

Six Challenges Facing the U.S. Cyber Trust Mark  



By Johannes Lintzen, Managing Director, Cryptomathic

The United States government recently announced its Cyber Trust Mark program, a certification and labelling initiative to help citizens identify IoT devices with strong cybersecurity protections. The program is scheduled to launch in 2024 and will be a welcome addition to the IoT ecosystem.

The seamless, connected experience offered by IoT devices is increasingly attractive to consumers – the IoT market is expected to grow to $3353 billion by 2030. Yet it is no secret that IoT devices are also increasingly attractive to bad actors. In 2022, the number of cyberattacks on IoT devices was estimated to be over 122 million, more than double the year before.

So, while the U.S. Cyber Trust Mark signifies a positive step in ensuring the security of the IoT, what challenges does it currently face and what challenges will emerge once the program has been introduced?

1. All carrot, no stick

The first challenge facing the U.S. Cyber Trust Mark is that the program will be entirely voluntary. While it will be in the interest of manufacturers to sign up and demonstrate their devices’ security to consumers, there are no repercussions for those that don’t. Some believe that without repercussions, there isn’t sufficient motivation for manufacturers to abide by the security guidelines.

2. Securing resource-constrained devices

There is an inconceivable number of different IoT devices and services performing a huge variety of tasks. It would be an almost impossible challenge to hold all devices to the same security standards. Does a light bulb need the same protection as a smart speaker? Probably not. Many such IoT devices are resource-constrained and do not have the capacity to execute complex cryptographic operations. As a result, the level of risk exposed by a cyberattack will differ from device to device.

Many resource-constrained device manufacturers are considering supporting data protection with secure enclave technology. Manufacturers can link devices to the cloud and securely execute cryptographic operations in a protected environment. This brings higher levels of security assurance into reach for most IoT device manufacturers.

3. Building trust in IoT

IoT devices integrate technologies that connect and exchange data over communications networks, such as the internet or other IP-based networks. While this means they can offer new and exciting functionalities, it also means that bad actors have a significantly larger attack surface to target in comparison to an offline/non-connected device.

This, combined with high profile IoT cyberattack cases, has contributed to low consumer trust in IoT security. A study by the University of Warwick echoed this and demonstrated that UK consumers are not convinced that they can trust the privacy and security of IoT devices.

For industry players already adhering to good security practices, this can be frustrating. There has been no clear, consistent way to communicate the level of security within products/services to consumers. I hope the U.S. Cyber Trust Mark program will change this.

4. Protecting data

As IoT devices continue to become smarter, more data will need to be stored on the devices. In addition, this data will become more personal to enable a more tailored and connected IoT experience. This means data protection will become even more important.

To combat this, secure procedures and processes must be established as early as the manufacturing stage. Enabling the secure storage and handling of cryptographic keys and certificates within the devices is critical. But there is not a ‘one size fits all’ solution.

Smaller, less complex IoT devices may be able to leverage Elliptic Curve Cryptography (ECC), which provides high levels of security but with smaller cryptographic key sizes. Resource-constrained device manufacturers can also seek enclave solutions or use alternative cryptographic algorithms. Just a few months ago, NIST concluded its “lightweight cryptography” selection process and chose the Ascon family of algorithms as a future standard data encryption method within the Internet of Things. It is worth noting, though, that Ascon’s lightweight algorithms are symmetric and do not address the issue of IoT device certificates.

5. Securing software updates

The U.S. Cyber Trust Mark program highlights the need for enhanced security to enable secure software updates. Due to the always-connected nature of IoT devices, the security of a product is not ‘complete’ at purchase but rather must be maintained throughout the product’s lifecycle. This fact becomes more disconcerting when you consider the lifespan of some IoT devices. Those who buy a smart car today may still be using it in 10-15 years’ time. Software updates will be essential to enable the security of devices to evolve after purchase.

