As we wrap up another year (and another decade), my thoughts are turning to 2020 and what we need to keep an eye out for next year as we put our plans together. 2019 has been one to remember from big data leaks like last week’sTrueDialogue blunder to groundbreaking new technology like the first-ever standards-based authentication for wearables.

The countless data leaks and breaches that plagued many during the past year will bring an increased interest in personal privacy as user data becomes more valuable than ever. With rising demand from consumers and regulatory bodies, organizations will need to evolve their authentication practices to stay afloat and succeed. Here are my top three “truths” for 2020 as we approach the next wave of reliance on strong authentication protocols.

Cyber policy and data privacy will receive double the airtime this election season vs. in ‘16

As we approach the 2020 election, candidates will more aggressively and thoroughly build data privacy and cybersecurity into their platforms alongside more traditional hot-button topics like healthcare, tax reform and more. In order to legitimize their candidacy, they will need to demonstrate a deep understanding of cyber and privacy that impact everyday citizens. Voters will scrutinize candidates on how equipped they are to tackle these pressing challenges and then cast their vote accordingly.

Value of data continues to rise, what was once silver is now platinum: The bounty on privacy will soar

As digitization continues in 2020, data will become more valuable than ever before. Information that may have previously seemed trivial to the everyday consumer will actually hold significant value for stakeholders and hackers across the spectrum. Adversaries or real-life “data bounty hunters” will hunt for new ways to exploit it, governments will seek better ways to access it, enterprises will adopt stronger security measures to protect it and end-users will demand better privacy to secure their personal information. Furthermore, with the rise of AI and machine learning, crucial data that impacts how medical decisions are made, where/how autonomous cars move, and more will become increasingly more mainstream — and increasingly more lucrative to threat actors pining for the information.

The entire globe will need to step up their authentication game

From first world countries pioneering digital transformation efforts to developing ones in the early stages of adoption, more and more people are transacting online and exposing their identities unwillingly. With every device in hand having the ability to access critical personal, financial and healthcare information, comes larger risks and the greater need for a global focus on authentication. European regulations such as PSD2 and GDPR are leading the charge, but 2020 will bring a more dire need for innovation in standards-based protocols and authentication. In order to strengthen security, enable more commerce and allow for widespread adoption of new technologies worldwide, new key sectors such as manufacturing, energy, healthcare and more will adopt robust authentication protocols to provide safety and security to the citizens relying on them.

While the authentication industry has made great strides in recent years, there is still a long way to go to ensuring that identities are truly secure. I believe that 2020 will bring great progress in this fight. I wish each and every one of you a very happy holiday season and a 2020 with much success.

Did you know the Payment Services Directive 2 (PSD2) directive (Directive2015/2366/EU) starts out with 113 introductory recitals?  You can check them out for yourself.

It includes such gems as:

#29: “‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials”

 #30: “‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”

#72: “the payment service provider is to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.”

And even; #100: “competent authorities are granted the necessary power, including the power to impose penalties, where the payment service provider does not comply with the rights and obligations laid down in this Directive, in particular if there is a risk of re-offending or another concern for collective consumer interests.”

The driving force behind PSD2, which is focused on governing electronic and non-cash payments, is a drive for Strong Customer Authentication (SCA) – a process that makes online payments more secure and reduces fraud while increasing authorization rates. 

3D Secure 2 (3DS2) provides an easy way to merchants to implement PSD2 SCA compliant flows when they make an online purchase. This allows the merchant to “authenticate” both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase

Because of this, merchants need to build additional authentication capabilities into their checkout flow in order to continue to process transactions once PSD2 goes into effect. And that date is coming fast. PSD2 was previously slated to start this month, September 2019, but has been pushed back to early 2020 to accommodate unprepared service providers – and likely – to get Brexit in the rear view mirror.

It’s a foregone conclusion that PSD2 is going to start impacting merchants very soon.  The questions now revolve around how many merchants will suffer, how seriously and what will happen to UK merchants once card issuers start declining payments that require SCA but which have not been authenticated via 3DS.

