Freedom at a cost: how do you build trust online?
Okay, so my understanding is that there's a lot of freedom with our digital identities and being able to maybe create an ideal image of ourselves, etc. Conversely to that freedom, what are some of the risks and costs associated with our digital identities?
I think you're right. That freedom definitely comes at a cost. It's hard to prove digital identity, and many of the current approaches – such as email + password + SMS PIN codes – add complexity for the user without actually addressing the core issue, which is: can these identities be trusted?
As I mentioned before, you can have email addresses that represent your identity online. And you could have multiple [email] addresses – for example, it's easy to get Gmail addresses; they're free, and so bad actors can exploit that freedom. You can have multiple accounts created by using those multiple free email addresses, and bad actors can hide behind them either to commit fraud or just to spread fake news. The trick is very much to have some sort of balance between the freedom and the friction; the freedom and that proven identity.
Coming back to mobile numbers as the core theme here, it's an interesting approach to use a mobile number as an online identity. It's personal, but it's not too personal, so people are willing to share it, and generally we give out our number to other people. But if you can make it something that has an associated security factor – and the phone does this, because it's got the SIM card – then you can have that thing which you're willing to share, but at the same time has a proven credential, and that allows you to build trust associated with that.
Where does the responsibility lie for fraud and fake requests for information?
Authentication is definitely getting more and more complex. I know when I forget a password to an account, I can go through multiple levels of verification to gain access, and often it's very frustrating.
If I know this, then of course, bad actors also know this, and can capitalize on that opportunity to confuse mobile users and get their information; taking over their digital identities. So, Paul, how can people trust that they're being asked for legitimate information via their mobile devices?
My view is that as an individual, obviously, we should always be vigilant. I think that's just a natural responsibility that everyone should have. So try not to share personal information online; banks will always say that they're not going to ask you for personal information and PIN codes. You just shouldn't share that personal information.
But actually, I think the primary responsibility for that really lies with the corporations, with the enterprises whose services we're consuming as individuals. It's those organizations who choose how they verify the identity. And those methods that the companies choose, they either work or they don't work, and the individuals don't really control that.
We can have vigilance and take care not to share data, but the fundamental authentication methods that are being chosen – such as SMS, one-time passwords or even email PIN codes – they leave individuals open to risks that those individuals themselves can't really control.
How will trust evolve in the digital future?
Final question for you in this episode, Paul: are there any other ways that we can build trust in the digital world?
Again, mobile is going to be a core part of what we're talking about here. The world is going mobile; in many, many territories now, mobile is the default method for accessing the internet. We live in a mobile-first world, and that has consequences, good and bad. But I actually think the good consequences are that it's an entirely new way of doing business, and the phone is a very powerful tool, but it's not really being used properly yet.
There have been a few small steps that businesses have taken; moving away from email addresses, perhaps, to using the mobile number a bit more, but they're not using the fundamental security that is innately inside a mobile phone.
There are 5 billion phones out there, all of which have got cryptographically secure SIM cards in them – now the world has this opportunity to move away from a knowledge-based password to a possession-based security factor. And if we can do that together, then I think we can make the world a much safer place.
You can check out the full interview in podcast form, plus the rest of the SIM security series, at Cybercrime Magazine's SoundCloud page.
Find out more about tru.ID
tru.ID is a mobile authentication platform that enables direct connectivity to the mobile authentication systems used by mobile carriers, so that online businesses can build simpler, stronger alternatives to SMS one-time passwords, email links, and other legacy 2FA methods.
It's easy for developers to get started. tru.ID products can be implemented into any client-server application architecture using RESTful APIs and iOS, Android, React Native and Mobile Web SDKs. We offer a fully online, developer-first API platform. Simply sign up to create an account and start testing for free, today.