IT Briefcase Exclusive Interview with HYPR Corp: Fighting Online Fraud

Featured interview with George Avetisov, Co-founder and CEO, HYPR Corp. 

The writing on the retail wall is clear: mobile commerce is growing. The ease and convenience of e-commerce has led to the offering of mobile wallets, of which Apple Pay is the latest and largest entrant.Research by BI Intelligence forecasts US mobile payment volume to grow at a five-year compound annual growth rate of 172 percent and projects volume to rise to $818 billion by 2019, or just under 15 percent of total US payment volume.

But here’s the problem, according to HYPR Corp., provider of a device-to-cloud biometric security platform: cyber criminals are focusing on mobile payments too, and organizations are repeatedly failing to secure data as it transitions to the cloud.

In this interview, George Avetisov, CEO of HYPR Corp., speaks with IT Briefcase about what companies that accept mobile payments need to know about mobile wallets and fraud, and how to protect their data.

• Q: What are some of the challenges of securing online data?

A. User authentication has always been a challenge, and it’s only getting harder. As the demand for remote login and flexibility continue to rise, organizations are struggling to find and deploy authentication methods that are effective, easy to use, impervious to theft, and scalable. Authentication in the age of IoT, BYOD (Bring Your Own Device), COPE (corporately owned and personally enabled) devices, and cloud services introduces challenges not addressed by usernames, passwords, or hardware tokens.

•  Q: So, have passwords become pointless?

A. Passwords were once a good idea but they have become so outmoded and insecure that today we can settle on the notion that they are nearly pointless as a sole factor of authentication or even one of just two equally weighted factors. You only need to look at the use case of a consumer wanting to shop via mobile using their password to appreciate how outmoded and insecure passwords have become expressly due to mobile payments. Many users choose easy-to-remember passwords and reuse them for all of their applications. Efforts to increase password complexity have failed because most people use the same common characters to fulfill these complex password requirements. With the rise of mobile computing, human nature is such that no one wants to input complex passwords. This usually means that users choose easy-to-type passwords that are also easy to guess. So it is consumers who have made the point of passwords’ declining utility, which is not surprising, as consumers often do not bear the cost of payment fraud.

• Q: What about other user validation options, like two-factor authentication?

A. First off, software-based solutions have shown to be vulnerable to malware attacks that plague many user devices. Many two-factor authentication, or 2FA, schemes on the market are purely software based ones that send an SMS code to a user’s mobile device. Software based 2FA solutions fail to address the security problem they are trying to overcome by performing on-device authentication, which is still susceptible to the same attack vectors as passwords. While sometimes promoted as being an “out of band” authentication method, many of these solutions inherently rely on a user’s device not being compromised in the first place.

Then there are 2FA hardware tokens. From a consumer standpoint these tokens, while commonplace in large enterprises, are a usability nightmare. Many are expensive, many require a separate carry, and some even require a separate charge.

Hardware tokens also provide expiration tokens that users manually input into applications running on a device’s operating system, making these solutions as insecure as they are inconvenient. In short, 2FA solutions do not provide sufficient security for organizations that require an end-to-end security solution, and some of these solutions are sorely lacking the convenience required for mass adoption. The cost of such solutions also makes mass deployment a nightmare, which is the reason token schemes have failed to permeate the consumer sector for everyday use.

• Q: So, then, what other options exist?

A. The option we see is responsible use of a person’s unique biometric signature as a replacement for passwords and insecure 2FA schemes. By responsible use we mean sequestering a person’s bio signature from both the device’s OS and from that information’s storage and/or use in the cloud. One must assume that the operating system layer is compromised, and assume that the cloud is unsafe. Therefore a biometric authentication protocol can only rely on storing user data in a trusted environment on the device, away from the operating system.

We can take our cue from the latest mobile devices being deployed, as well as some computers, which use on-device biometric sensors – usually a fingerprint sensor or facial recognition camera. These devices have been seen to rely on a Trusted Execution Environment (TEE) that specifically handles the verification of biometric information separately from the primary device’s core operating system, which is susceptible to malware.

What’s significant about this development is that, until recently, mobile devices that are convenient to use were not built to be capable of evaluating biometric information in such a manner. Equipped with biometric sensors and specialized processors, these new devices have the ability to change the way that users authenticate to services they use every day such as email, social media, and banking – as well as more specialized scenarios such as accessing health records or prescriptions, and even voter registration. More importantly, with biometric authenticators now widely available, the platforms providing these services have a major incentive to make biometric-based authentication available as a benefit to their users.

• Q: Are there any caveats about biometric authentication that merchants should be aware of?

A. It needs to be said that utilizing biometric signatures to verify user identity is not a panacea for the security problem. Biometric authentication is a conclusive, logical way to prove one’s identity because a biometric signature is unique to each person. However, users must exercise caution. Organizations would do well to implement a security program that uses biometric data as one tool for proving user identity and ensures that sensitive data is only accessible by the individual to whom it biologically belongs. Again, this means specialized processors and TEEs are where a person’s unique biometric signature should be stored, and other security tools should include channel binding, robust encryption, and tokenization schemes. Used in the context of a comprehensive security strategy, biometric authentication helps provide the level of security required by our rapidly changing, Internet-driven world by replacing the inherently flawed use of passwords.

A former webmaster, George Avetisov has been interested in improving the Internet experience since building his first website at the age of 11 – a fan page dedicated to his favorite childhood anime. At the age of 19,  he cofounded an online store generating over $6m in annual revenue at the time of his departure. Armed with years of experience in cyber fraud and e-commerce, coupled with a strong drive to build a secure internet ecosystem, George now focuses on his position as co-founder and CEO of HYPR Corp.