This month is National Cybersecurity Awareness Month. Let me be blunt. If you don’t think you are responsible for cybersecurity – you are wrong.

Think about the footsteps you leave in the digital sand, your digital persona, information that you would consider private, valuable and vital. Now, think about how those bits and bytes of data can be used against you, can be taken from you and put to serve nefarious purposes. This is not a science fiction dystopia – this is our world.

To illustrate, let me paint a picture. You have a doctor’s appointment. You show up to the office and check-in on your smartphone, confirming your identity, the time of the appointment and the ailment for which you are being seen. You sit down and – while waiting – you open up your social media platform of choice to pass the time.

Your social media profile lists your friends, their birthdays, the things you like, your political preferences and on and on and on.

While browsing, an ad is presented for something you’re interested in. This ad was served up based on your interests, browsing history and ads that you have clicked on in the past. As such, you are very interested in what is being offered, but you aren’t sure if you can afford it. So before you buy, you open up your banking application to check your balance.

The banking app shows you your current balance in your checking account, your savings account, how much you owe on your credit cards, a long list of recent transactions, where and for how much they were for. You see you have enough for the purchase, flip back over to the advertisement and buy the product. You get called into the office for the doctor and a few days later, your package arrives at your door.

Simple, right? Amazing. It’s the miracle of the modern age.

Now, imagine going through all of that – but rather than it taking place on the privacy of your own screen, it is over the phone and the phone is on speaker. Your ailment is announced to the waiting room. As are the names of all of your friends and your political preferences. Your interests – both private and public – are announced and the things that you want to buy become public knowledge. Your bank account, recent purchases, credit card number and debt are also provided to anyone within the sound of your voice.

Without encryption, without security, without paying attention to the way in which your data is hoovered up, collected and distributed – any passing person who speaks binary can steal, copy, exploit and change your personal information.

That is why this month is important. Your data is YOUR data. It is vital that you are aware of how to protect it. If you have a device that connects – it needs to be protected and YOU are the one responsible for making sure that happens.

This month we look forward to having unfiltered conversations about cybersecurity. We will post our thoughts on how the pandemic has changed the concept of secure perimeter-based security, how the proliferation of small devices connecting to the greater web – as valuable as they are – has increased the attack vectors that we need to monitor and where we all may be headed in the future.

We invite you to join us in this discussion. But even if you don’t, we compel you to remember: The most important person responsible for your cyber security is you. Take that responsibility seriously.

It is not a surprise to say that passwords are broken. They were not designed to secure today’s connected economy. As an inventor of FIDO standards, we knew that the key to replacing passwords was a privacy-by-design specification that championed interoperability and decentralized the security topography.

The Nok Nok™ S3 Suite goes beyond the standards. It is the most widely deployed FIDO-certified solution on the planet. It has powered billions of consumer authentication events for banks like BBVA and Standard Bank, for telcos like T-Mobile and NTT DOCOMO, and for a variety of other industries like physical security, government and insurance. We have deployed the Nok Nok solution, at scale, more times than any other purveyor of FIDO certified servers. Our level of experience delivers a better product, a better team, a swifter and more stable integration, and a collection of benefits we are excited to share in this new release of the Nok Nok S3 Suite.

Adaptive Policies
Existing authentication systems are robust – but most have been deployed using username and passwords as their foundational layer. We know that passwords do not make a firm foundation. In order to shore up that weakness, new systems have been bolted on to make the passwords more complex, to ask personal questions, to generate and distribute one-time-passcodes or harvest device details in order to lower the probability of fraud (just a little!). Risk-engines were devised to collect and analyze these data points. Regulations have been created mandating the use of these additional methods. As we move into a passwordless future, some of these requirements persist and will still be needed.

With the Nok Nok S3 Suite you can power large scale passwordless deployments – deployments which can be paired with existing risk engines, behavioral biometrics, or other systems. With our new release, we simplify the integration and add an engine capable of dynamically adapting to the context of an authentication event. This allows our customers to select appropriate risk factors and implement them without writing a single line of code. By including authentication context, we help enable compliance with the requirements of PSD2 SCA, and other privacy and security regulations. The new, simplified integration accelerates time to deployment and provides the tools necessary to address the most pressing financial industry requirements.

Expanded Device Support
Since the beginning, FIDO standards have been about interoperability. We worked tirelessly in the early days to make sure the standard integrated with handset manufacturers like Fujitsu and Samsung, secure silicon providers such as Qualcomm, and authentication providers for facial and fingerprint recognition. Nok Nok was the first to bring FIDO authentication support for the Apple Watch and today we are happy to let you know we now also support WearOS (formally Android Wear). But our work is not done. As new devices and solutions come to market, we are eager to expand our support and bring more choices to the consumer. Through our API and SDKs, the same user experience and security can be provided, regardless of channel or device.

