By PATRICK STEPHENSON
BRUSSELS – In October, the US-based credit reporting agency Equifax revealed that hackers had penetrated the company’s databases and stolen the private information of over 145 million people. Looted identity data included the “big four” personal security identifiers of name, address, birth date, and social security numbers. These four identifiers together constitute the basis for most personal consumer transactions, online or off.
According to the Chicago Tribune, cyber-criminals have already begun using the stolen info to take out credit cards, mortgages, and student loans. Many now wonder if keeping such vital personal data inside vast corporate ‘silos’ is a good idea in the first place. Shouldn’t consumers make purchases, or take out loans, without allowing companies to hold on to their personal data?
One company hopes to change the way that consumers interact with online retailers by using blockchain technology. To find out more, SECURITY EUROPE sat down with Nuggets CEO and Founder Alastair Johnson on the margins of the 8th Annual Data Protection and Privacy Conference held on 30 November. His company is a consumer blockchain platform that gives users a single biometric tool for login, payment and identity verification, while never sharing or storing private data – even with Nuggets itself.
“Throughout the globe, at the moment, there are breaches on a daily basis in honeypot silos of data,” he said. “Fundamental change has to take place to get rid of these silos, atomise them, and give them back to the individual user.”
Johnson said consumers engage in online activities they would never countenance face-to-face. “You wouldn’t write down your credit card and personal information and go to a local shop and stick it in the till and go, would you?” he said. “But digitally, we do that everywhere. Currently, you’ll have your credit card, your email, maybe your date of birth and password information on numerous retail sites.”
He said the big problem is when retailers keep giant silos of consumer data, and then are obliged to protect them. In the Equifax case, various media reported that the ceaseless drive to innovate and expand market share led the company to skimp on its security measures. “Obviously, all that data becomes a honeypot that has got so much value. Some of the best brands have proven that they’re not able to stop people breaking in,” Johnson said.
The solution is to keep the private truly private by never surrendering the individual’s control. “What needs to happen is that we no longer store our information when we use a service,” Johnson said. “Instead, we keep it within the Nuggets blockchain.”
A blockchain is a linked, expanding list of records, or blocks. Once a block is made, its data cannot be altered without also altering all subsequent blocks. Changes must be verified by more than half of all the blockchain elements. Blockchains thus function as open distributed ledgers that record transactions between parties permanently and verifiably. The technology is also extremely secure, and has been the basis for the meteoric rise of Bitcoin.
“The key principle is, you keep your data to yourself. You can still use [a retailer’s] services, but you’re not passing over information, and they’re not storing any,” Johnson said, adding that biometric data can be entered via a customer’s personal mobile phone using touch ID fingerprint identity technology, or facial recognition.
Retailers would still be able to see a user buy socks every Wednesday “and still use behavioural models based on that. But they won’t know who it is, what you’ve done previously, or what type of currency you’re using, and so on,” he said.
Though they might lose out on the lucrative business of selling customer information to third parties, retailers would also stand to gain from the shift in verification, according to Johnson.
“When we talk to retailers, they just want the product to go out the door and the money to come in. Card and ID fraud was 16 billion dollars last year in America, but false positives [when an algorithm declines credit card usage] cost 118 billion dollars,” he said.
According to Johnson, a key principle is that Nuggets uses on-device biometric scanners. “That means your biometric information is not actually kept in the Cloud,” he said. “It’s in your device’s secure enclave.”
The main issue, of course, is that highly evolved hacking techniques are exploiting slow-moving or antiquated corporate security practices. It just doesn’t boost the bottom line in the short term to beef up your company’s security. When the break-in comes, it’s likely to be during someone else’s turn at the corporate helm.
While Nuggets seems to offer a complete security solution for consumers, many corporations won’t like it. Facebook’s whole profit model rests on knowing everything its users do, while the sale of client information to third parties is a huge revenue stream in many sectors.
But this stream has to shrink, and in some cases even dry out entirely. Nuggets could help do what the EU’s GDPR intends: keep a person’s private details in their hands, in their own secure enclaves. Let’s hope it works.