In this full interview with Giulio Coluccia, CEO of Toothpic, Giulio discusses the future of cyber security and how we are moving to a world without passwords.
We already have biometrics for ourselves… biometrics for our device is also coming too… the combination of the two giving us extra layers of security.
The world is moving fast, often in ways we don’t immediately see or know about. Very interesting.
Interview Transcript
So hi everyone, I’m here today with Giulio Coluccia, who’s the CEO of Toothpic, and Toothpic are a cybersecurity company. And they look at identity verification, essentially in the mobile space. So, Giulio, thanks very much for joining me today. And welcome, I suppose, first off, it’s probably worth exploring a little bit about some of the background, where you’ve come to basically the problem around identification.
Yeah, sure. So thank you, Chris, for hosting me today. And yeah, as I said, we are a cybersecurity company. And our focus is on the identification of devices, and in particular, of mobile devices. And we do it with a unique technology that we developed in our previous activity at university, that now we are proposing to the market. And the peculiarity of our technology is that we are able to recognise, to identify a specific piece of hardware, so a specific device or specific smartphone or specific tablet, and in general, any device which is equipped with a digital camera, because we are able to identify the unique pattern of manufacturing imperfections that uniquely characterises our camera sensors. So each and every sensor that is mounted on the devices that we use every day.
So do you think, I mean, well, obviously, we’ve all got passwords. And you know, we’ve used passwords a long time, there’s like different types of passwords, and now we’re using longer passwords, you know, and they have to include certain characters, or even though they need to be longer. I mean, and then we’ve been sort of moving to this whole thing around like, you know, additional authentication methods. I mean, do you think what we’ve got currently is not strong enough?
Yeah, definitely. Consider that passwords are a technology that has primaries, something like 40, 50 years old. They were invented in an age where there were basically no users, and the few users that existed to log in, you know, to big machines used to have one or two accounts, so they had to remember a couple of passwords. Nowadays, all of us have access to dozens, 30 accounts. And for each of them, we should remember a different, difficult password, difficult from the point of view that it shouldn’t be easily guessed. So it should be something ideally long and completely random, which is something that’s impossible for us, who are human beings. So let’s say that the first step was improving the security of passwords by accompanying them with the verification of a different factor. When we talk about passwords, we talk about a knowledge factor, so we prove that we know something, the password specifically. So the verification of something that we know has been paired with the verification of something that we have, something that we possess, which is the so-called possession factor. In this kind of verification, all the systems based on the verification of, you know, the code that appears on the device the banks used to give us, but also all the technology that relies on the possession of the smartphone, that ranges from, you know, the OTP code that we receive by text message, or something that is generated by an app, or, for example, when we receive a notification on our device.
And how much do you think that the use of telephones or cell phones or mobile phones specifically is sort of a game changer? Because we’ve used that, even talked about one-time passwords. And obviously, you’ve got your technology as well; it feels like the mobile phone in particular seems like that’s a real game changer in terms of like being able to do that third-party authentication.
Yeah. Yeah, I can say that the choice of the smartphone as our verification of the possession factor device has been, as you said, a game changer, but has been, I can say, a sort of trade-off choice. A trade-off between what? Between usability and security, and also costs. Let me be more specific. When the banks used to give us the bank tokens, you know, those OTP devices, it was a choice that was very inconvenient for the users, because you needed to manage, you know, one or more of these devices; you may have it stolen, or, you know, you may lose it and so on, or it’s simply out of battery. But those devices were very secure. Because in some way they couldn’t communicate with the world. They had no antenna, no port, you couldn’t plug it into a PC. And so on. These
days, like the little calculators you used to get with the buttons, and those... Yeah,
I have one in my bag. Yes, exactly. But which is the device that everybody has in their pockets? It’s remarkable, the smartphone. So it was a natural choice. But a natural choice that, as I said, presented some trade-off. Because, of course, the smartphone, unlike the USB key, unlike the OTP key, has a connection, is connected 24/7, and is subject to and can also have malicious software. Now, there is a lot of malware that is specifically designed to trick, you know, the less educated users that are convinced by, you know, phishing emails to install these kinds of malware. And these malwares have the specific purpose of stealing the credentials that we have on our smartphones. So as you said, it was a game changer. It’s not necessarily a choice that has improved the security of these processes. And I want also to add something more: the hardware tokens had a cost. There are some reports that show that the total cost of ownership of those kinds of devices ranges between 20 and $40, which is quite a lot. Instead, with a smartphone, you know, it’s a device that the user manages, buys, you know, when somebody feels like it, and it costs much, much less. So the purpose of our technology is to, you know, kind of solve this trade-off between security and usability by giving a technology that can securely identify a user’s device without impacting his user experience, but with the highest level of security possible.
