If you work in the banking or payments industry, you will no doubt have heard about the proposed third Payment Services Directive, better known as PSD3.

But what does the new proposed regulation mean? How does it differ from PSD2? When does it come into force?

We’ve summarised all you need to know below.

What is PSD3?

PSD3 is a proposed directive that will regulate electronic payments and the payment activities of banks in the EU. It also covers non-bank payment service providers (PSPs).

It amends and updates the existing PSD2 framework, with the aim of addressing new challenges and opportunities in the digital payments landscape.

What impact will it have?

PSD2 was a major new piece of legislation, so it was inevitable that incremental updates would be required, particularly in the fast-paced banking and finance industry. Industry players continue to innovate at an incredible pace, with recent years seeing strong growth in digital payments and open banking.

And while PSD2 brought about changes and digitization, it also revealed gaps in legislation due to various developments in the market.

PSD3 aims to address these gaps, prevent fraud, and encourage innovation. Financial institutions, banks, and payment processors are advised to proactively explore ways to adapt their systems to meet the requirements of PSD3 once it becomes law in the EU.

Some of the key revisions in PSD3 are designed to:

  • Promoting fair competition: PSD3 aims to create a level playing field between banks and non-banks. It gives non-bank payment service providers access to all EU payment systems, subject to appropriate safeguards, and secures their right to a bank account.
  • Advancing open banking: PSD3 aims to remove the remaining obstacles to open banking services, giving customers more control over their payment data and easing the entry of innovative services into the market.
  • Enhancing cash availability: PSD3 addresses the availability of cash in shops and at ATMs. It will allow retailers to offer cash withdrawal without requiring a purchase and sets clearer rules for independent ATM operators.
  • Improving consumer rights: PSD3 strengthens consumer rights, particularly where funds are temporarily blocked, improves the transparency of account statements and gives clearer information on ATM charges.
  • Streamlining regulation and enforcement: PSD3 strengthens harmonisation by moving most payment rules into a directly applicable regulation (the accompanying Payment Services Regulation, PSR), and reinforces the provisions on implementation and penalties so that the framework is applied consistently across member states.

What’s the timeline?

The exact timeline for implementing PSD3 is not yet known, but finalized versions may be available by late 2024.

Once adopted, member states will have two years to transpose the directive into national law, and companies will then have a further two years to comply. This gives businesses within the European Economic Area (EEA) time to adapt their systems and operations.

The final word

PSD3 represents the evolution of payment services in Europe and aims to tackle emerging challenges and leverage opportunities in the digital payments landscape.

Through consultation and stakeholder input, the European Commission intends to create a strong framework that protects users, fosters innovation, and ensures secure electronic payments.

The finance industry will need to adapt to these regulatory changes to remain competitive and compliant in the evolving payments ecosystem.

Please contact us if you want to discuss how PSD3 will impact you.

The post PSD3: What is this new regulation and how does it impact payments in Europe? appeared first on Cybersecurity Insiders.

Cybercrime is something we can no longer avoid. On a regular basis, we hear about companies we have used experiencing a data breach, or a friend or family member who has fallen victim to online fraud. We may even fall victim ourselves – losing money or experiencing stress or disruption.

There’s no shortage of statistics to demonstrate the scale of this problem – and none of them make for easy reading. Here are just a few recent ones, announced ahead of cyber security month:

  • The global average cost of a data breach was $4.35 million in 2022, according to IBM's Cost of a Data Breach report
  • Half of global organisations experienced fraud in the past two years, the highest level in 20 years of research
  • 48% of organisations reported an increase in ransomware attacks in the past 12 months
  • In the UK, over £2,300 is stolen through fraud every minute

Securing online identities

At the same time as cybercrime has been on the rise, services have dematerialised: they are available online 24/7, and we increasingly need to prove our identities or share personal attributes remotely.

Think of the various situations where you must prove who you are: providing your passport and social security number to a new employer, presenting bank statements and proof of address when applying for a mortgage or loan, or proving your vaccination status when travelling, to name just a few.

In most of these instances, having to provide these documents online is not just commonplace – it’s the norm. And unless safeguards are put in place, this could further put consumer data at risk.

Convenience causes risky behaviours

Digital means of proving identity are the way forward and provide a number of benefits; customer convenience being one of them. However, if not done in a secure way – it could put the end user’s data at risk.

We previously surveyed consumers from across Europe and found that many people are engaging in risky behaviours when it comes to sharing their identity credentials.

While many see digital IDs as a convenient means of carrying and showing something that needs to be used frequently – only 27% have an official Digital ID. A far higher proportion of consumers rely on screenshots, digital photos or a scan of their physical ID or similar official document.

Even a sizeable majority of those who have official digital IDs admitted that they have these copies or scans on their phones. With malware attacks on consumer devices on the rise, important and incredibly sensitive information is at risk – leaving consumers open to fraud and identity theft.

The move towards EU ID Wallets

We’ve discussed the move towards EU ID wallets and the countdown to eIDAS2 before, highlighting how it’ll impact the everyday lives of citizens, as well as highlighting what consumers want from a wallet.

Progress is being made. In 2021 the EU announced that an EU Digital Identity Wallet will be made available to all 450 million citizens of the EU free of charge. After pilot phases in 2024, each member state is due to notify its wallet to the European Commission and begin deployment in 2026. The wallet will give users full control over their personal data, and 80% of EU citizens are expected to be equipped by 2030.

One of the biggest drivers behind this scheme is to ensure that every person eligible for a national ID card has a digital identity that is recognised anywhere in the EU. It will provide a simple and safe way to control how much information you share with each service that asks for it.

The shift to sovereign cloud

To accompany digital ID wallet initiatives and the unrelenting shift towards the digitalisation of credentials and personal data, many governments around the world are seriously looking at sovereign cloud.

A sovereign cloud is one in which strategic assets, including data, algorithms and critical software, remain under the physical and legal control of the customer's own jurisdiction, so that they are not exposed to foreign legislation that could compel access. In practice that means data residency, an operator and support staff subject only to local law, and encryption keys held by the customer rather than the provider; residency alone does not deliver sovereignty if the keys or the operator sit elsewhere.

At Thales, we believe digital ID wallet ecosystems are the future of digital identity. They will enable smooth and trusted proof of ID and entitlement anywhere, anytime while enabling data privacy to move to the next level by offering the most convenient user experience and compliance with the most stringent security and cyber privacy requirements.


The post Cybersecurity month: Why we need to talk about online identities appeared first on Cybersecurity Insiders.

Access control is at the heart of IT security, evolving over the years to adapt to the rising challenges and demands of an ever-complex digital landscape. One company at the forefront of this evolution is PlainID. In a recent conversation with Gal Helemski, co-founder and CTO/CPO of PlainID, we discussed the evolution of access control, the role of policy-based access control, and how the current cybersecurity landscape is shaping up.

The Evolution of Access Control

Access control’s story is one of constant change. From rudimentary methods that revolved around physical barriers to more complex role-based systems and beyond, it has always been about ensuring that the right people have the right access at the right time.

In the early days, Identity and Access Management (IAM) systems primarily centered on defining, managing, and authenticating identities. However, as Helemski mentioned, the IAM journey didn’t end there. “The identity journey is not completed. It’s not enough just to manage the identity. And to have the identity authenticated in a very well and secured manner.” Comparing the situation to giving someone a key to a house, she inquired, “Can they go everywhere they want in that house? Can they open the fridge, take whatever they want? No, they can’t. And that’s authorization.”

This gap in authorization management and control was the driver behind the founding of PlainID. The company’s vision was clear – address the missing link in the IAM journey.

Policy-Based Access Control (PBAC) vs. Role-Based Access Control (RBAC)

The shift from role-based access control (RBAC) to policy-based access control (PBAC) is significant. While RBAC focuses on the identity context, PBAC provides a holistic view, considering both the identity and the assets it accesses in the business context. Helemski elaborated, “Policies consider both what we know about the identity and what the identity is trying to access, and on top of that, any condition like environmental factors, time of day, and risk metrics which are currently in play.”

This comprehensive approach allows for dynamic, context-rich decisions about access, providing a much-needed solution to the limitations and complexities of traditional role-based systems. The policies governing policy-based access are flexible and can be defined or adjusted based on various attributes, including user attributes, resource attributes, and environmental conditions.

Flexibility & Scalability

One of the strengths of PBAC is its inherent flexibility. Whether it’s a change in job roles, introduction of new services, or organizational restructuring, PBAC can easily adapt without requiring a massive overhaul. This adaptive nature ensures that PBAC systems are scalable, catering to both small startups and vast multinational corporations.

Integration and Real-time Evaluation

Modern PBAC systems are designed to integrate seamlessly with other enterprise systems, such as HR or CRM platforms. This integration ensures that any change in a user’s status, like a job change or department transfer, can be immediately reflected in their access permissions. Real-time policy evaluation ensures that users have the right access at the right time, enhancing security without compromising on user experience.

Granularity and Context Awareness

PBAC excels in its ability to make context-aware decisions. Whether it’s distinguishing between access requests made from a secure office network versus a public Wi-Fi, or between regular working hours and unusual late-night requests, PBAC considers it all. This granularity ensures that access decisions are not just binary but are based on the comprehensive context surrounding the request.

Simplifying the Complex

While PBAC can handle complex policy definitions, it actually simplifies access management. Traditional systems might require defining and managing thousands of roles, leading to ‘role explosion’. In contrast, PBAC, with its dynamic policies, reduces the need for such extensive role definitions, making management more straightforward and more efficient.

Continuous Compliance and Audit

In an era where regulatory requirements are stringent, PBAC shines in ensuring compliance. Its detailed logging capabilities provide clear insights into who accessed what, when, and based on which policy. Such detailed audit trails not only help in regulatory compliance but also in internal reviews and investigations.

Insider Threats and Access Control

One of the considerable advantages of a policy-based approach is its nuanced understanding of risk. By considering the dynamic context of an access request, PBAC systems can respond to high-risk situations effectively. Helemski explained, “If the identity is trying to access from the office itself at 10:00 AM, that’s a low-risk access. But if they’re trying to access from a different country at 8:00 PM, that’s a high-risk access.”

Such a dynamic and granular approach is invaluable in managing insider threats, ensuring that risk metrics are continually updated and relevant.
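As an added illustration of the policy model described above (this is example code, not PlainID's product or policy language; the policy schema, the risk scoring and the sample requests are assumptions made for the illustration), the following Python evaluator combines user attributes, resource attributes and environmental conditions in one policy set. Two policies cover what RBAC would need several roles for, each decision record names the policy that produced it for later audit, and the sample contexts reproduce the office-at-10:00 versus abroad-at-20:00 contrast from the quote above, adding step-up authentication as the way out of the high-risk case.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Request:
    user: dict       # identity attributes, e.g. synced from the HR system
    resource: dict   # asset attributes, e.g. from a data catalogue
    env: dict        # environmental context: time, network, country, mfa


@dataclass
class Policy:
    id: str
    effect: str                                      # "allow" or "deny"
    subject: dict                                    # user attributes that must match
    resource: dict                                   # resource attributes that must match
    conditions: list = field(default_factory=list)   # predicates over the whole request


def _matches(required: dict, actual: dict) -> bool:
    """Every required attribute must be present with the same value."""
    return all(actual.get(k) == v for k, v in required.items())


def risk_score(req: Request) -> int:
    """Toy risk metric (an assumption for this example): off-network, foreign
    and out-of-hours access each add to the score."""
    score = 0
    if req.env.get("network") != "office":
        score += 2
    if req.env.get("country") != req.user.get("home_country"):
        score += 3
    if not 7 <= req.env["time"].hour <= 19:
        score += 1
    return score


def low_risk(req: Request) -> bool:
    return risk_score(req) <= 2


def high_risk_with_mfa(req: Request) -> bool:
    return risk_score(req) > 2 and req.env.get("mfa") is True


FINANCE = {"department": "finance", "status": "active"}
LEDGER_RULE = {"type": "ledger", "classification": "internal"}

POLICIES = [
    # One deny policy with an empty resource filter covers every asset.
    Policy("deny-terminated", "deny", {"status": "terminated"}, {}),
    # Finance staff may read internal ledgers from a low-risk context...
    Policy("finance-ledger-read", "allow", FINANCE, LEDGER_RULE, [low_risk]),
    # ...and from a high-risk context only after step-up authentication.
    Policy("finance-ledger-read-stepup", "allow", FINANCE, LEDGER_RULE, [high_risk_with_mfa]),
]


def evaluate(req: Request, policies=POLICIES) -> dict:
    """Deny-overrides evaluation with default deny. The returned record names the
    policy behind the decision, which is what an audit later needs."""
    applicable = [p for p in policies
                  if _matches(p.subject, req.user)
                  and _matches(p.resource, req.resource)
                  and all(cond(req) for cond in p.conditions)]
    denies = [p.id for p in applicable if p.effect == "deny"]
    allows = [p.id for p in applicable if p.effect == "allow"]
    if denies:
        decision, policy_id = "deny", denies[0]
    elif allows:
        decision, policy_id = "allow", allows[0]
    else:
        decision, policy_id = "deny", "default-deny"
    return {"decision": decision, "policy": policy_id,
            "user": req.user.get("id"), "resource": req.resource.get("id"),
            "risk": risk_score(req), "time": req.env["time"].isoformat()}


# Constructed sample data: one finance analyst, one ledger, four contexts.
ALICE = {"id": "alice", "department": "finance", "status": "active", "home_country": "FR"}
LEDGER = {"id": "gl-2023", "type": "ledger", "classification": "internal"}
OFFICE_10AM = {"time": datetime(2023, 10, 2, 10, 0), "network": "office", "country": "FR"}
ABROAD_8PM = {"time": datetime(2023, 10, 2, 20, 0), "network": "public", "country": "BR"}


def sample_decisions() -> dict:
    """Map each sample context to the policy that decided it."""
    cases = {
        "office_10am": Request(ALICE, LEDGER, OFFICE_10AM),
        "abroad_8pm_no_mfa": Request(ALICE, LEDGER, ABROAD_8PM),
        "abroad_8pm_mfa": Request(ALICE, LEDGER, {**ABROAD_8PM, "mfa": True}),
        "terminated_office": Request({**ALICE, "status": "terminated"}, LEDGER, OFFICE_10AM),
    }
    return {name: evaluate(req)["policy"] for name, req in cases.items()}


if __name__ == "__main__":
    for name, policy in sample_decisions().items():
        print(f"{name:20s} -> {policy}")
```

Two design choices matter here. Deny-overrides with default deny means a leaver's HR status change blocks access everywhere the moment the attribute is synced, without touching any other policy. And because the conditions are predicates over the whole request, the risk signal can be swapped for a real one (device posture, impossible travel, a SIEM score) without changing the policies that consume it.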

PlainID and Zero Trust

The Zero Trust model posits that trust needs to be re-established at every point, from network access right down to data access. While many companies focus on network-based Zero Trust, PlainID believes in extending the model. “PlainID enables you to make those decisions dynamically and granularly. It does not end at the network. It continues all the way through applications, APIs, services, data and so on,” Helemski said, emphasizing the need for a comprehensive Zero Trust approach.

Recommendations for Organizations

For organizations seeking to enhance their security posture, Gal Helemski’s top three recommendations are:

  • Awareness of visibility gaps: recognise that as the digital estate grows, you need to discover where digital identities exist and what each one is entitled to do.
  • Provision of tools: equip application owners with the tools to enforce consistent, secure authorization across every application.
  • Embrace a Zero Trust programme: Zero Trust is an ongoing journey. Set clear foundations and objectives, then onboard applications incrementally to reduce overall risk.

Looking Ahead

As the digital landscape continues to evolve, the need for dynamic, context-aware access control mechanisms like PBAC becomes even more apparent. By focusing on policies rather than static roles, PBAC provides a forward-thinking approach to access control, ensuring that organizations remain secure in an ever-changing digital world.

For more information, visit https://www.plainid.com/

The post The Evolution of Access Control: A Deep Dive with PlainID’s Gal Helemski appeared first on Cybersecurity Insiders.

While quantum computing is still very much in its early stages, it’s important that companies are already thinking about this evolving technology – and more importantly implementing and stress testing much needed solutions suitable for a post-quantum world.

In this blog series we have already discussed the evolving threat that is quantum computing, the need for Post Quantum Cryptography, and how security standards are evolving. In this final instalment we’ll be looking at the examples of PQC already in development.

Thales is actively engaged in research and development (R&D) efforts in the field of post-quantum cryptography. Recognising the potential impact of quantum computing on current cryptographic systems, our team is dedicated to developing and advancing secure solutions that can withstand the power of quantum computers.

One of our key objectives is to identify and evaluate the most suitable post-quantum algorithms for different applications and scenarios. This involves thorough analysis and testing to determine the algorithms' resistance to quantum attacks while considering their performance characteristics and compatibility with existing cryptographic infrastructure.

We’re actively collaborating with academic institutions, research organizations, and industry partners to foster innovation and exchange knowledge in the field of post-quantum cryptography.

Some examples of projects, research and initiatives that we are currently involved in include:

Piloting the first successful Post-Quantum phone call

Post-quantum threats have significant implications for situations involving highly sensitive information, such as the exchange of classified data over encrypted phone calls. To address these concerns, Thales helped develop a proof of concept to evaluate the scalability and effectiveness of its quantum-protected mobile solutions.

In this pilot our team carried out end-to-end encrypted phone calls whose protection was tested to hold in the post-quantum era.

The pilot was performed with the Thales ‘Cryptosmart’ secure mobile app and 5G SIM cards installed in today’s commercial smartphones, testing a mobile-to-mobile call, voice/data encryption, and user authentication.

Data exchanged during the call is protected against post-quantum attacks by a hybrid cryptography approach that combines a classical (pre-quantum) scheme with a post-quantum one. The point of the hybrid construction is that the call remains protected as long as either scheme holds, so adopting a new post-quantum algorithm does not weaken security if that algorithm is later found to have flaws.

PQC Signature Tokens

Thales has been working on PQC Signature Tokens, a smart card that incorporates a quantum-resistant digital signature algorithm. This gives organizations a tool to ensure the integrity and authenticity of their data files.

The smart card securely stores the private key used to generate digital signatures, and that key never leaves the card. When a user wants to sign a data file, the token computes the signature internally over the file's digest. Because the signature is bound to that digest, any change to the file invalidates it, and without the private key nobody else can produce a valid signature for it.

To enable verification of the signature, the PQC Signature Token also includes associated public keys. These public keys are certified by a trusted certification authority, allowing recipients of the signed files to check the signature’s validity. By verifying the authenticity and integrity of the file through the certified public keys, organizations can have confidence in the legitimacy of the data.

The certificates associated with the public keys can either be stored within the token itself or accessed from a server in the cloud. This flexibility provides convenience and scalability for organizations, allowing them to manage and distribute the necessary certificates according to their specific requirements.

The TDIS PQC Signature Token represents a significant advancement in data security, particularly in the face of quantum computing threats. With its integration of a quantum-resistant algorithm and secure key management, this smart card lets organizations protect their data files, maintain data integrity and establish trust in digital transactions.
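As an added, runnable illustration of the signing flow just described (example code, not Thales's TDIS token or the algorithm it uses), the following Python models the token with a hash-based one-time signature. Lamport's scheme is the simplest member of the hash-based family that SPHINCS+ also belongs to; its security rests only on the hash function (here SHA-256), not on RSA or elliptic-curve problems, which is the point of a quantum-resistant signature. The minimal certificate format, the subject name and the sample file are constructed for the example. It also handles the scheme's one hard edge: a Lamport key may sign exactly one digest, because every signature reveals half of the private key, so the token refuses a second use.

```python
import hashlib
import hmac
import secrets

N = 32        # SHA-256 output length in bytes
BITS = 8 * N  # one private-key pair per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def file_digest(data: bytes) -> bytes:
    """The token signs a digest of the file, never the file itself."""
    return H(data)


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


class Token:
    """Models the signing token: the private key stays inside and only sign()
    is offered. A Lamport key is strictly one-time, so a second signature is
    refused rather than produced."""

    def __init__(self):
        self._sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
        self.public_key = [(H(a), H(b)) for a, b in self._sk]
        self._used = False

    def sign(self, digest: bytes) -> list:
        if len(digest) != N:
            raise ValueError("expected a 32-byte digest")
        if self._used:
            raise RuntimeError("one-time key already used; refusing to sign again")
        self._used = True
        # For each digest bit, reveal the preimage that corresponds to its value.
        return [self._sk[i][_bit(digest, i)] for i in range(BITS)]


def verify(public_key: list, digest: bytes, signature: list) -> bool:
    """Hash every revealed preimage and compare it with the public-key slot
    selected by the same digest bit."""
    if len(digest) != N or len(signature) != BITS:
        return False
    ok = True
    for i, preimage in enumerate(signature):
        ok &= hmac.compare_digest(H(preimage), public_key[i][_bit(digest, i)])
    return ok


def key_fingerprint(public_key: list) -> bytes:
    return H(b"".join(a + b for a, b in public_key))


def issue_certificate(ca: Token, subject: str, public_key: list) -> dict:
    """Constructed minimal certificate: the CA's own token signs subject plus key."""
    to_be_signed = H(subject.encode() + key_fingerprint(public_key))
    return {"subject": subject, "public_key": public_key, "ca_signature": ca.sign(to_be_signed)}


def verify_certificate(ca_public_key: list, cert: dict) -> bool:
    to_be_signed = H(cert["subject"].encode() + key_fingerprint(cert["public_key"]))
    return verify(ca_public_key, to_be_signed, cert["ca_signature"])


def verify_signed_file(ca_public_key: list, cert: dict, data: bytes, signature: list) -> bool:
    """What a recipient does: check the certificate first, then the file signature."""
    return verify_certificate(ca_public_key, cert) and verify(cert["public_key"], file_digest(data), signature)


def demo() -> dict:
    ca, alice, rogue = Token(), Token(), Token()
    cert = issue_certificate(ca, "alice@example.org", alice.public_key)
    data = b"Q3 ledger export: revenue 12.3M"          # constructed sample file
    signature = alice.sign(file_digest(data))
    # An attacker with their own key reuses Alice's CA signature on a forged cert.
    forged_cert = dict(cert, public_key=rogue.public_key)
    try:
        alice.sign(file_digest(b"second file"))
        reuse_refused = False
    except RuntimeError:
        reuse_refused = True
    return {
        "genuine": verify_signed_file(ca.public_key, cert, data, signature),
        "tampered": verify_signed_file(ca.public_key, cert, data.replace(b"12.3M", b"13.3M"), signature),
        "rogue_key": verify_signed_file(ca.public_key, forged_cert, data, rogue.sign(file_digest(data))),
        "reuse_refused": reuse_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The sizes explain why real tokens do not ship plain Lamport: a signature here is 256 preimages of 32 bytes (8 KB) and a public key is twice that. Practical hash-based schemes keep the same security argument but shrink keys with Merkle trees and chains of hashes, and SPHINCS+ additionally removes the one-time state so the token does not have to track which keys it has used.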

We are already involved in two internationally funded projects with the TDIS signature token:

Securing Medical Data with Moore4Medical

Moore4Medical creates connected health products, including connected mattresses designed to use real-time data and IoT sensors to monitor patient health and ultimately improve patient outcomes.

However, health data is sensitive and can cause harm if it ends up in the wrong hands, creating security and privacy issues. There is a need for technical solutions that are secure by default and provide true end-to-end protection of patient data.

We're collaborating on this EU-funded project to create a quantum-resistant e-Passport for sensitive medical sensor data, which will provide stronger identification and authentication of patients, achieving the necessary performance and functionality levels while guaranteeing security and long-term privacy protection for this sensitive data.

Securing the Future of Electric Power and Energy Storage with ELECTRON

ELECTRON aims to deliver a new-generation EPES platform capable of strengthening the resilience of energy systems against cyber, privacy and data attacks.

EPES stands for electrical power and energy system: the combination of technologies and infrastructure used for generating, distributing and storing electrical power. EPES platforms are designed to improve the efficiency, reliability and sustainability of power delivery and energy management.

This project has received funding from the European Union’s Horizon 2020 research and innovation programme and has the following four task forces:

  1. Shielding the EU borders: Addressing and Mitigating Cyberattacks and Data Leaking in Ukraine
  2. Looking ahead: Providing a Resilient Electric Vehicle Ecosystem
  3. Protecting the Renewable Energy Chain from Cyberattacks and Data Leaking
  4. Proactive Islanding Meets Efficient Threat Detection: Addressing & Mitigating Cyberattacks in the Romanian Energy Chain.

We're working on the second task, helping to improve privacy and security by adding digital signatures and an auditing mechanism so that information can be verified to come from trusted sources and the ecosystem is protected against attacks.

To achieve this we use a system called TDIS Quantum Cryptography OS, which helps make the platform resistant to attacks from quantum computers. Our team will select the best algorithms for creating signatures on smart tokens, demonstrate how they work on smart tokens and EPES systems, and continue to improve the system's performance and its compatibility with existing methods.

This is just a summary of some of the projects we're working on in this field. The arrival of quantum computing poses an unprecedented challenge for the global cybersecurity community. Building defences against future threats may seem daunting, but it is an urgent task we must tackle head-on. While the post-quantum era may still be some years away, progress in quantum computing demands action now. By actively engaging in pilot programmes and trials, Thales and its customers are practising crypto-agility and preparing for the arrival of this game-changing technology.

The post Getting your organisation post-quantum ready appeared first on Cybersecurity Insiders.

In our previous blog we discussed the emerging technology that is quantum computing, the benefits it brings, but also the risks it can pose to digital identities.

In this next blog we’ll be taking a closer look at Post Quantum Cryptography, and the measures being taken by the industry to secure digital identities in the post quantum era.

Why is this so important? 

Quantum computing poses several risks to digital identities due to its ability to break certain cryptographic algorithms that currently underpin secure communication and digital identity systems. Some of the risks include:

  • Compromising digital certificates: a sufficiently large quantum computer running Shor's algorithm could break the public-key schemes in common use today, RSA and elliptic-curve cryptography, on which secure communications and digital seals depend. Digital certificates bind a public key to an identity in applications such as secure web browsing; with the underlying signature scheme broken, an attacker could forge certificates, impersonate legitimate entities and carry out malicious activity.
  • Decrypting past interceptions: quantum computers could decrypt data that was intercepted and stored in the past. An attacker who records encrypted traffic today and waits for a quantum computer to become available can then recover the plaintext; this is often called "harvest now, decrypt later", and it means long-lived secrets are at risk now, not only once such a machine exists.
  • Identity theft and fraud: the same break applies to the key exchanges that protect credentials and card numbers in transit and to keys wrapped under RSA at rest. This could lead to identity theft, fraud and unauthorized access to personal accounts or systems.

Several industry standards for post-quantum cryptography are being developed and evaluated. Although the field is still evolving, the following organizations and initiatives are actively contributing to those standards. Their efforts aim to provide new guidelines, new algorithms and updated protocols that will keep digital systems and communications secure in the presence of powerful quantum computers.

NIST Post-Quantum Cryptography Standardization: the US National Institute of Standards and Technology (NIST) is leading the standardization of post-quantum cryptography. NIST began the project in 2016 to evaluate and select quantum-resistant algorithms, and several rounds of evaluation and public comment have been held. In July 2022 NIST announced the four algorithms it will standardize first as a result of the Post-Quantum Cryptography (PQC) Standardization Process: the key-encapsulation mechanism CRYSTALS-Kyber, and three digital signature schemes, CRYSTALS-Dilithium, FALCON and SPHINCS+.

Internet Engineering Task Force (IETF): the IETF is working on how post-quantum algorithms are used in Internet protocols. Its PQUIP (Post-Quantum Use in Protocols) working group provides guidance on the transition, while the TLS and LAMPS working groups and the IRTF's Crypto Forum Research Group (CFRG) specify how quantum-resistant and hybrid algorithms are carried in TLS and in X.509 certificates.

European Telecommunications Standards Institute (ETSI): ETSI is also involved in standardization for post-quantum cryptography. Its Quantum-Safe Cryptography (QSC) working group, part of the TC CYBER technical committee, develops standards and guidelines for keeping cryptographic systems secure against quantum attacks.

International Organization for Standardization (ISO): the working group ISO/IEC JTC 1/SC 27/WG 2 is responsible for cryptography and security mechanisms within ISO's information security standards, and post-quantum algorithms are being brought into that work.

In part three, we’ll be taking a closer look at the industry examples of post quantum cryptography already in action.


The post Preparing Digital Identity for the Post-Quantum Era appeared first on Cybersecurity Insiders.

Digital identities have had a significant impact on the way we interact, transact, and explore the world around us. However, there is still a limited understanding of what they are and the benefits they have.

In our latest piece for Computer Fraud & Security Magazine, we addressed some of the common misunderstandings around digital IDs, and outlined the potential for enhanced security, efficiency, and simplicity across the digital landscape. Here’s a flavour of some of the key takeaways…

  • Anyone can use them – not just digital natives: Contrary to popular belief that digital identities are exclusively for the tech-savvy, they boast an incredibly user-friendly interface. From a smartphone’s digital wallet, credentials and identity data can be easily pre-loaded, activated via biometric authentication (e.g., facial recognition or fingerprint scanning), and presented as a QR code for swift verification.
  • They’re highly secure and private: With robust biometric authentication and encryption layers, digital wallets provide multi-layered security, guarding your data from unauthorised access. Likewise, with passwords being an outdated form of authentication for online systems, biometrics provide a more resilient means of proving that you are who you say you are.
  • They’re a frictionless and efficient way to prove who you are: The current identity verification landscape is highly fragmented, with various platforms, services and systems complicating user experience. Digital identities offer a seamless solution by centralising authentication, sparing people the hassle of retrieving many different forms of identification from both digital and physical sources.
  • You only need to share the bare minimum of information: While your digital ID may securely host a wealth of information about you, it takes a more granular and controlled approach to data sharing. It will only reveal essential details necessary for specific transactions, and always based on the consent of the user, safeguarding your privacy.
  • They have the potential to be used anywhere: Industries spanning finance, retail, travel, voting, real estate, law enforcement, and online services are embracing the concept of digital IDs. They all hold different forms of identity, from driving licences to boarding passes, qualifications, loyalty cards, and employment status. These all are very different use cases, but all would operate under the same principles.

By building a better understanding of digital IDs, we can accelerate their rollout and maximise their potential to enhance everyday processes.

Learn more here: https://www.thalesgroup.com/en/markets/digital-identity-and-security/digital-id

 

The post Digital identity: Dispelling the myths appeared first on Cybersecurity Insiders.

The potential of the Internet of Things (IoT) is huge, with connected devices around the world holding the promise of a better, greener and safer future.

This makes events like IoT Tech Expo Europe even more important. On the 26th and 27th of September 2023, enterprise leaders from around the world will come together to explore the latest innovations, implementations and strategies – helping them to realise the benefits of IoT and drive their business forward.

So, as 5,000 attendees gather in Amsterdam, what themes should they be looking out for? GSMA's Global Trends Report provides some insight into the latest developments in IoT that we'll be watching closely at this year's event.

1) IoT deployments driving the digital transformation agenda: IoT deployments are part of a wider digital transformation agenda for nearly two thirds (63%) of enterprises, according to the GSMA, with revenue generation and cost savings emerging as equally important priorities. The GSMA expects two billion new IoT connections globally in 2023, 1.4 billion of them from enterprise use cases, and in 2024 enterprise connections will surpass consumer connections for the first time.

2) The evolution of 5G: the vision of a connected world depends on a successful rollout of 5G-Advanced. IoT devices are putting pressure on current networks, affecting speed and reliability and driving operators to evolve their strategies. The GSMA's research found that low-cost IoT is one of the top priorities for 5G-Advanced, with nearly a quarter (24%) of operators naming it the most important feature for their network transformation priorities. This reflects a continued push towards B2B services.

3) Growth in the cellular IoT space: cellular networks currently serve 15% of total IoT connections, so the expansion of the IoT market leaves significant room for growth. According to the GSMA's research, licensed cellular IoT connections will reach 5.3 billion globally by 2030, up from 2.6 billion in 2022. Within cellular IoT, cellular M2M will continue to serve devices that require mobility (with 5G enabling the lower latency and higher data rates of ultra-reliable low-latency communications, URLLC), while licensed LPWA will take over devices previously served by legacy 2G and 3G networks.

4) eSIM technology looking to scale: eSIM has long been recognised as a significant enabler of IoT deployments across industries. The potential for growth is significant: the GSMA research found that 83% of enterprises consider eSIM an important technology for the success of their IoT deployments, with security and scalability the top benefits cited. This is an opportunity for operators and other providers of eSIM and IoT solutions to meet enterprise demand. In 2023 the focus will be on advancing eSIM adoption beyond automotive, while demonstrating how eSIM supports the green imperative.

5) Synergies between IoT and private wireless networks: enterprises that want private wireless networks also want IoT. Around 70% of operators report that enterprise customers who buy private wireless (4G/5G) also request IoT services occasionally or very frequently, indicating an important synergy between the two. Growth in private wireless networks is therefore likely to drive renewed interest and further growth in enterprise IoT.

With innovation in this field accelerating at pace, this year’s event is a good opportunity for enterprise leaders to stay up to date with the latest trends and identify new growth opportunities. The sharing of knowledge and information will ultimately help to pave the way for more robust digital transformation strategies.

Find us at IoT Tech Expo 2023 at stand 120: https://www.iottechexpo.com/europe/partners/thales-dis-france-sas/


The post Trends to watch at this year’s IoT Tech Conference appeared first on Cybersecurity Insiders.

Cyber threats have grown increasingly sophisticated in recent years; an expanding attack surface, today’s hybrid work environment and new vulnerabilities introduced by the IoT are just a few of the challenges. Despite this evolving landscape, most organizations have yet to modernize their authentication security to effectively prevent password-based attacks and related vulnerabilities. With the most recent DBIR finding that compromised credentials are behind more than 50% of breaches, it’s imperative that companies act now to bolster authentication security.

To understand more about this issue, Enzoic recently commissioned a survey of over 480 cybersecurity professionals. The State of Authentication Security Report underscores that—despite the passwordless hype—username and password combinations remain the primary authentication mechanism, with nearly 70% of companies utilizing this method. By contrast, only 12% of organizations are deploying passwordless strategies.

Legacy Approaches Weakening Password Security

Unfortunately, many companies are failing to evolve password management to reflect the current threat landscape. What’s more, the majority of those surveyed continue to follow legacy practices that have actually been found to weaken credential security.

For example, 74% of companies require forced resets every 90 days or less. Not only does this generate more work for employees and IT alike, it also fails to align with NIST’s updated password policy recommendations. The latter, along with Microsoft and other leading organizations, have found that employees typically select easy-to-remember credentials or swap out one letter or character when faced with frequent resets—resulting in a weak credential that threat actors can easily exploit.

The Dark Web Dilemma

Password reuse is another problem contributing to authentication security challenges, with Google finding that employees reuse a single password an average of 13 different times. The volume of breaches means that the Dark Web has become a treasure trove of this information; hackers can easily find and obtain lists of compromised credentials to fuel ongoing password-based attacks.

Our research highlights that most companies are aware of this vulnerability, with 84% of respondents concerned about weak and compromised passwords. However, many fail to grasp the extent of the threat—46% estimate that less than 1/5 of their passwords could be found on the Dark Web, while another 26% are unsure what percentage might be available there.

The Case for Credential Screening

This underscores the importance of modernizing authentication security to incorporate screening for compromised credentials—something that less than half of the respondents in our survey are currently doing. Enzoic helps companies protect against this threat by screening password and username combinations against its proprietary database of billions of exposed credentials. We maintain the latter using a combination of proprietary automated processes, submitted contributions, and research from our threat intelligence team. Because our database is automatically updated multiple times per day, organizations can be assured that their password security reflects the latest breach intelligence.

Another key benefit of our credential screening solution is that it eliminates the IT helpdesk burden of frequent resets and other legacy approaches while offering a more frictionless user experience. Because the screening happens automatically in the background, non-compromised users gain efficient access to their accounts and services. Should a compromise be detected, organizations can automate their response with a range of actions, including the immediate disabling of the account in question.
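As an added illustration (not Enzoic’s code, database or API), here is a Python sketch of the screening flow just described: the password hash is checked with a k-anonymity range query against a constructed, purely hypothetical breach corpus, and the result maps to the action a login pipeline should take (allow, force a reset, or disable the account when the exact username and password pair is exposed).

```python
import hashlib

def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1, the common lookup key for exposed-password corpora."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()

# Constructed sample corpus of exposed password hashes (hypothetical values,
# standing in for a breach database with billions of entries).
EXPOSED_PASSWORD_HASHES = {
    sha1_hex(p) for p in ("Password1", "Summer2023!", "letmein", "Welcome1")
}
# Constructed sample of exposed username:password pairs, stored hashed.
EXPOSED_PAIR_HASHES = {sha1_hex("alice@example.com:Summer2023!")}

def range_lookup(prefix: str) -> list[str]:
    """Simulated k-anonymity range query: the client sends only the first five
    hex characters of the hash and receives every matching suffix, so the full
    password hash never leaves the client."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return [h[5:] for h in EXPOSED_PASSWORD_HASHES if h.startswith(prefix)]

def password_is_exposed(password: str) -> bool:
    h = sha1_hex(password)
    # Exact suffix match locally; a prefix collision alone is not a hit.
    return h[5:] in range_lookup(h[:5])

def screen_credentials(username: str, password: str) -> str:
    """Return the action the login flow should take for this credential.

    Screening replaces time-based forced resets: a password is only rejected
    when breach intelligence shows it is exposed, in line with the NIST
    guidance referenced above.
    """
    if sha1_hex(f"{username.lower()}:{password}") in EXPOSED_PAIR_HASHES:
        return "disable_account"   # exact pair exposed: treat as compromised
    if password_is_exposed(password):
        return "force_reset"       # password known to be exposed elsewhere
    return "allow"                 # no breach hit: no friction for the user
```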

The Path Forward

While there are many unknowns in cybersecurity, there is one universal truth: hackers will continually hunt for new ways to exploit companies for financial gain and other nefarious purposes. With the DBIR and other studies repeatedly pointing to compromised credentials as a common threat vector, it’s imperative that organizations act today and shore up authentication security.

You can read more about this issue and other findings from the State of Authentication Security Report here.

The post Bringing Authentication Security Out of the Dark Ages appeared first on Cybersecurity Insiders.

Digital identification has rapidly become an integral part of our day-to-day lives, simplifying processes for both individuals and businesses.

What was once considered technology exclusive to “tech-savvy digital natives” has now become more mainstream, with large parts of the population embracing digital IDs. This shift has been significantly accelerated by the Covid-19 pandemic and associated lockdowns, which acted as a catalyst for the adoption of digital identity solutions.

Nowadays, using a smartphone to board a plane, store bank cards, or prove vaccination status has become second nature to many of us. The concept of digital identification is fast becoming well-established and has seamlessly integrated into various aspects of our lives, streamlining daily routines and interactions.

Concerns over insecure DIY approaches

Despite the adoption of digital IDs around the world, a Thales survey revealed a troubling trend. Nearly half (45%) of Europeans are currently relying on insecure, unofficial, “DIY” (do-it-yourself) scans and photos of their cards and documents to prove their identity and entitlements.

Storing scans of your official ID documents (such as a passport or a driver’s license) on your devices creates significant privacy and security risks. For example, if your device is lost, stolen, or hacked, then these DIY scans containing all your personal information are vulnerable.

These unofficial ‘DIY’ versions of ID are also susceptible to a specific type of cyberattack – infostealers, malware designed to steal sensitive information from infected devices.

One of the biggest risks here is around compromised log-in credentials. Infostealers can steal log-in credentials, usernames, and passwords to access email accounts, which is where scans of a user’s ID documents are frequently found. ID scans stored in photo libraries on mobile phones can also be exploited.

Further to this, the sensitive and personal information contained in these unofficial IDs could be used by bad actors to commit identity theft and financial fraud.

The security versus convenience paradox

Results from Thales’ study revealed some conflicting attitudes towards security among digital ID users. Even though security is of paramount importance, a significant proportion are still taking unnecessary risks by storing scans of official documents on their devices.

This contradiction highlights the need for a comprehensive and universally accepted Digital ID solution that ensures both convenience and security.

The three pillars of trusted digital identity

At Thales, we believe that trusted digital identity relies on three key pillars: convenience, security, and privacy.

As digital ID becomes increasingly integral to our lives, it is crucial to address the security concerns and replace insecure DIY practices. The growing threat of “infostealers” – alongside the contradictory priorities towards security – reinforces the urgency of a robust and reliable Digital ID infrastructure.

By embracing secure digital identity solutions, we can safeguard sensitive information, protect individuals and businesses from cyber threats, and foster a safer and more digitally integrated society.


The post Unofficial digital IDs – what are the risks? appeared first on Cybersecurity Insiders.

How biometrics can help to make our world a safer place

We’ve recently been exploring biometric technologies on this blog and how they have become a part of our everyday lives, helping us to move, travel and pay more seamlessly. Indeed, fingerprints, retinal scans, voice identification and facial recognition have all become invaluable tools to help us access essential services and experience the world around us.

But it’s important to remember that the benefits of these technologies extend far beyond convenience; they also play a crucial role in ensuring our safety and protection. Here are three ways biometric technologies can help to ensure public safety…

  • Criminal forensics and the identification of suspects: Biometric technologies can speed up the identification of criminals. Indeed, fingerprint identification systems have been relied upon by law enforcement agencies for over a century. In the United Kingdom, for example, the Metropolitan Police has been using biometrics for identification since 1901.

Over the years, criminal investigations have grown to include other biometric technologies including DNA, palmprint, face, and iris – further helping to expedite the identification process. And now, multi-biometric identification solutions allow crime scene investigators and forensics experts to analyse physical evidence from the field. They are available wherever frontline staff are, right in the palm of their hands, to simplify and accelerate the process.

Ultimately, faster and more accurate identification of repeat offenders will help to take criminals off the streets, contributing to a safer society.

  • Efficient border security: Biometric-enabled self-service kiosks and eGates have revolutionised border control. They allow border agencies to adequately face the challenge of processing an increasing number of travellers – without compromising security.

The inclusion of biometric data provides a faster and more accurate means of making sure all persons entering or leaving the territory are who they say they are. This helps to counter illegal immigration and terrorism, thereby reinforcing the country’s borders and keeping citizens safe.

  • Preventing identity theft: Biometric technologies also offer enhanced protection against impersonation and identity theft. By integrating biometric data such as fingerprints into ID documents, or by using electronic identification (eID) that embeds a digital version of the user’s photograph, issuers can make it significantly more challenging for fraudsters to compromise or forge official forms of identification. This leads to fewer fraudulent documents – which would have been used for profit or criminal activities – and the securing of citizens’ identities.

Looking ahead, law enforcement agencies will need to adopt biometrics more widely to support efficient operations. However, this is an area where responsibility must always come before innovation. With biometrics relying on the access and use of citizens’ most personal information, these deployments must be handled with the utmost sensitivity and strong ethical principles.

Thales brings decades of experience in secure identity management, biometrics, and cybersecurity. Our global leadership in data protection helps us to make sure citizens can experience the world safely and securely.

Read more about our approach to biometrics and how we build trust with both consumers and service providers here: https://www.thalesgroup.com/en/worldwide/group/magazine/thales-true-technology-responsible-biometrics

The post Biometrics in law enforcement appeared first on Cybersecurity Insiders.