Making Data Better is a podcast about data quality and the impact it has on how we protect, manage, and use the digital data critical to our lives. Through conversation and examination, George Peabody and Stephen Wilson look at data's role in risk management, at use cases like identification, lending, age verification, healthcare, and more personal concerns. Privacy and data ownership are topics, as are our data failures.
The Bigger Step: Want a Single Digital ID?
In this quick take, Steve and George discuss the idea of a single digital ID through a review of the proposed bill currently in front of Australian legislators. We begin by comparing that approach to two very different models: India's Aadhaar program and the "shadow IDs" as employed by commercial data providers.
We are excited by the steps Australia is taking to secure the online activity of its citizens. This is serious work with many of the required elements for success already in place. And connecting those elements into a strong chain will be challenging.
We conclude with a discussion on the quality of the data feeding into any system performing identification. How do you know that the data is authentic when it is presented through plaintext? Like chip cards and passkeys, we posit that device-bound data is required for secure online interactions.
This concern isn't just about what's happening in Australia, of course. The problems of data authenticity and how to integrate a new digital attribute into KYC processes are non-trivial. So take a listen and get in touch.
A Big Little Step: Australia Shifts from Digital Identity to Digital ID
Australia's online security community - government, banking, and providers - has made a major, deliberate move. Over the last year, the term "digital identity" has been replaced by "digital ID" in government and industry publications and press releases.
Steve and George unravel this deliberate linguistic shift from the amorphous 'digital identity' to the more concrete and pragmatic 'digital ID', and understand why this nuanced change is more than mere semantics. It's a shift that promises greater clarity in technology, legislation, and personal identification. Tune in and explore a future where proving who you are online is not just more secure, but refreshingly straightforward.
Why does this matter? As Steve and George discuss it in this episode of Making Data Better, it accurately shifts the focus of policy and technical work on to the quality of the data used for identification purposes. It frees everyone from the impossible tasks of representing our "identities" digitally.
Through our discussion, we celebrate the strides made by Australia in addressing the advancement of digital identity systems—a contrast to the comparatively uncoordinated, market-driven efforts seen in the U.S.
Steve and George conclude with their perspective on how to secure digital IDs using device-assisted presentation. Plaintext presentation is the enemy. It gives hackers endless opportunities to copy (via data breaches) and replay (via fraud) that data. There is a straightforward solution that we have done before: marry the cryptographic strength of how chip cards are secured to the convenience of smartphone presentation and we have the opportunity to remove breach incentive by making our digital ID data better.
There's plenty of work ahead but there's great power in what could be an uncontroversial, technically practical, achievable approach. So take a listen.
Confidential Computing: Protecting Data and Code in Use
Data provides the basis for how we make decisions. An enemy of security these days, from our point of view, is plain text. We need better than that. We need device-assisted support for proving where data comes from and how it's been handled. We need systems that keep data (and code) from being altered without cause, that give us the ability to trace the change history of data.
Confidential computing is a new compute paradigm that provides a hardware-based foundation for running code and the data it manipulates. It safeguards data and code (it's all data; it's all code) in its most vulnerable state: while it's being processed.
In this episode of Making Data Better, Steve and George are joined by Anjuna's Mark Bauer to dive into this new model's high impact on security and low impact on cloud app development.
Mark dissects the mechanics behind this approach including how it strengthens the software supply chain through hardware-based attestation. He addresses its fit in modern cloud infrastructure including Kubernetes, data loss prevention (DLP), API scanning and more.
The conversation addresses the initial major use cases for confidential computing. High risk environments including defense, banking, and healthcare are obvious. Not so obvious is securing multi-party data sets in the cloud for machine learning and AI-based applications.
So take a listen to this episode of Making Data Better and learn how hardware-based security can harden the cloud.
Building a Credential Management Platform: So Many Stakeholders, So Many Use Cases
Credential sharing is complex and exciting. Take a listen to our guest, Dan Stemp from JNCTN, in this installment of Making Data Better. We discuss JNCTN's credential sharing platform and its major use cases.
Discover how managing digital identities supports the work of critical industries, from power generation to healthcare. We unpack the intricate relationships between those who rely on credentials, the individuals who hold them, and the authorities who issue them.
Dan tells us the story of his firm's evolution from card personalization bureau to today's digital credential management scheme. We discuss the firm's clients' transition from physical tokens to digital credential presentation. Of course, we discuss wallets because they are the natural containers to hold verifiable credentials and we address JNCTN's proprietary approaches, the W3C, and big players like Apple and Google.
Implementation of systemic systems is never easy. JNCTN has multiple stakeholders to convince. We examine enterprise adoption and the leverage points that resonate with the relying parties, the risk owners, who deploy these systems. It's not just about risk mitigation and operational efficiency.
So, take a listen as Dan, Steve, and George share their enthusiasm for verifiable credential sharing and the breadth of applications ahead.
Navigating digital ID: The role of government
Ever wondered about government's role in online identification and how it could expand to help our digital economy function better and safer? Or how government data quality directly impacts risk assessment?
In this episode of Making Data Better, we tackle where US and Australian governments stand on protecting our digital IDs and personal credentials.
Join us as Jeremy Grant, Managing Director of Technology Business Strategy at Venable LLP, brings his insights on security technology strategy, policy, finance, and more to Making Data Better. Jeremy speaks to his decades-long experience with US federal and state government initiatives. And to the work of his organization, the Better Identity Coalition (check out its policy papers for federal and state-level policymakers!)
Government issues the credentials we rely on to prove who we are. Regulating how those credentials may be protected to enjoy expanded usage is both necessary and fraught with complications. Tech regulation has a history of being well behind technology's evolution.
That said, it is coherent policy and political direction that is needed. Disparate agencies may fully understand the potential of the assets they manage but without strategic focus at the highest level, the challenge of digital ID will remain. And our exposure to fraudsters, synthetic identities, and nation-state attacks will continue.
This is no small matter. FinCEN, the Treasury Department's Financial Crimes Enforcement Network, recently announced their analysis of bank-filed suspicious activity reports. They found that $212 billion of transactions were tied to compromised identity. The General Accounting Office, the investigative arm of the US Congress, estimated between $100 and $135 billion in losses to public benefits fraud during the pandemic.
This is real money, ending up in the hands of organized criminals and adversarial nation-states.
So, take a listen to this episode with Jeremy Grant and Lockstep's Steve Wilson and George Peabody. There's work to be done.
Redemption after data disaster: Heartland Payments breach spurs card data innovation
In October 2008 Heartland Payment Systems discovered it had been breached. Albert Gonzalez and several other individuals hacked their way through an external company website using SQL injection — an attack that too often still works — to the core of Heartland’s systems. They were able to copy credit and debit card numbers and other data used in payment authorization.
At the time, that data enabled those who bought it to create new magstripe cards.
Some stats about the hack:
Heartland’s stock price fell by 77% in the months following the attack.
Some 130 million card numbers were exposed.
Heartland paid $60 million in fines to Visa, over $40M to Mastercard, $5M to Discover, and $3.6M to AMEX.
The business of signing up merchants to accept cards using Heartland’s services took a big hit.
To me, this is also something of a hero story. Because Heartland’s leadership, led by CEO Bob Carr, got angry. Yes, at the hackers. But more important they took that anger and frustration and used it to fill a gaping hole in card system security, way out in front of what the card systems themselves required.
I was fortunate enough to play a minor part in Heartland’s response. As an analyst, I got to know some key players who will tell their part of the story in this episode.