One of the many definitions of identity is:
“The characteristics, feelings or beliefs that make people different from others”.
This is particularly relevant in an ever-changing and diverse cultural landscape, as demonstrating our identity is one of the most key factors in creating trusted personal and professional relationships.
When we engage with companies, financial institutions, or other individuals, one of the first hurdles we encounter is proving the identity and legitimacy of the other party. This is easier if you hold a personal relationship; however, the nature of our online world continues to create a disconnect in this domain. Consequently, securing the identity of the people we interact with is critical to protecting ourselves from fraud and attack.
Protecting identity in an online world takes many forms, including biometrics built into our phones and computers, voice recognition, passwords, passcodes, and two-factor authentication codes that are sent to your mobile phone.
All these approaches have their pros and cons and individually none are completely infallible, but when used in combination they become more powerful. On the other hand, when we put them together in the wrong combination, we make the entire process too difficult, putting up barriers between us and the people we want to communicate with.
The biggest challenge to identity in our world today is that of immediacy. We expect to be able to complete our transactions quickly and simply with minimum fuss. When challenged to prove our identity, we often become irritated at the time and effort we spend identifying ourselves, feeling unjustly targeted because we know we are who we say we are!
As we move into what some have called a “passwordless era”, eliminating friction in communication without compromising the protection of digital identity and associated regulatory commitments is key.
The history of communication
Since the beginning of time, we have relied on services to transmit our communications. These might have been a personal courier sent by horse, stagecoach, ship or even the unfortunate messenger on foot. All of these fell victim to attacks by unsavoury individuals.
Whilst we might assume that the use of technology has mitigated some of these issues, phone calls can still be intercepted, postal mail stolen, and emails or electronic interactions intercepted in their transmission across the internet.
If we are going to learn from history, protecting our identity is founded on two key factors – proving our identity and protecting our communications from attack…
How unique is our identity?
Every day of our lives we deal with identity, whether proving to others that we are who we say we are or verifying that others are who they claim to be!
Daily smartphone usage is the most obvious and frequent example of us proving our identity, in many cases using the biometric capabilities built into our devices.
According to a leading global technology supplier, the probability that a random person in the population could unlock your mobile device using Face ID is approximately 1 in 1,000,000, fingerprints offering lower levels of ‘uniqueness’ at a ratio of around 50,000 to 1.
However, I recently discovered something interesting in the use of biometrics...
I’m lucky enough to have two great sons, one older than the other by just over three years. Whilst naturally they differ in appearance, there are of course family resemblances… similarities that enable my eldest son to open his brothers’ phone with Face ID.
I suspect that the reason why the tech supplier references a ‘random person’ in the introductory words might be because they are also aware of this phenomenon!
Identity at a distance
We continually identify those with whom we converse, a process that the human brain is ingenious and unique at achieving. Our brains perform incredible levels of processing in the blink of an eye and utilising all our senses, with sight and hearing being the main two but, in some cases, smell too!
Of course, life becomes more complicated when we are remote from the party we are seeking to identify, and we are called upon to resort to fewer of our senses. Recognising someone’s voice on the phone, by way of example, might leave us open to higher levels of risk and misinterpretation.
Remote Identity – putting words in our mouths?
A BBC reporter successfully fooled the voice ID authentication of a high street bank when his non-identical twin was able to access his account.
Advancements being made by projects such as Google’s DeepMind Wavenet or LyreBird have demonstrated how artificial intelligence can, within minutes, synthesise our voices to a very high degree of accuracy. Combining both these examples understandably raises concerns as to the integrity of voice authentication.
A prime example of reducing the risks associated with remote identity is in telephone banking.
When a bank’s representative engages with you, the bank must seek to ensure that the representative themselves cannot harvest enough information about you to subsequently misrepresent themselves as you.
So how does the bank seek to secure their telephone banking experience?
Initially, the bank’s representative will ask for light ID parameters which they use to narrow the field as far as the caller’s identity is concerned. Commonly, this will be the caller’s full name and a home postal code, against which they hope to identify the caller’s bank records.
To ensure that the caller is the ‘right party’, the bank’s representative is then presented with a series of questions. These are randomly pulled from a longer list of ID challenges that were set up by the bank and account holder at the outset of their relationship. Each of the caller’s answers is then keyed into the system and, assuming the caller can satisfactorily answer the pre-agreed challenges, the bank can allow the caller to transact their business.
