In Cybersecurity today, you will be hearing many acronyms and buzzwords being bandied about. Some of these include the likes of HIPAA, GDPR, CCPA, along with some of the others I spewed out in yesterday’s blog about some of the important KPIs that a CIO and/or CISO must pay attention to these days.
Probably two of the main buzzwords you will be hearing about this year, especially as some of the heavy-duty conferences soon take place (such as RSA), are 2FA and MFA.
Respectively, both of these acronyms stand for “Two Factor Authentication”, and “Multi Factor Authentication”. Both of these instances refer to at least two or even more layers of security being used to confirm your identity before you are allowed to gain access to whatever you are seeking. A good, commercial example of this is the iPhone.
With the newer models out, you need to enter not only your PIN or password, but your identity must also be confirmed with the use of either Fingerprint or Facial Recognition (the brand names for these are “TouchID” and “FaceID”).
I have written numerous blogs and articles on both of these hot button topics, and personally, I like to use the MFA approach. This is technically where at least three or more layers of authentication are used (in other words, it makes it harder for the Cyberattacker to break through your iPhone).
A critical component of both 2FA and MFA is Encryption. This belongs to the field known as “Cryptography”, which has been around since the days of Julius Caesar. It can actually be a very complex field, as it depends heavily upon the use of very high-level mathematics (want to know more about this stuff? Wait for my upcoming book, I’ve got a whole chapter devoted to it).
Simply put, Encryption renders your Personal Identifiable Information, or PII, into a garbled state so that in case it were to be heisted by a Cyberattacker, there is not much that can be done with it. Take once again the example of your iPhone.
The passwords, PINs and the Fingerprint or Facial Recognition Templates that are stored in there are in a garbled state (or encrypted) so that in case you lose your iPhone or it is stolen, there is nothing much that can be done with them until you execute a Remote Wipe command to your iPhone.
Since this kind of PII remains the same for periods of time, this type of Encryption is known as “Static”. Then there is also what is known as “Dynamic Encryption”. This is best exemplified when you make a purchase at an online store.
Once you have selected the product or services you want to purchase, you obviously proceed to the next step, which is the checkout. At this point, you enter your credit card and shipping address information, as well as your relevant contact info.
Once this transmission has finished processing, more than likely the PII that you have submitted will remain in the database of the online merchant, and of course it will be Encrypted. The primary reason for this is convenience, so you do not have to keep entering your PII every time you make a new purchase. But of course, there are security risks with this kind of approach as well.
The reason why this is called “Dynamic Encryption” is that when your PII is being processed, it is done through a secure website which is protected by a protocol known as the “Hypertext Transport Protocol Secure”, also known as “HTTPS” for short. The next time you make an online purchase, if you use Chrome, pay attention to the very left-hand side of the URL bar. You will notice a tiny padlock; this is your clue that you are on a site that uses HTTPS.
But here is the shortcoming. Even while you are on this secure protocol, your PII is still technically in a cleartext format – it is only encrypted after the transaction is complete and your PII is stored into the database. Thus, this is a huge vulnerability that a Cyberattacker can easily break into (well, depending upon their level of sophistication) and steal your PII while it is still in a decipherable format.
So, you may be asking at this point, what can be done about it? Well, there is yet another area of Cryptography, technically known as “Homomorphic Encryption” (HE for short), which can actually render your PII into a garbled state while it is being processed.
So for example, as you enter your credit card information to an online merchant and eventually hit the “Make Payment” button, at that very moment, that data will be encrypted as it is being processed (processing in this case means that the online merchant will be contacting your credit card company in order to confirm the validity of your card and post the transaction).
Because of this, your PII is at least theoretically safe at all times, because it is always in a garbled state.
The concepts surrounding HE are actually nothing new; research into it goes back all the way to the early 1970s. However, it was not until about 2009 that a scientist at IBM, Craig Gentry, created the first true HE based algorithm, based upon the structures of mathematical lattices.
Now, for the first time, this very same algorithm is being tested, and to some degrees even being deployed into a production environment, by a financial institution known as “Banco Bradesco, S.A”, based out of Brazil.
They have been working in close conjunction with IBM Research in this endeavor and have even been able to implement Machine Learning (ML) into the HE algorithm as well. It is very important to note here that at some point in time, when your credit card information and PII are transmitted to the credit card company (back again to our example of the online store purchase), they have to be Decrypted (in other words, rendered back into a decipherable format) so that the information and data can be matched up on both sides.
This part of the transaction is still yet another weak point and poses yet another venue for the Cyberattacker to crack into. But by using the HE algorithm, all of your PII actually remains Encrypted, and remains that way permanently.
But in order to make this work, both the sending and receiving parties (which is the online merchant and the credit card company) have to have this specialized algorithm deployed and ready to go on their sides.
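An added example, not code from the original post nor from IBM Research or Banco Bradesco, of the processing-while-encrypted idea described above and of why both sides need the scheme deployed: it uses the Paillier cryptosystem (additively homomorphic, a far simpler scheme than Gentry's lattice-based one) with constructed toy-sized primes, so the credit card company holds the key pair and the merchant totals the basket and applies a fee while seeing only ciphertexts.

```python
import math
import secrets

# Added example: Paillier (additive HE), not Gentry's lattice scheme and not
# any production code. The card company owns the key pair; the merchant
# only ever handles ciphertexts and never needs the private key.

def keygen(p, q):
    """Paillier key pair from two primes (toy-sized here; real keys use ~1024-bit primes)."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1                                  # standard choice when p and q have equal length
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)                   # public key, private key

def encrypt(pub, m):
    """Randomised encryption of integer m < n; the same m yields different ciphertexts."""
    n, g = pub
    n2 = n * n
    r = 0
    while math.gcd(r, n) != 1:                 # pick random r coprime to n (gcd(0, n) = n starts the loop)
        r = secrets.randbelow(n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    """Only the private-key holder (the card company) can recover m."""
    n, _ = pub
    lam, mu = priv
    return (((pow(c, lam, n * n) - 1) // n) * mu) % n

def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts adds the plaintexts: Dec(c1 * c2) = m1 + m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def scale_encrypted(pub, c, k):
    """Raising a ciphertext to k multiplies the plaintext by k: Dec(c ** k) = k * m."""
    n, _ = pub
    return pow(c, k, n * n)

def encrypted_checkout_total(pub, encrypted_items, fee_percent):
    """Merchant-side processing: total the basket (amounts in cents) and add a
    percentage fee without decrypting. Each item is scaled by (100 + fee_percent),
    so the decrypted result is the fee-inclusive total multiplied by 100."""
    total = encrypt(pub, 0)
    for c in encrypted_items:
        total = add_encrypted(pub, total, scale_encrypted(pub, c, 100 + fee_percent))
    return total

if __name__ == "__main__":
    pub, priv = keygen(7919, 7927)             # constructed demo primes, far too small for real use
    basket = [encrypt(pub, a) for a in (1999, 2501)]      # $19.99 and $25.01
    total_c = encrypted_checkout_total(pub, basket, 2)    # merchant applies a 2% fee blind
    print(decrypt(pub, priv, total_c) / 100)   # card company decrypts: 4590.0 cents = $45.90
```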
My Thoughts On This
In the world of Encryption, it very often takes a set of two keys to both Encrypt and Decrypt the PII (or for that matter, any other form of message or data) that is being transmitted from the sending party to the receiving party, and even vice versa. To get a little bit more complex, this takes the use of a Public Key (which is used for Encryption) and a Private Key (which is used for Decryption). This is yet another area of vulnerability which the Cyberattacker can penetrate as well.
But from what it sounds like, there is no need to have these keys with the HE algorithm. Once again, everything remains Encrypted, and permanently stays that way until the PII is permanently discarded. This will become especially useful as the concepts of Machine Learning and Artificial Intelligence (AI) start to get fully deployed.
These are tools that can be used to predict end user behavior; doing this in a Cybersecure fashion was one of the primary objectives for this financial institution, when it came to the customer needing a loan or making withdrawals from their checking and/or savings account, and even predicting fraudulent activity.
The HE algorithm will become, in my view, of paramount importance as the Internet of Things (aka “IoT”) starts to take off this year and well into this decade. This is where all of the objects that we interact with both in the physical and virtual worlds are all connected together, in order to make life convenient for us.
But, while this does have its advantages, the main flipside is that it only increases the attack surface for the Cyberattacker, which means our PII is at even greater risk. This is a specific instance where the HE algorithm will be needed greatly.
Finally, it is not just the banking sector where this algorithm can be used . . . it can pretty much be applied to any industry, market segment, or business that needs to Encrypt and store information/data in a safe manner.