There are a few recent developments in the field of cybersecurity that businesses, individuals, and fraud investigators alike should take note of. One is a recent case which, if followed, could expand a business’ liability for security breaches and the others are new tools businesses possibly could use to protect against that same liability.
Digital information, including how to protect it and prevent fraud, is always a fascinating topic. New advances in digital security go hand in hand with ingenuous ways to steal digital information. It is fun to follow, in the same way it is fun to watch Wile E. Coyote chase the Roadrunner: the chase never really ends, they always come back for more, and they use bigger and better gadgets every time.
Cybersecurity, though, is more than just a fun-read. It has real-world implications. According to a report published in the Wall Street Journal, Federal District Court Judge Esther Salas, on Monday, April 7, 2014, upheld the Federal Trade Commission’s right to police corporate cybersecurity practices to ensure businesses take reasonable precautions to safeguard their customers’ data. The FTC reportedly sued Wyndham Worldwide Corp. and three subsidiaries, in 2012, after hackers broke into the company’s corporate computer system and the systems at several individual hotels, between 2008 and early 2010, and allegedly stole credit and debit card information from hundreds of thousands of customers. The FTC alleged that Wyndham did not take reasonable measures to protect its customers’ information from theft. It cited what it alleged were wrongly configured software, weak passwords and insecure computer servers. Wyndham argued that the FTC did not have the statutory authority to police corporate cybersecurity. The FTC argued that its authority came from its 100 year old statutory power to protect consumers from businesses that engage in unfair or deceptive trade practices. There was no finding of liability, but the court reportedly upheld the FTC’s right to bring the suit. The lawsuit reportedly seeks to have the court order Wyndham to improve its security measures and fix whatever harm its customers suffered.
With the possibility of federal enforcement of what amounts to a “reasonable-precautions” cybersecurity standard, businesses, not just fraud investigators, should pay attention to the potential tools at their disposal to protect their clients’ information.
The technological advances in keeping things secret are ingenuous. Much like the mythical jackalope, or my favorite, the basselope, they use things that do not seem to have anything to do with each other, to come up with something better: A more effective lock and key to turn away prying eyes from private information they should not see.
We previously wrote about fully homomorphic encryption. It really is like searching a locked box from the outside: You search for what you want but don’t see anything until you find what you’re after. The trick is to keep the box locked so no one peeks inside. The best way to do that is to require two sets of keys to unlock it. It is a proposed solution to the conflict between government collection of data for national security purposes and privacy concerns, at least according to Dan Kaufman, the head of the software-innovation group of the Defense Advanced Research Projects Agency, or Darpa.
Another encryption method is quantum cryptography. It uses individual particles of light, or photons, to transmit pieces of information. The solution, or the problem depending on how you look at it, is that the photons are destroyed if they are intercepted. The fact that they are destroyed will tip off the intended recipient that the message has been intercepted.
The problem with quantum cryptography has been the size of its necessary technology: it is bulky, expensive, and tethered to a fixed physical location. Researchers at the University of Bristol Centre for Quantum Photonics, led by Dr. Anthony Liang, in collaboration with Nokia, recently announced a breakthrough. They showed it was possible to use quantum cryptography on mobile computing devices by integrating an optical microchip developed at the university into a mobile handset, such as a cellphone. Though not yet deployed in a real communications network, it opens up the possibility of letting the general public keep their information safe by making all sorts of mobile on-line communications and commerce more secure.
Another ingenuous encryption method, this time based on human biology, was recently announced by the University of Lancaster. The researchers, who include Dr. Tomislav Stankovski, Professor Peter McClintock, and Professor Aneta Stefanovska, used a mathematical model based on the way the human heart and lungs communicate with each other. Think of the way they work in unison when you run, play ball, or shovel snow: the faster your heart beats the faster you breathe; you normally do not have one working hard while the other is at rest. The key to the method, according to the researchers, is that it gives you an infinite number of choices for the encryption key, which is nothing more than a code used to unlock the private information. The more possibilities, the harder it is to crack the code.
Whether using fully homomorphic encryption, quantum encryption, or encryption using dynamic system coupling, will ever be considered a “reasonable precaution” that businesses must take in order to safeguard their client’s data, is something we will have to wait to see. They do, however, point out the effectiveness of thinking outside the box and taking inspiration from anywhere you can get it, even from places that seemingly have nothing to do with the problem at hand. It will be fun to see what comes next.
Go raibh maith agat