Tokens, smart cards, biometrics and the battle for digital security
If digital security is a concern for you, then buckle up, it’s going to get a whole lot better.
A few days ago, we read about a new Siri bug that can let anyone spy on your iPhone – ignoring the fact that you’ve actually locked it. Apple’s biggest competitor is equally susceptible to sharing your data: November 2015 saw stories of an Android vulnerability that could very easily open your smartphone’s door to hackers. Privacy concerns are more prevalent than ever in our increasingly interconnected world.
Online privacy has been a topic of heated debate ever since the introduction of the public internet, in the early 1990s. Statista reports that 96% of US internet users are concerned that their personal data is vulnerable to hackers. Recent times have seen privacy considerations ramped up to an increasingly important level as the world is beginning to realize that the security measures currently in place are often not enough to protect sensitive data or even actual money.
With large password dumps and other massive leaks seemingly becoming a regular news item, there is an ongoing question of what additional measures can be taken to ensure that an online account is completely secure. Because it’s such a new field, there’s little precedent as to what can truly help our efforts to keep our data private. Constant technological advances provide a variety of suggestions, including soft tokens, smart cards, and even biometric devices. How are they currently being used and which ones are the best? Let’s take a closer look.
The first computer password was created in 1961, at MIT. Of course, it was much later that passwords became as commonplace as they are today. You hear the term “two-factor authentication” so often today that it may be difficult to pinpoint precisely what it means. Described in a 1984 patent, it simply means that two different elements – or steps – are required in order to verify your identity.
Even the oldest ATM cards for the hole-in-the-wall follow the concept of 2FA: you need both the physical card and your PIN in order to access your account. Nowadays, most digital services offer 2-step verification options, including Google and Facebook.
Hard and Soft Tokens
26% of respondents to an Impermium Study said they have been a victim of some type of account compromise. Tech brands have tried to address that in a multitude of ways. After username/password combinations, hard tokens were the most common security device that banks, stock trading platforms and other online enterprises implemented to protect their users. For instance, Citi Private Bank uses a physical device simply called a security token to enable the customer to further verify their identity for online banking. In effect, this is a “hard token” as it is hardware.
Although we associate hard tokens with banks, more companies are offering them to the customers of their online services, for added security. That’s especially the case where money could be involved. Online poker provider PokerStars, for instance, offers its players an optional RSA Security Token as an added measure to better protect their accounts from keylogging, hacking and phishing attacks. After a player has received the hardware gadget by post and activated it, their account is rendered inaccessible by anyone who does not physically possess the token, even if that person has (or has guessed) the account’s password.
There are also soft tokens. Soft tokens are software, either available for installation as a smartphone app or a remote piece of software that sends text messages to a user’s verified mobile phone. While the underlying technology for tokens can be different, they almost all work in the same way. The user connects their account to their mobile phone or device and must physically have their phone to access their accounts. First, they would enter their username and password, which would trigger an SMS to be sent to their phone. This SMS contains a numeric code that is entered on the website login. Alternatively, users are required to install apps such as Authy or Google Authenticator, which will be used to generate the numerical code in question.
Smart Cards and RFID Chips
For a bigger bang in a smaller package, smart cards and RFID chips were some of the first additional security methods to be introduced. However, their entrance into the security discussion has been met with a great many privacy concerns. RFID stands for radio-frequency identification. Although research that culminated in their invention started as early as 1945, the first patent associated with RFID chips was granted in 1983. This technology uses electromagnetism to identify objects. Even though RFID chips are currently present in many of the world’s passports, there is a fear that anyone with an RFID scanner would be able to access the data simply by being near the chip and without a need to physically have it in their possession. Still, the global RFID market is expected to reach $18.68 billion by 2026, according to IDTechEx.
Smart cards are a little more complex and stand a good chance of being the next security method to see mass introduction. There are both contact and contactless smart cards, the latter first introduced to the general public by Visa and Mastercard in 2004. Yes, smart cards are exactly what enables you to make contactless credit or debit card payments. At the simple end, the basic smart cards are only capable of storing data and then returning that data when needed, with a standard example being a gift or telephone card. However, the new generation of smart cards is CPU-based, which means the cards themselves would be able to process information rather than just storing or returning it. With a CPU, these cards can also add a layer of cryptography, encoding information to make it more difficult to access.
Biometrics: Sci-Fi or Reality?
Biometrics is a less common security measure that is starting to see gradual implementation. Think about fingerprint scanners on laptops. Do you use yours? That’s a basic application of biometrics. Essentially, biometrics rests on the idea that every person is physically different and counterfeiting traits such as a fingerprint, retinal scan, or voice pattern is close to impossible. The current problem with biometrics is the cost associated with mass development and production of scanners and other technology needed to turn these devices into a reality.
While it may not have widespread acceptance yet, biometrics is clearly on the rise. The country of India has begun an ambitious program that may pave the way for future biometric projects and online adoption. The country is pushing for national ID to be based on biometrics and about 600 million residents (slightly less than half the population) have signed up for the program. It is thought that this process will provide instant verification for government services and will include demographic information for easier use in scientific studies. The jury is still out on the effectiveness of India’s program, but if it fares well, then it may be the turning point that pushes biometrics into the forefront of digital security.
Officially released in October 2015, Android 6 “Marshmallow” was the first mobile OS to provide native support for fingerprint recognition. It wasn’t long until mobile manufacturers such as Samsung (with the Galaxy S6) and Huawei (Nexus 6P, Mate S) started releasing smartphones with fingerprint sensors. The most interesting aspect of Google’s move is that the recognition API is available to third-party applications. In effect, that means that app creators can choose to implement this feature as an extra security measure in their Android apps. Marshmallow was certainly a huge leap in the move towards biometrics.
Right now is an exciting time for online security. As the debate continues to get hotter and hotter, developers are working hard to solve privacy issues and anyone who comes up with a truly functional solution could be sitting on a virtual goldmine. The more connected we become, the more at risk we seem to be, from our smartphones and smartwatches to our laptops and tablets – not to mention our USB sticks. The days of the old username and password combo may be limited, but that is certainly a good thing. With better security and more options out there to enhance our online protections and decrease security vulnerabilities, safety will be increased and fewer instances of digital theft will occur.