Reenvisioning CyberSecurity Infrastructure: The Key to Safeguarding Sensitive Corporate and Consumer Information
Frances Zelazny, CEO of Anonybit
It is National Cybersecurity Awareness Month and, inevitably, another massive data breach has made major headlines, this time involving compromised account data affiliated with the biggest U.S. cryptocurrency exchange, Coinbase. The company, with its 68 million verified users, recently discovered a devastating hack that took place between the months of March and May of this year. Using compromised email addresses, passwords, and phone numbers linked to the affected Coinbase customer accounts, hackers exploited a flaw in the company’s SMS account recovery process to gain access to roughly 6000 customer accounts and transfer funds to crypto wallets not associated with the company.
This incident alone is an urgent reminder for corporations to reimagine the ways in which personal data is managed. Account recovery and step-up procedures involving PINs, passcodes, device IDs, email addresses, and other knowledge-based protocols are all weak substitutes for actual identity, and they are precisely what hackers target and exploit. The Coinbase hack is just the latest reminder that the systems currently responsible for safeguarding our personal assets are not adequately equipped to do so on a consistent basis.
That being said, these lapses in cybersecurity go well beyond the continued use of insufficient authentication systems; they are part of a larger conversation around privacy, security, cost, and consumer convenience. Currently, American corporations are not universally equipped with systems that allow them to ensure users are who they say they are when attempting to access sensitive information. The fact is, doing it right means introducing a lot of friction into the user experience and requires organizations to hold on to and manage a lot of personal data that they do not want to own.
For consumers, completing a full identity verification prompt every time they’d like to access their bank account can be unpredictable, repetitive, and frankly, bothersome. On the corporate side, managing passwords and access to corporate networks is also tedious and frustrating, but making changes to legacy applications is not so easy. Simply put, as stated before, there is a constant tradeoff between security, cost, and convenience, and now we can add privacy to the mix.
With little compromise to be found between giving users full autonomy over their personal privacy and employing universally secure systems to protect sensitive information, many companies have opted to rely on device-based biometrics, in other words, the Face ID or Touch ID found on most smartphones. With this model, biometric information is placed directly in the hands of consumers, resulting in a revolutionary level of convenience that allows users to access systems anywhere at any time using their biometric as their entry ticket. The smartphone validates the holder locally and reports only whether or not there was a match; it does not bind that result to an authorized identity held by a known system or root of trust.
Knowing that enterprises aren’t able to truly verify who is behind a given transaction, hackers exploit vulnerable systems by mining for the user information needed to impersonate victims, thereby circumventing security protocols. This is exactly what the Coinbase hack demonstrates.
So, what is the solution? In what ways can companies still protect themselves and their consumers without forcing people to jump through countless hoops for something as simple as checking an account balance? Leading security experts and innovators are advocating for a few things, primarily in the realm of decentralizing data and raising levels of security, so that models based on a six-digit passcode, your mother’s maiden name, or the street you grew up on aren’t the first line of defense against hackers.
These emerging models are based on decentralized biometrics, where the storing and matching of the data is done in the cloud, but in a way that gives cybercriminals nothing to find and nothing to steal, while eliminating the risk of impersonation and the need to fall back on PINs, passcodes, or knowledge-based authentication. These decentralized frameworks can also be used to store and retrieve real secrets, striking an unprecedented balance between privacy preservation and digital security. Corporate security infrastructures stand to benefit from phasing in these new frameworks for a few reasons. First, doing so reduces the cost of password management without opening up the new risks that come with managing personal data.
Secondly, connecting these models to the rest of the identity ecosystem that an enterprise manages ensures that the person presenting a device is the bona fide person to whom access should actually be granted. This distinction is particularly crucial when a hacker takes over a device or circumvents the process completely by claiming a new device. In the case of Coinbase and other cryptocurrency exchanges, these models align very well with the mission of anonymity with full security.
Adopting these new infrastructures is not an easy task for enterprises caught up in a realm of other major digital transformation initiatives. But they are critical elements of the future of our businesses and our societal fabric. Using the principles of data minimization, Privacy by Design best practices, and a corporate commitment to protecting identity, companies can begin implementing secure, privacy-preserving systems that best serve their intentions and their consumers. Maintaining these kinds of infrastructures should be prioritized as a form of Corporate Social Responsibility (CSR), all in an effort to safeguard private information and prevent further cyberattacks. Of course, there is a role for privacy legislation and regulation as well, to drive accountability and best practices on all sides of this issue.
The ongoing debate over where corporations should stand on a spectrum that has airtight digital security at one end and privacy preservation at the other is an understandable one, but with the introduction of decentralized data and the use of biometrics, this tradeoff suddenly becomes obsolete. These emerging models ensure a healthy balance between the two extremes, providing solutions for all kinds of enterprises, government agencies, corporations, cryptocurrency exchanges, and more, to enhance digital security and prevent cyberattacks without ever infringing on consumer or employee privacy. And as we know, there is no better time to pursue this balance than right now.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.