The European Banking Authority has released the final draft of its Regulatory Technical Standards on authentication and secure communication for PSD2. In follow up to my original blog, I’m back with my analysis of the affect their final guidance may have on the consumer experience.
Sci-fi often portrays artificial intelligence (AI) like this: a computer watches people for a while, blinks darkly and decides the solution to the world’s problems is to kill off the human race. Thankfully we are far away from that. But what AI is capable of today is simulating a specific human brain function – such as pattern recognition. And that’s very exciting for security.
AI makes security practical in the open world
The world is now open, causing disruption in many industries and changing the demands on security.
Picture Bob. He thinks he’s figured out how to avoid paying for cable TV by watching programs streamed from pirate websites. One day, he’s watching a live football broadcast and ten minutes into the game, he loses all access. His screen goes blank. Is ruining the user experience on pirated sites a new combat strategy?
Seeing it differently
Degrading user experience may not be the first thing that comes to mind when considering how to combat cybercrime.
We live in a very different world today than we did 10-20 years ago. We’ve never been more connected. So, it’s surprising that software security practices remain in the realm of “We’ve always done it this way before”. Can they really expect to solve today’s security problems with an old way of thinking?
Traditional thinking typically starts with the premise that honest parties control the computer devices and any cryptographic operations are performed free from interference from would-be attackers. Given this, it’s probably understandable
Cryptography is no longer limited to the military and spies. This ancient art underpins modern life. It’s about encoding intelligible data, e.g. numbers, text and transforming them into something unreadable to anyone other than who the information is meant for. The question is, does it need an upgrade for today’s always connected world?
How secure is your house?
Hundreds of times a day we use cryptography in our everyday life. From the lock on the website that you’re browsing, remotely unlocking your car with the key fob to using all kinds of devices.
Statistically every person in the world between 15 to 64 years old has a smartphone or tablet today. In the next 5 years for every baby born 10 smartphones will be sold1. Smartphones have literally changed our lives, from playing, working to everyday living. But what can we learn from app developers, who’ve made mobile devices so powerful?
Learning from app developers
With 102 billion mobile app downloads to date – averaging 22 apps per device2 – it’s clear that software developers know what they are doing.
As Richard Branson said “Business opportunities are like buses. There’s always another coming along.” Looking at the online piracy world, the latest bus is exploiting software media centers. And unfortunately, many consumers are being taken for a ride.
I’ve mentioned it before, online pirates are undoubtedly criminals. Yet they’re also entrepreneurs. The pirates are continually adapting. To effectively fight online piracy means keeping up to date with their latest activities.
APIs are everywhere in modern day life. We rely on them to access services on mobiles, tablets and laptops. Without them our day-to-day life wouldn’t be the same. Yet they are also increasing the attack surface. Are they really a friend to e-commerce or to cybercrime?
APIs are not new. They’ve been around a long time. APIs are key to building scalable web-based applications as they allow and manage the interaction between 2 online connected services.
In today’s OTT world, pay-media operators continually modify their business models to find the sweet spot; what resonates best with their consumers. Unfortunately, the same is true with cybercriminals. For them, the introduction of account generator sites is at the heart of this evolution.
No longer limited to the DarkNet
In an earlier blog, I explained how compromised account details are regularly being sold on the DarkNet. However, in the last few months the Irdeto cyber-services team has witnessed a change.
On a recent flight, I was sat next to a security auditor. He asked “can someone steal keys used to encrypt credit cards from the server memory?” It depends, was my reply. But his question left me wondering. Why hasn’t anyone built a server side white box implementation?
Why does it depend?
Like any implementation, some are more secure than others. If the server side code was using ‘standard cryptographic APIs’ and they were black box implementations then