Strong user authentication could enable big companies to get insurance from cyber crime


This is day 4 of Digital Identity Week.

This post is about the theory of the “insured Internet”.

Most people who track cybersecurity agree on the following:

  1. Anything that is digital can be hacked. Nothing is secure. It does not matter whether you are a Fortune 500 company, Government, US Presidential candidate, mega Bank or payment network. You will get hacked. It is an arms race that the good guys are losing because every solution, no matter how clever and expensive, has a shelf life until the bad guys find a way around it (and the payoff for the bad guys is big enough and the Crime As A Service networks use the full power of digitization). Your identity can be stolen with ease, and with a valid but stolen identity all the KYC & AML processes are useless.
  2. This is a Board level issue in big companies. They are willing to spend whatever is needed because the cost of a breach is so high. This is an existential threat for the biggest companies on the planet.
  3. User authentication is the key. Eliminating static passwords is essential. That is why the biggest tech companies in the world came together to create the FIDO Alliance. This is too big for one company and is critical to all.

The idea of the “insured Internet” is that the security of a customer’s data is protected to a level that it can be insured at a reasonable price.


The company that can deliver this fully secure authentication with one-time passwords today is Trusona (one of the members of the FIDO Alliance).

You can see their demo on their home page, which only takes a few seconds. They unveiled this at Finovate Fall 2016 (where they won Best of Show). The founder was able to give the demo 4 times during the 7 minutes allocated by Finovate, while still leaving room for a relaxed, jokey talk to make the point about how easy this will be for every mainstream user. This is grandparent-friendly.

For the story behind the dongle based technology, which is free to users, read this post on NetworkWorld.

“The TruToken dongle is the miniaturization of anti-ATM-card cloning technology made by MagTek that reads not the digital data recorded on cards’ magnetic strips but rather the arrangement of the pattern of the barium ferrite particles that make the strips magnetic. The particles are so numerous and so randomly placed that no two strips have identical patterns, says Ori Eisen, Trusona’s CEO. That also makes the strips unclonable, he says.

In order to use the authentication system, the Trusona app on the user’s device connects to Trusona’s cloud. The user plugs in the dongle, and if the dongle ID and device ID have been paired, the user is prompted to swipe a card with a magnetic stripe that has also been paired with the user. That can be a credit card, driver’s license, library card, etc. The barium ferrite particles must match.”

Before starting Trusona, Ori Eisen was worldwide fraud director at American Express. So he knows why credit card companies have to charge so much – combatting fraud is expensive.

This is particularly important in America as it makes the transition from mag stripe cards to EMV (we covered the implications in our August 2015 post).

I imagine the Trusona sales pitch to SWIFT will be well received after the hacks they recently suffered (which we covered here).

Over a year ago we wrote that the only way out of the cyber security nightmare is to move off centralized data centers to a fully decentralized Blockchain based network.

“For Banks to seize this opportunity, they have to discard the notion that centralization = secure. Putting it all in one place with a great big lock has been the accepted way since banks started. Decentralization sounds wild, almost hippy, with echoes of anarchic P2P services such as Napster.”

There are many reasons why the Internet will return to its decentralized roots, but telling a Fortune 500 board that their only hope is to move off centralized data centers to a fully decentralized Blockchain based network would get you some odd looks. A Trusona pitch would be much easier.

Swiss Grand Parents may be first

If you live in Switzerland, you may already use a dongle with one time passwords. Many Banks insist upon it. But each dongle is bank specific and can be rather unfriendly to use, making onboarding harder. So the mass market rollout could happen first in Switzerland.

Not only is it easier for onboarding, but as the Network World article explains, the Trusona dongle adds an additional layer of security.

“The way the card is pulled through the card reader on the TruToken is also a unique identifier, Eisen says. People pull them through at different speeds, at different angles and from different directions in a manner that is readable and unique, he says.”

John Le Carre can explain

In October 2015, we wrote about how tokenization could be the trojan horse that will break the credit card rails.

“tokenization enables the one time password that a student of cold war espionage stories would recognize. If you steal the token/one time password, you can steal the contents of that message/payment and only that message. That is fundamentally different from stealing the Primary Account Number (PAN). If you steal the PAN (by physically stealing a card or reading the mag stripe encoded data from a merchant) you can steal a lot of money.”

Implications for InsurTech

This affects everything that happens online. If customer data is insecure, all the business models based on social, media, analytics, cloud and ecommerce are threatened. Securing data through strong user authentication makes the Internet viable. It is as dramatic as that.

Trusona happens to be first to market with some clever technology, but secure user authentication is much bigger than one company. That is why FIDO Alliance is backed by the biggest global Fin companies and the biggest global Tech companies.

One of the Board Members of FIDO Alliance is Abbie Barbir, who is a Senior Security Adviser at Aetna.

As this article in CIO points out:

“Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. But it doesn’t do a good job of covering the reputation damage and business downturn that can be triggered by a security breach.”

Also the cost of Insurance is totally dependent on your level of security. Imagine your car insurance premiums if you had to tell the Insurance company that you always left the doors open with the key in the ignition (and the title deeds in the glove box).

As CIO puts it:

“Cyberthreats are so broad that the cost of protecting against them all would be prohibitive.”

This will be a big market for insurance and, being new and tech-enabled, may leave room for an InsurTech innovator.


Daily Fintech Advisers provides strategic consulting to organizations with business and investment interests in Fintech & operates the Fintech Genome P2P Knowledge platform.