Nok Nok™ Quick Authentication
Bandwidth is crowded, especially now that more of us are online with multiple devices. Phones are connected to earphones, watches, computers and more. Each wireless interaction carries a network cost and introduces delay and latency to the customer experience. Some networks are not as robust as others and this inconsistency of experience can create frustration and friction for users.

Following our history of designing “beyond the standard”, today we are introducing Quick Authentication with this latest release. Nok Nok™ Quick Authentication performs secure FIDO authentication in a single network round trip. Organizations can now significantly reduce their network traffic. End-users get both speed and security with this update.

Going Beyond
While FIDO standards are a leap forward towards a passwordless world, the Nok Nok S3 Suite takes you there and beyond. Our latest technology is built to address the authentication needs of companies wrestling with regulatory complexity, without adding friction to the user experience. Customers expect privacy, and regulations – such as CCPA and GDPR – have strict rules and significant penalties for privacy violations. The Nok Nok S3 Suite eliminates the need to centrally store biometric customer data for authentication and – as mentioned – it follows a privacy-by-design approach. With strong, multi-factor authentication, the ability to comply with FFIEC, PSD2 SCA, HIPAA and other regulations is enabled. In addition, support for EMVCo 3DS2’s requirement for transaction confirmation of high value transactions is already included.

We view authentication as the front door to the connected economy. That door should be frictionless, yet secure. It should provide the security an organization and regulatory body requires while not turning away the end-user. We have deployed our solution to customers with tens of millions of users and we know how to build and integrate a scalable solution.

Simple. Secure. Scalable – was what we committed to 8 years ago and what we continue to deliver today.

For more information on the Nok Nok S3 Suite, please download the product brief here, or reach out to our team who will be happy to answer any questions.

As we wrap up another year (and another decade), my thoughts are turning to 2020 and what we need to keep an eye out for next year as we put our plans together. 2019 has been one to remember from big data leaks like last week’sTrueDialogue blunder to groundbreaking new technology like the first-ever standards-based authentication for wearables.

The countless data leaks and breaches that plagued many during the past year will bring an increased interest in personal privacy as user data becomes more valuable than ever. With rising demand from consumers and regulatory bodies, organizations will need to evolve their authentication practices to stay afloat and succeed. Here are my top three “truths” for 2020 as we approach the next wave of reliance on strong authentication protocols.

Cyber policy and data privacy will receive double the airtime this election season vs. in ‘16

As we approach the 2020 election, candidates will more aggressively and thoroughly build data privacy and cybersecurity into their platforms alongside more traditional hot-button topics like healthcare, tax reform and more. In order to legitimize their candidacy, they will need to demonstrate a deep understanding of cyber and privacy that impact everyday citizens. Voters will scrutinize candidates on how equipped they are to tackle these pressing challenges and then cast their vote accordingly.

Value of data continues to rise, what was once silver is now platinum: The bounty on privacy will soar

As digitization continues in 2020, data will become more valuable than ever before. Information that may have previously seemed trivial to the everyday consumer will actually hold significant value for stakeholders and hackers across the spectrum. Adversaries or real-life “data bounty hunters” will hunt for new ways to exploit it, governments will seek better ways to access it, enterprises will adopt stronger security measures to protect it and end-users will demand better privacy to secure their personal information. Furthermore, with the rise of AI and machine learning, crucial data that impacts how medical decisions are made, where/how autonomous cars move, and more will become increasingly more mainstream — and increasingly more lucrative to threat actors pining for the information.

The entire globe will need to step up their authentication game

From first world countries pioneering digital transformation efforts to developing ones in the early stages of adoption, more and more people are transacting online and exposing their identities unwillingly. With every device in hand having the ability to access critical personal, financial and healthcare information, comes larger risks and the greater need for a global focus on authentication. European regulations such as PSD2 and GDPR are leading the charge, but 2020 will bring a more dire need for innovation in standards-based protocols and authentication. In order to strengthen security, enable more commerce and allow for widespread adoption of new technologies worldwide, new key sectors such as manufacturing, energy, healthcare and more will adopt robust authentication protocols to provide safety and security to the citizens relying on them.

While the authentication industry has made great strides in recent years, there is still a long way to go to ensuring that identities are truly secure. I believe that 2020 will bring great progress in this fight. I wish each and every one of you a very happy holiday season and a 2020 with much success.