Feeling the pressure?  Here are three steps to take in Q4 2019 to be PSD2 ready in 2020.

Merchants need to simplify or build

Well the good news is that if you are able to operate on a major payment service provider like PayPal or Stripe, you are going to be compliant, as they already put in the engineering effort. The bad news is that most merchants with significant transaction volumes are not using those payment service providers (PSPs) for their full checkout process.  

Those merchants need to build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a different PSP, you’ll have to implement 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.

Banks need to capture the PSD2 disruption and turn it to their advantage

While PSD2 is ostensibly about authentication, it also provides a major challenge to the banking industry. Banks are now required to provide (non-bank) PSPs with direct connectivity to customer account data. While this seems to be a major step towards commoditization in the EU banking sector, it also opens potentially lucrative opportunities for banks to monetize insights from their proprietary data sets.  

A recent report from McKinsey suggest that fast moving banks “could retain their role as trusted financial anchor, as customers would not find it attractive to provide third parties access to their data or accounts.”

Banks that can provide a technology platform and SCA services to merchants and even other less sophisticated banks can stand out in the opportunities that drive in a post PSD2 world.

Merchants and Banks can accelerate their SCA compliance with FIDO

It may come as a surprise, but there is an easy button for PSD2 compliance. It’s called FIDO – the Fast Identity Online. FIDO is not a company, but an open industry standard for SCA compliance.

FIDO Authentication is available to any organization to implement freely, and once deployed, banks and PSPs may accept a variety of FIDO-compliant authenticators that meet the SCA requirements of PSD2. The FIDO architecture offers a true “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements.

With asymmetric cryptography, biometrics, and cryptographic privacy, the result is a single-gesture, multi-factor authentication event packaged for consumers in a very simple user experience that fulfills both merchant and banking needs for PSD2 SCA.

When, and where to turn for solutions?

PSD2 is on a 5+ year odyssey of bringing modern consumer authentication strategies and protections to European consumers. Delayed twice already, it’s unlikely to be delayed further. Banks and merchants who have not made appropriate investments need to move with precision to ensure they are compliant and not subject to fines.  

Fortunately, SCA  solutions can be tested and deployed in a timely manner at a reasonable price. Nok Nok Labs, a founder of the FIDO Alliance and holder of more than 100 patents in the space, provides a ready-to-deploy authentication system that delivers SCA compliance today. We look forward to sharing our process for rapid testing and deployment so you can reach your PSD2 objectives.

The Guardian and Forbes reported that researchers traced a massive leakage of 28 Million biometric and personal records to a company whose products are used worldwide for physical access control to a UK based company. The leak included centrally stored fingerprint, facial recognition, photos, unencrypted usernames and passwords, logs of facility access, security levels and clearance and personal details of staff and comprised over 23 gigabytes of data. The breach reinforces the problem with server-side biometrics and adds to a series of such prior breaches such as the OPM data breach that leaked the biometrics and personal information of US Govt. employees.

This leak points to an “anti-pattern” that security professionals and corporations should understand clearly. A pattern is an idea of how to solve a problem within a class of problems, that repeats itself. An anti-pattern is an idea of how not to solve it because implementing that idea would result in bad design.

The old proverb goes, “Why did Willie Sutton rob banks?….because the money was there!” Biometrics that are transported and aggregated centrally on the server for storage and matching are the worst kind of anti-pattern. They create stores of secrets on the server-side that are attractive for hackers to breach. The possibility of a scalable attack is large, the economic returns are very attractive, and remediation is very complicated.

By contrast, biometrics that work only on your personal device and are never shared, stored or matched on the server are an effective and secure pattern. By distributing the sensitive information and protecting it with extraordinary security, there is no central repository to attack. In other words, Willie Sutton would be out of business as a bank robber and instead be reduced to trying to pick pockets – not a scalable endeavor.

