
Should I be present to withdraw money from a digital bank?


Should I be present to withdraw money from a digital bank? This is the question that should drive security. If I am not present, how does the bank know I approve? Change your viewing point and you change your point of view.

An upgraded debit card can create and maintain digital existence. Using existence as a factor permits a bank to verify the customer is present before approving a charge. If a customer is shopping online, is it too much to ask them to be present at the bank for approval?

Existence is the seatbelt for cybersecurity. Seatbelts were rejected because they were…too expensive, disruptive, inconvenient, “people won’t use them”.

Consumers CANNOT act responsibly online without a method to do so! Existence provides a system and methodology to maintain a state-of-existence. In the real world a body creates state-of-existence, an upgraded debit card can also do this digitally. People are always online, presence proves identity.

What digital activity requires proof of presence? This is the starting point for cybersecurity. If secure activity requires presence, existence provides a closed environment where secure activity can be migrated, it is a configuration change.


Can we have a moment of cybersecurity honesty?

The truth is sometimes hard to hear but from a point of truth there is a path to a solution. Without objective reality there is only deception. The facts:

  • Browsers are insecure*. They are appropriate for public and classified activity
  • Since 2001 there has been published guidance* for Multi Factor Authentication (MFA)
  • MFA is inclusive of Two Factor
  • Current MFA misrepresents functionality*
  • All secure activity is based on a guess of who is providing data*
  • Every mitigation solution introduced new attack vectors*
  • Existence is the missing factor in cybersecurity*
  • Every solution using MFA authentication is compromised
  • In a binary environment there are two choices: guess or not


The moment a webpage to secure services is loaded into a browser, cybersecurity failed. In a binary environment every decision on a wrong fork is wrong.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” – Stephen Hawking.

Existence strips illusionary security protocols from cybersecurity: https://lnkd.in/eNFR7Qn

References:

Chrome Dev, Eric Lawrence stated it is “Almost impossible to secure a browser’s UI” https://www.theregister.co.uk/2017/01/19/browser_line_of_death/

“Authentication in an Internet Banking Environment”, August 8, 2001, The Board of Governors of the Federal Reserve and the FFIEC

MFA is a “Multi” step process, to gather data as a “Factor” that is transferred for “Authentication” as DATA – one factor

“Today digital identification is based on indirect assertion of Identity. Until a direct assertion [solution] is available it [authentication] will just be an informed guess.” – Dr. Daniel R. Ford, CTO/CIO, 1st Source Bank

“With every new service or connected entity, a new attack vector is born” said Oded Yarkoni, Head of Marketing at Upstream Security http://www.autoconnectedcar.com/2019/01/automotive-cybersecurity-ces-beyond-karamba-upstream-saferide-trillium-zerodayguard/

Existence: “having objective reality”– Oxford English Dictionary

Creating and maintaining existence, “Methods and systems for internet security via virtual software” US Patent No 8,074,261 http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=8,074,261.PN.&OS=PN/8,074,261&RS=PN/8,074,261


Facebook is accused of “friendly fraud”

The question is: What friends want to be defrauded? Children? Facebook also has a “friendly” relationship with financial institutions and exploited it to complete the theft!

Friendly fraud is a direct result of financial institutions not meeting authentication guidance*. Facebook stored credit card data, deceived children and used that data to exploit financial institutions’ “trust” to execute thefts!

“Trust but verify” – Ronald Reagan. Every fraudulent charge is a security protocol failure. The trust relationship fails because verification has not risen to published guidance*. Facebook just got caught.

The solution for fraudulent credit card transactions: FOLLOW GUIDANCE! It has been in place since 2001*. Consumers carry financial IDs, they are called a debit or credit card, UPGRADE THEM! Nothing is secure based on trust alone. The failure to PROPERLY verify must be corrected.

NO fraud is “friendly”, it is a crime! Only financial institutions can prevent fraudulent charges, they authorize the transaction and transfer funds. Valid authentication prevents data from being exploited to steal.

Existence Based Access meets guidance.

“Facebook duped kids into spending on games without Mom and Dad knowing, documents reveal”: https://techxplore.com/news/2019-01-facebook-duped-kids-games-mom.html

“Authentication in an Internet Banking Environment”: https://www.ffiec.gov/pdf/authentication_guidance.pdf

MFA, How it Damages Everyone

The reality of MFA: a “Multi” step process, to gather data as a “Factor”, to be transferred for “Authentication”. The marketing definition of MFA, “Multi Factor Authentication”, is untrue.

Cybersecurity was an inconvenience when the Internet was being created. (link in comments) Security was designed and marketed to be “Friction-less” so that it did not interfere with adoption. However, security requires friction. It is the friction that provides security. In the real world, showing a passport is friction that identifies a body. The Internet has proven friction-less security protocols inadequate.

A REAL cybersecurity SOLUTION: analysis, valid security protocols and technology solutions that function as claimed.

Existence is a system where the endpoint, server and communication are unified into a single process. The process is broken into two parts, a device and its environment. When the device comes into contact with the Internet, it connects to its secure environment. When the device is removed, the connection ends. While connected, there is a state-of-existence plus data; true Multi Factor Authentication, at the point-of-authentication.

Cybersecurity is focused in the wrong place

Data protection is important but protecting the data is not enough. Cybersecurity must also focus on protecting the use of data. In a data rich environment, data alone cannot be trusted to approve a transaction.

A state-of-existence (existence) is created by a body in the physical world. Authentication is all about identifying the body creating existence. Once identified, secure activity can be performed until the body leaves, ending the existence at the secure environment.

Existence-based access provides a serialized private portal as a non-data factor, a state-of-existence, for authentication. The question is, what can current environments do with existence for authentication? Verify presence before executing secure transactions. “If I’m not present, do not take action.”

The goal of authentication guidance since it was first published: a non-data second factor. The goal was aspirational until a decade ago, but indirect assertion was the standard then…and now. It caused an average of $1.6B daily in damage in 2017. Indirect assertion is one-factor authentication; it does not meet guidance.

Existence-based access: not slick marketing, it’s valid science.

Cybersecurity -a Novel Approach

May I present a novel approach to cybersecurity? Hire a physical security expert to assess cybersecurity architecture and protocols. Physical security experts will all point to the same core problems.

First apply proper identification and authentication, indirect assertion of identity fails on both counts. Proper identification has always been critical to security. Second, limit secure portal exposure to only authorized entities.

Every alleged secure digital environment has exactly the level of security it desires. The damage from their security posture is acceptable or their posture would change.

Thousands of years of accumulated physical security knowledge have been rejected in cybersecurity. Nothing is secure when identification and access are uncontrolled; even the ancients understood this. The only solution to guessing identity is to STOP. The only solution for public access to secure services is to remove it.

Existence-based access provides presence at the point-of-authentication. This is the only place authentication factors can be properly deployed. The current multi-step data gathering authentication model never met guidance.

Existence-based access: not slick marketing, just valid science.

Existence-based Access the Future of Cybersecurity

Today’s method for Internet interaction was designed on the fly and built with limited knowledge of what the Internet was or what it would become. Browsers were designed to browse this wild new digital world in a “user-friendly” fashion. Browsers brought the public to the Internet by making navigation easy.

As the public came to the Internet, alleged secure portals were added to this browser-based environment. The decision to move secure services into a public environment granted access to known users and set in motion indirect assertion of identity. Indirect assertion of identity is guessing.

20 years ago, the drive was for Internet usage, not security. When security stood in the way of convenient public access to secure services, security was rejected as a hurdle to the adoption of services by consumers, and security protocols were compromised to meet a business desire. In 2017 these “business defined security protocols” cost $600B in cyber damage.

The time has arrived to re-evaluate uninformed decisions from the past with knowledge garnered from years of experience. Browser-based access is designed for public activity not security. Accessing secure activity from a browser-based environment was, is and will continue to be a violation of security protocols.

For the purpose of this article, the following definitions apply:

  • Existence is “having objective reality”
  • An Aura is a physical device used as identification.

What is existence?

Existence is an interdependent system where the endpoint, server and communication are unified into a single process. The process is broken into two parts, an Aura and its environment. When the Aura comes into contact with the Internet, it is connected to its other half, the secure environment. When the Aura is removed, the connection ends.

The process permits an Aura owner to connect to any USB-C compatible device anywhere, anytime, and a private portal winks into existence for “ultra-secure” communication. When secure activity is completed and the Aura is removed, the private portal winks out of existence. Similar to Einstein’s “Spooky Theory”.

How does existence-based access work?

Process
  • Insert the Aura: Connect the Aura into an Internet connected computing device. This begins the process of creating presence. While the Aura is connected to a computing device, it is present.
  • Authenticate: The Aura contains the endpoint software. Once executed, a uniquely serialized virtual operating environment is created and the process of maintaining a state-of-existence begins by connecting to a Pre-Authentication server to be validated.
    • Pre-Authentication process:
      • Challenge and response process between the Pre-Authentication server and the Aura
      • Path to the location of secure services is returned to the serialized environment
      • The serialized environment connects to the secure services location
    • Connection to Existence Server:
      • Check connection type, anything other than an Aura operating environment is rejected
      • Services connect to Pre-Authentication server setting up triangulation
      • Serialized environment allows application of role-based protocols prior to loading a login process
  • Triangulated monitoring of the process begins verifying that all elements remain present throughout secure activity
  • Perform Secure Activity: starting with an identified individual prior to login allows knowledge data to be validated along with the presence of the Aura
  • Remove Aura key: The removal of the Aura ends the owner’s presence at the secure service provider
  • Secure Environment Vanishes: Once the Aura is removed the serialized virtual operating environment implodes leaving no footprint on the computing device being used.
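The process above, modelled as an added example that is not Secure Aura’s code: a hypothetical Aura answers a pre-authentication challenge with a keyed MAC, the services path is released only on success, the existence server rejects any non-Aura connection type, and every authorization is gated on the presence flag that monitoring keeps current and removal clears. The HMAC challenge/response, the connection-type label and the services path are all assumptions chosen for illustration.

```python
import hmac
import hashlib
import secrets

SERVICES_PATH = "existence-server.example"  # constructed placeholder location

class Aura:
    """Hypothetical device: answers a challenge with a keyed MAC over it."""
    def __init__(self, serial, key):
        self.serial, self._key = serial, key  # key is a constructed shared secret
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class PreAuthServer:
    """Challenge/response step; returns the services path only on success."""
    def __init__(self, enrolled):
        self.enrolled = enrolled  # serial -> shared key (constructed enrolment table)
    def challenge(self):
        return secrets.token_bytes(32)  # fresh random challenge, never reused
    def validate(self, serial, challenge, response):
        key = self.enrolled.get(serial)
        if key is None:
            return None  # unknown serial: no path is released
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return SERVICES_PATH if hmac.compare_digest(expected, response) else None

class ExistenceServer:
    """Accepts only Aura environments and gates every action on presence."""
    def __init__(self):
        self.present = {}  # serial -> bool, kept current by monitoring
    def connect(self, serial, connection_type, path):
        if path != SERVICES_PATH or connection_type != "aura-env":
            return False  # browser or unknown environment: rejected
        self.present[serial] = True
        return True
    def monitor(self, serial, device_attached):
        self.present[serial] = device_attached  # result of the presence check
    def authorize(self, serial, knowledge_ok):
        if not self.present.get(serial, False):
            return "DENY: not present"  # "If I'm not present, it's not me"
        return "APPROVE" if knowledge_ok else "DENY: bad credential"
    def remove(self, serial):
        self.present.pop(serial, None)  # environment vanishes on removal

def login(aura, pre, srv, conn_type="aura-env"):
    """Insert -> pre-authenticate -> connect to the existence server."""
    c = pre.challenge()
    path = pre.validate(aura.serial, c, aura.respond(c))
    return srv.connect(aura.serial, conn_type, path)
```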

Existence-based access

The existence environment is an empty container much like a bottle. When a bottle is filled with milk, soda, juice, etc. it is referred to by the content of the bottle. You go to the refrigerator for milk, soda or a juice never thinking about the container, be it a bottle or can.

Similarly, existence containers take on the properties of what is loaded into them, much like the bottle. Secure Aura is introducing a blockchain payment system in an existence container, so it becomes an “Existence-based Payment System”. Cyber Safety Harbor offers a communication suite for messages and file transfer, so it is an “Existence-based Communication Suite”.

It does not matter what is loaded into an existence solution. The key to the system is the ability to:

  • Remove public access to secure services
  • Identify an Aura before granting access to a portal
  • Apply role-based access prior to user interaction
  • Evaporate when access is completed, leaving the only record of activity within the secure environment

The breaches of the past have destroyed any value of data credentials. Existence is focused on protecting the use of data by providing a second unique factor for authentication. Existence can be initially deployed in parallel to existing infrastructure providing a method to verify presence before executing a transaction. (If I’m not present, it is not me.)

Once presence is applied, secure services can migrate into existence-based access for interaction. As existence’s functionality is fully realized, it creates a closed secure existence community of known users, thus improving overall data security. With the removal of public access, monitoring granted access becomes manageable.

Computer science is binary. Therefore, authentication is a binary decision:

  • Indirect Assertion of Identity that uses complex data and the hope that the owner of the data is the entity presenting it

OR

  • Direct Assertion of Identity that bases access on a state of existence via a serialized private portal

Indirect assertion of identity is fully mature with over 20 years of history. The result of guessing as an authentication protocol has proven results. “Cybercrime cost $600B in 2017”. $600 Billion divided by 365.25 equals $1.6 Billion per day in cyber damage. An existence solution would cost less!


Attack Vectors Eliminated

“With every new service or connected entity, a new attack vector is born,” said Oded Yarkoni, Head of Marketing at Upstream Security. “These attacks can be triggered from anywhere…”.

I agree, and the opposite is also true: correcting higher-level security issues eliminates many downstream attack vectors. In cybersecurity, the highest-level mistake set in motion a number of security violations.

The highest-level cybersecurity error: Moving secure activity into a browser-based public environment. From here each solution to mitigate public access created a new attack vector. 20 plus years later, there are too many mitigation-based attack vectors to secure!

Merging public and secure activity provides access to unknown entities. Then using indirect assertion of identity for authentication introduced “informed” guessing as a security protocol. Guessing identity is not valid in any security protocol.

Existence-based access creates a presence at a secure environment. Data is a second factor. Existence removes browsers, public access & guessing from secure services. The downstream effect of presence is an improvement.

A presence check before executing a transaction is essential authentication. “If I’m not present it’s not me!”

Cyber Security’s Climate Change

Indirect assertion of identity, science denial and ignored guidance are the cyber world’s climate change. In 2021 when the damage hits $684.5 million per HOUR, will it swallow Wall St. and the world economy? 2021 is just a few years away.

In 2001 authentication guidance recommended Multi-Factor Authentication, NOT Multi-Step data gathering Authentication. The failure to follow guidance led to an average of $68.4 million in cyber damage every hour in 2017.

A method to meet the guidance did not exist in 2001, it was aspirational…but it did in 2007. However, in 2007 solving a problem, that was deemed “manageable”, was not important. Is $600 billion in damage in 2017 still manageable? What about in 2021? The first financial services company to license and deploy an authentication solution that meets guidance has been announced.

Following guidance requires merging the endpoint, server and communication into a single interdependent process divided between the provider and a user’s device. A state-of-existence, “Presence Factor”, plus any other factor meets guidance.

If a scientifically valid authentication process is too much to expect, cybersecurity is doomed.

Risk Acceptance is Unacceptable

In the 1990s a concept called “Risk Acceptance” was used to justify the failure to meet online security protocols and guidance. The theory: complex data is enough to keep unauthorized entities from gaining access, so the risk is acceptable.

This may have been an acceptable risk when Internet usage was counted in the millions of users but at 10 billion Internet connected devices, the math no longer works. Indirect Assertion is an UNACCEPTABLE risk. The failure to apply proper identification is an open secret that can no longer be ignored.

Resolving the identification problem may be disruptive, but wouldn’t it be a good thing to disrupt $5.5 million per hour in online payment theft? The losses are greater than the cost of the solution.

The problem is clear, the solution is available, the damage is unsustainable. Inaction in the face of $600 billion in annual cyber damage is also unacceptable.

Creating and maintaining a digital state-of-existence provides for proper identification online. Existence (a Presence Factor) plus any other factor meets guidance.