Did you know the Payment Services Directive 2 (PSD2) directive (Directive2015/2366/EU) starts out with 113 introductory recitals?  You can check them out for yourself.

It includes such gems as:

#29: “‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials”

 #30: “‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”

#72: “the payment service provider is to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.”

And even; #100: “competent authorities are granted the necessary power, including the power to impose penalties, where the payment service provider does not comply with the rights and obligations laid down in this Directive, in particular if there is a risk of re-offending or another concern for collective consumer interests.”

The driving force behind PSD2, which is focused on governing electronic and non-cash payments, is a drive for Strong Customer Authentication (SCA) – a process that makes online payments more secure and reduces fraud while increasing authorization rates. 

3D Secure 2 (3DS2) provides an easy way to merchants to implement PSD2 SCA compliant flows when they make an online purchase. This allows the merchant to “authenticate” both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase

Because of this, merchants need to build additional authentication capabilities into their checkout flow in order to continue to process transactions once PSD2 goes into effect. And that date is coming fast. PSD2 was previously slated to start this month, September 2019, but has been pushed back to early 2020 to accommodate unprepared service providers – and likely – to get Brexit in the rear view mirror.

It’s a foregone conclusion that PSD2 is going to start impacting merchants very soon.  The questions now revolve around how many merchants will suffer, how seriously and what will happen to UK merchants once card issuers start declining payments that require SCA but which have not been authenticated via 3DS.

Feeling the pressure?  Here are three steps to take in Q4 2019 to be PSD2 ready in 2020.

Merchants need to simplify or build

Well the good news is that if you are able to operate on a major payment service provider like PayPal or Stripe, you are going to be compliant, as they already put in the engineering effort. The bad news is that most merchants with significant transaction volumes are not using those payment service providers (PSPs) for their full checkout process.  

Those merchants need to build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a different PSP, you’ll have to implement 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.

Banks need to capture the PSD2 disruption and turn it to their advantage

While PSD2 is ostensibly about authentication, it also provides a major challenge to the banking industry. Banks are now required to provide (non-bank) PSPs with direct connectivity to customer account data. While this seems to be a major step towards commoditization in the EU banking sector, it also opens potentially lucrative opportunities for banks to monetize insights from their proprietary data sets.  

A recent report from McKinsey suggest that fast moving banks “could retain their role as trusted financial anchor, as customers would not find it attractive to provide third parties access to their data or accounts.”

Banks that can provide a technology platform and SCA services to merchants and even other less sophisticated banks can stand out in the opportunities that drive in a post PSD2 world.

Merchants and Banks can accelerate their SCA compliance with FIDO

It may come as a surprise, but there is an easy button for PSD2 compliance. It’s called FIDO – the Fast Identity Online. FIDO is not a company, but an open industry standard for SCA compliance.

FIDO Authentication is available to any organization to implement freely, and once deployed, banks and PSPs may accept a variety of FIDO-compliant authenticators that meet the SCA requirements of PSD2. The FIDO architecture offers a true “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements.

With asymmetric cryptography, biometrics, and cryptographic privacy, the result is a single-gesture, multi-factor authentication event packaged for consumers in a very simple user experience that fulfills both merchant and banking needs for PSD2 SCA.

When, and where to turn for solutions?

PSD2 is on a 5+ year odyssey of bringing modern consumer authentication strategies and protections to European consumers. Delayed twice already, it’s unlikely to be delayed further. Banks and merchants who have not made appropriate investments need to move with precision to ensure they are compliant and not subject to fines.  

Fortunately, SCA  solutions can be tested and deployed in a timely manner at a reasonable price. Nok Nok Labs, a founder of the FIDO Alliance and holder of more than 100 patents in the space, provides a ready-to-deploy authentication system that delivers SCA compliance today. We look forward to sharing our process for rapid testing and deployment so you can reach your PSD2 objectives.

The Guardian and Forbes reported that researchers traced a massive leakage of 28 Million biometric and personal records to a company whose products are used worldwide for physical access control to a UK based company. The leak included centrally stored fingerprint, facial recognition, photos, unencrypted usernames and passwords, logs of facility access, security levels and clearance and personal details of staff and comprised over 23 gigabytes of data. The breach reinforces the problem with server-side biometrics and adds to a series of such prior breaches such as the OPM data breach that leaked the biometrics and personal information of US Govt. employees.

This leak points to an “anti-pattern” that security professionals and corporations should understand clearly. A pattern is an idea of how to solve a problem within a class of problems, that repeats itself. An anti-pattern is an idea of how not to solve it because implementing that idea would result in bad design.

