Monday, July 1, 2024 06:00 (GMT+7)
The fight against fraud and counterfeiting will only get tougher in the future. Every time an attacker breaches a level of protection, we are forced to use a new weapon to stop them. And this time we have to reach into the “biometric” arsenal.
The essence of the fight against fraud and counterfeiting is that when we draw a magic sword, the attacker must not be able to neutralize it. The sword will certainly work in the short term, but maintaining that effect over the long term requires a careful strategy.
Online fraud is becoming more sophisticated. The move to add biometrics to the protection is a sign that the battle will be fierce. The biometrics arsenal has many levels, and each move to a higher level is an “irreversible” step. If the level keeps escalating gradually until genetic data is used, that will be the final step, and if we lose there, no other weapons will be left.
Now we have to use real images, captured in real time, to confirm transactions. Of course, there will need to be huge data warehouses to store images and biometric data for matching and authentication. Of course, real images will be transmitted through information channels. What will happen when these data warehouses are attacked, or when transmission lines or terminals are accessed? Bad guys will have all the user data again. And with increasingly powerful AI tools, what will ensure that bad guys cannot overcome the new authentication wall?
We are collecting more and more personal data. While we cannot protect the old data, what guarantees that we will protect the massive new data that has been and will be collected? More dangerously, if bad guys access the image and biometric data, they can impersonate us not only for bank authentication but also for many other purposes unrelated to banking. They can create a fake version of who we are that we cannot control, and we cannot prove that we have been impersonated.
First, people need to be aware that they should demand protection for themselves, and the management agency must be responsible for protecting biometric data so that it does not fall into the wrong hands.
When banks take an irreversible step, there must be responsibility and laws to protect people. The root of the problem lies in ineffective technical measures for protecting personal data and in superficial policies for assigning responsibility for data disclosure. As a result, bad guys can easily overcome the protection steps and gradually disable the system's controls.
To truly protect, before collecting personal data, the state and banks need to commit and clarify:
- If biometric data is leaked, what is the bank's responsibility? Who or which specific unit will be responsible, and what are the sanctions?
- What security measures does the system have to ensure that no individual link in the chain can access confidential data? The technical system must ensure that even if bank employees (including managers) are manipulated, they still cannot access and sell personal data.
Data security is a huge and difficult issue, and even the most talented IT people cannot foresee all the vulnerabilities. Imposing a deadline of July 1st could force banks to use weak, untested systems that are easily penetrated by bad guys, and the consequences would be unpredictable. We need to be very careful and test in limited steps, so that new methods are applied widely only when maximum security is achieved.
We also need to learn from the world. In terms of data security, we can look at China's experience. After a period of widespread data collection, they have understood the seriousness of revealing personal data and have clear laws to deal extremely strictly with all units that reveal data. The more important the data, the higher the responsibility. When the responsibility is pushed to a very high level, no one can ignore it.
All units that own personal data will have to seriously implement technical protection solutions at the highest level. From that need, companies specializing in security assessment and the implementation of security measures have developed strongly, and many "unicorn" companies have opened, promoting a dynamic digital security economy of very high quality, built on security standards carefully considered by the state.
A well-functioning system is one that maximizes protection of people's personal data, while collecting only minimal personal data from people.
Source: https://laodong.vn/kinh-doanh/xac-thuc-bang-du-lieu-sinh-trac-hoc-nhung-buoc-di-khong-the-dao-nguoc-1359890.ldo