Apple, Samsung and others have proven that by distributing and localizing biometrics to a personal device that is in your control and by placing extraordinary controls around the biometric capture and matching, you can use biometrics as an effective secure pattern. In this case, the data is distributed, and you can at best try a targeted attack on individuals, one at a time – even that is so difficult that the economic incentives are not attractive.

Nok Nok Labs believes deeply in the idea that for privacy, security and the prevention of catastrophic failures like the breach above, corporations should only use the client-side-only biometric pattern as implemented by reputable vendors. We believe this so deeply that we incorporated this as a basic design principle in the creation of the FIDO protocols at the FIDO Alliance that we founded in 2013. The protocols created a more resilient distributed security pattern and are backed today by industry leaders such as Google, Microsoft, Intel, ARM, Samsung, Lenovo, VISA, MasterCard and others who have joined the alliance.

The FIDO protocols represent a good pattern to solve the problem of server-side secret aggregation. Users can leverage a method of authentication that is natural and convenient such as the client-side-store-and-match biometrics on a personal device including a phone or a physical token such as a USB or Bluetooth dongle. The standard ensures that there are no aggregations of secrets (as would be the case with passwords) and is designed to mitigate scalable attacks of all kinds such as phishing, interception by Man-in-the-Middle or compromises of a central repository of passwords. Developers get a simplified interface to implement this, and operators can rely on a single backend infrastructure regardless of device, method of authentication or security requirements. In other words, the standard ensures simplicity for the user, developer and operator.

It’s a well-kept secret that FIDO is already deployed widely and used daily by nearly a billion users at major brands such as Intuit, Bank of America, T-Mobile, Cigna, Google and Microsoft in the US and across Asia at DOCOMO, Softbank, Yahoo! Japan, and some of the largest banks in the region. It is expected to be deployed by most forward-thinking brands by 2020.

The Economic Times reported Wipro as saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

From the news so far, it seems the intent of the attackers was to use Wipro as a staging ground for attacks on Wipro’s customers, effectively entering through a trusted door. If the Verizon Data Breach Report is any indication the odds are better than 80% that the breach targeted employee and administrative credential compromise as the attack vector of choice.

Some of the most respected brands such as Wipro spend money on the best training for anti-phishing and attack detection in the misguided belief that this is an adequate measure. The fact is that security measures that rely on end-users to make the distinction on a legitimate request vs. a fraudulent one are doomed to failure. Too often, companies like Wipro and their service provider community rely on post-attack detection rather than investing in preventative measures such as phishing-proof authentication such as those based on the FIDO standards.

Ironically, earlier in April, the US National Counterintelligence and Security Center (NCSC) launched National Supply Chain Integrity Month to raise awareness about growing threats to the supply chains of the private sector and U.S. Government.

“Foreign intelligence entities and other adversaries are increasingly exploiting supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, and surveil our critical infrastructure,” said NCSC Director William R. Evanina.

“Bypassing our security perimeters, they’re infiltrating our trusted suppliers to target equipment, systems, and information used every day by the government, businesses, and individuals. The cost to our nation comes not only in lost U.S. innovation, jobs, and economic advantage, but also in reduced U.S. military readiness,” he added.

If we can learn anything from history, it would be that the Wipro attack is the tip of the iceberg. A few years ago, Google was attacked by “Operation Aurora”, a wide-ranging compromise of Google’s systems aimed at altering source-code, infiltrating administrative accounts with the goal of accessing accounts of dissident Chinese activists. Given the increasing reliance on cloud and infrastructure service providers, such attacks will continue to grow because they represent a “scalable” attack vector that involves a large payoff.

We strongly recommend both customers and service providers invest deeply in modern authentication that is phishing resistant, multi-factor, standards based and widely supported as well as proven at scale. The FIDO standards pioneering by Nok Nok Labs are one such essential building block of a preventative approach to security that is needed to mitigate the catastrophic consequences of attacks on providers like Wipro.