As the author of the autobiographical book-turned-film “Catch Me If You Can,” Frank W. Abagnale knows a thing or two about theft. Once a con man, he now works as a security consultant and has written multiple books on the subject. We asked him about the biggest trends in the world of digital security.
What are the biggest trends in digital identity right now?
The trends I see are the realization that passwords are the core issue we face, and that we need to work to remove them. All the breaches you hear about are related to stealing static credentials. We have to make things harder for criminals to steal and easier for consumers to use. I see that, in the near future, more and more organizations will prioritize this task, as we now have industry solutions for it.
The next trend I see is using government-issued ID to prove identity for online transactions. Just as when you drive you are asked to show your driver’s license, we now have the technology to do that on mobile phones. Because it is so easy to fool the support call center and pretend to be someone else, the need for better identity proofing to prevent SIM swaps is urgent.
How do you foresee blockchain impacting digital identity?
Blockchain is a great technical invention. It does not, however, solve the core issue of identity theft and fraud. If I steal an identity and open an account with it, and then it’s stored in a blockchain, how will we ever undo this record?
The fact that blockchain perfectly seals the record and makes it public does NOT make it true, real, nor correct. While I do see this technology being used, it is a folly to think it will solve the root cause of the identity theft crisis.
From a security standpoint for businesses, what are the advantages and disadvantages of maintaining a private cloud vs. a public cloud?
Ten years ago, this was the top-of-mind question. I think today, most organizations are going to focus on HOW to port more operations to the public cloud, not if. For cost reasons alone — not to mention the scale — it is the path of the future.
With the security landscape changing all the time, we cannot assume anymore that if we host our own data it is “safer.” By using good encryption and best practices, organizations can and should consider the faster — and more secure — delivery option, which happens to be public clouds.
What are some rudimentary security steps you can implement for any data you’re collecting from clients?
Encryption, and when possible one-way hashing. Say you want to authenticate a customer by asking them to scan their driver’s license (on a risky transaction). You do not need to store any PII (personally identifiable information) to do so. You do not need to store the data encrypted with a symmetric key either. If you one-way hash the data into a value you cannot reverse, you can still run the comparison without risking your customer’s data.
To explain this, I use this line: “You can’t unscramble scrambled eggs.” One-way hashing prevents the data from being reverted to its original values.
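The hash-and-compare approach Abagnale describes above, as an added example in Python that is not part of the interview. It uses a keyed one-way hash (HMAC with a server-side secret, often called a pepper) rather than a bare hash, because license numbers and birth dates are guessable and a plain digest of them could be reversed by trial; the PEPPER constant, the field names and the enroll/verify helpers are constructed for this demo.

```python
import hashlib
import hmac
import unicodedata

# Server-side secret ("pepper"). Constructed for this demo; in practice it lives in a
# secrets manager, never in the database alongside the stored fingerprints.
PEPPER = bytes.fromhex("7f3a1c9e4b2d6a8f0e5c3b1a9d7f2e4c6a8b0d1f3e5c7a9b2d4f6e8a0c1b3d5f")


def normalize(field: str) -> str:
    """Canonicalize a scanned field so formatting differences (case, dashes,
    slashes in dates) do not change the fingerprint."""
    return "".join(ch for ch in unicodedata.normalize("NFKC", field).upper() if ch.isalnum())


def license_fingerprint(license_number: str, dob: str, state: str, pepper: bytes = PEPPER) -> str:
    """Keyed one-way fingerprint of the license fields. Only this value is stored;
    without the pepper it cannot be recomputed, and it cannot be reversed."""
    canonical = "|".join(normalize(f) for f in (state, license_number, dob)).encode()
    return hmac.new(pepper, canonical, hashlib.sha256).hexdigest()


def enroll(customer_db: dict, customer_id: str, license_number: str, dob: str, state: str) -> None:
    """Store the fingerprint for a customer; the raw PII is discarded after hashing."""
    customer_db[customer_id] = license_fingerprint(license_number, dob, state)


def verify(customer_db: dict, customer_id: str, license_number: str, dob: str, state: str) -> bool:
    """Recompute the fingerprint from a fresh scan and compare in constant time."""
    stored = customer_db.get(customer_id)
    if stored is None:
        return False
    return hmac.compare_digest(stored, license_fingerprint(license_number, dob, state))


if __name__ == "__main__":
    db = {}  # stands in for the customer record store; constructed sample data below
    enroll(db, "cust-1", "D-1234567", "1985-03-14", "CA")
    print("stored value:", db["cust-1"])  # a 64-hex-char digest, no license data
    print("same license, different formatting:", verify(db, "cust-1", "d1234567", "1985/03/14", "ca"))
    print("wrong license number:", verify(db, "cust-1", "D-1234568", "1985-03-14", "CA"))
```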
What industries are currently most at risk for a data breach?
It’s better to ask which one isn’t, and the answer is simple: everyone is at risk, period. There are only two kinds of organizations: those who have been breached and know it, and those who have been breached and don’t know it, yet.
If you are in charge of security and you are still using passwords to protect your organization, your employees, and your customers’ data, you are putting them all at risk. We are all insecure because we are still using technology from the 1960s to protect us today. To change the security landscape and turn the tide, we need to move off of passwords.