
Hello everyone, and welcome to this much-needed security conference, which is building and promoting the information security community in the Western Balkans region. This session is about privacy and risk-based authentication, and ironically I will start by sharing some data, personal data, with you. As you heard, my name is Gracea and I am an experienced data protection specialist at ProCredit Bank Kosovo. I have a background in cyber security: I am a computer engineering graduate and I am currently pursuing my Master's studies at the International University of Applied Sciences. Before this hands-on experience implementing GDPR in the banking sector, I worked with some of the best-known ISO standards in information security, cyber security and risk management.

One of the most frequent questions I get asked is: why data protection? Do you have a legal background for that? I assume many of you were thinking the same. Well, data security and data privacy are the two basic elements of cyber security, as nearly every organization that exists today relies on data. The loss or misuse of data can cause tremendous consequences for an organization. However, impairing security does not only affect the organization itself, because it can cause irreparable damage to the individuals to whom the data belongs as well. That is why the protection of personal data in particular has become more and more important. We as data protection specialists cooperate closely with software development teams and information security teams for two reasons: to protect and secure the data, but also to comply with the principles of privacy by design and privacy by default. These principles require every organization to consider data protection and privacy at every step of every project and activity that processes personal data. Nearly all key processes and activities that we use in an organization today process personal data, and that is why having an understanding of IT security, IT management and IT configuration is a basic skill to succeed in a data protection role.

This session comprises three main pillars: I will introduce risk-based authentication and how it works, continue with privacy and risk-based authentication, and conclude with key privacy threats and mitigations.

Create strong passwords. This is very common advice from many security specialists; even Microsoft itself states that one of the most important ways to ensure that your online accounts are safe and secure is to protect your passwords. But is it? A study shows that on average a user has 16 online identities. What this means is that we as users tend to choose simple and easy-to-guess passwords, but also tend to reuse the same passwords across services. That is why, in practice, passwords have many security flaws. One of them is that users are prone to disclosing passwords to attacks such as phishing. We also reuse the same passwords across services, which means that a compromise of accounts on one service leads to a compromise of accounts on many other services. And last but not least, modern password cracking tools exist today, and the latest studies show that a password cracking tool can find up to 2.7 billion passwords. According to research released by SpyCloud, researchers discovered 700 million, so we are talking about 700 million, exposed credentials in the last year alone, and to make matters worse, 72 percent of users, guess what, still use the same passwords.

So it is no surprise that major online services are doing something about this. One of the most proposed measures is two-factor authentication. In two-factor authentication a user confirms possession of another credential linked to the account, typically a hardware token, an authentication app, a mobile phone or an email address. However, as two-factor authentication is an opt-in process that requires user intervention, user acceptance is very low. For instance, Google has offered two-factor authentication since 2011; however, only 10 percent of users, so 10 percent, were actively using it in 2018.

What can be done about two-factor authentication to make it more usable? Implicit authentication is one of the answers. If we classify login attempts as suspicious or normal, then we can differentiate these attempts by other parameters and define whether an attempt is suspicious. Implicit authentication is practical because it is employed in the background without user intervention, and it is secure because it is a continuous process. Risk-based authentication, which I will elaborate on later in the session, is an implicit authentication form. RBA, or risk-based authentication, is recommended by the National Institute of Standards and Technology and the National Cyber Security Center of the United States to protect users against password spraying and credential stuffing. RBA has increased password authentication security while leaving usability intact. Commercial sales of RBA solutions are currently increasing and are expected to continue doing so, supporting the demand for strong authentication methods. However, currently the use of RBA is limited to a number of major service providers such as Amazon, Facebook, Google and LinkedIn.

But how does RBA work? RBA monitors contextual features that can range from network features, such as the IP address, to client behavioral information, such as login time, and based on these parameters it calculates a risk score. So when we as users submit our login form, risk-based authentication calculates the risk score, which is typically classified into three main categories: low, medium and high. If the user behavior is as always, then access is granted and the user is not bothered by another form of authentication, whereas if the risk score is medium or high, then, depending on the RBA implementation, the system requires more information as proof. If no proof is given, then access is denied.

So far so good: RBA offers high security and leaves usability intact, so why should we consider privacy? Well, don't forget that RBA offers security and usability, but all at the cost of processing our data, data that may have a potential reference to our personal data. In case an RBA database is forwarded or breached, we are at a higher risk than usual, because not only the traditional username is exploited. In addition, security is not enough to meet privacy regulations. We all agree that security and privacy have something in common and focus on the protection of data; however, there is a difference. Security protects the confidentiality, integrity and availability of information, whereas privacy is more granular, about privacy rights with respect to personal data. Privacy will always prevail when there is personal data processing, whereas security will continue to focus on the protection of information assets. Considering this, I will elaborate on why the integration of RBA systems should consider data protection laws and regulations.

But what is personal data? Personal data is a term used in the GDPR, the famous General Data Protection Regulation; other terms used instead of personal data are personal information and PII, personally identifiable information, as used in the ISO standards. The definitions, however, are very similar: personal data is any information relating to an identifiable natural person who can be directly or indirectly identified. I know, very theoretical, so let's focus on the key information and map it to the RBA context. The data used by RBA certainly falls within the personal data definition, for two main reasons. The implementation of RBA relies on feature values, and these feature values are unique identifiers by themselves, for instance the IP address. On the other hand, the risk score is classified as a unique identifier itself, because it indirectly identifies us and our interaction with the system.

The introduction of data privacy regulations and laws has dramatically changed the way online services process and collect our personal data, for instance the GDPR and the California Consumer Privacy Act. From formerly loose recommendations on how to handle data, we now have clear and binding data protection principles. These principles of processing personal data are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. In the following slides I will outline the requirements of each principle and how an RBA system should implement them.

To process personal data we must have a lawful basis for processing, but we should also be fair and transparent with the user. What this means in the RBA context is that RBA should be designed with consent in mind. Why? To provide users with clear and easy-to-understand explanations.

The second principle is purpose limitation: personal data should be collected for specific, explicit and legitimate purposes, and no further processing that is incompatible with the first purpose is allowed. What this means in the RBA context is that the feature values can only be used to calculate the risk score itself.

The next principle is data minimization. This principle states that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes of processing. In the RBA context this means that feature values should be reviewed for suitability and redundant data should be deleted. However, in practice it is not this simple, because providers of RBA systems should consider that data minimization can impact the risk calculation and its reliability.

Another principle, which is straightforward, is accuracy: personal data should be accurate and up to date. In the RBA context, however, this is crucial. Why? If we have an incorrect feature value, then the risk score is either medium or high, which means that the user is prompted with another factor to be authenticated, and what we are doing is converting RBA into second-factor authentication. If you remember from the slides before, I stated that second-factor authentication has very low user acceptance, so we do not want to end up there.

Storage limitation. This principle states that personal data shall be kept in a form which permits identification of data subjects only for as long as is necessary for the purpose of processing. What this means in the RBA context is that if data is no longer used, it should be securely destroyed or anonymized. For the time being, it is important to know that anonymized data is not personal data; I will cover anonymization in the following slides. That is why, as a provider of RBA, if we anonymize data we can continue to use this data for testing purposes.

The last principle is integrity and confidentiality: personal data should be processed in a manner that ensures appropriate security and protects against unauthorized access, damage or destruction. Some of the proposed measures are pseudonymization, masking and encryption.

I talked about two terms; maybe it is the first time you have heard them, maybe you use them in your everyday life at work. Pseudonymization and anonymization reached their fame when the GDPR was introduced. Those not knowing security and data protection tend to use them interchangeably. Please don't do that; there is a big difference. Pseudonymization is the process of replacing personal identifiers with a pseudonym. As you can see from the picture, we are replacing the name with a bunch of numbers, and we cannot re-identify the individuals if we do not have the key. That is why pseudonymized data falls within the scope of personal data; however, fewer processing restrictions apply. Anonymization, on the other hand, is the process of removing elements from personal data, so the process is irreversible. As such, anonymous data is excluded from the scope of personal data and is not subject to privacy and GDPR laws.

Coming to the last part, I will present the privacy threats and mitigations. Two common threats that we see in the RBA context are data misuse and data breach. A misuse of RBA feature values is when we use the feature values for other purposes than calculating the risk score, typically for user tracking, profiling or advertising. No wonder it is a threat, because we have seen it happen before, where phone numbers stored for second-factor authentication were used for tracking and advertising to users. We as users should trust our online service providers not to misuse our data; however, a responsible service provider should take precautions to minimize misuse scenarios or unintended processing. A data breach, on the other hand, is when an unauthorized person processes personal data or has access to this data. A data breach is an attack on confidentiality; as such, it allows attackers to use the feature values to link profiles at different online services. Even if we use other credentials, they can find who we are. Depending on the service, this could result in negative social or legal consequences for the individuals and enable account takeover attacks on a larger scale.

But how can we mitigate them? Two methods: aggregation and login history minimization. We can aggregate the feature values in the login history so that we only reveal how often a feature value occurs instead of its chronological order; by aggregation we mitigate re-identification from login sequences. On the other hand, by limiting the login history in terms of the number of features and entries, we mitigate tracking users for an extended period of time. This has already been proven, because the study shows that few entries are sufficient to achieve high RBA protection.

This was privacy and risk-based authentication. What I talked about was that risk-based authentication is an implicit authentication form which offers high security and usability, but please don't forget, at the cost of processing our personal data. That is why the design of RBA systems must balance security and privacy. I want to conclude by quoting Steve Jobs. He once stated that privacy means people know what they're signing up for, so fairness, in plain language and repeatedly, so we should provide and update the privacy notice; I believe people are smart, but some people want to share more than other people do, we just have to ask them, so obtain their consent. However, I encourage you to think about whether this quote really stands or not. Thank you.
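As an added worked example that is not part of the talk (my own sketch, not the speaker's code or any vendor's RBA product), the following Python block implements the RBA flow described in the session: feature values are turned into a risk score, the score is classified as low, medium or high, a low score grants access silently, a medium or high score requires a second factor, and access is denied when no proof is given. The login history applies the three privacy measures named in the last part of the talk: feature values are pseudonymised with a keyed hash before storage, the history is aggregated into occurrence counts rather than a chronological login sequence, and the number of distinct values and observations kept per feature is capped. The monitored features, their weights, the thresholds, the caps, the pseudonymisation key and the sample login history are all constructed assumptions for illustration, not values from the talk or from any standard.

```python
"""Added example: a minimal risk-based authentication (RBA) scorer whose
login history applies pseudonymisation, aggregation into occurrence counts
and a bounded history. Weights, thresholds, caps, key and sample data are
assumptions chosen for illustration only."""
import hashlib
import hmac
from collections import Counter

# Features the RBA system monitors and their weight in the risk score
# (assumed values; a real deployment tunes these on its own login data).
FEATURE_WEIGHTS = {"ip": 0.5, "user_agent": 0.3, "login_hour": 0.2}
MAX_DISTINCT_PER_FEATURE = 5       # history minimisation: distinct values kept
MAX_OBSERVATIONS_PER_FEATURE = 50  # history minimisation: total count kept
THRESHOLDS = {"low": 0.3, "medium": 0.7}  # score below value -> that level

# Pseudonymisation key. In production it lives in a KMS/HSM, never beside
# the data; it is a constructed constant here so the example runs offline.
PSEUDONYM_KEY = b"example-only-pseudonymisation-key"


def pseudonymize(value, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: the stored token cannot be reversed without the key.
    This is pseudonymised (still personal data), not anonymised."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


class LoginHistory:
    """Per-user feature history stored as occurrence counts only.

    Aggregation: only how often each pseudonymised value occurred is kept,
    not the order of logins, so login sequences cannot be re-identified.
    Minimisation: at most MAX_DISTINCT_PER_FEATURE values and
    MAX_OBSERVATIONS_PER_FEATURE observations are retained per feature."""

    def __init__(self):
        self.counts = {f: Counter() for f in FEATURE_WEIGHTS}

    def record(self, attempt: dict) -> None:
        for feature, counter in self.counts.items():
            counter[pseudonymize(attempt[feature])] += 1
            # Drop the least frequent values once the distinct-value cap is hit.
            while len(counter) > MAX_DISTINCT_PER_FEATURE:
                del counter[min(counter, key=counter.get)]
            # Halve all counts once the observation cap is exceeded.
            if sum(counter.values()) > MAX_OBSERVATIONS_PER_FEATURE:
                for v in list(counter):
                    counter[v] = max(1, counter[v] // 2)

    def familiarity(self, feature: str, value) -> float:
        """Share of past logins that had this value (0.0 when never seen)."""
        counter = self.counts[feature]
        total = sum(counter.values())
        return counter[pseudonymize(value)] / total if total else 0.0


def risk_score(history: LoginHistory, attempt: dict) -> float:
    """0.0 = every feature matches the usual behaviour, 1.0 = none does."""
    return sum(w * (1.0 - history.familiarity(f, attempt[f]))
               for f, w in FEATURE_WEIGHTS.items())


def classify(score: float) -> str:
    if score < THRESHOLDS["low"]:
        return "low"
    if score < THRESHOLDS["medium"]:
        return "medium"
    return "high"


def authenticate(history: LoginHistory, attempt: dict,
                 second_factor_ok: bool = False) -> tuple:
    """Low risk: grant silently. Medium or high: require additional proof
    and deny when it is not given. Returns (decision, risk_level)."""
    level = classify(risk_score(history, attempt))
    if level == "low" or second_factor_ok:
        history.record(attempt)  # successful logins extend the history
        return "grant", level
    return "deny", level


def build_sample_history() -> LoginHistory:
    """Constructed login history for one user (office IP, one browser,
    working hours). Not real data."""
    history = LoginHistory()
    for hour in (8, 9, 9, 10, 14, 17, 9, 8):
        history.record({"ip": "203.0.113.10", "user_agent": "Firefox/115",
                        "login_hour": hour})
    return history


if __name__ == "__main__":
    usual = {"ip": "203.0.113.10", "user_agent": "Firefox/115", "login_hour": 9}
    new_ip = dict(usual, ip="198.51.100.7")
    foreign = {"ip": "198.51.100.7", "user_agent": "curl/8.0", "login_hour": 3}
    for name, attempt in (("usual", usual), ("new ip", new_ip), ("foreign", foreign)):
        print(name, authenticate(build_sample_history(), attempt))
```

Note that even the "usual" login does not score exactly zero, because the login hour varies from day to day; the thresholds have to leave room for that natural noise, otherwise the accuracy problem from the talk appears and every login degrades into a second-factor prompt. The raw IP address never reaches the history, only its keyed pseudonym, so a leaked history is still personal data under the GDPR but cannot be linked to other services without the key.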