SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Now is the time to hit the digital trust reset button
Mon, 16th Jan 2023

There is a reason digital identity technology is in demand right now, and that is because digital trust is broken. Both trust and identity are easy to establish offline. Establishing them in the digital world is an entirely different matter. The weakness of the methods we use to identify individuals online, and the lack of trust those methods deserve, are being exploited to swindle, manipulate, corrupt and defraud enterprises and people on an industrial scale.

The current scourge of online scams and fraud stems from unverified identities: if we do not know beyond reasonable doubt who we are interacting with online, we cannot trust that interaction or that person.

Even as new technologies enabling digital transformation arrive and are integrated, digital trust remains fundamental to keeping economies moving forward.

Technological advancements have brought a wealth of opportunities that are a stone’s throw away. From artificial intelligence to Big Data, cryptocurrency to Blockchain, we’re constantly reminded of the imminent technological revolutions, game-changers and disruptive technologies.

But, to reap the rewards of these technologies and enable Asia Pacific economies to sprint forward, we must first fix trust.

In the physical world, establishing trust with a company is straightforward. We do this by meeting the employees, visiting their offices or shops and seeing how the physical products work before purchasing. All this builds confidence and trust in the company and people before we decide to buy.

Over in the digital world, establishing trust is complex and remains the biggest issue today. Yet despite all the investment, new technologies, and trust mechanisms, we are in a vicious Catch-22 situation, and no one is pressing the reset button.

Right from the dawn of the digital world, trust mechanisms used to identify ourselves online were simply duplications of the physical world. We switched from signatures to usernames and passwords as a representation of ourselves online.

This initially worked, and then fraudsters caught on and exploited these trust mechanisms, so companies added another layer of security, such as knowledge-based checks like a PIN or a pet’s name. When fraudsters found a way through again, we just added another layer, more recently in the form of SMS one-time passwords (OTPs).

This pattern has never changed, and it is the root cause of why digital identity (and therefore digital trust) is a challenge today: a username and password prove possession of a secret, not the real identity of the person typing it.

Relying on outdated technologies and bolting on additional layers to authenticate and verify people has come to be considered normal. It is one reason enterprises have multiple (sometimes hundreds of) security tools in their tech stack.

Rather than fix the root cause of the issue, we’ve just treated symptoms, and this makes little sense.

Here’s why.

Pressing the reset

In the physical world, to protect our homes, we can install burglar alarms, smoke detectors, door locks, and call for help if there is a burglary or fire. When CCTV cameras became cheaper, homeowners installed them. As home protection technologies improved, old equipment was removed and newer, smarter, and trusted technology replaced them.

Over in the digital world, we are still using technologies designed for the analogue world, and this is a hangover from the Internet’s early days when passwords and usernames became digital identities.

A prime example of this is the reliance on SMS one-time passwords: the SMS channel was never designed as a security channel, and its weaknesses are well known. A related example is the assumption that a customer’s mobile phone is safe from theft, SS7 interception, SIM swapping and similar attacks. Fraudsters compound these weaknesses with social engineering, manipulating and tricking victims into handing over the codes themselves.

What is needed is a fundamental shift away from outdated mechanisms and instead, a focus on building trusted digital technologies, processes, systems, and regulations within the Asia Pacific region.

The pattern of fraud has remained unchanged for decades. No one is pressing the reset button. Without dramatic action, the ‘fraud, apology, add a security layer, fraud, apology, add a security layer, fraud’ pattern will continue.

What will a digital trust reset look like?

A step in the right direction of establishing digital trust was made with the introduction of facial recognition, which has made its way onto millions of digital devices. As an authentication tool to access the device, internet banking, and, increasingly, other apps, facial recognition does offer some protection to consumers and their information.

But there is an alternative that does not depend on liveness tests fraudsters can manipulate or step-up authentication methods they can circumvent, and which is less privacy-intrusive.

Behavioural biometrics are passive signals that indicate whether the genuine user is in control of their phone, derived from the way they hold the device, swipe the screen and type on the keyboard. The data points are obfuscated, protecting the user’s privacy, and they add no friction to the user journey because they are collected at normal interaction points. Behavioural patterns are distinctive to the user and very hard for a fraudster to replicate.

Introducing behavioural biometrics will help prevent account takeover fraud and fraud in which the genuine user is socially engineered into authorising a transaction. They can remove the need to send one-time passwords via SMS to prove the identity of a user, because the behavioural signals show that the expected user is operating the device.
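To make the mechanism described in the two paragraphs above concrete, here is an added example (not code from the original article, and not any vendor’s product) of one behavioural signal, keystroke dynamics: how long each key is held (dwell) and the gap between keys (flight). It assumes the app can capture key press and release timestamps; the timings, the per-feature floors, the threshold and the three scenarios (genuine user, impostor who knows the password, genuine user typing hesitantly while being coached over the phone) are all constructed assumptions for illustration.

```python
"""Toy keystroke-dynamics scorer: an illustration of behavioural biometrics,
not the product of any vendor. Timings and thresholds are assumptions."""
import random
import statistics
from typing import Dict, List, Tuple

# Assumed event format: one (press_time_ms, release_time_ms) pair per key.
Keystroke = Tuple[float, float]
Profile = Dict[str, Tuple[float, float]]  # feature -> (mean, std)

# Assumed floors on the standard deviation so that a handful of very
# consistent enrolment sessions do not produce a brittle profile.
FEATURE_FLOOR_MS = {"mean_dwell": 5.0, "mean_flight": 8.0, "dwell_spread": 5.0}


def extract_features(events: List[Keystroke]) -> Dict[str, float]:
    """Dwell = how long a key is held; flight = release of one key to press of
    the next. A stolen password says nothing about either."""
    if len(events) < 2:
        raise ValueError("need at least two keystrokes")
    dwells = [rel - prs for prs, rel in events]
    flights = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return {
        "mean_dwell": statistics.fmean(dwells),
        "mean_flight": statistics.fmean(flights),
        "dwell_spread": statistics.pstdev(dwells),
    }


def enroll(sessions: List[List[Keystroke]]) -> Profile:
    """Build the user's profile from several enrolment sessions."""
    feats = [extract_features(s) for s in sessions]
    profile: Profile = {}
    for name in feats[0]:
        values = [f[name] for f in feats]
        sd = statistics.pstdev(values) if len(values) > 1 else 0.0
        profile[name] = (statistics.fmean(values), max(sd, FEATURE_FLOOR_MS[name]))
    return profile


def score(profile: Profile, events: List[Keystroke]) -> float:
    """Mean absolute z-score across features; 0 means 'exactly like enrolment'."""
    f = extract_features(events)
    return statistics.fmean(abs(f[n] - mu) / sd for n, (mu, sd) in profile.items())


def is_genuine(profile: Profile, events: List[Keystroke], threshold: float = 2.5) -> bool:
    """Assumed decision rule: accept passively below the threshold, otherwise
    escalate (step-up, hold the transaction, call the customer)."""
    return score(profile, events) < threshold


def simulate_session(rng: random.Random, mean_dwell: float, mean_flight: float,
                     n: int = 40, jitter: float = 0.15) -> List[Keystroke]:
    """Constructed sample data: n keystrokes with Gaussian jitter around the
    given timings. A real app would feed in its own input events instead."""
    t = 0.0
    events: List[Keystroke] = []
    for _ in range(n):
        dwell = max(10.0, rng.gauss(mean_dwell, mean_dwell * jitter))
        flight = max(10.0, rng.gauss(mean_flight, mean_flight * jitter))
        events.append((t, t + dwell))
        t += dwell + flight
    return events


def demo(seed: int = 7) -> Dict[str, object]:
    """Three constructed scenarios against one enrolled profile."""
    rng = random.Random(seed)
    profile = enroll([simulate_session(rng, 90, 120) for _ in range(5)])
    genuine = simulate_session(rng, 90, 120)          # same person, same habits
    impostor = simulate_session(rng, 60, 240)         # knows the password, types differently
    coached = simulate_session(rng, 90, 400)          # same person, long pauses while being coached
    return {
        "genuine_score": score(profile, genuine),
        "impostor_score": score(profile, impostor),
        "coached_score": score(profile, coached),
        "genuine_accepted": is_genuine(profile, genuine),
        "impostor_rejected": not is_genuine(profile, impostor),
        "coached_flagged": not is_genuine(profile, coached),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the third scenario is the one the paragraph above makes about socially engineered “authorised” fraud: the credentials and the device are legitimate, yet the session still looks wrong. In practice the score would be one input to a risk engine combining several signals, with the threshold tuned on real false-accept and false-reject rates rather than the round number assumed here.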

If the ongoing fraud escalation in the region is anything to go by, we must collectively move away from outdated identity mechanisms to build trust, scrap old technologies and processes and hit the shiny red reset button to rebuild digital trust from the ground up.

Otherwise, we can expect the situation as it stands today to continue: more fraud, more reliance on outdated technology, reputation loss, trust loss and financial loss. No one wants this. We are well past the ‘it’s not too late for change’ stage and, instead, have a golden opportunity to rebuild digital trust by introducing non-invasive technologies such as behavioural biometrics to authenticate and verify identities.