Financial enterprises look to decentralization to reduce the risk of a massive breach

Mar 27, 2018, 6 mins
Data and Information Security, Data Breach, Security

Centralized repositories of consumer data at enterprises have continuously proven to be coveted targets for hackers.


With an estimated 30 billion devices connected to the Internet of Things (IoT) by 2020, ensuring they are properly secured is more important than ever, as many of these will be payment-enabled. Criminals are constantly challenging the progress of cybersecurity measures as their attacks become more sophisticated.

Following last year’s string of mass credentials breaches, it’s clear that conventional methods to secure passwords, PINs and biometrics are falling short of safeguarding the sensitive information used for authentication and payment authorization. Centralized repositories of consumer data at enterprises have continuously proven to be coveted targets for hackers. Without a paradigm shift in authentication — and with banking, financial, and other business activity becoming more digital — data breaches are only expected to persist. Consider alone the growth of ecommerce and m-commerce, which lack the EMV protection found only at POS systems, as the cases of Sears and now Toys“R”Us illustrate.

Native biometrics and passwords are not enough to authenticate true users

For this reason, many online service providers are beginning to offer the use of native biometrics features such as Apple’s Touch ID and Face ID, Samsung Pass or the myriad sensors of third-party vendors. Biometrics are often more desirable because they are convenient and can more accurately authenticate users than a typical password/PIN combination, which in the hands of another can serve as the keys to the kingdom once account access is granted. Native and third-party biometrics do have their flaws, however. Some merely unlock the device or act upon passwords still in use and stored at the service provider, essentially using a fingerprint scan to paste in the password. Others, especially third-party ones, have more explicit vulnerabilities, storing biometric templates centrally at the service provider, which makes them no safer than passwords.

Centralized databases are an easy, appealing target for fraudsters, since the many records hackers obtain cater to their wholesale fraud model. As the Yahoo, Equifax, FedEx and other breaches have proved, stolen credentials sell on the dark web for only a few dollars each, yet at a volume of millions of records they unfortunately demonstrate that fraud is a profitable endeavor. Centralizing data also creates a single point of failure in a system designed to protect privacy and financial assets. Enterprises are starting to realize this is counterintuitive and unnecessary now that advances in mobile devices make it reasonable to conclude that most people are carrying around biometric keys, with the ability to store encrypted templates on the device itself.

Consumers are concerned about the security of the technology in use when fully adopting mobile banking and/or payments. Recently the Federal Reserve Bank conducted research noting that 24 percent of the mobile phone users surveyed believed their personal information is “somewhat unsafe” while 18 percent believed that it’s “very unsafe.” A mere 8 percent said the security of the technology was “very safe.” Consumers are savvy and know that when they give up their private data to a service provider, that information is no longer personal. Put simply, when data is stored centrally in this manner it is not a matter of if, but when, it will be breached.

Despite this, businesses continue to store customer data in these centralized systems. Security teams instinctively want to keep assets under their watch since they are responsible for their safety – for instance, financial enterprises still keep much of their information on premises, rather than in the cloud. What’s more, most financial enterprises employ usernames and passwords – often combined with PINs, layers of insecure SMS codes, or costly, labor-intensive call center activity – as a login and payment method. These create management headaches, and because the root of the authentication scheme is bearer tokens (something that can be used by anyone who holds it), these service providers are trapped in a race to the bottom with hackers, thickening firewalls around information that, with help, will find its way onto the dark web.

Decentralized solutions will pave the way for secure payments across devices

The needed paradigm shift is decentralized authentication, which safely stores sensitive data on users’ devices rather than in a database on an enterprise’s central server. It eliminates the single point of failure, reducing the attack surface and the risk of a mass credentials breach. A properly deployed decentralized authentication solution also gives enterprises the level of control to which they are already accustomed, without the drawback of holding the user login and payment information that hackers want all on one identifiable, accessible server. If a financial enterprise is not in possession of those credentials, they cannot be stolen from it. With decentralized authentication fraudsters are forced to move on to another strategy, such as going from device to device in the hopes of obtaining sensitive data – a more difficult, un-scalable fraud model.

As we quickly transform into a fully connected world, it is more important than ever to bring secure authentication to devices and payments across the IoT. Today’s mobile devices are already equipped with security features such as biometrics to authenticate securely and to deliver superior user experiences. However, the IoT will inevitably bring about connected vehicles, homes and more. What is sorely needed are solutions ready for payments across connected devices and associated third parties.

Decentralization solutions of the kind the Fast Identity Online (FIDO) Alliance promotes, or FIDO-like solutions, ensure that the service provider, such as a bank, insurer, or payment network, does not store sensitive data used for authentication. They employ public-key cryptography to ensure that the user owns her or his credentials and presents a cryptographic proof of identity (a signed token) at the time of service. Such a token is useful for all kinds of authentication and payment authorization. Tokenization itself has been around for a long time but hasn’t been married with the great experiences made possible by modern-day mobile devices (e.g. great cameras, microphones, touch sensors) until recent years.
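To make concrete the claim in the two passages above, that a decentralized, FIDO-style scheme leaves nothing on the server that can be stolen and replayed, here is an added Go example. It is not the FIDO Alliance's code nor any vendor's product: the "server" keeps only a public key per credential and a set of outstanding challenges, the "device" holds the private key and signs a fresh challenge only after a (simulated) local user-verification step. Ed25519, the in-memory maps, the credential-ID format and the `localUserVerified` flag are all assumptions of this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is the relying party (bank, insurer, payment network). It never sees a
// private key: creds is everything a database breach could expose.
type Server struct {
	creds   map[string]ed25519.PublicKey // credential ID -> public key
	pending map[string]bool              // hex(challenge) -> not yet used
}

// Device stands in for the user's phone. In a real deployment the private key lives
// in a secure element and is released only after biometric/PIN verification on the device.
type Device struct {
	CredID string
	priv   ed25519.PrivateKey
}

func NewServer() *Server {
	return &Server{creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy is not recoverable for this demo
	}
	return hex.EncodeToString(b)
}

// Register generates the keypair on the device and enrolls only the public key.
func Register(s *Server, user string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	credID := user + "-" + randomHex(8) // assumed credential-ID format
	s.creds[credID] = pub
	return &Device{CredID: credID, priv: priv}, nil
}

// NewChallenge issues a random nonce and remembers it so it can be used once only.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Sign produces the assertion; localUserVerified simulates the on-device biometric/PIN gate.
func (d *Device) Sign(challenge []byte, localUserVerified bool) ([]byte, error) {
	if !localUserVerified {
		return nil, errors.New("local user verification failed; private key not released")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Verify accepts an assertion only for an outstanding challenge, and consumes that
// challenge whether or not the signature checks out, so a captured response cannot be replayed.
func (s *Server) Verify(credID string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !s.pending[key] {
		return false
	}
	delete(s.pending, key)
	pub, ok := s.creds[credID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// AttemptWithStolenRecord models what a leaked server record is worth: the holder has the
// credential ID and public key but no private key, so the best they can do is sign with
// some other key. Verify must reject it.
func AttemptWithStolenRecord(s *Server, credID string, challenge []byte) bool {
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return s.Verify(credID, challenge, ed25519.Sign(otherPriv, challenge))
}

func main() {
	s := NewServer()
	d, _ := Register(s, "alice")
	c, _ := s.NewChallenge()
	sig, _ := d.Sign(c, true)
	fmt.Println("genuine device accepted:", s.Verify(d.CredID, c, sig))
	fmt.Println("same response replayed:", s.Verify(d.CredID, c, sig))
	c2, _ := s.NewChallenge()
	fmt.Println("stolen server record accepted:", AttemptWithStolenRecord(s, d.CredID, c2))
}
```

The point of `AttemptWithStolenRecord` is the article's "if a financial enterprise is not in possession of those credentials, they cannot be stolen from it": the only per-user secret exists on the device, and the server database yields nothing that authenticates.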

Shifting to a new way of authenticating users for account login and payment authorization is on the rise. The emergence of open standards such as those put forth by the FIDO Alliance are one reason. Another is the actions of forward-leaning financial enterprises like Mastercard, which has adopted decentralization as a way to increase security and accelerate transaction speeds.

Consumers stand to benefit from decentralized authentication because they are the ones holding their information for authentication and payments. This includes profiles such as biometrics, PINs, and passwords as well as other static forms of identity such as credit card information. Tokenization of this information is far safer than presenting the raw information each time, and with decentralization the certitude that different modes such as Touch ID plus facial or “selfie” recognition provide brings us to a new level of both security and usability. Decentralization will not only pave the way for more effective security measures that will ultimately protect users from major breaches, it will also deliver improved customer journeys and — finally — privacy, by allowing users to take back ownership of information they reasonably expect to be personal even while useful.


George Avetisov, co-founder and CEO of HYPR, a provider of enterprise-facing decentralized authentication solutions, is a seasoned cyber security veteran with over a decade of experience battling identity theft and cyber fraud. He has experience in developing cyber fraud and e-commerce security for Fortune 500 companies and continues to work across the technology space for connected devices.

The opinions expressed in this blog are those of George Avetisov and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.