After years of dire predictions, the problems caused by weak identity management could be about to catch up with businesses across the UK.
Their fears have not been caused so much by the criminals as by the bureaucrats, law makers and politicians who have spent years honing the General Data Protection Regulation (GDPR), the much-discussed piece of EU legislation now hitting the business inbox.
Among the GDPR's many complex implications, one of the most important is its effect on how data breaches are handled. In the UK until now reporting such incidents has been up to the affected organisation as a matter of best practice, with little legal compulsion to inform individual customers.
The GDPR changes all this. If an individual's rights and freedoms are likely to have been breached, potentially nasty fines can be handed out to businesses that have fallen foul of the rules. It's not hard to understand why businesses are worried, given the number of channels through which sensitive customer data can leak into the public domain.
In the UK, as elsewhere, data used to be mostly stolen from poorly secured internet-facing databases – think TalkTalk's 2015 compromise of 157,000 users' financial details thanks to an SQL injection attack. Two years later, data was compromised through insecure third parties in other countries, as TalkTalk found out to its cost.
Then there are the incidents that haven't happened but spread alarm, for example the announcement by shipping company Clarkson's in late 2017 that attackers might be about to release unspecified data after a ransomware attack.
A PwC report showed that enforcement actions by the Information Commissioner's Office doubled to 35 during 2016. The fines it imposed that year may sound like peanuts at £3.2m, but they could reach the billions when administered under the tough rules of the GDPR.
If only it were as simple as doing a bit more due diligence on data partners, patching up developer database fails and remembering not to leave customer data sitting on open Amazon S3 buckets.
GDPR Article 5F shows how there might be more to the idea of customer data than many anticipated. It states that data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."
In the old world, a data breach was an incident in which a single tranche of data entered the public domain either by accident or as a result of a criminal act. GDPR expands this to include the loss of all data, even if it happens to be the result of a criminal action such as criminals taking over an online bank account.
It's an unfamiliar world. Until now, account takeovers achieved through phishing and credential theft, a sign of weak computer security, have rarely been reported as breaches.
But weak security encompasses the entire process, including identity verification and authentication – precisely the parts of the security chain that many organisations have been struggling with.
An additional pressure for businesses is the arrival of the EU’s revised Payment Services Directive (PSD2), which also makes its debut in 2018. Under PSD2, the banks will no longer have a monopoly over their customers' data, which third parties will be able to access through a series of open APIs.
Strong customer authentication (SCA) becomes a pressing requirement in ways that will be impossible for providers of identity verification and know-your-customer (KYC) technology to dodge.
GDPR Recital 64 makes it abundantly clear: “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.”
In effect an identity breach, even of a single customer, counts as a data breach in miniature.
It's difficult to adjust to this possibility in a world where customers must authenticate themselves through technologies that run from old knowledge-based authentication to a bewildering mash-up of multi-factor authentication options.
A big hassle for any authentication system is the account reset process, an everyday chore that the cybercriminals long ago spotted as a weakness.
One example is the epidemic of SIM-swap frauds, where criminals persuade a mobile network to deactivate the live SIM, by claiming it is lost, say, and reactivate the number on a SIM in their possession. From that point one-time passwords are sent to the criminal, not the genuine customer.
As of January 2016, the US Federal Trade Commission took note of a reported 2,600 cases of SIM swap fraud, but this was likely to be a significant underestimate. Later that year, the US National Institute of Standards and Technology suddenly deprecated SMS authentication, since when many providers have bailed from the technology.
What might patch this? Companies crave alternatives that are not only secure but also avoid delay and are not too complex for customers to cope with.
It's asking a lot: any system doing its job in a GDPR-compliant age must be able to integrate user onboarding, KYC compliance and identity verification, and somehow stop account takeover scams, all in one shot.
The traditional solution has been for banks to enable layers of security as they come to market, as did HSBC's First Direct when it embraced Apple's Voice and Face ID to verify customers. By 2018 the bank had enabled Pay by Siri, again backed by the authentication technology baked into Apple products.
Impressive, but it’s still a model in which the identity verification is done on a case-by-case basis, with customers using a variety of different providers’ technologies. One answer is for the customer, not the provider, to determine which verification is used.
OnlyID from FIS and Equifax, for example, allows customers to onboard or authenticate themselves to e-retailers that are part of the network. What matters with this approach is less the underlying predictive analytics and biometrics than the concept of identity-as-a-service overcoming technological fragmentation.
Another method is for online companies to pair the use of some type of government-issue ID with a reliable form of verification and authentication.
For now, GDPR has an air of unreality but that will change when the fines start flying and companies flock to the simplest, cheapest solution they think customers will use. Meanwhile you can assume there will be trouble ahead.