The bank’s representative does not know if the individual answers provided are correct or otherwise, they only know that all the challenges have been satisfied. The theory behind this is that no representative should be able to collect enough information during the exchange to profile the caller, allowing them to potentially use such information to misrepresent themselves as the caller.
Of course, this is not infallible, but it emphasises the importance that should be placed upon the ID parameters themselves, given that they are the sentinel.
Beyond trust – securing email and identity
Email has remained largely unchanged since its introduction over 30 years ago. Basic email messages sent today still look very similar to those sent in the early 1970s, however, the volume of emails could not be more different.
Over 330 billion emails are sent and received every day, with this number predicted to rise to around 360 billion within 2 years.
Whilst proprietary systems may use non-standard protocols internally, all of them use Simple Mail Transfer Protocol (SMTP) when sending to or receiving email from outside their own systems; a protocol that has zero built-in security features.
The default state of all email services is unencrypted and open to attack, putting crucial information at risk. Even where email is secured, in many cases, there is no control or authentication in place to determine if the party or individual is the intended recipient.
When you email highly personal information, there’s absolutely no guarantee that your message is protected in transit or in the recipient’s inbox. Equally worrying- there is no ability to take back an email sent to a recipient if there was an error in the content, or indeed, you sent it to the wrong person entirely. Most people reading this will be able to cite examples of where this has happened to them personally.
Email is often compared to sending a postcard, one that contains sensitive information, by way of the postal service. This comparison is more accurate than you might imagine given that, like an email bouncing from one server to another on its journey, our post might pass through several sorting offices and individuals before it arrives at its intended destination. Both the contents of postcards and emails can be easily intercepted.
Of course, we generally tend to seal sensitive information within envelopes, with the aim of ensuring that only the intended recipient opens it but sadly, like a normal email, they are sometimes opened and read by parties other than the intended recipient.
The postal service offers products that seek to solve this problem in the form of Recorded Delivery or perhaps even the Post Offices ‘Document Certification’ process, both of which come at expense and inconvenience, while not necessarily being 100% reliable.
Secure email solutions might employ various techniques to verify an intended party’s identity ranging from a PIN code sent in a follow-up message to more sophisticated approaches. One must consider which might truly enable the verification of identity in fear of infringing the stringent legal and regulatory requirements that surround this topic.
Identity and fraud
According to a global report by Cybersecurity Ventures, over USD $19.9 m (GBP £16.4 m) is lost to cybercrime every minute.
In 2017, the BBC published its latest article set against the massive and continued cyber-criminal activity targeting businesses across the globe, with Business Email Compromise (BEC) remaining one of the largest areas of financial loss. According to an FBI report, the global cost of Business Email Compromise (BEC) resulted in losses equating to $12 billion in 2018 alone.
This type of fraud has taken several different forms and already carries several descriptive names and acronyms including:
EAC (Email Account Compromise)
CEO fraud (impersonation of a senior company executive in order to divert payments for goods and services into a fraudulent bank account)
Whaling (a highly targeted phishing attack - aimed at senior executives)
Each is largely based upon the same fundamental fact that normal email remains insecure and open to abuse, all connecting with the lack of ID verification available for email.
Homebuyer and invoice fraud
Homebuyer fraud is when individuals are tricked into making a payment to a cyber-criminal rather than their solicitor during a house purchase transaction. Invoice fraud is, similarly, where an organisation directs funds to cyber-criminals as opposed to the intended party when satisfying an invoice request.
This topic is the subject of various research outputs and puts the annual cost to UK businesses of this type of cyber-criminal activity at anything between hundreds of millions, to hundreds of billions of pounds. Invoices can arrive at a business in a multitude of formats, ranging from a ‘hard copy’ in the traditional post, electronically via a portal, uploaded directly into an accounts system or potentially via email.
Consequentially, there is a multitude of ways for criminals to corrupt an invoice or the invoice process for a potential scam. However, scandals continue to hit headlines where the issue lies rooted in a weak approach to securing information via email, alongside any connected identity processes (or rather, lack of them).
Can technology help?
