IDG Contributor Network: Financial enterprises look to decentralization to reduce the risk of a massive breach

With an estimated 30 billion devices connected to the Internet of Things (IoT) by 2020, many of them payment-enabled, ensuring they are properly secured is more important than ever. Criminals constantly test the progress of cybersecurity measures as their attacks grow more sophisticated.

Following last year’s string of mass credential breaches, it’s clear that conventional methods of securing passwords, PINs and biometrics are falling short of safeguarding the sensitive information used for authentication and payment authorization. Centralized repositories of consumer data at enterprises have repeatedly proven to be coveted targets for hackers. Without a paradigm shift in authentication, and with banking, financial and other business activity becoming more digital, data breaches can only be expected to persist. Consider alone the growth of e-commerce and m-commerce, which therefore receive less of the EMV protection found only at POS systems, a shift driven by Sears and now Toys“R”Us.

Native biometrics and passwords are not enough to authenticate true users

For this reason, many online service providers are beginning to offer native biometric features such as Apple’s Touch ID and Face ID, Samsung Pass or the myriad sensors of third-party vendors. Biometrics are often more desirable because they are convenient and authenticate users more accurately than a typical password/PIN combination, which in the hands of another can serve as the keys to the kingdom once account access is granted. Native and third-party biometrics do have their flaws, however. Some merely unlock the device, or act upon passwords that are still in use and still stored at the service provider, essentially using a fingerprint scan to paste in the password. Others, especially third-party ones, have more explicit vulnerabilities: they store biometric templates centrally at the service provider, making them no safer than passwords.

Centralized databases are an easy, appealing target for fraudsters, since the sheer number of records obtained in a single breach caters to their wholesale fraud model. As the Yahoo, Equifax, FedEx and other breaches have proved, stolen credentials sell on the dark web for only a few dollars each, yet at a scale of millions of records that still makes fraud a profitable endeavor. Centralizing data also creates a single point of failure in a system designed to protect privacy and financial assets. Enterprises are starting to realize this is counterintuitive and unnecessary, now that advances in mobile devices make it reasonable to conclude that most people are already carrying biometric keys capable of storing encrypted templates on the device itself.