For manufacturers looking to be proactive in addressing this issue, there are ways they can prepare ahead of the program’s projected launch. By leveraging the latest data protection technology for the cloud, software updates can be remotely installed in a secure manner. And as the IoT continues its upwards trajectory, user experience must not come at the expense of security. Manufacturers must stay ahead of their criminal counterparts to ensure that all IoT devices protect data and can be updated securely as required.

6. Post-quantum computing

Currently, the U.S. Cyber Trust Mark program does not attempt to address post-quantum security. The longevity of many IoT devices means that a large number will still be in use when quantum computers likely become a reality. The program should make device manufacturers aware of the risks and encourage proactive action. There are several ways organizations can begin preparing for post-quantum now. The road to cryptographic agility begins with a thorough analysis of your organization’s environment.

As post-quantum cryptography certificates will be even more complex than current certificates, the IoT industry will face additional challenges. For instance, if IoT device data that is currently encrypted by methods based on classical cryptography is accessed and stored by bad actors until they obtain quantum technology, they could use it much later down the line in what’s known as a “Store now, decrypt later” (SNDL) attack. This means that IoT manufacturers whose devices/services store data with a long shelf life, such as smart home systems, must be particularly aware of this threat, and make plans that prioritize valuable data with a long shelf life.

As the U.S. Cyber Trust Mark program is being created in cooperation with NIST, I expect that the finalized program will help the IoT world prepare for post-quantum cryptography. Nevertheless, to prepare now, determine exactly what you’re working with, where the gaps are, and what needs to be done next.

While convenience remains priority-number-one in the IoT industry, stakeholders should remain aware that there is nothing more distressing for users, nor damaging for brands, than avoidable cyberattacks.


How technology can help win the war on financial crime




By Andrew Doyle, CEO of AML compliance software, NorthRow


Financial crime is on the rise and the stats are alarming. In the UK alone, 64 percent of businesses (according to data from the Global Economic Crime Survey) have experienced fraud, corruption or other incidents of financial crime within the last 24 months, while ONS stats show there were 3.7 million incidents of fraud in England and Wales in the year ending December 2022.

So it’s no surprise that financial institutions and other regulated firms are under increasing pressure from regulators (and the ever-evolving legislation they must adhere to) in the battle against dirty money. Regulators are imposing crippling fines for any compliance breaches, not to mention the significant reputational damage that comes with non-compliance.

Historically, financial firms have employed large numbers of staff to combat money laundering, but regulators are now expecting to see digital solutions in place to counter the risk of financial fraud, and with good reason. Technology can be the deciding factor in the war on financial crime and here’s why:

Better risk detection

Technology platforms can analyse historical data to predict potential incidents of money laundering, enabling organisations to take preventive measures, while also identifying unusual patterns or changes in customer risk profiles, which may also indicate suspicious activity.

Advanced analytics can help companies identify complex patterns across large datasets, making it easier to detect networks of fraud. It is also possible to assign risk scores to transactions or entities based on their likelihood of being associated with money laundering. This helps in prioritising high-risk cases for investigation.


Enhanced customer due diligence

Automated software platforms can analyse customer information, public records, and other data sources to perform thorough due diligence on clients, identifying potential risks or suspicious behaviour before they are signed up.

RegTech automates the process of verifying customer identities and conducting enhanced due diligence on individuals and on companies, ensuring compliance with Know Your Customer (KYC) and Know Your Business (KYB) regulations, both vital components of anti-money laundering efforts.

More accurate identity verification

Biometric verification is a powerful tool in enhancing anti-money laundering and fraud detection. It involves using unique physical or behavioural characteristics of an individual to verify their identity. Traits like fingerprints, facial features, iris patterns, and voiceprints are unique to each individual and are nearly impossible to replicate or forge. This makes them highly reliable for verifying that clients are who they say they are.

Biometric verification can also reduce the number of false positives in fraud detection by providing a highly accurate means of confirming the identity of a customer. This leads to more reliable results and lessens the need for manual intervention.

Continuous and real-time monitoring

Real-time alerts allow for immediate action when suspicious activity is detected. This can prevent or minimise potential financial losses and damage to a company’s reputation. By identifying and acting upon suspicious activities in real-time, financial institutions can reduce the risk of financial losses associated with incidents of economic crime.

