While hacks have been nearly endemic over the last several years, they have, at this point, mostly faded to the level of background noise for the average consumer. Sure, the aftermath of having a card compromised is often annoying and involves changing cards stored in digital wallets and with subscription sites, but consumers know that their bank has their back. So, it’s not like it’s the end of the world or anything.
And then, the end of the world showed up. The digital world anyway — for a few hours last Friday (Oct. 21).
Waking up Friday morning, those who tried to log into Netflix, PayPal, Amazon or Twitter got something of a nasty shock — hackers had managed to break the parts of the internet that everyone really, really likes to go to.
And they couldn’t even tweet to complain about it.
The good news is that, by the afternoon, the problem had been mostly fixed: Tweets were flowing, payments were happening and binge watching on Netflix resumed mostly without incident.
But as media sources have been noting all weekend, the scary part of this pre-Halloween spooky digital story isn’t what happened; it’s how it happened and what could happen next.
The reason that large sections of the web went down in flames was wave upon wave of distributed denial-of-service attacks that rocked servers with so much excess traffic that users could not access those sites all the way from the U.S. into Europe. Where did those attacks originate? Millions of internet-connected machines, including webcams and other household devices, such as thermostats, that were turned into bots — the malicious kind.
Yes, those DVRs that we wonder why they still occupy the bookshelves in our family rooms turned on us — thanks to a hacking group calling itself the New World Hackers (original naming is apparently not a strong suit). The question of the day is how to prevent NWH — or a likeminded group — from turning our devices more efficiently against us in the future.
And while there are no easy silver-bullet answers on offer 72 hours out, Visa and Intel today have jointly announced a big step forward. Said simply, Visa and Intel want to create robust security for the Internet of Things and make it easier to instantly and correctly authenticate all those devices and encrypt payment data so that NWH or any of the other bad guys with similar ambitions can’t turn them against us.
When Capacity Grows Faster Than Security
The IoT is growing at a rate so fast it is hard to actually conceptualize, Visa SVP of Risk and Authentication Mark Nelsen told Karen Webster in a chat before the official launch of the Visa-Intel pair-up. It took Visa 50 years to build up to 3 billion cards in the worldwide marketplace. By contrast, he pointed out, the average analyst estimates that there will be 38 billion connected devices in the marketplace within the next four years.
And as Friday’s events showed, all of that enthusiasm for the IoT doesn’t necessarily mean the same level of consideration has been given to securing it.
“Security is often an afterthought when getting the devices out there,” Nelsen noted. “When consumers buy them, there is not a seal that says, ‘This is a secure device.’ There are just no formal standards for the IoT, and so, we are expecting that a lot of these devices are going to have their vulnerabilities. That is going to be especially true of lower-end devices that do not spend the money on that.”
But Visa — in partnership with Intel — is hoping to address those vulnerabilities by baking secured encryption right down into the chip level of the hardware. Going forward, Nelsen noted, Intel-powered devices will have encryption capabilities built in to encrypt payment data when in transit as part of a transaction.
Bad guys may still get in, but what they’ll get will be “useless data” without the decryption key needed to make it usable.
All this will happen through Intel’s DPT (Data Protection Technology) — but with Visa’s addition of format preserving encryption. Regular encryption, he noted, would take a 16-digit card number and turn it into a 64-bit alphanumeric that can’t be used in a commerce transaction. Visa’s format preserving encryption in the system allows for more efficient transmission of data, Nelsen explained.
And Visa and Intel are also thinking a bit more deeply about the machine and how authentication should happen in a world where tens of millions of new devices are showing up to become part of the IoT commerce reality that is now upon us.
Baking Authentication In
Apart from issues of data being lifted from systems, merchants have a new issue coming their way, which is a wave of devices looking to transact that are very different than what has come before.
“We also have device-level authentication happening in the chip, “ Nelsen told Webster.” When you buy something today from your phone or laptop, merchants are using third-party software solutions to provide clarity on the device and how safe it is. That software is good, but we think we can do better by actually putting some of that technology directly into the chip hardware itself.”
The practical application of that, Nelsen explained, is that new Intel chips will generate an ID that will authenticate that device that can then be sent onto Visa (for decryption) and then onto issuers. The more often that device is seen without issue, the more trusted it becomes.
Hackers will, of course, keep on hacking, and with 38 billion devices to choose from entering the market, it is unlikely they will get bored soon. But as surprised as the average consumer felt on Friday, the teams at Visa and Intel mostly saw something they’d been anticipating and had already built a product to fight.