GDPR: Consequences, Fines and Responses

The UK’s Information Commissioner’s Office (ICO) has finally done what it’s been threatening to for a while and levied enormous fines on British Airways’ parent International Consolidated Airlines (£183 million) and Marriott Hotels (£99 million).  While subject to appeal, these are the first signs of how the ICO now has real teeth and is prepared to use them. The question is, what lessons can we learn from this?

Well, firstly, we can observe that card payments aren’t optimised for the internet.  The BA breach looks like it was at entry point – i.e. it wasn’t that the data was breached while stored in a database but that someone managed to get hacked software to intercept payments in flight and capture the details. The point here, of course, is that the paradigm of giving your card details to the merchant so they can pass them to your issuer originated in the 20th century when we didn’t have a choice. Now, given that we have this internet thing it makes more sense to contact our issuer directly and tell them to pay the merchant. Realistically, this may be the only way we can be sure merchants won’t lose our card details – don’t give them to them.

This points to push payments a la PSD2 APIs. But given that these won’t be pervasive for a while, the next best option is to tokenise cards to either limit their use to a single merchant or even a single transaction. Both of these are areas we’re seeing lots of interest in, and ought to be high on the agenda of heads of IT security and payments everywhere.

Secondly, we can note that static credentials are a sitting target. Seeing email addresses and passwords breached opens up companies to all sorts of horrible consequential damages under GDPR – let’s face it, most people reuse the same combinations across multiple sites so a breach on one site can lead to exposure on another. Any company relying on static credentials should basically assume they’re going to get some level of breach.  

Fixing this requires two-factor authentication and we have a ready-made, state-of-the-art solution here in the EU. PSD2 SCA is about as strong an approach as you could ask for and we have banks and authentication providers drowning in relevant technology. There simply is no excuse for a company using static credentials if they get breached. We’ve been working closely with providers to look at how to take these solutions into the wider authentication market, because there’s been a certain inevitability about the way a lot of companies have dealt with their data breach protection.

Finally, note that the point that BA have made – that they haven’t seen any impact due to their breach – needs to be qualified: “yet”. Hackers tend to sit on breach data for 18 months before using it, waiting for the identity protection schemes that are often engaged post these events to expire. GDPR allows affected companies and individuals to sue – up until now the costs of a data breach have been borne by banks having to deal with fraud and issue new cards and consumers having to sort out identity protection. The ICO fines may yet be just the tip of a very expensive iceberg as GDPR ensures that the costs are more appropriately allocated to the offending parties.

IdentityNORTH 2019

We recently attended IdentityNORTH in Toronto and as usual it was a great event to connect with colleagues and hear about what’s going on with digital identity initiatives in Canada. Aran, Krista and the entire IdentityNORTH team always put on an organized, well-run event with lots of great speakers and interesting sessions.

The spirit of collaboration around digital identity in Canada is one of the strongest we’ve seen, especially in North America. Both the public and private sectors have a genuine interest in working together, and this is seen primarily through the great work being done at the Digital ID and Authentication Council of Canada (DIACC) to bring together a wide variety of stakeholders, industries and even different levels of government (e.g. federal, provincial, municipal) to work together towards a common goal. Work has been ongoing for a few years now to build a Pan-Canadian Trust Framework (PCTF) that will enable businesses, citizens and governments alike to have a common understanding of what it means to be part of a digital identity ecosystem and what is considered the standard in Canada of a well-designed, secure and privacy-respecting identity system. DIACC has released an initial version of the PCTF and is soliciting public feedback. They also announced a timeline for ongoing public releases of more detailed components of the framework taking place throughout the rest of 2019 and into next year. We are encouraged to see this progress and look forward to seeing this framework evolve over the coming year.

The other major highlight from the event was to see a variety of live demos and nearly market-ready solutions from various organizations. In past events, we’ve seen a lot of “coming soon” presentations, wireframes or mockups. But this year, there was a decidedly heavier live demo presence and quite a few solutions that have either launched or are launching soon. Some of the solutions presented included:

