The Evolution of Data Security: APIs and Phone Numbers

Published October 19, 2015 by Eric Nadalin

Mobile app downloads are increasing at a rapid rate as individuals and organisations use mobile apps to access personal and business information through mobile devices. Gartner predicted that global app downloads will reach 268 billion by 2017, with business apps one of the fastest growing categories. This increasing ‘appification’ changes the way we create and consume digital content. You can now retrieve your personal information on demand; but so can hackers, criminals and even spies. For businesses—big and small—data breaches can be crippling. The need for data security has become ever more urgent.


Authentication—a matter of survival

With mobile devices and apps driving e-commerce, there will be changes in the way transactions are made. The inception of cryptocurrencies and financial technology such as Bitcoin, Google Wallet, PayPal and Apple Pay only expedites the need for data security, given the tendency of cyber-criminals to search for exploitable loopholes in the system in order to make a quick buck. Verifying user identity and transactions is of paramount importance to the prevention of fraud, theft, fake profiles, spam, scams and click-baiting. Failure to ensure a secure environment around transactions damages customer experience, retention and brand equity, and could result in serious fines and legal ramifications.

The provision of a robust data security system is not merely a service that customers entrust businesses with. Verification of identities is also a requirement set by regulators; the European Banking Authority (EBA) has issued guidelines on strengthened levels of customer authentication for payment service providers. Similarly, the Monetary Authority of Singapore (MAS) has made two-factor authentication (2FA) a mandatory process prior to logins and transactions, and SingPass users have to use a one-time password in order to engage in secure e-government transactions involving sensitive data. SingPass (Singapore Personal Access) is an online account management system for access to Singapore Government e-services using only one user ID and one password.

And you thought your password was secure

Company websites prompt users to change their passwords frequently to minimize unauthorised access. Remembering multiple passwords, however, each with its own unique permutation, can prove daunting, and in practice useless. A Verizon risk study has shown such methods to be futile: 95 per cent of web app attacks involved harvesting credentials stolen from customers' devices and logging on to web applications with them.

Phone numbers are the ultimate user identity

The static nature of traditional logins and passwords is obsolete as hackers require only the pre-set login-password combination to breach an account. Taking into consideration the need for universality, a dynamic security system, positive user experience and information privacy, phone numbers are best equipped to tackle the challenges of data security today.

First, phone numbers address the issue of universality, as they have a global reach of six billion people, allowing governments and private enterprises to engage their stakeholders on a single, standardised platform. Second, phone numbers are impossible to forge, unlike online identities, because telcos function as an external system independent of the businesses that rely on them. Lastly, phone numbers are exclusive to the user, meaning that information sent to a particular number will be private.

But telcos were not created for the purpose of authentication

Despite the suitability of phone numbers for verifying identities and transactions, there exist several flaws in the system which may undermine the verification process, although through no fault of the telcos themselves.

Given the variation in global numbering plans, phone numbers need to be distinguished between mobile and landline, as only the former can receive or send messages. Global delivery of messages requires copying from one satellite and forwarding to another, possibly compromising security. Carriers and compliance laws may block or filter messages, preventing the user from receiving the information needed for identity verification. Country-specific compliance filters include send hours and illegal content, whereas carrier-specific filters include encoding languages and carrier policies.

APIs to the rescue

APIs can overcome the above-mentioned shortcomings by providing a direct connection with the telcos themselves. The generation of a random one-time password (OTP) with a short expiry period provides a dynamic security system, protecting users against replay attacks. This means that potential intruders who manage to record a used OTP will be unable to access the system, as the OTP has already been invalidated. Also, several features can be added, such as a function call to authenticate, automatic logout after a certain duration, and push notifications.
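The replay protection described above comes from two properties of the server-side OTP store: a short expiry and single use. The following is an added example, not code from the original post or from any particular telco API; it assumes an in-memory store, an injectable clock so expiry can be exercised, and a constructed sample phone number.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed short expiry window
MAX_ATTEMPTS = 3        # cap guesses before the pending code is discarded


@dataclass
class _PendingOtp:
    digest: bytes       # SHA-256 of the code; plaintext is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues one random OTP per phone number and accepts it at most once."""

    def __init__(self, clock=time.time):
        self._clock = clock      # time source in seconds, injectable for tests
        self._pending = {}       # phone number -> _PendingOtp

    def issue(self, phone: str) -> str:
        # Cryptographically random numeric code, zero-padded to OTP_DIGITS.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = _PendingOtp(
            digest=hashlib.sha256(code.encode()).digest(),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # caller hands this to the SMS gateway, not to the client

    def verify(self, phone: str, code: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False                 # nothing issued, or already consumed
        if self._clock() > entry.expires_at:
            del self._pending[phone]     # expired: discard so it cannot be retried
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry.digest)
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]     # single use: a recorded code now fails
        return ok
```

Because the entry is deleted on first successful verification, an intruder who captured the code cannot replay it, and an attacker guessing codes exhausts MAX_ATTEMPTS before the six-digit space becomes searchable.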

Towards the future

The next stage of data security will most likely see the use of biometrics, such as fingerprints on a digital device, in the authentication process. OCBC Bank, for example, is the first bank in Singapore to allow customers using mobile devices equipped with fingerprint sensors to access their bank account for details such as transaction history and account balances. But hackers are increasingly turning their attention to stealing fingerprint IDs, having recently stolen the fingerprint IDs of 5.6 million US government employees.

As technology continues to evolve and transform the way we access information, our security measures must also follow suit. With data security becoming ever more important—particularly in the fields of social networking, e-commerce and fintech—users are demanding less intrusive forms of authentication. While over-complicating the process puts an unwelcome strain on user experience, actionable authentication is a necessity, given the crippling implications of data breaches. In response, one plausible solution is the development of adaptive authentication, where risk signals such as a change in IP address or transaction size trigger stronger authentication requirements. Reconciling security and user experience is not impossible, after all.

This post originally appeared in NetworkWorld Asia.