Unless you’re in ‘the banking industry’ or perhaps an avid news reader, the importance of anonymization probably isn’t top-of-mind. That may be because it doesn’t feel like it immediately affects you. It does, and you’ve been putting up with it being done wrong for many years.
Consumers have generally lost track of what privacy means, which allows for uninformed assumptions about how safe their personal information is in the hands of the businesses they frequent. To make matters worse, our digitized lives and hectic schedules likely mean there are more than a handful of old and unused accounts, probably using the same or similar credentials. That is very risky: one breach breaches them all! Believe me, it’s scary, isn’t it?
“If you’re not paying for the product; you are the product.”
Perhaps you’ve heard that colloquialism before; if not, you might be surprised by its meaning. Let’s put it into real-world terms so you have a better understanding. Do you use Gmail, Twitter, Facebook, or perhaps a loyalty program? Since you aren’t paying for any of these products, the companies need to make money somewhere, and that’s where you become the product. The things you do, the messages you send and the places you go are really valuable to marketers and advertisers, and they pay handsomely for that information. All of these pieces of information (data), tied directly to you, your address, your habits, perhaps your credit card numbers or worse, are the product. They promise it is secure.
Is it? The flimsy layer of protection that we all rely upon, usernames and passwords, is the minimum information extracted in the data breaches that have become commonplace. So common that Cylabs recently published a study indicating that only 33% of consumers modified their passwords after an announced breach event. This means that bad actors are likely to be successful in accessing personal private information, bank and credit accounts and other digital assets 67% of the time: very lucrative odds that will continue to encourage them.
This doesn’t even account for the unfortunate habit of reusing the same username and password across a number of accounts. One breach and they have them all.
Physical retail, mail order (yes, it’s still out there), and e-commerce (digital mail order) each present their own set of general business risks. Theft and fraud are still the most common; however, with the growth of digital commerce, credential hijacking, account takeover, and identity theft are on the rise. The most common assumption is that the merchant card processor is responsible for managing data protection on your behalf, and they are, but that does not remove your ultimate responsibility to protect it.
Thinking this doesn’t apply to you? Do you accept debit or credit cards? Do you offer a loyalty program? Does your POS contain any customer information? What about ID checks: is the information from the process being cached or stored in any way, in any fashion? Sadly, you may not even know that it is, and it is putting the viability of your entire business at risk.
Anonymization – What does it mean?
Anonymization is the process of protecting private or potentially sensitive information by altering the information that connects an individual to the stored data. In most cases this applies to data in transit, but it doesn’t necessarily apply to data at rest (meaning data that is not actively in use or being transmitted). There are a number of techniques used to achieve this; some of the more common are:
- Encryption – obfuscation of sensitive information so it is of no value to bad actors should it be extracted.
- Data Masking – effectively hiding data using altered values such as character shuffling or word substitution.
- Pseudonymization – a de-identification method that replaces private identifiers with fake ones (pseudonyms).
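As an added illustration of the data masking and pseudonymization items above (not code from the original article), the sketch below applies both to constructed loyalty-program records. It assumes keep-last-four masking and a keyed HMAC-SHA256 pseudonym; the field names, the key and the `cust_` prefix are hypothetical.

```python
import hashlib
import hmac

# Constructed sample records, shaped like rows a loyalty program or POS might hold.
RECORDS = [
    {"email": "Pat.Doe@example.com", "card": "4111 1111 1111 1111", "item": "coffee"},
    {"email": "pat.doe@example.com", "card": "4111111111111111", "item": "bagel"},
    {"email": "sam@example.org", "card": "5500-0000-0000-0004", "item": "tea"},
]

# Assumption: a real key is loaded from a secrets manager and stored apart from the data.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace an identifier with a stable, keyed pseudonym (HMAC-SHA256).

    A plain unkeyed hash would let anyone holding a list of candidate
    e-mail addresses recompute the mapping; the secret key prevents that.
    """
    normalized = identifier.strip().lower()
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
    return "cust_" + digest[:16]


def mask_card(card: str) -> str:
    """Mask a card number so only the last four digits remain readable."""
    digits = [c for c in card if c.isdigit()]
    if len(digits) < 12:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def anonymize(record: dict) -> dict:
    """Return a copy usable for analytics: no raw e-mail, no full card number."""
    return {
        "customer": pseudonymize(record["email"]),
        "card": mask_card(record["card"]),
        "item": record["item"],
    }


if __name__ == "__main__":
    for rec in RECORDS:
        print(anonymize(rec))
```

The first two records map to the same pseudonym, so purchase history can still be linked per customer without storing the e-mail address alongside it.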
It is important to recognize that security is most effective when implemented in layers, i.e. the more layers, the better the protection. So the anonymization of data provides a strong safeguard, but is it enough?
Is Biometrics enough?
Here’s another often misunderstood tech.
Odds are you use some form of biometric security tool, fingerprint being the most common, typically tied to your mobile device. Some devices have even added facial unlocking. These consumer-grade biometric security layers are generally good; however, they’re watered down and tied back to your username and password, making them simply a shortcut to an already established weak security method. In order to maximize adoption and minimize technical support demands, the depth and complexity of these tools have to be greatly simplified, making them much easier to fool and therefore more of a speed bump than a locked door for bad actors.
Commercial-grade biometrics have been proven and in use for some time but are only now becoming more widely adopted. They involve rigorous analysis, tests, verification and validation processes that occur during each transaction and that consumer tools simply aren’t capable of.
Liveness testing and 3-D rendering analysis are examples of such tools. In order for the biometric method to be effective, it must start with an official identification document to validate against, providing a recognized global standard for individual identification verification and validation. Then combine it with spoof-proof 3D liveness. Now you’re cooking!
So, combining the decoupling of private information (through anonymization) with commercial-grade biometrics AND the issuance of tokenized identifiers delivers a dual-key, multi-layer fortress. This approach helps protect the consumer, your business, and the vendors and partners that make up the business supply chain. If everyone requires a dual key-set that cannot be spoofed, guessed, calculated or copied, the transaction and data environments will be secure, and the entire ecosystem will benefit.