  • Verified.Me by SecureKey, a mobile identity service used to verify and share personal information online, in person and on the phone. It was developed in cooperation with major Canadian financial institutions who act as “Service Hosts” to verify and authenticate End Users. End Users can also connect with other identity and data providers who generate or hold information about them (e.g. MNOs and credit bureaus), and safely and securely share certain information with service providers and relying parties (e.g. online merchants, insurance brokers, or other providers conducting account opening or confirming service eligibility).
  • 2Keys and Interac presented a live demo of a digital wallet proof of concept sponsored by the Ontario Centres Of Excellence which demonstrated age verification for buying cannabis or liquor online.
  • Niagara Health Navigator by Identos for the Niagara Health regional authority, a digital health ecosystem designed to protect patient privacy and security while connecting patients to their health data, care providers and innovators.
  • eID-Me by Bluink, a mobile identity verification and digital identity wallet with demonstrated use cases in healthcare (fast check-in and electronic medical record integration) and car sharing (owner registration and vehicle unlocking).
  • BC Government demonstrated enabling a Mobile BC Services Card via remote video chat, through a mobile app. The app allows a citizen to identify themselves over video and means they don’t need to visit a location in person to apply for services. An initial trial was launched last year to make it easier for students to apply for aid with the mobile BC Services Card.

With all these new solutions and service offerings, interoperability seems to be one of the new buzz words. As more products are introduced to the market, there will be a need for broader industry cooperation across sectors, and likely across international borders. As mentioned in our previous post on digital identity technical and assurance standards, it will be important to watch these developments as they continue to evolve.

Lastly, it wasn’t all work with no fun as we even got in a visit to Jurassic Park, the Toronto Raptors fan zone during the NBA Finals. It was a bit wet and rainy but that didn’t stop the crowd from being quite enthusiastic!

SCA: the end of merchant liability, and other authentication factors

The EBA’s recent Opinion on the elements of strong customer authentication under PSD2 was, apart from moving the goalposts on when SCA will be enforced, full of interesting information about what constitutes a valid SCA element. It closes some doors, opens others and ends any notion that merchants can take liability and not do SCA themselves.

Taking the final point first, there’s been a view that Article 74(2) of PSD2 permits merchants to carry on without implementing SCA as long as they take liability. We at Consult Hyperion have long argued that that is an optimistic and overly legalistic reading of the regulations and this has now been confirmed. The EBA states:


In addition, even if there were a liability shift to the payee or the payee’s PSP for failing to accept SCA, as articulated in Article 74(2) of PSD2, this could not be considered an alleviation of PSPs’ obligation to apply SCA in accordance with and as specified in Article 97 of PSD2.

Basically, Article 97 takes precedence – PSPs (aka Issuers) must apply SCA so if the merchant chooses not to then rather than end up with a payment for which they’re liable they’ll end up with no payment at all. Which, you’d imagine, would rather miss the point of being a merchant.

Beyond this point the Opinion has lots of interesting things to say about inherence, possession and knowledge elements.

On inherence two points stand out. Firstly the Opinion unambiguously states that behavioural biometrics can be a valid factor: this opens up a world of possible low friction SCA, and we expect to see lots of innovation in this area. Secondly it states that 3DS-2 does not support inherence as none of the data points being gathered relate to biological or behavioural biometrics but – and we view this as important – 3DS-2 is a valid means of supporting SCA.

This is critical because the dynamic linking process behind 3DS-2 is not straightforward and there have been differences of opinion over whether this is compliant. Given that 3DS-2 appears to be the only game in town for CNP transactions, having a statement that it’s OK is mighty important.

On possession, the EBA clarifies that OTP SMS is valid and also that mobile app based approaches can be – but only if the app is linked to the device. We’ve been arguing that this is obviously the case for a while, so it’s good to see this confirmed: although there are going to be a few app developers out there that need to revise their approaches pdq (we can help, of course!).

Also on possession the EBA has stated something that really should have been obvious to anyone taking more than a moderate interest in the topic – printed card details such as PAN and CVV or user ids and email addresses are not valid possession or knowledge elements. As a number of prominent industry players have been taking the opposite approach this could lead to some interesting developments in the coming weeks, particularly as the Opinion states that if the CVV is not printed on the card and is instead sent on a separate channel, then it is a valid knowledge element.

Overall, the analysis and discussion in the Opinion on valid SCA elements is welcome, if a trifle tardy. To be fair to the EBA, we don’t see anything in their analysis that a proper reading of the RTS wouldn’t have produced. However, it’s been clear for some time that many industry players have been making a highly liberal interpretation of the requirements usually based on a legal opinion. But PSD2 and the RTS are about principles, not rules: if you need advice on this you need to talk to the people who understand this stuff. Which, by the way, is us, not law firms.

