Andrew Churchill, our guest blogger, reflects on the evolving regulatory framework for cyber crime and identity assurance in the EU and the UK, as previously discussed in his article for Privacy Laws & Business, and looks at the efficacy of some mooted solutions.
Much has been made of the importance of the forthcoming EU Data Protection Regulation in both harmonising and improving the manner in which data is handled. As the finishing touches to the final Regulation are being applied, it is timely not only to explore the ramifications of these changes from a procedural perspective, but also to examine if the mooted penalties for egregious non-compliance will prove to be a game-changer in both public and private sector attitudes to how their data is secured against unauthorised access.
Data breach notification
Whether the Regulation ultimately settles on a notification period of 24 hours, 72 hours or something else, a more robust reporting regime will certainly increase the volume of data breaches reported in the media, with the inevitable follow-on clamour for greater efforts to prevent them. The United States led the way in introducing breach notification requirements, and as a result major breaches there, in particular of credit card data, are announced on a regular basis. This also helps explain why the cyber insurance market has taken off to a far greater extent in the US (albeit with many of the policies being managed through London).
I was recently asked by an American organisation why they have rarely heard of such major data breach cases coming from the EU. I came to the conclusion that while the lower prevalence of credit cards across most EU member states is one factor, the simple lack of reporting of such breaches is by far the greater factor. Equally, this US organisation seemed proud that they were finally catching up with the EU in the move to adoption of EMV, and were rather surprised when I opined that they might as well not bother, as it wouldn’t solve most of the underlying issues, which is why some of us are well advanced in designing the next generation.
In the UK, credit card usage is relatively high per capita, and the Treasury Select Committee chairman, Andrew Tyrie, has recently announced an investigation into whether banks are deliberately underreporting the scale of the problem for fear of frightening the customer. The UK card fraud figures have become an interesting annual staple each spring, and for over a decade security researchers have looked to assess the trends in fraud since APACS (the Association for Payment Clearing Services, now UKPA, the UK Payments Administration Ltd) first launched them.
To the lay person, annual losses of around half a billion pounds may seem substantial, and that is before asking whether the figure is fully reported, let alone whether it is being massaged downwards for reputational reasons. But whether actual card fraud losses are half a billion, three quarters of a billion or a billion pounds is not the main point from a data protection standpoint, nor is it likely to be the factor that triggers a major change in attitude within the industry over the next few years.
Criminal versus regulatory risk appetites
From a banking perspective, card fraud losses sit well within the banks' risk appetite. The losses are borne by the bank, or charged back to the merchant, with very few consumers held liable for any of the loss, so few complaints emerge from the end user. What's more, banks have excellent defences against card fraud, through systems such as the FICO Falcon Fraud Manager, which evolve to meet new threat patterns.
Under the new Data Protection Regulation, however, the regulatory risk facing the banks will dramatically outweigh the criminal risk. Data protection will become a business-critical issue for the Board, and one that worries shareholders. Furthermore, consumers may begin to realise how vulnerable their personal data is in the current ecosystem, and regulators may come to view the banks' risk appetites as unacceptable.
Beyond the breach
The majority of data breaches cause serious damage in large part because of underlying weaknesses in the payment systems themselves. Knowledge of the numbers printed on a card is enough to use that card online until it is cancelled and reissued. The fraud committed in that window is a cost directly caused by the breach, as is the cost of reissuing the physical cards. This is the essential problem with 'static' data (the data on the cards themselves), from both a security and a privacy perspective. In this light, much has been made recently of tokenisation, an area with a great deal of potential, though only once the major flaws in current implementations and models are addressed. (I will leave this topic for another blog.)
The underlying problem of static data explains the moves over the last decade towards dynamic data, whether at login or to verify individual transactions, as in American Express SafeKey. But even where dynamic data is used, it is not always sufficient.
As the European Network and Information Security Agency (ENISA) noted in its 2010 report on eID and banking credentials, man-in-the-middle and man-in-the-browser attacks were a possible threat to online banking and to access to other online services. ENISA concluded that this was not a very high-level threat, because of the perceived complexity of such attacks. This took some security commentators by surprise, and it was not unexpected when, two years later in July 2012, ENISA issued an alert on the back of High Roller (a browser-based attack against online banking, predominantly targeting the Netherlands). The alert warned banks to 'assume compromise' of the end user's machine, and urged them to consider other means of ensuring that they could correctly identify their customers, and that the requests being processed were genuinely their customers' own and not transactions manipulated by an attacker.
But if attackers can gain access to such sensitive banking data with such ease, surely other types of sensitive information held within the public sector, such as medical records and tax returns, are also at risk.
Fortunately, and to complete the perfect storm now surrounding data issues, we have also now seen the launch of the EU's eIDAS (electronic IDentification, Authentication and trust Services) Regulation, and the launch of Verify for access to government digital services in the UK. eIDAS seeks to harmonise the acceptance of member states' eID credentials, to enable smoother access to services for EU citizens moving around the EU and to aid the interoperability of the various means of authentication used across the 28 member states.
This month’s announcements on bilateral arrangements between the UK and US for government digital services, and cyber wargaming for banks and other infrastructure between New York and London, build on Obama’s October executive order on securing access to online services, making this a truly global challenge.
In the UK, Verify is the culmination of the Cabinet Office's Identity Assurance Provider (IDAP) process, with multiple organisations offering to enrol citizens and then act as an identity 'broker'. These brokers authenticate citizens for online government services as a form of single sign-on: authenticate once to your chosen identity assurance provider, then hop across from Her Majesty's Revenue and Customs to the Department for Work and Pensions without needing to re-authenticate.
Interestingly, recent demonstrations of the Verify authentication process use a form of out-of-band authentication: a static username and password assert a claim of identity to the IDAP, which then sends a one-time password (OTP) to the registered user's mobile phone (often referred to as a Mobile Transaction Authentication Number, or MTAN). At the launch of eIDAS in Brussels in October, it was also interesting to note that EU Commissioner Neelie Kroes, in electronically signing her letter to EU Commission President Jean-Claude Juncker on the importance of digital services, likewise used an MTAN to sign the document.
The theory behind an MTAN process is that the genuine user will have their mobile with them when logging in, and that therefore only they will receive the OTP needed to authenticate.
The problem with this theory, leaving aside the possibility of intercepting the OTP by diverting it, is that, as ENISA finally acknowledged in July 2012, one must assume that the user's computer itself may be compromised, most likely by malware. The OTP, however it is generated or delivered to the genuine user, is then typed into a browser the attacker controls and handed straight to the attacker. This collapses multi-factor authentication (what you have, such as a card or token; what you know, such as a PIN or password; what you are, i.e. biometrics) into a single factor that the criminal intercepts. A bare code also tells the user nothing about which request it is authorising, so a transaction the malware has altered in transit is confirmed with the genuine user's own code.
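To make that failure mode concrete, here is an added simulation (my own illustration, not code from the post, from Verify, or from any bank) of a man-in-the-browser attack against an MTAN step. The malware rewrites the payee in the outgoing request while the victim's screen still shows the intended payee, and forwards whatever code the victim types. The simulation is run twice: once with a plain random OTP, as in the process described above, and once with an assumed alternative in which the code is an HMAC over the payee and amount and the SMS repeats those details, so the customer has something to check on the out-of-band channel. All names, keys and amounts are constructed for the example.

```python
"""Constructed simulation of a man-in-the-browser (MitB) attack against an
MTAN / SMS one-time-password step.  Names, keys and amounts are invented
for the example; no real bank, product or scheme is modelled."""
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key-not-for-production"  # assumption: per-deployment secret


class Bank:
    """Toy online-banking server.

    bind_to_transaction=False: the OTP is a random six-digit code and the SMS
    carries only the code (the MTAN process discussed in the post).
    bind_to_transaction=True:  assumed alternative; the code is an HMAC over
    session, payee and amount, and the SMS repeats payee and amount."""

    def __init__(self, bind_to_transaction):
        self.bind = bind_to_transaction
        self.pending = {}    # session -> transaction awaiting the code
        self.executed = []   # (payee, amount) pairs the server carried out

    def _code(self, session, payee, amount):
        if self.bind:
            msg = f"{session}|{payee}|{amount}".encode()
            return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:6]
        return f"{secrets.randbelow(10**6):06d}"

    def submit(self, session, payee, amount):
        """Step 1: the browser submits the transaction; the server replies
        with the text that will be sent over SMS to the registered phone."""
        tx = {"payee": payee, "amount": amount,
              "code": self._code(session, payee, amount)}
        self.pending[session] = tx
        sms = f"Your code is {tx['code']}"
        if self.bind:
            sms += f" for payment of {amount} to {payee}"
        return sms

    def confirm(self, session, code):
        """Step 2: the browser returns the code the customer typed in.
        The server executes whatever transaction it stored at step 1."""
        tx = self.pending.pop(session, None)
        if tx is None or not hmac.compare_digest(tx["code"], code):
            return False
        self.executed.append((tx["payee"], tx["amount"]))
        return True


class InfectedBrowser:
    """MitB malware sitting between the customer and the bank: it rewrites
    the payee on the way out and forwards whatever code the victim types.
    The victim's own screen still shows the payee they intended."""

    def __init__(self, bank, attacker_payee):
        self.bank = bank
        self.attacker_payee = attacker_payee

    def submit(self, session, payee, amount):
        return self.bank.submit(session, self.attacker_payee, amount)

    def confirm(self, session, code):
        return self.bank.confirm(session, code)


def customer_reads_sms(sms, intended_payee, intended_amount):
    """The customer reads the SMS on the phone, the genuine out-of-band
    channel.  A bare 'Your code is ...' gives them nothing to check, so the
    code is typed in.  If the SMS names a payee or amount, the customer
    refuses when it contradicts what they meant to pay."""
    if "for payment of" in sms and (
            intended_payee not in sms or str(intended_amount) not in sms):
        return None
    return sms.split("Your code is ", 1)[1].split()[0]


def run(bind_to_transaction, attacker_payee="MULE-ACCOUNT"):
    """Drive one attacked payment end to end and report what the bank did."""
    bank = Bank(bind_to_transaction)
    browser = InfectedBrowser(bank, attacker_payee)
    session, intended_payee, amount = "sess-1", "ELECTRICITY-CO", 120
    sms = browser.submit(session, intended_payee, amount)   # payee rewritten here
    code = customer_reads_sms(sms, intended_payee, amount)
    if code is None:
        return {"executed": list(bank.executed), "refused": True}
    browser.confirm(session, code)
    return {"executed": list(bank.executed), "refused": False}


if __name__ == "__main__":
    print("plain MTAN  :", run(False))   # the mule account is paid
    print("bound code  :", run(True))    # customer refuses, nothing executed
```

In the plain case the server does everything right, the code is genuinely one-time and genuinely reached the phone, and the attacker's payee is still paid, because the code authorises whatever the compromised browser submitted. The bound variant only helps if the customer actually reads the payee and amount in the message, and it does nothing against the diversion of the SMS itself that the paragraph above sets aside; it is shown to illustrate what 'ensuring it was the customer's request that was being processed' has to mean in practice, not as a recommendation from the post.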
Two visions of the future
On the one hand, we could see a depressing scenario where data breach notifications start to arrive on the doorstep every morning, and the newspapers have to start publishing daily data breach supplements. People lose trust in the online world, abandon online banking and e-commerce and retreat to using cash. Society is poorer for it. The only winners are the cyber criminals and the regulators levying ever-increasing fines.
Alternatively, the prospect of intensive regulatory scrutiny and huge regulatory fines could persuade businesses, and governments, to finally take a proper look at how to secure customer data, and move beyond current sticking-plaster approaches to tackling the underlying risks of the nature of the data itself. I am actively advising in this space right now, and the challenges of rendering data useless other than for the purpose for which it was originally provided, whilst not inconsequential, are not insurmountable.
In either case, for those of us working in the data protection or cyber security fields, it will be a very busy couple of years as we work towards our new regulatory regime and its impacts!
Author: Andrew Churchill is a consultant and researcher at Technology Strategy, and independent consultant and professional advisor to FICO. Email: Andrew.firstname.lastname@example.org.