Do you think that cell phone penetration, I mean, it’s pretty high now? But I mean, obviously, you have different makes of cell phone, you have different types of phones; some people still have very old phones, not many of us now. But I mean, how does that sort of impact, particularly financial services, almost like being able to offer service for everyone, right? So you want to be able to make sure that you’ve got that universal service. And so is the fact we’re so reliant on cell phones, do you think, limiting that? What do you think, and do they have to look for other more expensive alternatives?
This is a problem, actually. Because in order to serve also those kinds of customers that do not have a smartphone, you need to keep alive some services like, you know, OTPs sent via text message, which are very insecure; it’s a very insecure way of proving the possession of a device, which actually is proving the possession of a mobile phone. Because there are a lot of frauds that can be perpetrated on these kinds of services. One is the SIM swap. The other one is, you know, malware that can intercept those SMS text messages, and so forward them to the malicious user. So your message, the message with your OTP, is sent to them, they can read it, and, let’s say it, so it’s very effective. Also, this kind of technology has been deprecated. I can cite, you know, a document by the National Institute for security and technology of the United States, the NIST, which deprecated this kind of technology back in 2015. So it’s almost 10 years. But you know, you have to keep them alive, because there are some people that do not want to abandon these kinds of devices. And of course, you cannot force them to change, to buy a smartphone. And so of course, you cannot prevent them from accessing their bank accounts or their, you know, financial services, payment systems and so on. So, yeah, it’s a problem for them.
Tell me a little bit about the unique identifiers. So I remember a technology years ago, about 10 years ago, when they were talking about, I suppose, looking at phones that are unique and have a unique code with each of the phones, and using a combination of those to uniquely identify them. And when we were chatting before you said there’s some problems with that kind of technology, which is some of the stuff that you’ve kind of done. So maybe talk a bit about why the unique identifiers in the phones really have got problems with them as well.
Sure, well, this is a very good question, because, as you said, there are already in the phone some codes, some serial codes, some addresses that can in some way uniquely identify a piece of hardware, and so a phone which this hardware is mounted on. But I can see two kinds of problems. The first is that these codes are assigned by somebody, you know, a producer; somebody has assigned these codes to that specific piece of hardware. So in theory, these codes are cloneable, or spoofable; they are very easily spoofable. So you can pretend that a specific component has a code instead of the one that has been assigned during the production phase. So they are cloneable, in theory. And the other problem, which is a more practical problem, is that those kinds of identifiers used to be used also for targeting users with targeted advertising. And this is something that is related to privacy, and is something that the mobile operating systems, so Apple, iOS, and Android by Google, are really trying to fight. There was a commercial in the last month in Italy, I guess, but I guess it was spread at least in Europe, where with the latest update of iOS, you had this, you know, there was this guy that was holding his iPhone, like this, you know, doing things on the phone. And then some people started looking, sneaking at what he was doing. And then these people became more and more, and then he just deactivated a toggle, and those people disappeared, poof, they disappeared. And that’s exactly what I meant. Because in the latest update of iOS, Apple has disabled, by default, all these kinds of identifiers. And these kinds of identifiers were used to provide users with targeted advertising, but were also used by, you know, authentication systems, anti-fraud prevention systems. And this is a problem for these kinds of companies, which actually use those kinds of identifiers, you know, in a legit way, okay.
Also selling advertisement is a legit way of using those codes. But the fact is that now, those codes are disabled by default. And there are statistics that show that only less than 20% of users actually enable those codes. And so it’s getting very hard to rely on those codes to reliably identify a device. So what is the difference between those codes and what we do? Well, what we do to identify the device, the characteristic of the hardware that we identify, has not been provided by somebody, but it’s inside the electronics of the device itself. Nobody has assigned that device ID, but we read something that stays inside the electronics of the device. And this, of course, makes these kinds of identifiers unclonable. Because these kinds of characteristics are related to processes which the producers have no control on. So they’re not able to remove them, they’re not able to clone them into different devices. And moreover, those identifiers are not soft identifiers, but are hardware identifiers. So they resist also the most extreme ways to reset codes, like, you know, formatting the device. If a fraudster wants to defraud several users with the same device, all he needs to do is to format the device between two consecutive frauds. By formatting the device, all the software identifiers will reset. And so the device won’t be identifiable in a sequence of frauds. Instead, the characteristic that we read in the camera sensor stays there, because of course you cannot format the hardware.
Yeah, so it’s almost like you’re measuring, almost like with great accuracy, the physical imperfections that naturally occur within the manufacturing process, and which are gonna happen; there are always some, some look at Six Sigma, I suppose there’s always some imperfections that are going to happen, but not material to affect the function of the phone. But if you measure it, then it becomes unique, right, and a combination of them properly. Exactly.
