Why we need privacy-first security solutions
9 February 2020


Why consumers won’t pay for privacy – why they shouldn’t – and why we need privacy-first solutions that protect people and organizations from security threats.

With the tightening of privacy regulations across every region, the world is finally waking up to the hidden cost of the so-called ‘free’ internet: the intrusion into personal privacy.

Consumers are now hyper-aware that businesses collect, store and sell their data to third parties. Despite the invasive nature of the phenomenon, there seems to be a resounding acceptance of it, so long as technology continues to improve and add value to our lives.

What many still do not appreciate is that the personal information being collected, stored and transferred from one company to another is at high risk of falling into the wrong hands.

The threat of cyberattacks is increasing, and the methods used by criminals are becoming more sophisticated, invasive and profitable. According to Cybersecurity Ventures, cybercrime damages are expected to reach $6 trillion annually by 2021.

Yet companies continue to store their customers’ personal information, including usernames and passwords, in centralized databases — which are frequently targeted in cyber attacks. Breaches not only leave users vulnerable and helpless against cybercrime, they also expose businesses to substantial financial losses.

For consumers and businesses alike, this should signal the need to reconsider how we think about technology and privacy.

Digital privacy is a right, not a commodity

When thinking about who should be responsible for keeping user data safe, it feels negligent to place the onus on consumers who, until recently, have been oblivious to how much of their personal information is collected, stored and sold off by companies.

Privacy is a human right that is synonymous with open and free societies, and it deserves to be protected. Since most companies profit from selling customer data, there is an expectation that they will also protect it.

Pay-for-privacy schemes, which offer to collect less information about users in exchange for a fee, not only disadvantage those who can least afford them; they also do little to protect users against data breaches.

Businesses that don’t invest in privacy and security could fail.

Privacy is becoming an essential factor in how consumers judge the overall value of a company and its products and services. Studies show that a data breach can diminish consumer trust in a business overnight, and that trust can take years to rebuild.

Since Cambridge Analytica, Facebook has had every decision, announcement, acquisition and feature update scrutinized. Financial consequences and ongoing reputational damage of that kind are a threat that most businesses cannot recover from.

IBM’s 2019 Cost of a Data Breach Report, which provides insights into how breaches are financially impacting businesses around the world, estimates the average cost per compromised record at $150. With the average breach size estimated at 25,575 records, that works out to approximately $3.8 million per breach. For some industries, however, the cost of a data breach can be much greater.

25% of all cyber attacks target the financial services industry. Considering the sensitivity of the information held in customer records, it makes sense that the industry suffers more significant financial consequences following a breach than most other industries. According to an IBM security report, data breaches cost the financial services industry on average US$5.86m per breach and US$210 per breached record, with only the health industry topping those numbers. In the US, data breaches are more costly still: the average breach sets a financial services business back US$13m.

Small businesses are hurt the most. A report released by Verizon this year found that 43% of data breaches affected SMEs. Consumers often perceive small businesses as lacking the resources to invest in robust security, which diminishes faith in a company’s ability to protect them. According to a survey conducted by PwC, 69% of consumers believe that companies are vulnerable to cyberattacks.

29% of consumers surveyed by Bank of America said they would never return to a small business that had suffered a data breach. The same survey found that two out of five SMEs spent over $50,000 attempting to recover their business after a data breach.

Simply put, most businesses cannot afford to put off investing in technology that puts privacy first.

Poor password management poses the greatest risk

When launching a cyber attack, criminals are often hunting for information that will allow them to impersonate a user for financial gain. Whether the goal is to access accounts or to steal an identity, passwords are the key to unlocking troves of personal information.

For most users, proper password management is a daunting and messy task that is frequently ignored. The average person in the US has over 130 accounts linked to a single email address, so consumers reuse the same, astoundingly easy passwords for a simple reason: they are easier to recall.

The UK’s National Cyber Security Centre (NCSC) analyzed breach data and found that 123456 had been used as a password an estimated 23.2 million times. A possible explanation is that users struggle to quantify the cost of having their accounts compromised, which leads to such risky behaviour.

The danger with weak and reused passwords is that a single compromised account can give intruders access to someone’s entire digital life: credentials stolen from one breached service are simply replayed against every other service the victim uses. In other words, the burden of choosing and remembering complex password combinations, which are often forgotten, is forcing users to risk their privacy and security. Forgotten passwords also cost companies, on average, $70 per password reset.

There is good news: awareness of and attitudes towards privacy may be shifting. According to the NCSC, 80% of consumers say that cybersecurity is a high priority for them in 2019. However, 70% also believe they will become a victim of cyber crime within the next two years.

So why is it, then, that consumers say they value privacy, yet continue to engage in online activities that are known to put their privacy at greater risk? Is there something that motivates consumers beyond privacy and security?

Time is money, and user experience is intimately tied to affordability.

The Privacy vs Personalization Paradox describes how consumers choose to forgo privacy in exchange for convenience: the personalization of products increases their usability and affordability.

With most adults leading busy lives outside of the workplace, it’s no wonder consumers willingly compromise their right to privacy, an abstract concept at best, when the trade-off is as tangible as saved dollars and time.

Convenience is apparently valued so much more than privacy that one Apple user filed a lawsuit against the company for not readily allowing him to turn off two-factor authentication. While unusual, this highlights just how dearly some value usability.

Not everyone is opposed to the popular security feature, however: a study by IBM shows that adoption of two-factor authentication is on the rise amongst millennials.

Even privacy-focused consumers are looking for more seamless and convenient solutions that will protect their online accounts. Anyone who has experienced the nuisance of being locked out of their own accounts by two-factor authentication can vouch for the need for better solutions that maintain security without compromising on usability.

Biometrics offer a seamless, secure solution, but only when done correctly.

Biometrics offer a solution to the problems associated with safeguarding passwords and PINs by allowing users to authenticate with their own body. With biometrics, the user becomes the password.

At the same time, biometrics handled in the traditional way pose a greater risk than passwords and other replaceable credentials. Unlike a password, biometric data cannot be changed once it has been compromised. If a stored biometric template is stolen, the victim has to worry about bad actors misusing it for as long as the data still matches their body, meaning they may never be able to use that biometric as a form of authentication again.

However, emerging solutions allow for a secure biometric scheme that removes the reliance on passwords and centralized databases, protecting both businesses and consumers.

Rather than storing data in a centralised database, advanced cryptographic methods distribute unrecognizable fragments of encrypted data across a distributed network. No single node holds a usable biometric profile, so there is no central database from which a cyber criminal could steal one; an attacker would have to compromise several independent nodes at once.

Without a centralized database to match authentication data against, how can this technology be leveraged by businesses so that they remain compliant with regulations and confident that users are who they say they are?

To authenticate users, it is possible to verify a user’s device with a zero-knowledge proof (ZKP), which lets the device prove that it holds a secret (for example, the private key enrolled at registration) without revealing that secret. This adds a layer of security, since the network learns nothing it could replay, and makes the re-authentication experience more seamless for the user.

Once the device has been verified, an encrypted sample of the user’s biometrics is sent to a distributed network, and matched against the user’s encrypted biometric template. As a result, the network authenticates the user without having access to any biometric information. Once the network authenticates the user, shares of the user’s secrets (e.g., shares of private keys) are sent to the user’s device, and reconstructed locally. By using this breakthrough technology, only the user can see her secrets. This is essentially how Keyless’ secure multi-party computation protocol works, making it one of the most innovative and secure forms of authentication.
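As an added illustration of the flow in the two paragraphs above, the example below is generic textbook cryptography written for this page, not Keyless’ code or protocol. A device proves possession of its private key with a Schnorr proof of knowledge (a simple zero-knowledge proof), and only then do the network nodes release Shamir shares of the user’s secret, which the device recombines locally. The prime field, base element, function names and the boolean that stands in for the encrypted-biometric match are this example’s own assumptions; the matching step itself is not implemented.

```python
"""Added example (not the page's or Keyless' code): ZKP-gated release of
secret shares, reconstructed only on the user's device."""
import hashlib
import secrets

# Demo-sized prime field: the Mersenne prime 2^127 - 1. A real deployment uses
# a standard group such as an elliptic curve; only the protocol shape matters.
P = (1 << 127) - 1
G = 3  # assumed base element for the demo

# --- Zero-knowledge proof of key possession (Schnorr, Fiat-Shamir) ----------

def _challenge(t, y):
    """Fiat-Shamir challenge: a 256-bit hash of the commitment and public key."""
    return int.from_bytes(hashlib.sha256(f"{t}|{y}".encode()).digest(), "big")

def schnorr_prove(x):
    """Device side. Returns (y, t, s): public key, commitment, response.
    A verifier learns that the prover knows x with y = G^x mod P, but not x."""
    y = pow(G, x, P)
    # The mask r is ~512 bits, far above c*x (< 2^383), so s = r + c*x is
    # statistically independent of x. Leaving s unreduced sidesteps the
    # subgroup structure of P-1 (the same trick used in unknown-order groups).
    r = secrets.randbits(512)
    t = pow(G, r, P)
    s = r + _challenge(t, y) * x
    return y, t, s

def schnorr_verify(y, t, s):
    """Node side: G^s == t * y^c (mod P) holds only if s was built from x."""
    return pow(G, s, P) == (t * pow(y, _challenge(t, y), P)) % P

# --- Shamir secret sharing over GF(P) ----------------------------------------

def split_secret(secret, n, k):
    """Split secret into n shares: any k recover it, k-1 reveal nothing."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for i in range(1, n + 1):            # evaluate the polynomial at x = 1..n
        v = 0
        for a in reversed(coeffs):       # Horner's rule
            v = (v * i + a) % P
        shares.append((i, v))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

# --- Network nodes: release a share only after both checks pass -------------

class Node:
    def __init__(self, share, device_pubkey):
        self.share = share
        self.device_pubkey = device_pubkey   # enrolled at registration

    def release_share(self, proof, biometric_match):
        """biometric_match stands in for the encrypted-template comparison
        described in the text (assumed here, not implemented)."""
        t, s = proof
        if biometric_match and schnorr_verify(self.device_pubkey, t, s):
            return self.share
        return None  # refuse: unknown device or non-matching biometrics

def enrol(secret, device_key, n=5, k=3):
    """Registration: shares of the secret go to n nodes; no node sees it all."""
    y = pow(G, device_key, P)
    return [Node(share, y) for share in split_secret(secret, n, k)]

def authenticate(nodes, device_key, k, biometric_match):
    """Device side: prove key possession, collect k shares, rebuild locally.
    Returns the secret, or None if fewer than k nodes released a share."""
    _, t, s = schnorr_prove(device_key)
    released = [n.release_share((t, s), biometric_match) for n in nodes]
    shares = [sh for sh in released if sh is not None]
    return recover_secret(shares[:k]) if len(shares) >= k else None

if __name__ == "__main__":
    user_secret = secrets.randbelow(P)       # constructed: e.g. a signing key
    device_key = secrets.randbelow(P)
    nodes = enrol(user_secret, device_key)
    assert authenticate(nodes, device_key, 3, True) == user_secret
    assert authenticate(nodes, device_key, 3, False) is None
    assert authenticate(nodes, secrets.randbelow(P), 3, True) is None
    print("secret rebuilt only by the enrolled device with matching biometrics")
```

The point to notice is where the secret exists in the clear: only on the device, after reconstruction. Each node stores one share, which on its own is consistent with every possible secret, and it hands that share over only to a device that has proven possession of the enrolled key. A stolen node database therefore yields neither the biometric profile nor the user’s keys.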

By combining biometrics with secure multi-party computation, there is a clear case for offering a seamless, compliant and privacy-centric authentication experience that greatly reduces the threat of security breaches, while also protecting businesses from significant financial losses.

A privacy-focused future

The need for technology that has been designed and built with privacy at its core is greater today than ever before. Organizations and consumers need innovative solutions that help them combat the evolving, expensive and increasingly likely risks of cybercrime.

Emerging technologies combined with biometrics will help shape a new era of the internet — one where privacy, usability and economic success exist harmoniously.

Businesses that proactively review and adapt their technology architectures now, with privacy-first solutions in mind, will ultimately fare better than those that choose to ignore the impending threat of stolen data.

This is a repost of the Article written by Fabian Eberle and Aly Madhavji featured in Volume 5 of The Payments & Cards Network Magazine, Issue 10
