Q&A with StrongKey: on Reducing E-commerce Fraud, Enhancing Cybersecurity, and StrongKey’s Rebranding

By Community Team

A study released by Experian, the global leader in consumer and business credit reporting and marketing services, revealed that online shopping fraud in the US grew nearly twice as fast as consumer e-commerce sales in 2017. Given the dramatic rise in e-commerce fraud, it is imperative for businesses to implement stronger authentication and cybersecurity policies to help reduce these fraudulent online transactions.

One company that helps address the challenge of fraud in e-commerce transactions by ensuring that data, no matter the format, remains encrypted and protected at the highest possible level is StrongKey. As the leader in enterprise key management infrastructure, StrongKey secures data at its core through the use of strong authentication, encryption, and digital signatures.

SourceForge had the opportunity to speak with David Irwin, Vice President of Engineering at StrongKey, to talk about cryptography and cybersecurity as well as StrongKey’s recent news on its company rebranding. Irwin also shares insights on Magfido and StrongKey’s FIDO server and how these open-source components can reduce the risk of online fraud.

Q: Share with us a brief overview of StrongKey. What’s the story behind the name?

David Irwin, Vice President of Engineering at StrongKey
A: In 2006, StrongAuth released the first open-source symmetric key-management system with some very advanced security capability, called StrongKey. This software was hosted on SourceForge (SF). This was the first time StrongAuth – which was originally focused on using cryptographic keys for strong-authentication (hence the company’s legal name) – created a software product using cryptographic keys for encryption. Thus, StrongKey seemed a more appropriate name for the product.

The company has evolved since 2006 and is now focused on using cryptographic keys for strong-authentication, encryption, digital signatures, FIDO, etc. It seemed appropriate that StrongKey was a better fit for a company’s brand than StrongAuth (which in the geek world is associated only with strong-authentication).

Q: What types of industries do you currently serve and what pain points do you seek to solve?

A: We have traditionally found ourselves addressing requirements of PCI-DSS in the FinTech space. However, cryptographic keys, while mostly used in banking and military applications, are applicable to any industry that needs to protect sensitive information: finance, government, entertainment, biotechnology, manufacturing, utilities, defense, healthcare, education, and more. Our goal is to serve all industry segments, anywhere in the world (except legally embargoed countries); however, we may choose to focus our resources on specific industries at a specific time.

Q: User authentication and data encryption are two of the most crucial aspects of security. Can you explain to us in the simplest terms how these two components help enterprises build a solid security foundation?

A: The simplest way to explain how authentication and data encryption help enterprises build a solid security foundation is: Application Level Encryption and Strong Authentication (ALESA).

If data is encrypted and decrypted in any part of the system (e.g., the hard disk drive, operating system, database) other than the business application using that data, significant residual risks remain despite the encryption. Hackers can compromise a software layer above the encrypting layer to see unencrypted (plaintext) data, because the decrypting layer below will already have decrypted the sensitive data before sending it to layer above in the stack.

The application layer is the highest layer in the technology stack, which makes it the most logical place to protect sensitive data, as it presents the hacker the smallest target. This also guarantees that, once data leaves the application layer, it is protected no matter where it goes (and must come back to the application layer to be decrypted).

While encryption is a best practice, strong authentication should be the first line of defense. Strong authentication is the capability to use unique cryptographic keys combined with secure hardware (in the user’s possession) to confirm the user’s identity. The FIDO Alliance (fidoalliance.org) is working to simplify this problem by eliminating passwords completely; there are solutions that are currently on the market and successful deployments under way.

Once a company has achieved ALESA across the enterprise, they will need to add digital signatures to complete their security picture.

Q: StrongKey has recently experienced significant momentum with new funding and a corporate rebranding. Congratulations on these company milestones. How are the changes affecting your organization and what feedback have you received from your customers so far?

A: After a Japanese software company named Systena invested $10 million in 2017, we were able to use these funds to rebrand, scale our business, and add key executives in product, sales, marketing, and engineering functions. In addition to these changes, we opened a new office in Durham, North Carolina, which provides us access to a talent pool and increases our company reach to the East Coast and European markets. Our strong partnership with Systena also helps to build our brand collaboratively in Japan and Southeast Asia.

We’ve always had a very strong engineering and support relationship with customers. One of the most notable changes now is to be able to have the people bandwidth to build business relationships with them too. Customers are being invited in to influence the product roadmap in ways they haven’t before. We’ve been able to add on new product lines to address an even wider group of businesses and use cases within our current customer base. They also love the new octopus!

Q: According to information services company Experian, e-commerce fraud rose to more than 30% in 2017, compared with 2016. With so many cyber-attacks happening daily, how is StrongKey addressing concerns about data security and e-commerce fraud?

A: The majority of fraud can be traced back to poor password practices, but for StrongKey, we provide the security to avoid it and are focused on educating companies, developers, and individuals as to why these security breaches happen and how they can be avoided (“made irrelevant”).

Q: We’ve learned that you are currently working closely with the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) on a project to help e-commerce merchants and retailers reduce the risk of fraud. Can you tell us more about this?

A: On the heels of the success with FIDO in the Public Safety/First Responder (PSFR) project, the NCCoE recognized the potential for FIDO to play a significant role in reducing/eliminating e-commerce fraud. StrongKey proposed the idea of modifying the open-source e-commerce platform – Magento – and integrating FIDO into the platform to require FIDO-based strong-authentication when the merchant determines that the risk of the transaction is higher than what they’re able to absorb. This effort was successfully completed in mid-2018 and the NCCoE has published a DRAFT Practice Guide documenting how FIDO can help merchants reduce/eliminate e-commerce fraud using FIDO. StrongKey, in turn, is hosting the open-source Magfido component at SF.

Q: Tell us more about Magfido. What are its key features and capabilities? How does it revolutionize the way enterprises manage and mitigate the risk of e-commerce fraud?

A: Magfido is a component created by StrongKey to add FIDO U2F registration and strong-authentication to the Magento e-commerce platform. Once a user has registered a FIDO key with a FIDO-enabled Magento site, the merchant can choose to accept a transaction from a user, as a: 1) Guest; 2) Authenticated with Username/Password; or 3) Strongly authenticated with Username/Password + FIDO.

The merchant may make modifications to the Magfido component and integrate their own risk-based rules (the default component triggers the risk-mitigation code if the order exceeds USD25) to require FIDO-based strong-authentication from users. Users buying for less than USD25 can buy as a Guest or authenticate with a Username/Password, but if the transaction exceeds USD25, the Magfido component forces the user to authenticate with a previously registered FIDO authenticator.
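The step-up decision described in the two answers above, written out as an added example (not Magfido's own PHP code, and not from the interview): the three acceptance levels, the default "exceeds USD 25" rule, a merchant-supplied rule list where the strictest rule wins (the rule-list generalization is ours), and the case where step-up cannot succeed because the shopper never registered a FIDO authenticator. Function and type names are constructed for this example.

```python
from decimal import Decimal
from enum import IntEnum
from typing import Callable, Iterable, NamedTuple


class AuthLevel(IntEnum):
    # The three acceptance levels named in the interview, ordered by strength.
    GUEST = 0
    PASSWORD = 1
    PASSWORD_FIDO = 2


class Session(NamedTuple):
    level: AuthLevel        # how the shopper is authenticated right now
    fido_registered: bool   # whether a FIDO key was enrolled for this account


# Magfido's stated default: FIDO is demanded once the order *exceeds* USD 25.
# Decimal avoids float rounding surprises right at the threshold.
FIDO_THRESHOLD = Decimal("25.00")

Rule = Callable[[Decimal], AuthLevel]


def default_rule(total: Decimal) -> AuthLevel:
    return AuthLevel.PASSWORD_FIDO if total > FIDO_THRESHOLD else AuthLevel.GUEST


def required_level(total: Decimal, rules: Iterable[Rule] = (default_rule,)) -> AuthLevel:
    # Merchant rules combine conservatively: the strictest required level wins.
    return max((rule(total) for rule in rules), default=AuthLevel.GUEST)


def checkout_decision(total: Decimal, session: Session,
                      rules: Iterable[Rule] = (default_rule,)) -> str:
    """Return 'allow', 'step-up-password', 'step-up-fido' or 'deny-no-fido-registered'."""
    need = required_level(total, rules)
    if session.level >= need:
        return "allow"
    if need is AuthLevel.PASSWORD_FIDO and not session.fido_registered:
        # A step-up challenge needs a previously registered authenticator;
        # without one the order cannot be strongly authenticated at all.
        return "deny-no-fido-registered"
    return "step-up-fido" if need is AuthLevel.PASSWORD_FIDO else "step-up-password"


if __name__ == "__main__":
    # Constructed sample carts: one under, one at, one over the threshold.
    for total in (Decimal("10.00"), Decimal("25.00"), Decimal("25.01")):
        print(total, checkout_decision(total, Session(AuthLevel.PASSWORD, True)))
```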

Q: Looking ahead, what trends and technologies do you think are bound to shape the future of cybersecurity? How is StrongKey meeting these?

A: Once companies get past ALESA and digital signatures, we really see only Blockchain as being a truly transformative security technology.

StrongKey is focused on the basics of encryption done right. We believe that FIDO2, cloud security, encryption key management, and developer security APIs to build into apps from the start are bound to shape the future of cybersecurity. We are currently in the process of FIDO2 certification and a web project that will underpin our data security initiatives.

About StrongKey

StrongKey, formerly StrongAuth, Inc., is the leader in enterprise key management infrastructure that offers products and services in symmetric key management, tokenization, encryption, FIDO, and PKI. Headquartered in both Silicon Valley, California and Durham, North Carolina, StrongKey focuses on securing data in cloud computing, healthcare, e-commerce, finance, and other sectors.