The Green Sheet Online Edition
November 11, 2013 • Issue 13:11:01
Tyfone confronts data security 'cross over'
On Oct. 7, 2013, mobile identity verification and security firm Tyfone Inc. entered a pilot program with Wisconsin-based CoVantage Credit Union to test Tyfone's connected smartcard (CSC) technology. The CSC chip hardware, which can be integrated into different form factors such as a plastic card, microSD card or key chain dongle, is designed to protect consumers' banking and payment data at a time when the two-factor authentication method of user name and password is widely seen as broken.
The pilot is based on Tyfone's SideSafe microSD card for Android-based smartphones, with CoVantage employees and select business members issued "corporate IT" devices. The plan is for the pilot to then transition to the Bring Your Own Device stage.
Post pilot, Tyfone expects to introduce its proprietary SideKey technology, which makes the CSC chip functionality accessible via a key chain or a wearable device that is interoperable with smartphones, tablet devices and PCs. "Communication protocols may be NFC [near field communication] or Bluetooth, and commercial offerings will have a menu of form factors for institutions to choose from," Tyfone said.
Inside the cross over
Dr. Siva Narendra, co-founder and Chief Executive Officer at Tyfone, likened the current security infrastructure designed to protect sensitive cardholder data stored in the cloud to a medieval castle: the data is protected by strong, high walls – firewalls and virtual private networks – that are fatally weak nonetheless.
"This wall is very porous because a legitimate user still needs to get into the fortress, so there are doors everywhere," Narendra said. "And these doors are actually getting weaker rapidly, by the day."
Narendra referred to Moore's law, which states that computational power doubles every 18 months. That means ever faster processing speeds for smartphones and computers, but equally faster data crunching capabilities for fraudsters. To counter this exponential growth in password hacking speed, ever longer passwords are required. Four-digit passcodes that were sufficient protection 30 years ago have given way to the stringing together of eight to 12 numbers and letters, with special characters thrown in. But that path is unsustainable.
Based on Moore's law, in 18 months, passwords will need to be 24 characters long and, in three years, they will need to expand to an impractical 48 characters, Narendra said. In fact, he stated that the password security infrastructure is nearing a "point of no return," where hacking speeds will outstrip current security forever. Narendra called it the "cross over," and added that we are currently in the middle of it.
The "software-based password is dead," Narendra said. "It's just a matter of us recognizing it." He noted that regulatory and standards bodies, such as the National Institute of Standards and Technology, are aware of it, but not others, including payments businesses. "A lot of IT folks are in denial," he said.
Hardware to combat hardware
According to Narendra, the solution to this security dilemma is to migrate account security to physical devices that only individual accountholders can access. "The only way you can compete with hardware speed is by using hardware with you as opposed to [data stored] in a central location," he said.
Tyfone's CSC technology is designed to do just that. The password is stored in the secure chip, which is the safest place to store information, according to Narendra. "[I]f you want to visit a website and make a transaction, you go to a website and your password would be validated by your key chain and then the key chain will expose the certificate for this request, challenge, response paradigm," he said.
Tyfone chose to roll out CSC in a variety of form factors because the device needs to be portable and independent of smartphones and corresponding mobile wallets. "Today, when you buy a pair of pants, the wallet is not stitched to it," Narendra said. "You carry your wallet from one pair of pants to another. So we wanted the technology to be just that – neutral."
Beyond the threat of the cross over for individual security looms the national security issue, as it is generally assumed foreign governments and terrorist organizations are stockpiling hacked passwords for future use in cyber warfare. "Control systems for utilities, petrochemical, some of these systems have already been breached by unfriendly parties," said Don Bloodworth, Chief Financial Officer at Tyfone. "They're just sitting back and waiting to act upon that [information]."
The government sector has taken notice. In December 2012, In-Q-Tel, the private industry investment arm for the CIA and the larger U.S. intelligence community, partnered with Tyfone to develop CSC for government applications.
Narendra said mass adoption of CSC technology is about a year away. He believes CSC uptake will track with the rollout of Europay/MasterCard/Visa chip cards in the United States.