For those worried about the security of identity in the age of mobile, the last few weeks have not exactly been an encouraging time to be reading the headlines. Google’s Project Zero, an in-house team tasked with finding and publishing security and privacy vulnerabilities it finds in public software, released a blog post detailing major security holes it had discovered in iPhone software going back two years.
The flaws have been fixed since February, but industry watchers were bewildered that such exploits had sat out there for so long and that Apple had needed an outside team to discover it.
Also, bewildering was the fact that Google finding a hole in Apple’s security was the second most attention-grabbing security failure last week. The unfortunate distinction of first place went to Twitter CEO Jack Dorsey, who was a victim of a SIM Swap attack that left his Twitter account spewing racist invective for about 20 minutes.
It was a hard week to feel particularly secure on a mobile device, Karen Webster observed in a recent conversation with Boku CEO Jon Prideaux, as it was easy to get the feeling that an identity thief is hiding around every corner — and perhaps in every text message or Tweet to boot.
Moreover, while Prideaux agreed that the never-ending hit parade of clever hacks is scary, the most important thing to keep in mind is that none of this is new. Since the days of desktop computing there has been an arms race between cybercriminals and cybersecurity teams. There are always going to be “day zero” security flaws — and there are still going to be those out there set to profit off them.
“Software is a messy business, there are a lot of interacting parts and occasionally exposures will be found,” Prideaux said. “There is no single fix that will solve every issue for all times. What we have a responsibility to do is keep things up to date and adopt the best practices for locking the bad guys out.”
So those best practices, he noted, aren’t necessarily about building the highest possible wall. Increasingly they are about finding ways to make the cleverest possible lock.
Security With Simplicity
The problems with identity theft and account takeover (ATO) fraud are real and seriously need to be addressed. SIM swap attacks of the kind Dorsey went through, Prideaux noted, are new and in the public eye this week because of whom they most recently targeted — but they belong in the broader classification of the crime known as identity theft that has been on the rise for most of the 2010s. That trend is something that should worry the entire payments and commerce marketplace.
However, he said, that isn’t justification for overreacting and deciding the best way to defeat the problem is by adding layer upon layer of security stutter steps where one stops a transaction to ask for another proof of identification. Or to decide that every consumer needs to be holding onto multiple devices for multiple life functions to keep things separate and secure.
“We have to admit that ship has sailed. Consumers want to have access to their data when they need it and how they need it and they don't want to carry 15 devices. The challenge is on the software and hardware makers to develop a process that supports them so they can do business how they want to and feel secure while they are doing it,” Prideaux said.
The data is clear on this subject: for every security hoop a customer has to jump through, conversion levels fall. For some transactions — particularly large ones — consumers are open to a little friendly friction because it acts as a security blanket. However, for everyday transactions, what they want is secure convenience that doesn’t bother them or slow them down.
It is why Boku, he said, has focused its security efforts around the phone hardware itself. Phone companies, to bill consumers, need a high level of security around authentication. It means they've built a very comprehensive security architecture around a set of unique keys within their devices that are incredibly difficult to hack or spoof. For Boku, the goal is to create a system that detects the phone number from which a mobile transaction is issuing, and match the data to the transaction.
“If we can detect the SIM is right, we can provide that magic formula of security without inconvenience,” he said. A phone’s identifying data is sufficient to tell a merchant that they are either almost certainly dealing with the customer they think they are, or that there is something unusual going on, and to add more fiction or the process.
The best security process, the one Boku wants to build, is based around a no-friction baseline that only adds in hurdles like passwords selectively when there is a reason to suspect a transaction.
The Challenge of the Global Last Mile
Boku’s solution may sound intuitive and straightforward — use a secure and hard to hack identifier as the cornerstone of an authentication process — but as is the case with many ideas that sound simple, the reality of delivery is much more complicated. There are about 150 telecoms in the world with over 10 million members, which means it is fragmented from the start. Also, even though telecoms worldwide have “standards and regulations coming out of their ears” on a variety of subjects, they have almost none around sharing data. Anyone who is thinking about this as an authentication method, Prideaux said, is taking on 150 separate negotiations of 150 different integrations. The barriers for entry are unbelievably high, he said, noting Boku only found itself in this line because it had previously developed carrier billing products for a host of global telecoms, and realized the same technology could be directed toward authentication in general.
“We had 90 carriers … To try to build it from nothing, it would take a long time and an awful of money,” he said.
To get as far as it has, Prideaux said, it’s taken Boku about 10 years and some $100 million. Using telecom data for authentication may seem simple and obvious — actually doing it is anything but.
However, he noted, progress is being made. A system of telecom data-linked authentication is maximally effective when all 150 of those major telecoms are actively in the system — but efficacy is not quite that all-or-nothing. Once a firm has one or two of the major carriers in a market, he said, it can begin demonstrating to merchants that it can both prevent more fraud and pass through more viable transactions.
Moreover, the good thing about things that work, he pointed out, is that they have a habit of catching on, particularly in the world of cybersecurity where the arms race is ongoing, and any edge against hackers is valuable.
“Today this is still among early adopters,” he said. “But the pattern is clear, and I think sooner than you think this will progress to just being an industry-standard way to verify identity.”