By Jacob Ideskog, CTO at Curity

The adoption of Open Banking has increased rapidly over recent years and has had a revolutionary impact on financial institutions and on the experience consumers have when interacting with finance products. According to the OBIE, 5 million people are now using Open Banking in the UK, as the benefits of the new products and services begin to be recognized by consumers and businesses alike.

However, the rapid rise of Open Finance has also coincided with concerns about the compliance and security risk that it poses. Curity’s latest report ‘Facilitating the Future of Open Finance’ revealed that over 70% of organizations globally are concerned with security-related issues associated with Open Banking. It’s clear that this is a significant hurdle that still needs to be overcome if the adoption of Open Banking is to continue its rise.

The cybersecurity sector has the opportunity and means to alleviate fears and be at the forefront of the adoption of this revolutionary technology.

Addressing and Alleviating Security Concerns

A key concern amongst businesses is the extensive involvement of third-party providers that Open Finance requires and the heightened security risks associated with this: over 65% of organizations view this as a top security concern. Additionally, 62% of organizations have concerns about outdated security systems that don’t support securely sharing data.

However, such concerns, whilst understandable, don’t recognize the current capabilities of security solutions such as Multi-Factor Authentication, or the implementation of Government regulations such as PSD2 in the EU. Crucial elements of the Open Banking experience are Application Programming Interfaces (APIs). APIs enable the efficient exchange of data between applications, services, and customers and can be used safely as long as access to them is properly secured. Acting as the backbone for Open Banking, applications built using APIs with correctly secured access allow backend communication between banks and financial institutions without the need to re-enter or re-share login details every time.

With regard to outdated security systems, investment will be crucial in addressing this issue. Reassuringly, 83% of all organizations surveyed do plan to invest more into Open Banking this year than the previous 12 months. This will not only allow them to update their security systems to meet the standards that Open Banking requires, but will also improve the customer experience and reassure potential users.

The foundations of Open Banking are rooted in providing consumers with a choice of financial products and control over how they manage their finances. Therefore, providing a service that is interoperable between brokers, banks and third-party financial institutions, so that all parties are equipped with the information they need, is vital to bettering the customer experience. Furthermore, investment in the deployment of modern authentication methods will be a key aspect of addressing consumer hesitancy due to security concerns and ensuring consumer buy-in.

Communication will also play a crucial role, both internally and externally. As mentioned previously, many concerns of both financial institutions and consumers are either already accounted for by security systems or have solutions that can be implemented immediately. It’s vital to ensure that education around Open Banking is improved to alleviate fears that, in some cases, are unfounded amongst businesses and consumers alike.

The role of the cybersecurity industry

Whilst there are clear concerns and issues amongst organizations across the globe, there is undeniably significant momentum behind the adoption of Open Banking. With almost three quarters of organizations surveyed planning to introduce Open Banking in the next 18 months, cybersecurity professionals’ focus should be on ensuring this transition is as smooth as possible.

This momentum and clear intention from businesses to adopt and invest in Open Banking provides the cybersecurity sector with a significant opportunity to be at the forefront of this banking revolution. It will be vital for the industry to work closely alongside financial institutions to support this change and mitigate risk at every turn.

We can expect the adoption of Open Banking to continue in the short term, but its long term health and adoption is absolutely dependent on the ability of the industry to address the security concerns and hesitancy that exist.

There’s potential for Open Banking to have a revolutionary impact on the way businesses and consumers approach their finances and more and more institutions are set to incorporate it into their business. However, despite the clear benefits associated with Open Finance, this cannot be done at the expense of individuals’ security and protecting their personal and private data. This is why the cybersecurity sector plays such an important role. If the industry doesn’t effectively mitigate risk and alleviate fears, no matter how much enthusiasm and momentum there is behind Open Banking it will not realize its full potential.

The post Security and the Future of Open Finance: How to Improve Adoption Globally appeared first on Cybersecurity Insiders.

DIGISTOR®, a CRU Data Security Group (CDSG) brand, has added to its innovative line of secure DIGISTOR Citadel™ self-encrypting drives with pre-boot authentication by introducing PBA to its Citadel C Series lineup. The new drives, powered by Cigent®, add the critical PBA function to their existing DIGISTOR C Series of self-encrypting drives.

In addition, DIGISTOR is announcing that the Citadel C Series Advanced version has been listed by NIST as a FIPS 140-2 L2 certified storage device with NIST certificate #4294. This certification is an additional assurance that DIGISTOR C Series Advanced SEDs have been tested and validated by the US Government to meet its strict security requirements in the devices’ cryptographic module.

The renamed DIGISTOR Citadel C Series drives with PBA are ideal for developing secure Data at Rest (DAR) storage solutions in commercial and other government applications where protecting critical information against ransomware and other cyber threats is vital. Pre-boot authentication requires that a computer user provide trusted credentials to the drive before the laptop or desktop computer can detect the drive and boot from it. This prevents unauthorized users from gaining access to the encrypted drive and its sensitive data.

“To safeguard data, robust cybersecurity features, like PBA, are needed in security-conscious industries like financial services, healthcare, and critical infrastructure such as power grids and water supplies, the defense sector, and government agencies,” said Randal Barber, CDSG President and CEO. “The Citadel C Series makes PBA affordable for the wide range of applications that do not demand the stringent certification requirements seen with some military and government customers.”

Citadel C Series drives offer additional cybersecurity functions such as multi-factor authentication (MFA), zero-trust file access, unreadable storage partitions protected by non-recoverable keys, automated threat response that renders data invisible if Cigent Data Defense is disabled, and secure access logs that capture all insider threat activity.

Citadel C Series SSDs are built on DIGISTOR TCG Opal or FIPS 140-2 L2/Common Criteria self-encrypting drives. The new drives will be available in Q4 2022 in standard M.2 NVMe and SATA form factors and 2.5-inch SATA form factors, for commonly used laptops, desktops, and tactical servers.

“DIGISTOR is an important partner who aligns closely with our vision and product offerings,” said Tom Ricoy, Chief Revenue Officer, of Cigent. “We are delighted to extend our collaboration and help the company broaden its important Citadel family of PBA self-encrypting storage solutions.”

These new drives with PBA are part of the extended Citadel family including the Citadel K Series SSDs, powered by CipherDrive™ and its CSfC-listed PBA (EE), which have been adopted widely with military and government agencies. The Citadel family rounds out the DIGISTOR secure SSD product line that includes FIPS-certified and TCG Opal-compliant SSDs, all of which are TAA-compliant, and are suitable for a wide range of security solutions.

For more information visit digistor.com/citadel.

ABOUT THE COMPANY

DIGISTOR, a CRU Data Security Group (CDSG) brand, provides secure storage solutions for Data at Rest. CDSG is a leading provider of data security solutions and data transport and storage devices for government and military agencies, small and medium-sized businesses, the entertainment industry, corporate IT departments, data centers and digital forensic investigators. Its other brands include CRU removable storage devices, ioSafe fireproof and waterproof data storage devices and WiebeTech digital investigation devices.

The post DIGISTOR® EXTENDS COMMERCIALLY PRICED SELF-ENCRYPTING DRIVE PRODUCTS WITH KEY PRE-BOOT AUTHENTICATION FEATURE TO SECURE DATA AT REST (DAR) appeared first on Cybersecurity Insiders.

You don’t have to look very far to find evidence of a rise in cybercrime. It seems we can’t go a month without some news of a large data breach.

There’s no shortage of statistics either – and none of them make for easy reading. Here are just a few recent ones, announced in time for cyber security month:

Globally, 30,000 websites are hacked daily.

64% of companies worldwide have experienced at least one form of a cyber-attack.

There were 22 billion breached records in 2021.

The latest Anti-Phishing Working Group (APWG) “Phishing Activity Trends Report” for the second quarter of 2022 found 1,097,811 observed phishing attacks, the most the group has ever measured in its history.

Dematerialization of identity

Set against this backdrop, there has also been a dematerialization of proving one’s identity – which could further put consumer data at risk.

What do we mean by the dematerialization of identity? Think of various incidents where you must prove who you are. That could be providing your passport and social security number when starting with a new employer, presenting bank statements and proof of address when applying for a mortgage or loan, or even proving your vaccination status when travelling – just to name a few.

In most of these instances, having to provide these documents online is not just commonplace – it’s the norm.

Convenience causes risky behaviors

Digital means of proving identity are the way forward and provide a number of benefits, customer convenience and ease being one of them. However, if not done in a secure way – they could put the end-user’s data at risk.

We surveyed consumers from across Europe and discovered that many are engaging in risky behaviors when it comes to sharing their identity credentials.

While many see digital IDs as a convenient means of carrying and showing something that needs to be used frequently – only 27% have an official Digital ID. A far higher proportion of consumers rely on screenshots, digital photos or a scan of their physical ID or similar official document.

Even a sizeable majority of those who have official digital IDs admitted that they have these copies or scans on their phones. With malware attacks on consumer devices on the rise, important and incredibly sensitive information is at risk – leaving consumers open to fraud and identity theft.

The move towards EU ID Wallets / eIDAS2

We’ve discussed the move towards EU ID wallets and the countdown to eIDAS2 before, highlighting how it’ll impact the everyday lives of citizens, as well as highlighting what consumers want from a wallet.

One of the biggest drivers behind the EU commission, governments and authorities for eIDAS2 is for all citizens to have means of accessing a wallet that is both convenient and easy to use, as well as secure.

In fact, the security credentials of EU ID wallets came to the forefront again this summer when an MEP called for the wallet to follow security-by-design principles. The draft regulation put forward stated that “it shall be technologically impossible to receive any information on the use of the Wallet or its attributes”.

In addition, personal data should only be stored and processed in the territory of the European Union, where Union and national law apply; such as GDPR. Other stipulations state that user consent needs to be explicitly given in order to store information from the wallet in the cloud.

The shift to sovereign cloud

To accompany digital ID wallet initiatives and the unrelenting shift towards the digitalization of credentials and personal data, many governments around the world are seriously looking at sovereign cloud.

A sovereign cloud ensures digital and data sovereignty. It is a means to maintain physical and digital control over strategic assets, including data, algorithms, and critical software. It helps ensure that data remains free from external jurisdiction control and provides the right protection from foreign legislatively enforced access.

At Thales, we believe digital ID wallet ecosystems are the future of digital identity. They will enable smooth and trusted proof of ID and entitlement anywhere anytime while enabling data privacy to move to the next level by offering the most convenient user experience and compliance with the most stringent security and data privacy requirements.

For further reading, please check out the below:

The post Digital ID : The Cyber Security Imperative appeared first on Cybersecurity Insiders.

By Gal Helemski, Co-Founder and CTO, PlainID

As the world continues to move into virtual spaces, the use of identity and access management, or IAM, is ultimately a requirement for participating organizations. In particular, the need for smart technology that manages who can access what and when is in high demand within the healthcare industry.

Many healthcare organizations are using their IAM systems to address their ongoing complex compliance requirements, combat persistent cybersecurity threats, and securely share medical records with patients and within the healthcare network. This balancing act often leaves healthcare providers with a series of obstacles during critical circumstances.

While these obstacles aren’t new to healthcare organizations, it doesn’t mean that the IAM systems in place are equipped to solve each issue. A few factors that test the functionality and efficiency of these systems are:

Compliance Complexities and Digital Data

Complexities within the compliance landscape continue to shift as regulatory codes are updated and new requirements emerge. Healthcare-specific compliance frameworks like HIPAA require healthcare organizations to manage digital data so that it aligns with the newer data privacy laws, like the EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA). Increasing complexity in how medical information and data is applied has placed additional responsibilities on healthcare providers to respond with efficiency.

Consumer Expectations

Consumers expect information regarding their health to be delivered with a certain level of sensitivity and transparency. Privacy concerns can be expected in relation to health data, but consumers are also looking to be handled with the same special care that exists between a healthcare provider and patient. The need for open communication about personal health information is why Gartner recommends healthcare organizations develop “strategies for notification, communication and minimizing the amount of data collected and retained.”

Data’s Lifetime Impact

The value of data isn’t lost on healthcare organizations, but the challenge they face is how to make data useful over time. While leaders in the healthcare space recognize the significance of data as a critical resource, stakeholders can run into issues in accessing and adequately leveraging it. Creating an intentional use for data over a period of time can be challenging due to the difficulty of sharing data securely and efficiently. This is especially true when it comes to sharing patient medical information.

Security Threats

As part of the digital landscape, the healthcare industry is no stranger to cyberattacks, especially those enabled by ineffective data management and access controls. Health facilities frequently use massive databases to accommodate health providers and patients. As facilities continue to exchange these databases, there is a growing need for data access controls to provide intuitive authentication methods that give the right personnel access to the right information.

Ultimately, policy-based access control (PBAC) can provide healthcare organizations with the proper solutions to address these issues. Using a dynamic and policy-based access control system creates an environment for healthcare organizations to address each factor from a more holistic perspective.

A holistic approach enables the type of scalable functionality needed for modern healthcare organizations to build success. Policy-based access control streamlines access control for healthcare data, making it easier for healthcare providers to align technical controls with business requirements.

By delivering dynamic authorizations that are controlled by a centralized PBAC, healthcare organizations can establish a solution that delegates governance, management and enforcement of the right controls at the right time. More specifically, through granular access control policies, healthcare providers can share medical information with individual patients while granting access to the same information within their organization based on certification level.
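The paragraph above describes two policies in words: a patient may read their own record, and staff within the same organization get access according to certification level. The following is an added example, not code from PlainID or from the original post, of a minimal policy decision point in Go that expresses those rules as data rather than hard-coded role checks. The attribute names (`Role`, `Certification`, `Sensitivity`, `OrgID`) and the rule names are hypothetical choices for this illustration; evaluation is deny-overrides with a default deny, so a request that matches no policy is refused.

```go
package main

import "fmt"

// Subject is the requester as seen by the policy decision point.
// Attribute names are hypothetical and chosen for this example.
type Subject struct {
	ID            string
	Role          string // "patient", "nurse", "physician"
	Certification string // e.g. "RN", "MD"; empty for patients
	OrgID         string
}

// Resource is a medical record with the attributes the policies need.
type Resource struct {
	RecordID    string
	PatientID   string
	OrgID       string
	Sensitivity string // "standard" or "restricted"
}

// Request is one access decision to make.
type Request struct {
	Subject  Subject
	Action   string // "read" or "write"
	Resource Resource
}

// Policy pairs a named rule with a matching predicate and an effect.
type Policy struct {
	Name   string
	Effect string // "permit" or "deny"
	Match  func(Request) bool
}

// policies is the centrally managed policy set (constructed for this example).
var policies = []Policy{
	{"patients-may-not-write", "deny", func(r Request) bool {
		return r.Subject.Role == "patient" && r.Action != "read"
	}},
	{"patient-reads-own-record", "permit", func(r Request) bool {
		return r.Subject.Role == "patient" && r.Action == "read" &&
			r.Subject.ID == r.Resource.PatientID
	}},
	{"physician-same-org", "permit", func(r Request) bool {
		return r.Subject.Certification == "MD" && r.Subject.OrgID == r.Resource.OrgID
	}},
	{"nurse-same-org-standard-read", "permit", func(r Request) bool {
		return r.Subject.Certification == "RN" && r.Subject.OrgID == r.Resource.OrgID &&
			r.Action == "read" && r.Resource.Sensitivity == "standard"
	}},
}

// Decide evaluates a request: any matching deny wins, then the first matching
// permit, otherwise the default is deny. It returns the decision and the rule
// that produced it, which is what an audit log would record.
func Decide(r Request) (bool, string) {
	for _, p := range policies {
		if p.Effect == "deny" && p.Match(r) {
			return false, p.Name
		}
	}
	for _, p := range policies {
		if p.Effect == "permit" && p.Match(r) {
			return true, p.Name
		}
	}
	return false, "default-deny"
}

func main() {
	rec := Resource{RecordID: "rec-1", PatientID: "p-100", OrgID: "org-A", Sensitivity: "restricted"}
	cases := []Request{
		{Subject{ID: "p-100", Role: "patient", OrgID: "org-A"}, "read", rec},
		{Subject{ID: "p-200", Role: "patient", OrgID: "org-A"}, "read", rec},
		{Subject{ID: "p-100", Role: "patient", OrgID: "org-A"}, "write", rec},
		{Subject{ID: "dr-1", Role: "physician", Certification: "MD", OrgID: "org-A"}, "read", rec},
		{Subject{ID: "rn-1", Role: "nurse", Certification: "RN", OrgID: "org-A"}, "read", rec},
		{Subject{ID: "dr-9", Role: "physician", Certification: "MD", OrgID: "org-B"}, "read", rec},
	}
	for _, c := range cases {
		ok, rule := Decide(c)
		fmt.Printf("%-6s %-5s %-6s -> permit=%-5v (%s)\n", c.Subject.ID, c.Action, c.Resource.RecordID, ok, rule)
	}
}
```

Because the rules live in one place, changing who may see restricted records (for example, adding a certification level) is a policy edit rather than a code change in every application, which is the operational point the paragraph makes about aligning technical controls with business requirements.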

Overall, the obstacles healthcare organizations and their providers face to deliver effective care will persist. Confusing compliance mandates, proper data research and security threats will always remain, along with the demand for healthcare to become more accessible and digital-friendly. But there are ways to address the fine-grained needs of healthcare organizations while maintaining the necessary security and risk requirements.

While many healthcare organizations using identity and access management systems seem to be a step ahead, they may not be positioned to share vital information across their network. Leading with policy-based access control technology is the best way for the healthcare industry to manage data in the most efficient and secure way. The power of using dynamic authorization enables decision-makers to set meaningful and efficient access control policies.

The post Addressing the Unique Obstacles in Healthcare Through Policy-Based Access Control appeared first on Cybersecurity Insiders.

ACS Technologies (ACST), a leading provider of church management software and services in the United States, has announced its integration of the Curity Identity Server across its client-facing products.

The integration of the Curity Identity Server into ACST is driven by a desire to provide high-level security to end-users, with Curity enabling seamless identity and access management (IAM) and login and providing a number of different multi-factor authentication (MFA) flows to fit business needs. Previously, ACST relied on a home-grown solution that is currently being phased out and replaced by a cloud-native deployment of the Curity Identity Server in AWS.

By utilising the Curity Identity Server, ACST will be able to concentrate on its product development instead of spending time and resources building IAM and MFA infrastructure in-house. The integration of and investment in Curity’s easy-to-use, low-cost product demonstrates ACST’s commitment to end-user security and its dedication to continually improving its product for end-users.

On choosing Curity, Robert Gettys, Chief Product and Technology Officer at ACS Technologies, says, “We wanted to invest in the right security to help us allocate time to meeting the unique needs of churches across the country. Thanks to the excellent capabilities of the Curity Identity Server, we’ll be able to concentrate on developing our core products to serve our ministry partners rather than attempting to build IAM and MFA ourselves. With Curity’s support, we’ll enhance our customer offering and be better positioned than ever to build the Kingdom.”

Curity’s CEO, Travis Spencer, comments, “We’re really excited to be working with ACS Technologies. I’m confident that our product’s extensive features and standards-based approach will enable ACST to achieve their goal of stepping up security for end-users while maintaining ease of use.”

The partnership, launched earlier this year, will be rolled out across ACST’s products and services.

About Curity

Curity is a leading supplier of API-driven identity management, providing unified security for digital services. Curity Identity Server is used for logging in and securing millions of users’ access to web and mobile applications as well as APIs and microservices. Curity Identity Server is built upon open standards and designed for development and operations. We enjoy the trust of large organizations in financial services, telecom, retail, energy, and government services who have chosen Curity for their enterprise-grade API security needs. Visit https://curity.io/.

The post ACS Technologies selects Curity to provide seamless authentication across its end-user products appeared first on Cybersecurity Insiders.

Smart meters have grown in popularity over recent years. In an environment where climate change and sustainability have never been higher on the agenda, smart meters allow individuals and organisations alike to get a better sense of energy consumption. The data and insights they generate allow end-users to make more informed decisions about their own energy consumption (something that has become vital amid the current cost of living crisis). In addition, they can help utilities and smart grid managers make better data-driven decisions about energy demand, the best energy mix and when to scale services.

The EU aims to guarantee accessible, affordable, secure and sustainable energy for all Europeans and to be climate neutral by 2050. A large roll out of smart meters is part of that drive, with the European Commission predicting that 266 million smart meters will be installed by 2030.

That said, while the benefits of smart meters are evident and numerous, they also pose a serious cyber security threat.

In this blog we’ll be looking at what utilities and smart meter vendors alike can do to secure the industry from risk.

Cybersecurity risks

As with any connected technology, smart meters carry huge benefits but also create opportunities for hackers.

If we look at the individual consumer implications of a hacked smart meter – hackers could get access to private consumption data and household habits, as well as other devices connected to the same network. Beyond data privacy breaches, hackers can also manipulate data and readings – causing consumers to make decisions against their best interests. Not only this, but consumers will also lose trust in the technology which could ultimately build up a resistance to smart meter deployments.

There’s also the wider scale risk of the smart meter grid becoming compromised. If a hacker were able to override individual meters so they appear to increase demand simultaneously, they could bring down an entire grid, and create large-scale power outages. As cities become increasingly connected, a compromised grid could impact many other applications like smart lights, traffic systems etc.

Challenges of securing the smart grid

It’s clearly an imperative that the smart grid, and smart meters are secured, but there are several challenges and obstacles in play:

  • Evolving threat landscape: Cyber threats are constantly evolving, adapting and getting more sophisticated – it’s never safe to assume that anything is secure. Being able to keep up with and mitigate against these threats requires dedicated cybersecurity expertise.
  • Regulation: Regulation is vital for enforcing a set of standards within an industry. There are currently multiple cybersecurity initiatives in Europe, which bring with them a level of confusion. Harmonisation is important – organisations such as ESMIG help to create unity by bringing multiple players together in one room to discuss and move things forward collectively.
  • Challenges of retrofitting: If security hasn’t been built in from the start, it can be hard to solve security flaws in hindsight. You can always use analytics to see that something is wrong, but you’ll have a hard time solving the issues if security elements have not been integrated at the core of the system.
  • Multiple attack vectors: There are a lot of potential attack vectors that need to be secured: the connected meter, the source of the data going to grid managers, the transfer of the data itself and who has access to the data.

How to protect the smart meter infrastructure

As identified above, there are a lot of hurdles to securing smart meter infrastructure – requiring a holistic approach to cybersecurity. That said, there are some fundamental principles that need to be followed:

  • Carry out an automatic risk or threat assessment at the beginning of a project to meet regulation and the specific context
  • Establish a trusted source of data by implementing strong trusted IDs at the core of connected meters
  • Encrypt the data sent from smart meters to ensure confidentiality
  • Exchange data only between trusted entities; this is possible through digital mutual authentication
  • Implement a strong lifecycle management process: assets and credentials should always be updated via secure, remote updates using digital signatures
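The last principle, remote updates protected by digital signatures, is the one most often implemented incompletely: a signature over the firmware image alone does not stop an attacker who replays an old, genuinely signed image to reintroduce a known flaw. The following is an added example (not Thales' or any vendor's code) of a meter-side update verifier in Go using Ed25519 from the standard library. The manifest layout, the device model string `SM-EXAMPLE` and the firmware bytes are constructed for the illustration. It checks, in order, that the manifest is signed by the vendor key provisioned at manufacture, that it targets this device model, that the version is newer than what is installed (anti-rollback), and that the delivered image hashes to the value the signed manifest names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest describes one firmware image. The field set is a
// hypothetical layout for this example, not a vendor's real format.
type UpdateManifest struct {
	DeviceModel string
	Version     uint32
	PayloadHash [32]byte // SHA-256 of the firmware image
	Signature   []byte   // Ed25519 signature over manifestBytes()
}

// manifestBytes is the canonical byte string that gets signed: model,
// a separator, big-endian version, then the payload hash.
func (m UpdateManifest) manifestBytes() []byte {
	b := []byte(m.DeviceModel)
	b = append(b, 0) // separator so model and version cannot run together
	b = append(b, byte(m.Version>>24), byte(m.Version>>16), byte(m.Version>>8), byte(m.Version))
	return append(b, m.PayloadHash[:]...)
}

// SignUpdate runs on the vendor's signing system: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, model string, version uint32, image []byte) UpdateManifest {
	m := UpdateManifest{DeviceModel: model, Version: version, PayloadHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.manifestBytes())
	return m
}

// Meter holds what the device needs to verify updates: the vendor public key
// provisioned at manufacture and the currently installed version.
type Meter struct {
	Model            string
	VendorPublicKey  ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("version is not newer than installed firmware")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// VerifyAndInstall accepts the update only if every check passes. The
// signature is checked first so unauthenticated fields never drive a decision.
func (d *Meter) VerifyAndInstall(m UpdateManifest, image []byte) error {
	if !ed25519.Verify(d.VendorPublicKey, m.manifestBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.DeviceModel != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.PayloadHash {
		return ErrHashMismatch
	}
	d.InstalledVersion = m.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor signing key (constructed)
	if err != nil {
		panic(err)
	}
	meter := &Meter{Model: "SM-EXAMPLE", VendorPublicKey: pub, InstalledVersion: 3}
	image := []byte("constructed firmware image v4")
	good := SignUpdate(priv, "SM-EXAMPLE", 4, image)

	fmt.Println("tampered image:", meter.VerifyAndInstall(good, []byte("constructed image, altered")))
	fmt.Println("downgrade to v2:", meter.VerifyAndInstall(SignUpdate(priv, "SM-EXAMPLE", 2, image), image))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong signing key:", meter.VerifyAndInstall(SignUpdate(otherPriv, "SM-EXAMPLE", 5, image), image))
	fmt.Println("genuine update:", meter.VerifyAndInstall(good, image), "installed:", meter.InstalledVersion)
	fmt.Println("replayed update:", meter.VerifyAndInstall(good, image))
}
```

The ordering in `VerifyAndInstall` is deliberate: everything after the signature check relies on manifest fields, so nothing unsigned is trusted, and the installed-version counter is only advanced once the image hash has been confirmed, which is what makes the replay of an already-applied update fail.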

Only systems that have been built from the ground up with strong security will be robust enough to withstand the growing cyber threats and implement the above best practice. The importance of security by design cannot be overstated here.

Utilities and Distribution System Operators (DSOs) must require this from their suppliers. They carry a tremendous amount of responsibility for the future of smart meter development: to protect critical infrastructure, as well as their own revenues and reputation.

In turn, smart meter vendors need to work with a cybersecurity provider to help design their security from the outset.

Watch our video on Securing the Advanced Metering Infrastructure here:

The post Securing the Smart Meter appeared first on Cybersecurity Insiders.

In my previous blog posts I took you through the last 30 years of digital banking security and how it has evolved to what we know and use today. In my cliffhanger I mentioned FIDO and passkeys and how they will change the landscape – it’s time to dig deeper and discover how this technology will mark a new era for Strong Customer Authentication (SCA).

FIDO Alliance

FIDO Alliance - Simpler stronger
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/fido-masterclass

In 2013 FIDO Alliance was founded as an open industry organisation with a very focused mission: to build authentication standards to help reduce the world’s over-reliance on passwords. To do so, FIDO Alliance has released a set of new specifications and protocols for SCA based on the combination of biometrics as the first factor, and possession as the second factor. In short, no knowledge factor and no passwords.

FIDO Strong Customer Authentication

What FIDO does, for a given user and service, is generate an authenticator consisting of a cryptographic key pair on board a FIDO-enabled device; the private key remains on the device, while the public key is sent to the service provider’s FIDO Authentication Server. Once an authenticator has been generated and registered, it can be used to securely authenticate the user on that device. The user presents biometrics that are checked locally on the device, and successful validation of the biometrics triggers the cryptographic exchange between the device and the authentication server to validate the device.

FIDO Alliance - Authenticator
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/fido-masterclass
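The exchange just described, as an added example in Go that is not part of the original post and not FIDO Alliance code: the authenticator holds one private key per service and signs only after local user verification (a boolean here standing in for the biometric check); the server stores the public key at registration, issues a fresh random challenge per login, and verifies the signature over that challenge bound to its own service identifier, consuming the challenge so the same assertion cannot be replayed. The same key-pair model is what WebAuthn exposes to web services; service name `bank.example` and user `alice` are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator is the device side: one key pair per (user, service).
// Private keys never leave this struct.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // service ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for the service and returns only the public key.
func (a *Authenticator) Register(serviceID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[serviceID] = priv
	return pub, nil
}

// Assert signs the challenge for the service, but only after the local
// user-verification step (biometrics on a real device) has succeeded.
func (a *Authenticator) Assert(serviceID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	priv, ok := a.keys[serviceID]
	if !ok {
		return nil, errors.New("no credential registered for this service")
	}
	return ed25519.Sign(priv, signedData(serviceID, challenge)), nil
}

// signedData binds the challenge to the service identity so an assertion
// produced for one service cannot be presented to another.
func signedData(serviceID string, challenge []byte) []byte {
	return append([]byte(serviceID+"|"), challenge...)
}

// Server is the relying party's FIDO authentication server side.
type Server struct {
	ID      string
	creds   map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewServer(id string) *Server {
	return &Server{ID: id, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll stores the public key received during registration.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.creds[user] = pub }

// Challenge issues a single-use 32-byte random challenge for the user.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the assertion against the stored key and the outstanding
// challenge, then discards the challenge whether or not the signature verified.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, hasKey := s.creds[user]
	c, hasChallenge := s.pending[user]
	if !hasKey || !hasChallenge {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, signedData(s.ID, c), sig)
}

func main() {
	device := NewAuthenticator()
	bank := NewServer("bank.example")
	pub, _ := device.Register(bank.ID) // registration: only the public key travels
	bank.Enroll("alice", pub)

	c, _ := bank.Challenge("alice")
	_, err := device.Assert(bank.ID, c, false)
	fmt.Println("biometric check failed:", err)
	sig, _ := device.Assert(bank.ID, c, true)
	fmt.Println("genuine login accepted:", bank.Verify("alice", sig))
	fmt.Println("same assertion replayed:", bank.Verify("alice", sig))
}
```

Nothing secret crosses the wire: registration sends a public key, login sends a signature over a server-chosen nonce. A phished copy of that signature is useless elsewhere because it is bound to `bank.example`, and useless later because the challenge is consumed on first use.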

FIDO native support on devices

FIDO Alliance - Companies
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/the-state-of-strong-authentication

An impressive list of companies have joined FIDO Alliance over time, including chip makers, computer and smartphone manufacturers, payment schemes and banks. But, most importantly, Microsoft, Apple and Google all joined and pledged to support FIDO at OS level on Windows, Mac OS, Android and iOS. That pretty much grants native FIDO support to all laptops, PC computers, tablets and smartphones.

With that level of ubiquity and underlying “plumbing”, FIDO has a strong chance of becoming the next mainstream SCA technology. As of January 2022, according to FIDO Alliance, more than 4 billion commercial devices with native support for FIDO were already deployed worldwide. That is a big deal, as OATH has been the dominant standard for strong customer authentication for 30 years, and we never enjoyed native support for it on PCs, laptops or phones.

What is WebAuthn?

FIDO Alliance has gone one step further – it reached out to W3C, the standards body for all things internet, and worked with it to define a new standard API, published by W3C under the name WebAuthn. As its name hints, the purpose of WebAuthn is to enable any web service to call the OS of the device where it is running to request FIDO-based authentication. Never before has it been possible for web services to directly integrate strong customer authentication – the best we could do was initiate an out-of-band push from the web service to a mobile app in the user’s smartphone, where we could have SCA implemented via an SDK. Now, with WebAuthn, a user with a FIDO-enabled laptop and a WebAuthn-enabled browser can register, store and use a FIDO authenticator for that service on that device, with a user experience as sleek as simply presenting biometrics on the device. WebAuthn was published by W3C in 2018 and is today supported by all major web browsers, including Microsoft Edge, Google Chrome, Apple Safari and Mozilla Firefox.

FIDO is everywhere

So, in summary, as of January 2022, current OS versions used by every single smartphone, tablet, PC and laptop are already FIDO enabled – and every major browser is also ready to use FIDO thanks to WebAuthn.

FIDO Alliance - Native Support
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/fido-masterclass

Now, if only service providers and end users knew about it …

The future is passkeys

FIDO Alliance - Press release
Source: FIDO Alliance, https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

On May 5, 2022, Apple, Google and Microsoft issued a joint PR, in what appears to be a first, and the only joint PR I can find on record. This PR, in essence, is a very strong pledge to kill passwords.

The first paragraph sums it all up:

“In a joint effort to make the web more secure and usable for all, Apple, Google, and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”

They also gave a name to the technology for end users to refer to moving forward, “passkeys”.

The media impact of the announcement was immediate, with lots of articles and commentaries. In the weeks that followed, Google and Apple unveiled their specific plans for passkeys during their annual developer conferences, Google I/O and Apple WWDC. Apple announced that passkeys would be deployed commercially on iOS 16 and Mac OS Ventura, set for release after the summer. Google and Microsoft also released resources for developers that enable them to start building passkey support into web services.

What can we expect next for authentication?

So we have a name, we have documentation for developers to do the work, and we have all the OS and browser support we need. Now it’s just a matter of time before we see more and more services supporting passkeys. Users are going to love it. Service providers, including financial institutions, are going to love it… There is not a single cloud in the sky… or is there?

In my next blog post, I will look in detail at passkeys, how they differ from FIDO Authenticators as we knew them, their unique benefits, and the unique concerns they raise to some FIs.

I will also speak on this topic at the FIDO Authenticate conference in Seattle on October 18.

The post The Evolution of Digital Banking Authentication – Part 3 – FIDO and Passkeys will rock the digital world appeared first on Cybersecurity Insiders.

When we discuss the importance of identity, it’s usually in relation to advancements in digital identity. Whether it’s biometric passports, Foundational ID, Border control or travel facilitation solutions, or ID wallets – the focus of a lot of thought leadership within the industry usually centres on the tech innovations that enable us to prove our identity instantaneously, seamlessly and securely.

While these developments are important and (rightly) get a lot of attention – in this blog we’ll be highlighting the wider issue of identity as a basic human right.

Identity as a human right

Every year on the 16th September we recognise International ID Day. It’s an important and symbolic day in the fight for everyone to have a legal identity; the date is chosen in recognition of the UN’s Sustainable Development Goal 16.9 which calls for the provision of legal identity for all by 2030, including birth registration.

According to the World Bank, more than 1 billion people in the world today do not have the legal means to prove their own identity. Just take a step back and consider that fact. In 2022, one seventh of the world’s population cannot prove who they are – and the implications are far reaching. Not having the legal means to prove one’s identity means not only are you unable to vote or access education, you cannot benefit from state services or social safety net programs set up to help poor and vulnerable households with cash, social pensions, school feeding programs and more.

In short, those who don’t have a legal identity are effectively excluded from the development of the political and economic life within their own countries – with tech advancements only making this inclusion gap or ‘digital divide’ wider.

We’ve highlighted this issue before, most recently for Earth Day – and given today marks International ID Day, it seems appropriate to shine the spotlight again on the issue and on the work being done, specifically the ID4Africa movement.

ID4Africa

Founded in 2014 by Dr. Joseph Atick, ID4Africa is driven by the need to establish identity-for-all, not just as a legal right, but also as a practical necessity to enable inclusive access to services in Africa. The event, which takes place every year in a different African country, sees African governments come together alongside solution providers to discuss and explore how digital identity and aligned services can advance socio-economic development within their countries.

In 2022 there is a renewed sense of purpose and energy since the conference in 2019, with the Covid-19 pandemic having further highlighted the importance of this mission – a sentiment perfectly expressed by Dr. Joseph Atick, executive chair of ID4Africa:

“Our end goal in ID [for development] is not about digital identity, it is about building public infrastructure for governance and service delivery as frictionless, robust and respectful of people’s rights and liberties – including the right to have legal identity.”

At Thales, we’re a proud sponsor of and contributor to this important movement, and back in June we took part in the ID4Africa conference in Marrakech.

We believe that identity management solutions can no longer rely solely upon the issuing of physical ID cards, but must also build on biometrics such as face, fingerprint, or iris. The establishment of biometric identity, designed with data privacy and compliance at its core, will not only increase efficiency in the long term, but will also reduce the chance of fraud; in short, it’s the most trusted way to automate the steps involved in the identity registration process. As my colleague Charlotte Chateau (Manager at Thales Identity & Biometric Solutions) put it perfectly in her speech during the event: “biometrics is a prerequisite to establish a unique identity, a unique legal identity.”

The whole session can be found here, with Charlotte’s contribution from 42 minutes in.

While the work of governments and solutions providers alike is not just limited to one day, there are various initiatives taking place to highlight this cause: https://www.id-day.org/

The post International ID Day: Shining a spotlight on legal identity appeared first on Cybersecurity Insiders.

The issue of climate change is one of the most pressing facing us all – with the spotlight firmly on government, big businesses, and industries alike – with the travel industry one of those industries consistently called into question.

A lot of this conversation tends to center around aircraft emissions – and while this is no doubt an important issue, there’s a wider drive for sustainability and energy efficient solutions across the whole travel sector.

European Sustainable Development Week

This week it’s European Sustainable Development Week – an initiative to facilitate the organization of activities that promote sustainable development and make these efforts visible on a common platform. As such we wanted to take this opportunity to shine a spotlight on sustainability drives that might not get much attention, specifically in the airport sector.

The sector has set itself some very ambitious and strict net-zero deadlines. A prime example of this is ACI Europe, the body that represents European airports, which is committed to achieving carbon net zero by 2050. In addition, nearly half of Europe’s airports have set themselves target dates of 2030 or earlier. This race to net-zero energy also coincides with the ever-pressing need to reduce energy spending.

As such, the airport sector is scrutinizing every aspect of the passenger terminal infrastructure – with automated document readers a prime example of this.

Making Automated ID Energy Efficient

Automated ID readers have become commonplace in airports today – and have become increasingly sophisticated. Even first-time and infrequent passengers can scan their own passports and travel documents in a matter of seconds. As a result, perhaps the most notable use of document readers in airports is at the heart of automated, self-service passenger gates and kiosks. High levels of customer satisfaction, shorter queues, less staff intervention plus high levels of security are just some of the benefits associated with automated ID.

Usually, speed and reliability are the number one factors for airport operators when selecting a document reader – but now energy efficiency and carbon footprint also must be front and center.

Given the high volume of passenger throughputs, even marginal savings in the energy needed to scan each travel document could deliver significant reductions in overall carbon emissions. The operating profile of document scanners can also play a huge part; while they typically need to be available 24-7, during quieter periods there could be lengthy downtime between passengers where less energy is required.

We recognize how important it is for the sector to respond – and as such at Thales we’re proud to have achieved the world’s first Energy Star certification for a document reader, the Thales AT10K.

What is the Energy Star Label?

Established in 1992, the Energy Star label is an important accreditation for businesses and consumers seeking to reduce their carbon footprint. Backed by the US government’s Environmental Protection Agency (EPA), the scheme provides an independent and authoritative means of identifying products that can demonstrate high standards of energy efficiency.

Our document reader is designed to inspect and image travel documents, including electronic travel documents and the 1D and 2D barcodes used by the airline industry on boarding passes and cell phones. The reader’s low profile and simple shape make it ideal for integration with self-service airport kiosks and automated passport control gates.

Certification was achieved via design enhancements that include introducing standby modes to minimize power consumption when the scanner is not in use. Compared to previous generations of the product, overall power consumption has been reduced by 28%.

Every Effort Counts

In the race against climate change and meeting net-zero targets, there is no one-size-fits-all solution, nor one silver bullet. Instead it requires every sector to look at its operations, piece by piece, and re-evaluate how it can improve and become more energy efficient.

Thanks to technology, this drive towards lower carbon emissions will also have financial benefits, as well as improving standards and the customer experience.

Awareness weeks like ESDW are important as they highlight developments that sometimes go under the radar – in the race to reach net-zero, knowledge sharing across industries and sectors is vital.

The post European Sustainable Development Week: Shining a Spotlight on Energy Efficient ID Verification and Document Readers appeared first on Cybersecurity Insiders.

2009 was the year that changed banking forever. It was the year we saw Apple launch the iPhone and in no time, feature phones were a thing of the past. Smartphones were everywhere, bringing with them mobile apps which went on to pave the way for the digital banking revolution that we know and use today.

In my last blog we delved into the evolution of remote financial services, exploring the steps that led us up to this point in 2009. But even since then, in just 13 years, the digital banking landscape has evolved even further, and continues to do so. So how did the smartphone era impact digital banking?

The rise of soft-tokens

The first use case of mobile apps from the banking industry, among others, brought us “soft-tokens”. Soft-tokens were the software version of a hardware OTP token, turned into a mobile app. The user would still access the banking server through a PC or laptop, presenting a password as the first authentication factor. But now they would open a dedicated “authenticator” app, issued by the bank (or a bank’s trusted third party), to get an OTP on their smartphone. Switching from a tamperproof offline device to a software token generator running on a multipurpose, and very much online, device was, again, a major concession of security in the name of better UX whilst lowering costs. The innovation was received reluctantly… yet quickly embraced by more and more banks. The phone, whether through apps or through SMS OTP, became mainstream as a possession authenticator during the 2010s.

But smartphones had an even bigger impact than that. They became not just an authenticator, but a channel. Banks started to replicate their digital web services in the form of mobile apps. Mobile banking (m-banking) was born as an alternative to internet banking (e-banking) and users were fast to embrace both the UX offered through apps and above all the “anytime, anywhere” access to digital banking services.

Integration of Software Development Kits

Mobile in-band strong customer authentication

Mobile banking apps also needed to be protected with SCA, and so they started to incorporate OTP generation capabilities, often by integrating Software Development Kits (SDKs) from security specialists like Thales. These SDKs evolved to implement many software security features to protect the sensitive OTP generation process, and even to add overall protection to the m-banking app – so, over time, the security of the apps improved.

But the improvement on UX was even higher. The mobile app could now generate an OTP and send it silently to the authentication backend to validate the possession factor, in real time and transparently to the end user.

Biometrics become mainstream

Mobile in-band strong customer authentication with biometrics

In 2013 Apple launched Touch ID on the iPhone 5S, and in 2017, Face ID on the iPhone X. The smartphone industry quickly followed suit, and over the second half of the 2010s biometrics became mainstream on mobile devices. For mobile banking, biometrics quickly came to replace knowledge as the “first” authentication factor of choice for end users – a solution fully compliant with the most demanding banking regulations, such as PSD2 in Europe.

Out of band

Out of band strong customer authentication

The security, and especially the UX, offered by mobile banking apps got so good that banks wanted to leverage them to offer a better access experience through all the other channels available to their users. Mainly, of course, e-banking via PC/laptop, but also other channels such as voice calls or even ATMs. For example, to start e-banking on a PC/laptop, where adoption of biometric support was not as fast as on mobile, in 2020 a user is still asked to enter username and password. But thanks to out of band, there is no need to type an OTP anymore. Instead, when the user clicks enter, the banking server triggers a push notification to wake up the bank’s mobile app on the user’s smartphone. The user opens the app, and the app silently generates an OTP and sends it to the backend as proof of possession. “Out of Band” (OOB) refers to the fact that the authenticator is a different device from the one used to access the service. This in itself brings enhanced security. As for the UX, OOB implies more friction than what we achieve for m-banking, but it is significantly better than having to type in an OTP.

Banking today

In band out of band SCA comparison

This long journey has brought us to where we stand today. We have started the 2020’s with all the different legacy authentication methods mentioned above still in use by banks all over the world. But the state of the art SCA in banking at the start of the 2020s can be summarised as:

  • Biometrics + in band mobile app OTP for m-banking
  • Password + OOB mobile app OTP for e-banking and any other channel

Technology advances have allowed us to greatly improve both UX and security over time. Not always in a straight line. For over a decade we faced a compromise between security and UX, and FIs had to accept degrading one in order to improve the other. But with the arrival of smartphones we have been able to leverage the connectivity and power of these devices to improve both UX and security to where we stand today.

The future of banking

While FIs were implementing all these changes on their banking services, and users were being exposed to them, something else has been going on behind the scenes over the last 8 years. Something that was revealed to the general public in the summer of 2022, but that will change the way we access digital services over the next decade.

We are indeed on the brink of a major paradigm shift for authentication to digital services.

The arrival of FIDO Passkeys

Evolution of strong customer authentication

Experience from the past tells us that the arrival of FIDO Passkeys is likely to drive financial institutions to address end user demand for an even better UX, as well as associated legitimate security and service continuity concerns.

This October (18th), I will speak at the FIDO Authenticate conference in Seattle about the evolution of security and UX in financial services – along with the technology solutions that have helped this to grow.

Stay tuned for my next blog post where we will look at what FIDO, WebAuthn and Passkeys are, and what impact they will have on digital banking services in the coming years.

The post The Evolution of Digital Banking Authentication – Part 2 – The Digital Banking Revolution appeared first on Cybersecurity Insiders.