Yeah, they’re called PUFs, Physical Unclonable Functions. And as you said, they have no practical effect, you know, you haven’t, you’ve never realised that in the pictures that you take with the phone there is a sort of fingerprint of the camera, but it’s actually there. And it can be read, it can be extracted; you have to process the pictures, but you can read them. It’s almost like
just making me think it’s almost like facial recognition for phones. So just like our facial recognition for humans, right, we’re all humans, materially different. But yeah, yeah, yeah, it’s some
biometry of the phone. So if you pair this biometric of the phone with the biometric of the user, you get, let’s say, okay, you can never be 100% sure, but you can have the highest level of security that you can provide now. And you can go over the use of passwords, for example, because you’re already doing multi-factor authentication, or multi-factor verification, because you verify the possession factor, the biometry of the phone, with the inherence factor, the biometry of the person; combine them together, you obtain a multi-factor authentication scheme, and you can skip the verification of something that the user knows. You can keep, you know, in that case, you can keep it as a backup authentication, so a backup authentication; you don’t use it in the day-by-day operation. So you can ask for a very difficult password that users can, you know, write down, put in a drawer in the desk; they won’t use it every day, because every day they will use the most user-friendly techniques, and use the very difficult password as a backup, for example. Yeah.
So you think the days of the password are really kind of numbered? I mean, certainly my days of having 123456 as a password are gone. Or password as a password. But do you think the days of just generally a password are sort of completely going to disappear, where we’re going to have biometrics, which is us, and then it’s almost like that bio device, in a way, I think, is kind of the way you’re sort of describing it, which uniquely identifies, like a third-party type device?
Well, okay, let’s say, yeah, there was a nice joke by Barack Obama. Some years ago, he was talking to, you know, a cybersecurity conference, and he said that, yeah, my password is 123457. And everybody laughed, because he wasn’t using 123456, but 123457. But okay, I cannot, you know, I cannot forecast if it’s going to be days or months or years. I guess that in some way passwords will stay there, because for some applications they’re still good, as I said, for example, for the backup. But for sure, the trend is to abandon the passwords, at least for the day-by-day use. So when you access your email, you access your bank account, you access, you know, your e-commerce website, the trend is to abandon them. It’s not something that can be done super easily, because, you know, it’s something that has been there since the case. So it takes a while to abandon that. But the trend is set. And I guess that this is the way.
And in terms of personal authentication, in terms of individuals, so we’ve had the passwords, we’ve also got PINs that have also gone out. But then we’ve also got fingerprints, I suppose, on the phones. And we’ve also got, like, facial recognition as well. Do you see any sort of trends in terms of, like, different preferences for customers for using each of those? We’re all comfortable with passwords, although they’re a bit of a fiddle on a phone, I think, but I mean, fingerprints now seem to be more sort of facial recognition. Is that, do you think, any kind of trend in terms of preferences?
Well, let’s say that, you know, there are some events that cannot be easily forecasted. For example, everybody liked facial recognition, and then COVID came, yeah, you need to wear a mask, and for sure facial recognition systems stopped working. So, you know, it’s good to have alternatives. But let me be a little bit more clear about those kinds of biometric verifications. They actually are not biometric verifications. What I mean: when you use your fingerprint or your face to be recognised by your banking app, for example, you want to access your bank account from your home banking. Well, actually, the bank doesn’t know anything about your face, does not know anything about your finger, and they don’t want to know anything about that. Because it’s very sensitive data that needs to be treated. And if some of this data leaks, you know, you can recalibrate the phone, but you cannot replace your face or your finger. So it’s something that they don’t want to treat. So they rely in some way on the verification which is done by the operating system of your phone, which is something that stays locked on your phone; I mean, your finger doesn’t travel over the internet, nor does your face travel over the internet. But this means that the bank has no clue if the finger that is unlocking the phone is actually your finger, or your wife’s finger, or your son’s finger, or your cousin’s face; they don’t know anything about it. So what they verify, actually, is the device, meaning that using your finger, you unlock a credential that stays on your device, which is remotely verified. And this is a subtle difference, because you actually need to protect the thing that is stored on your phone, because it is the quantity that is actually verified remotely on the banking server. For example, when you show your face to the phone, it’s actually your phone that is unlocking a credential stored on your phone that the bank will verify.
