with obtaining that permission. Companies could send a flash text over the secure signaling layer to guarantee that it reaches the intended recipient, and the user would then consent to data collection by entering his memorized password.
As with the transaction use case, an internet-based message – whether SMS or email – can be intercepted, said Kilb, and fraudsters don’t need to know a thing to click “Accept” or “Reject.”
Using a device’s secure signaling layer instead means the specific user and his specific device must both be present for permission to be obtained, and the organization then has a time-stamped record that can be used to demonstrate its compliance.
Second, if permission is not granted, if consumers exercise their right to erasure under the GDPR or if their personal data has already been compromised, Kilb said the ATM approach can still protect them at each transaction going forward by requiring the device and PIN to be present.
Staunching the Data Breach Wound
Kilb noted that switching from internet-based authentication to authentication via secure signaling could stem the tide of data compromise, first by offering protection to the many millions whose credentials have already been compromised, and second by creating stronger protections around data that has not yet been compromised before fraudsters can get their hands on it.
Consider the Social Security number. Following last year’s data breach at consumer credit reporting bureau Equifax, millions of these are now floating around the internet for fraudsters to obtain and use as they wish. This has led many to say it’s time to retire the SSN as a bullet-proof measure of identity, since it clearly no longer serves as one.
But imagine, said Kilb, that the SSN were tied to a device and PIN so that the rightful consumer would receive a flash text to authenticate any time his credentials were being used. Thus, he said, the SSN would not need to be retired as an identifier; it would just require authentication over the secure signaling layer to use it for any transactions.
Kilb said that’s just one example of where internet-free authentication could help staunch the data breach wound by avoiding data collection altogether.
“The spirit of GDPR is to avoid unnecessary collection of personal data,” Kilb said. “The best way to prevent data from being misused is not to collect it at all.”