Technology is a double-edged sword; it has created opportunities for fraudsters and criminals to hijack email traffic carrying sensitive data but can also be used as protection by adding advanced levels of security, control, and audit over electronic communications.
The ability to ensure that only the intended recipient can open an email, and any associated attachments, and for the sender to also verify that an authenticated identity has received and opened an email, can be very powerful.
Whilst most of us might not like to admit it, I’m sure that many, if not most of us, have inadvertently sent an email to the wrong person, an error that can prove not only very embarrassing but potentially very damaging. As such, the ability to fully revoke such an email can be advantageous.
‘GDPR One Year On’
In 2019, the BBC broadcast ‘GDPR One Year On’, a documentary focusing upon the lack of transparency our devices exhibit, as they share data with multiple parties all over the world, emphasising that the need to exercise caution and control over our communications has never been greater.
The show included an interesting insight into customers exercising their rights under GDPR, in the form of Subject Access Requests (SARs). SARs allow an individual to request that a company provides all information held in their name and yet, over a year on, many companies are yet to consider how they would comply with such a request.
Clearly, delivery of such sensitive information to someone other than the right party will, in itself, infringe GDPR and might carry with it both financial and reputational damage.
Proving our identity – the cost
Identity can be described as an uncertain, impermanent shifting concept, given that different parties are likely to have differing opinions on which values and attributes are suitable to help prove our identity.
It’s also worth bearing in mind that many of the ID processes we have become familiar with have their shortcomings and require further questioning. For example, when we are issued with PINs for our credit cards, they are often sent to us in the normal post.
What guarantee is there that only the intended party opens and reads this communication? Additionally, is a passport still a robust enough means of proving that we are who we say we are, particularly if trying to do so remotely?
The Senior Managers Regime (SMR), which came into effect in March 2016, is a part of UK financial regulation aimed at increasing the personal accountability of senior people in the financial services industry. Data issues such as those noted above are captured within this regime, so senior managers may find themselves responsible for failings in SAR delivery.
As such, the question we must ask ourselves when communicating is “How do we secure such information whilst taking a robust approach to the dilemma of identity, particularly when dealing with a ‘remote’ end user?”
Identity and trust
Legislation continues to evolve, seeking to afford us the ability to decide who holds what information about us - after all, our identity is prized beyond all other things.
We revel in the idea of freedom and greater anonymity and yet, as ‘online consumers’ we are faced with an identity conundrum when insufficient information is available to verify that we are who we say we are.
The government’s VERIFY initiative set out to describe how companies might identify clients, thereby encouraging secure transactions and communications.
However, in an age when legislation allows us to be ‘forgotten’, it is likely to become increasingly difficult for companies to access information capable of providing a robust ID verification methodology.
Enforcement of access control and encryption can be achieved using technology.
When we send a message containing sensitive information, it should be cryptographically signed and verified as a matter of course.
The idea of sending such communications using unencrypted emails that can’t be revoked or controlled should be considered as antiquated as an old telephone party line.
Security, privacy, and control need to be a priority, with normal email in desperate need of an upgrade to achieve these ambitions, whether you are motivated to act because of the security of your business or the service efficiencies that can be gained through ‘Digital Recorded Delivery®’.
Identity – the heart of Beyond Encryption
Identity is at the heart of the Beyond Encryption philosophy, as well as its values and mission. Users of the Mailock solution are empowered to leverage decades of know-how in securing their customer's data, protecting their businesses, and addressing the increasingly complex area of regulatory requirements.
Mailock – securing the most insecure medium
Mailock affords unique levels of control over identity verification processes and, more importantly, its technology uniquely affords absolute control over communications data and identification parameters, both remaining sacrosanct in any communications strategy.
nigel — file & forget, find, remind & share
nigel gives organisations the ability to empower customers to safely store their important documents on their mobile devices, keeping their identity protected. nigel goes beyond a secure document wallet by leveraging AI to help consumers manage their admin.
AssureScore — Crowd Authentication®
AssureScore analyses data from email network interactions to identify customers and profile communications risk while maintaining the privacy of the individual. AssureScore provides ID authentication scores to provide all parties with greater certainty about who they are dealing with, anonymously, and without compromising efficiency of communication.
Join the community
Jump onto our email list to get the latest research and guides, secure communications tips & tricks, and exclusive company news and updates.