Moves towards a password-free future
Imagine a world where your micro movements and fingerprints unlock your most sensitive information. Katie Kenny discovers we’re there.
Aaron Doody was the victim of identity theft the old-fashioned way: thieves broke into his Wellington flat and pinched his passport.
It was 2015 and Doody, now an accountant in Auckland, immediately cancelled his passport and called the police. But a week or two later, a man strolled into a Waikato ANZ and withdrew $2000 cash from Doody’s account, using his passport as identification. Then came bills from Spark and Vodafone, for accounts he didn’t recognise and products he hadn’t ordered.
Eventually, the cash was reimbursed and the debt wiped, but Doody worries what the impact would have been on a struggling family or individual.
‘‘The banks and telcos should have been able to access a register of cancelled passports,’’ Doody says. ‘‘There needs to be a higher duty of care. I don’t think you can be excused for taking those documents at face value, anymore.’’
If the offender had been asked to prove their identity with biometric information, such as fingerprints or iris scans, he wouldn’t have left the bank with $2000, and might not have been allowed to leave at all (according to the latest KPMG International Global Banking Fraud Survey, nearly 70 per cent of banks have invested in physical biometrics such as fingerprint, voice pattern and face recognition).
In an ideal world, according to some technologists, activities such as banking would involve a digital identity, controlled by the individual. It could include everything from birthdays to qualifications. No passwords, and no physical passports.
It sounds far-fetched, but owing to the growing problem of identity theft, it’s being pursued with urgency. In December 2018, the Government committed $5.15 million towards a two-year digital identity programme, led by the Department of Internal Affairs, looking at ways to put Kiwis in control of what happens to their data.
More than 130,000 New Zealanders fall victim to identity theft annually, with passport details the most commonly stolen. Usually, identities are stolen online, and passwords are a common weak point. Strong, unique passwords is one of the best protections, yet many of us resort to repetition, or the names of pets. Kiwis are among the worst offenders in the world when it comes to reusing passwords, behind Canada and Australia.
As computers are being embedded into everyday life – not just phones and watches, but cars and health systems – the consequences of data breaches are only becoming more dire.
‘‘I hate passwords,’’ says Digital Identity New Zealand executive director Andrew Weaver. ‘‘When passwords first originated, they were a good mechanism to keep your two, four, five accounts secure. But now, if like many people you have hundreds, they make absolutely no practical sense.’’
While password managers can
‘‘I don’t think you can be excused for taking those documents at face value, anymore.’’ Aaron Doody
help users generate different passwords, accessible via a socalled master password, they’re only an ‘‘interim solution’’.
The obvious next step is biometrics – identifiers such as our fingerprint, retina, gait and voice. If you’ve travelled internationally and had your photo or fingerprints taken on arrival at an airport, you’ll be familiar with biometric authentication.
‘‘Generally, biometrics are more secure in their strong link to an individual,’’ Weaver says. ‘‘I can absolutely see a future where passwords are not required.’’
The complicating factor for biometric authentication is having that stolen, too. As biometric databases grow, they become an increasingly attractive target.
Technology companies are investing in less tangible versions of biometrics; behavioural traits, such as the angle you hold your device at, how often you pause between typing letters. Essentially, micromovements, which are less sensitive and much harder to replicate. Another option is contextual authentication — where the factors around a user’s login decide whether the person is likely to be who they say they are.
For example, if my routine dictates I arrive at work and access my desktop at 8.30am, then someone attempting to log in from a different country at a different time might raise red flags.
While Doody was able to move on from his identity theft relatively quickly, that wasn’t the case for Axton Betz-Hamilton, an expert in identity theft who teaches at South Dakota State University.
Betz-Hamilton had a childhood plagued by identity theft committed by her own mother.
The family, living in rural Indiana, crept closer to financial ruin as a mysterious doppelganger drained their bank accounts. It was only after her mother’s death in 2013 that BetzHamilton and her father discovered it was her.
‘‘I remember wondering what we’d done to deserve this,’’ says Betz-Hamilton. ‘‘I was always on the defensive, wondering why people were asking questions, worried they were trying to get more information out of me.’’ When she checked her credit report for the first time as a student, she was dismayed her score was in the lowest two per cent. She disputed fraud charges, but was rarely believed. She focused on working hard to clear her debt and establish good credit, while paying exorbitant interest rates.
Technology has contributed to the proliferation of this problem, and technologists have to solve it, says Brad Pearpoint, managing director at cybersecurity firm, Advantage.
Historically, New Zealand has been too small for cybercriminals. However, they’re now realising the country is an untapped market, Pearpoint says.
‘‘There are plenty of marketplaces online where people are freely trading them. Health records are also valuable, because they often contain people’s addresses and family member details. People are getting around US$10-US$15 for health records, whereas credit card records are worth about US$1. Passports, depending where they’re from, fetch US$50US$100.’’
It’s the responsibility of those holding the information to protect it, he adds.
While biometrics can keep companies safer because people ‘‘can’t lose their fingerprints’’, they also involve greater risk if, say, employers are holding individuals’ sensitive information. ‘‘It’ll solve part of the problem but it’s not a panacea, it won’t stop people losing their data.’’
Regardless, it’s on the rise, says Cert NZ operations manager Declan Ingram.
While Cert NZ doesn’t have specific data on compromised biometrics, he believes it will likely be a more common way for attackers to access accounts. His advice is to share biometric information only with trusted services. ‘‘If you’re not sure, a strong password that you haven’t used anywhere else could be a better choice.’’
Privacy Commissioner John Edwards says that if a biometric identifier is compromised there might be nothing the victim can do to protect themselves. ‘‘They can’t change their face, retina, gait, or voice or fingerprint.’’
In most cases, biometric authentication allows a user to bypass passwords . So it doesn’t necessarily solve the password problem, says Caroline Dewe, CEO at Alphero.
In the digital agency’s Wellington office, Eujin Au, a digital architect, adds: ‘‘There’s always a password in the equation... But with biometrics, maybe we can minimise the number of them, and make them stronger.’’