The old proverb goes, “Why did Willie Sutton rob banks?….because the money was there!” Biometrics that are transported and aggregated centrally on the server for storage and matching are the worst kind of anti-pattern. They create stores of secrets on the server-side that are attractive for hackers to breach. The possibility of a scalable attack is large, the economic returns are very attractive, and remediation is very complicated.

By contrast, biometrics that work only on your personal device and are never shared, stored or matched on the server are an effective and secure pattern. By distributing the sensitive information and protecting it with extraordinary security, there is no central repository to attack. In other words, Willie Sutton would be out of business as a bank robber and instead be reduced to trying to pick pockets – not a scalable endeavor.

Apple, Samsung and others have proven that by distributing and localizing biometrics to a personal device that is in your control and by placing extraordinary controls around the biometric capture and matching, you can use biometrics as an effective secure pattern. In this case, the data is distributed, and you can at best try a targeted attack on individuals, one at a time – even that is so difficult that the economic incentives are not attractive.

Nok Nok Labs believes deeply in the idea that for privacy, security and the prevention of catastrophic failures like the breach above, corporations should only use the client-side-only biometric pattern as implemented by reputable vendors. We believe this so deeply that we incorporated this as a basic design principle in the creation of the FIDO protocols at the FIDO Alliance that we founded in 2013. The protocols created a more resilient distributed security pattern and are backed today by industry leaders such as Google, Microsoft, Intel, ARM, Samsung, Lenovo, VISA, MasterCard and others who have joined the alliance.

The FIDO protocols represent a good pattern to solve the problem of server-side secret aggregation. Users can leverage a method of authentication that is natural and convenient such as the client-side-store-and-match biometrics on a personal device including a phone or a physical token such as a USB or Bluetooth dongle. The standard ensures that there are no aggregations of secrets (as would be the case with passwords) and is designed to mitigate scalable attacks of all kinds such as phishing, interception by Man-in-the-Middle or compromises of a central repository of passwords. Developers get a simplified interface to implement this, and operators can rely on a single backend infrastructure regardless of device, method of authentication or security requirements. In other words, the standard ensures simplicity for the user, developer and operator.

It’s a well-kept secret that FIDO is already deployed widely and used daily by nearly a billion users at major brands such as Intuit, Bank of America, T-Mobile, Cigna, Google and Microsoft in the US and across Asia at DOCOMO, Softbank, Yahoo! Japan, and some of the largest banks in the region. It is expected to be deployed by most forward-thinking brands by 2020.

The Economic Times reported Wipro as saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

From the news so far, it seems the intent of the attackers was to use Wipro as a staging ground for attacks on Wipro’s customers, effectively entering through a trusted door. If the Verizon Data Breach Report is any indication the odds are better than 80% that the breach targeted employee and administrative credential compromise as the attack vector of choice.

Some of the most respected brands such as Wipro spend money on the best training for anti-phishing and attack detection in the misguided belief that this is an adequate measure. The fact is that security measures that rely on end-users to make the distinction on a legitimate request vs. a fraudulent one are doomed to failure. Too often, companies like Wipro and their service provider community rely on post-attack detection rather than investing in preventative measures such as phishing-proof authentication such as those based on the FIDO standards.

Ironically, earlier in April, the US National Counterintelligence and Security Center (NCSC) launched National Supply Chain Integrity Month to raise awareness about growing threats to the supply chains of the private sector and U.S. Government.

“Foreign intelligence entities and other adversaries are increasingly exploiting supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, and surveil our critical infrastructure,” said NCSC Director William R. Evanina.

“Bypassing our security perimeters, they’re infiltrating our trusted suppliers to target equipment, systems, and information used every day by the government, businesses, and individuals. The cost to our nation comes not only in lost U.S. innovation, jobs, and economic advantage, but also in reduced U.S. military readiness,” he added.

If we can learn anything from history, it would be that the Wipro attack is the tip of the iceberg. A few years ago, Google was attacked by “Operation Aurora”, a wide-ranging compromise of Google’s systems aimed at altering source-code, infiltrating administrative accounts with the goal of accessing accounts of dissident Chinese activists. Given the increasing reliance on cloud and infrastructure service providers, such attacks will continue to grow because they represent a “scalable” attack vector that involves a large payoff.

We strongly recommend both customers and service providers invest deeply in modern authentication that is phishing resistant, multi-factor, standards based and widely supported as well as proven at scale. The FIDO standards pioneering by Nok Nok Labs are one such essential building block of a preventative approach to security that is needed to mitigate the catastrophic consequences of attacks on providers like Wipro.