Join the campaign (Learn More)

The Manila Times - No more ComeLeak, ATM skimming, phishing: How is that possible?

News & Interviews
20 September 2017

By Nelson Celis | The Manila Times 

Part 1

RIGHT after the momentous CEO Breakfast Forum of the Information Systems Security Society of the Philippines on September 11, 2017, I had a warm exchange of thoughts with the chairman of NimbusID, Dr. Alex Natividad, about bank fraud like ATM skimming and phishing, hacking, and other information security breaches, including the ComeLeak incident. NimbusID is into “cognitive identification” technology, which Natividad invented after a frustrating experience in 2012. This technology is born of Filipino ingenuity, created to overcome information security beyond passwords, biometrics, and tokens!

Natividad, or Alex for short, is a practicing Filipino psychiatrist in Texas, whose vision is to propagate his technology in the Philippines initially and be used extensively by his “kababayan” with the end in mind of eradicating and “curing” completely the banking fraud, ComeLeak and other “insecurities” in his own country before the rest of the world. Wow! A practicing medical doctor in the field of information technology (IT)! How’s that? I just couldn’t imagine how a busy psychiatrist who does not know anything about IT would get involved in the complex and stressful world of IT. It really tickled my mind. I never heard about this cognitive identification technology. It was the first time I heard about this in many information security events in over 15 years.

Alex and I started our conversation discussing the difference between trust and security in the digital world of authenticating the identity of a computer user, whether related to work or personal banking transaction. We talked about it for some time and he just summarized that security of the system is based on trust. Well, let’s clear this up.

We both agreed on the basic definition of information security from the perspective of information security professionals. I’m sure he would also agree with you, especially if you are the Chief Information Security Officer of an organization, if you tell him that in the field of securing IT assets, one must strictly apply his knowledge and best practices in IT governance like the models of Information Security Management System of ISO 27000 series, Information Technology Infrastructure Library or ITIL, Control Objectives for Information and Related Technologies (COBIT), and similar standards and frameworks.

Alex would also agree with you that the traditional way of authenticating a user to access or open computerized systems, databases and bank accounts practically hinge on our very own secret passwords. Yes, passwords with a “s” like the personal identification number (PIN) of an ATM account, the ever-changing password for Internet banking account/s coupled with one-time-pin (OTP) through an SMS or text message, password for social media accounts (e.g., Facebook), password for cloud accounts, and so many other passwords to access, activate or open an IT-driven system. The only drawback of using a password is when you forget it, you share it with somebody else, when you write it on the board (this actually happened!!!), when you write your PIN at the back of the ATM card (this actually happened so many times!!!), when you are phished using a fake bank website (this actually happened many…many times!), when there’s a skimming device in the ATM (this actually happened tremendous times since the 1990s and not yet solved till today!!!), or when your password was hacked. And beware also—hackers have been using traditional password crackers like John the Ripper for more than a decade now to get into computers. Just check disgruntled employees in your offices as they might possess this cracker and do harm to your computers.

I asked Alex, “What about if I use biometrics instead of passwords to authenticate me in opening my account or even my computerized information systems?” Alex simply replied, “Biometrics are less secure than passwords and are more vulnerable to hacking.” I kept his statement in my mind and did research. By the way, biometrics is defined as the automated use of human or physiological characteristics (e.g., fingerprint/s, retina, face, palm, iris recognition) and behavioral characteristics (e.g., voice) to determine or verify identity before allowing access control. Presto! Alex was right about it.

Many technology experts talk about biometrics as the absolute authentication solution that would make the password obsolete. They said that using a password as a basic information security protection method has long been around since the time the computer was invented. But according to Bergsman, J. & Kirilenko, D. (2016), “Biometrics will be easier to hack than passwords…Biometric data were never designed to be secret. Most people make sure not to divulge their passwords, but it’s difficult to imagine a world where everyone wears gloves constantly to avoid leaving fingerprints. Attackers have already figured out how to bypass many of today’s biometric solutions. Jan Krissler, a famous hacker, used high-resolution photos of Ursula von der Leyen, Germany’s Minister of Defense, to beat fingerprint authentication technology.

Is cognitive identification the solution to the banking fraud, ComeLeak and other “insecurities?”