Tag Archives: #cyber-security

Trust in Digital IDs

Posted on by
Reply

Or: “Whose identity is it anyway?”

Over the past few years, there have been a significant number of serious data breaches among among banks, utilities, telcos, insurers and public bodies. As a result, hackers are able to access the confidential data and financial records of millions of customers, leading to ransomware demands, wide dissemination of private information, identity theft, and multiple phishing attempts and similar scams.

What most of these hacks reveal is the vulnerability of centralised systems as well as the unnecessary storage of personal data – making these single points of failure a target for such exploits. Worse, the banks and others seem to think they “own” this personal data once they have obtained it, as evidenced by the way they (mis)manage it.

I fully understand the need for KYC/AML, and the requirement to verify customers under the 100 Points of Identification system. However, once I have been verified, why does each bank, telco and utility company need to keep copies or records of my personal data on their systems? Under a common 100 Points verification process, shouldn’t we have a more efficient and less vulnerable system? If I have been verified by one bank in Australia, why can’t I be automatically verified by every other bank in Australia (e.g., if I wanted to open an account with them), or indeed any other company using the same 100 Points system?

Which is where the concept of Self-Sovereign Identity comes into play. This approach should mean that with the 100 Points system, even if initially I need to submit evidence of my driver’s license, passport or birth certificate, once I have been verified by the network I can “retrieve” my personal data (revoke the access permission), or specify with each party on the network how long they can hold my personal data, and for what specific purpose.

This way, each party on the network does not need to retain a copy of the original documents. Instead, my profile is captured as a digital ID that confirms who I am, and confirms that I have been verified by the network; it does not require me to keep disclosing my personal data to each party on the network. (There are providers of Digital ID solutions, but because they are centralised, and unilateral, we end up with multiple and inconsistent Digital ID systems, which are just as vulnerable to the risk of a single point of failure…)

But of course, banks etc. insist that not only do they have to ask for 100 Points of ID each and every time I open an account, they are required to retain copies or digital versions of my personal data. Hence, we should not be surprised by the number of data hacks we keep experiencing.

The current approach to identity in banking, telcos and utilities is baffling. Just a few examples I can think of:

1. In trying to upgrade my current mobile phone plan with my existing provider, I had to re-submit personal information via a mobile app (and this is a telco that experienced a major hack last year, resulting in me having to apply for a new driver’s license). If I have already been verified, why the need to ask for my personal data again, and via a mobile app?

2. I’ve lived at my current address for more than 5 years. I still receive bank statements intended for the previous occupant. I have tried on numerous occasions to inform the bank that this person is no longer living here. I’ve used the standard “Return to Sender” method, and tried to contact the bank direct, but because I am not the named account addressee or authorised representative, they won’t talk to me. Fair enough. But, the addressee is actually a self-managed superannuation fund. Given the fallout from the Banking Royal Commission, and the additional layers of verification, supervision and audit that apply to such funds, I’m surprised that this issue has not been picked up the bank concerned. It’s very easy to look up the current registered address of an SMSF via the APRA website, if only the bank could be bothered to investigate why the statements keep getting returned.

3. I have been trying to remove the name of a former director as a signatory to a company bank account. The bank kept asking for various forms and “proof” that this signatory was no longer a director and no longer authorised to access the account. Even though I have done this (and had to pay for an accountant to sign a letter confirming the director has resigned their position), if the bank had bothered to look up the ASIC company register, they would see that this person was no longer a company officer. Meanwhile, the bank statements keep arriving addressed to the ex-director. Apparently, the bank’s own “systems” don’t talk to one another (a common refrain when trying to navigate legacy corporate behemoths).

In each of the above, the use of a Digital ID system would streamline the process for updating customer records, and reduce the risk of data vulnerabilities. But that requires effort on the part of the entities concerned – clearly, the current fines for data breaches and for misconduct in financial services are not enough.

Next week: AI vs IP  

 

Monash University Virtual Demo Day

Posted on by
Reply

Last week I was invited to participate in a Virtual Demo Day for students enrolled in the Monash University Boot Camp, for the FinTech, Coding and UX/UI streams. The Demo Day was an opportunity for the students to present the results of their project course work and to get feedback from industry experts.

While not exactly the same as a start up pitch night, each project presented a defined problem scenario, as well as the proposed technical and design solution – and in some cases, a possible commercial model, but this was not the primary focus. Although the format of the Demo Day did not enable external observers to see all of the dozen-plus projects, overall it was very encouraging to see a university offer this type of practical learning experience.

Skills-based and aimed at providing a pathway to a career in ICT, the Boot Camp programme results in a Certificate of Completion – but I hope that undergraduates have similar opportunities as part of their bachelor degree courses. The emphasis on ICT (Cybersecurity and Data Analytics form other streams) is partly in response to government support for relevant skills training, and partly to help meet industry requirements for qualified job candidates.

Industry demand for ICT roles is revealing a shortage of appropriate skills among job applicants, no doubt exacerbated by our closed international borders, and a downturn in overseas students and skilled migration. This shortage is having a direct impact on recruitment and hiring costs, as this recent Tweet by one of my friends starkly reveals: “As someone who is hiring about 130 people right now, I will say this: Salaries in tech in Australia are going up right now at a rate I’ve never seen.” So nice work if you can get it!