So it makes a lot of sense to protect also the quantity that is protected by these kinds of biometrics. So you asked me, is there a preferred way? Well, let’s say that it’s not always the user that can, you know, influence, you know, the kind of technology of their bank, for example, if you want to keep the example of the bank we used. And of course, for the developers of systems, it’s a natural choice to choose what the operating systems, at least the most widespread ones, so Android and iOS, are offering now in terms of cybersecurity. And so I don’t think that, I mean, I don’t know, I don’t think that a user will change their bank because they don’t like the way their bank is making the authentication process. But you can see the trends in, you know, places where they are not mandatory, but they are optional. When those kinds of systems are optional, so the user is able to choose whether to use it or not, they will more likely activate those systems when they are user-friendly. When they are tricky to use, complicated to use, they simply say, okay, forget it, I will risk something. Yeah, no, maybe I’m aware of it, maybe I’m not, but I don’t want to use it if it’s too hard to use.
It’s kind of interesting, in terms of going back to my days in credit cards, if you look at the US, they never checked signatures, whereas in Europe they always checked signatures in terms of whether they matched or not; just generally, if you just look at it in the shops, it’s kind of interesting in terms of usability in different cultures, how that sort of plays out. So if you’ve got an encrypted key, essentially, on your phone, that’s an identifier for your phone, but there must be risks associated with that. And so can those be cloned? Which is where being able to uniquely identify the phone comes in as well?
Yeah. Yeah. I mean, about what you said, there are two things that must be said. The first is that, of course, the process that associates a device with the user must be robust. Because, you know, attackers, you know, they say that if you have a chain, the strength of the chain corresponds to the strength of the weakest ring. So if you make a ring stronger, okay, they will move the target to the second in the list. So that process needs to be strong, of course. And the other way, yes, you need to make those identifiers unclonable in order to be sure that even if your device is cloned... You know, cloning a phone is very hard to realise. I mean, if somebody steals your phone, you realise it immediately, because you’re used to having it in your hands almost always. If you forget your phone on the table, you realise it immediately. If somebody clones your phone, it’s like it was stolen, but, you know, you don’t realise it immediately, because you still have your object in your hands. So if somebody is able to clone the keys that are verified by your bank, it’s the very same as if they had your phone. So in theory, they’re able to access your account. So having credentials that are unclonable is of extreme importance, because you have to guarantee that as long as your phone is in your hands, nobody else will be able to use it to access your accounts.
And one of the things outside the model I would use for fraud is it tends to be that the cost of being able to perpetrate the fraud is quite important for the fraudsters, right? So the more you increase the cost to them, around having to, like, the cost of cloning, the cost of creating things, it affects their business model, which makes it unprofitable, which means they’ll go elsewhere, right? Which protects you, right? It seems like this is yet another barrier we can introduce to increase the security and sort of, you know, make sure the fraud doesn’t come to us.
Yeah, yeah, you’re right. I mean, nobody honest in the field of cybersecurity will tell you that a technology is 100% secure, because it’s impossible. As you said, you can put, you know, further gates, higher gates, again, around what you want to protect. But as you said, and now I will mention the case I was mentioning before, if you force the fraudster to buy a new phone every time he wants to steal, you know, 1000 euros from a bank account, well, it becomes less and less convenient for him, especially if this phone is, for example, an iPhone that can cost 1000 euros. So, yeah, if you put them in those conditions of not being able to use the same device to perpetrate a number of frauds larger than one, well, that makes his business model, well, less convenient for them.
Yeah. Do you think we can see increases in fraud? It feels like that is a trend that’s taking place, and it doesn’t seem like that’s a trend that’s gonna stop. I mean, what do you see as the future of fraud trends, and where we’re kind of sitting in the environment we’re currently in?
Well, I don’t want to say something trivial, but, you know, our world is becoming more and more digital. And, you know, COVID has kind of accelerated this process, because a lot of things that one could do also in person now can be done digitally. And then some people that weren’t used to doing something digitally have now realised that it can be done. So, you know, instead of taking a long time in order to, you know, do something at the post office, they can do it at home, and it’s very convenient. So the more this trend keeps going, well, the more the fraudsters will focus on those kinds of frauds, because they’re easier to do. You know, it’s always a matter of, you know, being one step ahead, one step forward of the person that is trying to, you know, steal from you. So yeah, I guess that this is a trend that cannot be stopped.
I think it’s a fascinating topic. And Giulio, thank you, thanks very much for explaining it. But clearly, as we become more connected, and as you start to get more and more connected, and it seems like that’s the trend, the risk carries on increasing. And then as we become more sophisticated, even after COVID, it becomes higher and higher. And so it’s interesting to see how the industry is sort of really reaching up to kind of meet that kind of task, really. So it’s fascinating, it really is. So, Giulio, thank you very much for explaining it all. It has been fascinating, so I really appreciate it.
Thank you. Thank you very much.