Continuous monitoring with real-time alerts can also help refine the accuracy of anti-money laundering systems over time. This reduces the number of false alerts and decreases the need for manual intervention.

To the future

According to data from Capgemini, 68 percent of UK institutions are already looking into real-time anti-money laundering monitoring systems to stay ahead of potential threats, while 86 percent, says Refinitiv, agree that innovative digital technologies have helped them identify financial crime.

So the data tells us that companies are already heading in the right direction when it comes to fighting fraud, but as the landscape of financial crime continues to evolve, financial firms must ensure they do the same.

By leveraging the right technology, businesses can ensure they not only meet regulatory requirements and safeguard their operations, but also protect their reputations and, crucially, maintain that all-important customer trust.



In 2024, payments will evolve to broaden accessibility




Attributed to Roy Aston, COO at Paysafe.


As we look to 2024 and beyond, businesses will need to adapt experiences to changing consumer needs and demands, working with payments providers to increase accessibility, offer broader choice, and more.

We break down some of the forces driving evolution in payments over the coming years.

Payments need to be available to everyone, everywhere

Regardless of their location or situation, consumers do not want to wait when it comes to payments. The proliferation of smart devices has given users access to everything, all at once, and this is also expected when making transactions.

In 2024, banks and financial institutions will continue to push ahead with this journey to offer smooth, secure payments to everyone, everywhere, delivering services at the lowest possible barrier to entry. This also means ensuring consumers, even those that are unbanked or underbanked, have access to remittances and cross-border payments.

The first step in achieving this goal will be to improve reliability, security and availability, which may see traditional payment methods like debit and credit cards – still the most popular payment methods – become less dominant, while alternative payment methods (APM) like eCash and digital wallets will grow.

This is because, with the right payment provider, merchants can ensure these APMs are available anywhere in the world – eCash, for example, does not require a bank account to use. In addition, digital wallets and online cash can offer swift, secure transactions, helping users overcome security issues by not requiring them to enter their financial details.

Financial companies will embrace collaboration in 2024

While businesses can address consumer payment concerns using APMs, they must also look to bolster their own defences as the threat landscape changes. Increasingly advanced technologies, like AI models, are now accessible to far more people, including threat actors.

To combat this escalating threat, it’ll be no surprise to see more financial companies collaborate in 2024 as they seek to improve cyber risk mitigation. This makes perfect sense – and would be a positive step for the industry – though it is easier said than done.

Businesses must share data legally and toward a positive purpose, rather than for pure profit. For example, if a financial organisation gains intelligence on a cyber group, it could share this with other companies to protect against bad money movement.

Ideally, collaboration could help improve anti-fraud, anti-money laundering, and cyber security measures, and more broadly reduce risk for businesses and consumers alike. But first, thinking around data governance may need to change.

Existing trends will evolve

While exciting new trends will emerge in 2024, we’ll also see the evolution of some that have yet to reach their full potential.

Embedded payments, for example, will continue to develop, with more businesses bringing together financial products with features like loyalty schemes to offer more added value to consumers.

Decentralised finance, too, should continue to build momentum in 2024. While decentralised finance, and specifically NFTs, have faced challenges this past year, it will be no surprise to see companies get to grips with changing regulatory requirements and continue to build in this area.

Open banking could also see a big 2024, with more APIs becoming available, and companies starting to develop new solutions to enhance customer experience and reduce friction in the payment ecosystem.

And while evolution rather than revolution is a necessity in technology, it’s always exciting to look ahead to the big trends that could shape the future – perhaps not in the year ahead, but beyond.

The future is quantum

Quantum computing is a trend that is as exciting as it is potentially frightening. Able to perform computations that are exponentially faster than ever before, quantum computing represents a new frontier and it will be thrilling to see how it is used in the years ahead.

Combined with AI, for example, quantum computing could optimise processes at a speed and scale never seen before – with serious benefits passed onto consumers.

In the nearer term, however, ensuring payments are available and accessible for everyone must remain the focus in 2024.