As for the Demo Day projects themselves, these embraced technology and topics across Blockchain, two-sided marketplaces, health, sustainability, music, facilities management, career development and social connectivity.

The Monash Boot Camp courses are presented in conjunction with Trilogy Education Services, a US-based training and education provider. From what I can see online, this provider divides opinion as to the quality and/or value for money that their programmes offer – there seems to be a fair number of advocates and detractors. I can’t comment on the course content or delivery, but in terms of engagement, my observation is that the students get good exposure to key tech stacks, learn some very practical skills, and they are encouraged to follow up with the industry participants. I hope all of the students manage to land the type of opportunities they are seeking as a result of completing their course.

Next week: Here We Go Again…

Personal data and digital identity – whose ID is it anyway?

Posted on by
Reply

In an earlier blog on privacy in the era of Big Data and Social Media, I explored how our “analog identities” are increasingly embedded in our digital profiles. In particular, the boundaries between personal/private information and public/open data are becoming so blurred that we risk losing sight of what individual, legal and commercial rights we have to protect or exploit our own identity. No wonder that there is so much interest in what blockchain solutions, cyber-security tools and distributed ledger technology can do to establish, manage and protect our digital ID – and to re-balance the near-Faustian pact that the illusion of “free” social media has created.

Exchanging Keys in “Ghostbusters” (“I am Vinz Clortho the Keymaster of Gozer”)

It’s over 20 years since “The Net” was released, and more than 30 since the original “Ghostbusters” film came out. Why do I mention these movies? First, they both pre-date the ubiquity of the internet, so it’s interesting to look back on earlier, pre-social media times. Second, they both reference a “Gatekeeper” – the former in relation to some cyber-security software being hijacked by the mysterious Praetorian organisation; the latter in relation to the “Keymaster”, the physical embodiment or host of the key to unleash the wrath of Gozer upon the Earth. Finally, they both provide a glimpse of what a totally connected world might look like – welcome to the Internet of Things!

Cultural references aside, the use of private and public keys, digital wallets and payment gateways to transact with digital currencies underpins the use of Bitcoin and other alt coins. In addition, blockchain solutions and cyber-security technologies are being deployed to streamline and to secure the transfer of data across both peer-to-peer/decentralised networks, and public/private, permissioned/permissionless blockchain and distributed ledger platforms. Sectors such as banking and finance, government services, the health industry, insurance and supply chain management are all developing proofs of concept to remove friction but increase security throughout their operations.

One of the (false) expectations that social media has created is that by giving away our own personal data and by sharing our own content, we will get something in return – namely, a “free” Facebook account or “free” access to Google’s search engine etc. What happens, of course, is that these tech companies sell advertising and other services by leveraging our use of and engagement with their platforms. As mere users we have few if any rights to decide how our data is being used, or what third-party content we will be subjected to. That might seem OK, in return for “free” social media, but none of the huge advertising revenues are directly shared with us as ordinary end consumers.

But just as Google and Facebook are facing demands to pay for news content, some tech companies are now trying to democratise our relationships with social media, mobile content and financial services, by giving end users financial and other benefits in return for sharing their data and/or being willing to give selected advertisers and content owners access to their personal screens.

Before looking at some interesting examples of these new businesses, here’s an anecdote based on my recent experience:

I had to contact Facebook to ask them to take down my late father’s account. Despite sending Facebook a scanned copy of the order of service from my father’s funeral, and references to two newspaper articles, Facebook insisted on seeing a copy of my father’s death certificate.

Facebook assumes that only close relatives or authorised representatives would have access to the certificate, but in theory anyone can order a copy of a death certificate from the UK’s General Register Office. Further, the copy of the certificate clearly states that “WARNING: A CERTIFICATE IS NOT EVIDENCE OF IDENTITY”. Yet, it appears that Facebook was asking to see the certificate as a way of establishing my own identity.

(Side note: A few years ago, I was doing some work for the publishers of Who’s Who Australia, which is a leading source of biographical data on people prominent in public life – politics, business, the arts, academia, etc. In talking to prospective clients, especially those who have to maintain their own directories of members and alumni, it was clear that “deceased persons” data can be very valuable to keep their records up to date. It can also be helpful in preventing fraud and other deception. Perhaps Facebook needs to think about its role as a “document of record”?)

So, what are some of the new tech businesses that are helping consumers to take control of their own personal data, and to derive some direct benefit from sharing their personal profile and/or their screen time:

  1. Unlockd: this Australian software company enables customers to earn rewards by allowing advertisers and content owners “access” to their mobile device (such as streaming videos from MTV).
  2. SPHRE: this international blockchain company is building digital platforms (such as Air) that will empower consumers to create and manage their own digital ID, then be rewarded for using this ID for online and mobile transactions.
  3. Secco: this UK-based challenger bank is part of a trend for reputation-based solutions (e.g., personal credit scores based on your social media standing), that uses Aura tokens as a form of peer-to-peer or barter currency, within a “social-economic community”.

Linked to these initiatives are increased concerns about identity theft, cyber-security and safety, online trust, digital certification and verification, and user confidence. Anything that places more power and control in the hands of end users as to how, when and by whom their personal data can be used has to be welcome.

Declaration of interest: through my work at Brave New Coin, a FinTech startup active in blockchain and digital assets, I am part of the team working with SPHRE and the Air project. However, all comments here are my own.

Next week: Investor pitch night at the London Startup Leadership Program