November 21, 2017
Digital Identity: A Global Economic Imperative
Posted June 28, 2017
The WannaCry ransomware attack in May that hit more than 200,000 computers worldwide and caused havoc in parts of the National Health Service (NHS) in the UK was arguably the most high-profile cybercrime campaign in recent memory.
And for those who run ransomware operations, that’s a big problem.
That’s because ransomware has been a “nice little earner” for cybercrime gangs for years. They’ve made millions (dwarfing the amounts earned by the WannaCry attack), and yet their crime sprees have stayed out of the headlines. Why? Because some businesses believe it’s easier just to pay a small ransom and move on, and many don’t report it to the police or data protection authorities.
Therefore, this low-margin, high-volume cybercrime has received little attention from politicians and insufficient effort from law enforcement.
Meanwhile, ransomware stoked the coffers of an increasingly professional underground network of organized crime. Botnet creators got rich selling their networks to spread the ransomware. Virus writers earned big bucks creating new twists (for example, threatening victims with having their personal files published online if they refused to pay up).
The folks behind this industry were previously engaged in banking fraud. When banks got better at spotting it, the fraudsters simply moved on to ransomware. They are almost certainly already working on their next innovation.
At the heart of so much of this, depressingly, is the humble yet ubiquitous email address — still the principal attack vector for hacking campaigns. That’s because the email address is still the most useful token of identity, and identity is the issue that percolates through all cybercrime.
There is now a shadow trade in identities, with sites such as LeakedSource offering access to billions of records for a small fee. And the email address is the most sought-after component, the key that potentially unlocks access to social media accounts, passwords and, of course, the inbox itself.
There is much businesses can do to reduce the flow of stolen personal data into criminals’ hands — responsible and prompt reporting to the police and data protection authorities; dark web scanning to spot leaks as they happen; informing customers and forcing password changes; and, of course, keeping hackers out in the first place.
But even if the data is successfully stolen and traded, that need not necessarily mean game over for the user whose information has been pinched.
We’re seeing a raft of innovations that go beyond a simple email and password check to verify users’ identities. Browser and device fingerprinting, behavioral analysis, geographical information and biometrics all offer promising advances.
But even once an identity is established, there’s the thorny question of who stores and manages that identity. The UK Government’s current approach is a federated one, whereby private companies will compete to be users’ identity provider. This raises difficult questions about liability: for example, if my social security payments are fraudulently accessed, to whom do I complain? The government or my identity provider? Unless the answer is clear, public confidence in such schemes will wane.
And it’s public confidence that’s ultimately going to drive the emerging identity industry. Worryingly, when cybercrime hits the news, I often hear of people abandoning the Internet or, at the very least, eschewing online banking, contactless cards, or any other emerging tech where convenience may give way to crime.
With every hacking headline, confidence in our emerging digital economy ebbs a little. Therefore, developing smart technology to tackle the identity issue is not just a technical challenge, it’s a global economic imperative.