Are We Having The Right Encryption Conversation?

The Apple v. DOJ battle has made encryption a household word. But what’s the right conversation to be having about keeping consumer and payments data secure and private? Michael Reitblat, founder and CEO of Forter, and Shaunt Sarkissian, founder and CEO of Cortex MCP, joined MPD CEO Karen Webster to debate what isn’t being discussed right now but should be — and the role of encryption in that conversation.


There’s no doubt that keeping payments data and customer data safe is job number one of every player in the payments ecosystem.

But as much as this is a given — and, clearly, table stakes — there is a debate raging over the lines now being drawn between keeping data safe and keeping it private, as the ongoing debate between tech giant Apple and the U.S. Department of Justice has demonstrated.

In an effort to clear the encryption air, particularly when it comes to the payments industry, MPD CEO Karen Webster hosted a digital discussion with Forter CEO and Founder Michael Reitblat and Cortex MCP CEO and Founder Shaunt Sarkissian, who offered their insights on the significant role encryption plays in safeguarding consumer data and why there is even a debate at all.

 

SECURITY AND PRIVACY — CAN WE HAVE IT ALL?

“Encryption is one of the best ways to protect data. It’s not a bulletproof solution, but it’s a very important one, especially if you want to make everything else very easy,” Michael Reitblat, founder and CEO of Forter, explained. The “everything else” is consumers transacting on the Web with ease and criminals not being able to easily have access to data that they could use for malicious purposes. Otherwise, and obviously, consumers are not going to want to use a service that they feel does not have their best (and safest) interests at heart.

With respect to payments specifically, where the encryption of payment information is a vastly different issue than the encryption of communication channels, the balance of having both security and privacy may be more achievable.

“Payments is one of the rare areas where you can have your cake and eat it, too,” Shaunt Sarkissian, CEO and founder of Cortex MCP, said. Sarkissian pointed out that the wants and needs of government, as they relate to payments, tend to be more about where a credential is used and the patterns of payments themselves, but there are still challenges to striking that perfect balance of security so as not to compromise customers’ privacy.

He said it really requires a symbiotic relationship between public and private entities, which is somewhat of a far cry from the current Apple case, describing it as a “public relations stunt gone awry.”

As Reitblat pointed out during a recent panel discussion at PYMNTS Innovation Project 2016, the entire issue becomes even more complicated as the world becomes more global, since it is not as clear which government has the authority to act.

For example, imagine that a payment network that has all of its rails encrypted and transactions completely protected complies with a request from the U.S. government to access data to see who is moving money where. Reitblat posed the question of what moral grounds there are for that company to refuse the same access to all of the other governments in the world — governments that may not all share the same interest in protecting their consumers.

“In that case, we are actually undermining and giving access to everyone, but not all governments have the best intentions for all people. It really creates a significant conflict,” he added.

 

IDENTITIES AT RISK

Today, criminals aren’t just after payments data; they want a consumer’s identity.

Stealing account credentials is harmful, but it has its limits, unlike when a criminal is able to get their hands on someone’s identity. Then, they have the ability to continue to access and even create new accounts as that person.

Reitblat made the interesting comparison between what we do in authentication and crime prevention and how diseases work.

He says that, just as diseases evolve and become even harder to treat because the original medications no longer work, we have become better at identifying fake identities, but criminals have evolved to the point where they can now create fake passports that are almost undetectable.

“We have so many different pieces of our identity floating around; every time we interact with someone, there is a piece of that identity that we expose,” Reitblat said, adding that this is why even more information is requested by companies to authenticate people. But when those entities are compromised, the consequences become even worse.

So, what’s the solution? How can we stop making it easy for identities to be compromised?

“We have to move to a world of transactional identity,” Sarkissian suggested.

This means securing all endpoints, especially those that currently rely on identification based on physical cards or documents, much more effectively. For Sarkissian, this involves provisioning credentials down and getting drivers’ licenses and other similar methods of identification scanned and verified.

“It’s mind-blowing that we live in a world of connected commerce and a bunch of connected devices, and still, the final arbiter for that driver’s license is a person being paid $8 per hour saying ‘Yeah, I think that’s you,’” he explained.

While admitting that securing data from the threat of criminals will always be a cat-and-mouse game, Sarkissian noted: “A lot of the same technologies we are employing around payments and tokenization have a lot of transferability to a transactional identity world.”

But maybe the authentication of identities needs to be based on more than just the data individuals carry around on an ID card or enter into a form online.

Reitblat believes that the things we do and the way we conduct ourselves are also key, and something that can’t be faked.

“We need to stop looking at identity and start looking at behavior,” he said, noting that there are various ways to identify not just if a person has legitimate access to a payment card but their intentions for using it as well.

 

WHERE IS THE WEAKEST LINK?

As Webster pointed out, the industry is working towards the same goal: protecting customer and account information, while doing its level best to make sure neither of those things is compromised by those who wish merchants, banks or the homeland ill will.

But do we have a way to get there?

Unfortunately, no perfect system exists, and that’s because there will always be people involved in the process.

As Reitblat explained, people represent a “very weak link” in the whole process. He said that while more investment in security needs to be made as an industry, the government and media also play a role in communicating security threats that the general public faces.

Reitblat said individuals need to know that “it’s a risky world out there, and people will always try to compromise your identity for their benefit.” Those people are well-trained and highly motivated, so it will have to come down to more than just systems, he added.

While many people do their best to keep their personal data safe, there is still a significant need for education. Webster noted that, even though consumers are generally in touch with the things that may be fraudulent, they don’t toss and turn at night, because they’ve been trained to think the bank has their back.

They may be tuned into risk, but they have been conditioned to rely on others rather than themselves when it comes to playing a part in their own data and identity security.

Sarkissian advocated for more education for consumers and also putting some responsibility back on them to take on a proactive role and to be much more vigilant about protecting their own information and how they use it.

“There’s always a threat factor out there that you can’t patch, and stupidity, obviously, is one of them,” Sarkissian said. “It’s like saying you live in the middle of a terrible neighborhood with your door wide open but you have a decent insurance policy. You’re still getting robbed.”

However, education is also necessary when it comes to companies themselves, which need to ensure they provide the right training and knowledge sharing to their employees about security concerns and issues.

Public entities will always have their own interests in mind, and companies will always be responsible for protecting their consumers. But finding smarter ways to work together when problems arise may be the first step in actually making progress towards striking the security versus privacy balance.

“The more cooperative and collaborative these things can be, the more effective it will be, and the system will work better,” Sarkissian stated.