
Michael Bridges

Michael Bridges has served the life insurance industry with technology and thinking that challenges change within the industry. As a respected thought leader among his peers, Bridges has participated and helped shape our industry’s progress over the last 20 years. Bridges has received several US and foreign technology patents related to data security and compliance benefiting and protecting industry processing. Bridges currently leads PaperClip Inc as their President and COO.

Data Breach Party—Who’s Paying The Bill?

If you are the owner or the caretaker of a financial services industry firm then you have a $4 million plus liability waiting for you—the data breach. The financial services industry collects personal information, financial information and, in some segments such as insurance, health information. This is the data the cyber criminals want to steal.

Just to be clear, the information cyber criminals are after are our names, social security numbers, date of birth, and anything that identifies an individual (PII). Next is nonpublic information (NPI), typically financial information encompassing credit cards, bank accounts, loans, and mortgages. Cyber criminals are also after personal health information (PHI). This is any type of information regarding medical conditions, pharmacy, family history and more. These three categories of confidential information are at the center of transacting business in the financial services industry.

According to the IBM 2021 Cyber Security Report, the average breach costs $4.23 million and, if that breach included medical information, it could reach as high as $9.2 million.

Now when we talk about the average breach, what is that? It’s every company that’s reading this article. At $148, the average cost of breach mitigation per record, it only takes approximately 30,000 stolen records to reach that figure. Larger companies rise to mega breach liability: 50 million records stolen with an average cost of $400 million to resolve. These breach costs are typically expensed within the first 12 to 18 months. For more detail on the anatomy of a breach, you can read the entire article discussing these events and their associated cost in the Broker World archive.

Well now, who is responsible for this average breach? Who has to pay $4.2 million? It’s every company reading this article. Federal and state laws hold the firm or organization that collects the user’s data responsible. That means you are responsible for the data breach; you will pay any fines or fees resulting from any legal action. As a company or firm processing transactions on behalf of a customer or client, you are now the data owner—you are responsible for the privacy and security of their information. A third party engaged to manage that information (a cloud SaaS vendor) is called the data holder. If a breach occurs at the data holder’s location, the data holder must notify the data owner, but not much more than that. The data owner who outsourced to the third-party SaaS vendor may pay more in fines related to how the data holder secured the information and your failure to do proper due diligence over their operations. Again, to be clear, the data owner (that’s you) bears all the financial responsibility. There are some exceptions to this, such as HIPAA, which, under certain circumstances, can fine the data holder as well.

Inside the company, the CEO most likely accepts the blame for the breach. A third of these CEOs either resign or are fired shortly after the breach. The cyber security community believes the C-Level leadership is responsible because they control the budgets that impact the resilience of their cyber security. IT professionals continually need more technology, which costs more money to protect the data they’re in charge of.

Cyber security professionals face a daunting task; they are fighting a criminal that has the advantage. Attackers, according to the IBM cyber security report of 2021, maintain a presence inside the company’s infrastructure an average of 297 days, almost nine months, undetected. Once the attackers get through perimeter security they are inside the infrastructure. They then conduct reconnaissance, inventory all the assets of the infrastructure and understand the security in place, while always pursuing the highest level credentials they can obtain. Once inside the infrastructure with credentials they can steal your data. Over the last decade, security professionals have focused on the internal infrastructure with what is called Network Detection and Response (NDR). NDR has proven useful, reducing the average stay inside the infrastructure to 222 days. New solutions appearing in the market leverage artificial intelligence to reduce the number of false positive detections, making NDR more effective.

Cyber security experts agree that the only defense to the breach pandemic is encryption. Cyber encryption was first deployed when companies wanted to interconnect data systems over dedicated lines, and to secure them they created the Virtual Private Network (VPN). When businesses turned to the Internet for conducting business, they turned to internet HTTPS protocols. Today Google estimates that 95 percent of the Internet traffic is encrypted. Before encrypting the Internet, it was very easy to listen—all you needed was an ethernet packet sniffer and you could collect data real-time. This encrypted traffic is known as “encrypted data in motion,” and, with today’s strong encryption, encrypted traffic has not been cracked.

Once we secured the Internet and before the cloud, most business computing was done at on-premises and co-location data centers. The attackers changed their tactics to stealing hardware, hard drives, and backups. In 2008, Microsoft introduced Transparent Database Encryption (TDE). This symmetrical encryption scheme encrypted the database requiring a login or additional authentication whereby the database would be decrypted and available for use; this is known as “encryption at rest.” With TDE encryption deployed on databases on notebooks, desktops and servers, databases were now protected with strong encryption. This was a significant improvement because if a notebook computer was stolen and the database was protected with TDE security, experts would determine there was no breach. Security professionals agree confidential information with strong encryption provides no access to its contents, therefore the data owner is in safe harbor—no harm.

Now with “encryption at rest” protecting mobile devices, notebooks, desktops and servers, the attackers changed tactics again and started penetrating infrastructures to reach the data in use. This attack surfaced over the last decade and has created the most damage and what we call the breach. Once inside the infrastructure attackers have direct access to plaintext data in databases that support our business applications. The logical next step would then be to encrypt the “data in use.” Unfortunately, if you encrypt data in use your applications will not run. The utility of encrypted data in databases becomes inoperable—no searching, no computations, no productivity. If we could encrypt our data maintained in databases while in use, the attackers would find no value in stealing your data and they would be out of business (e.g., sell your cryptocurrency).

Over the last decade plus, academics and researchers have been working with a new type of encryption called Homomorphic Encryption (HE). The goal of HE is to do computations on encrypted data while the data remains encrypted. In 2009, Dr. Gentry demonstrated the use of lattice cryptography whereby computations could be performed on encrypted data. Dr. Gentry called this variation Fully Homomorphic Encryption (FHE). Since his disclosure, many technology companies have continued his work on FHE because it was the first scheme that could do both addition and multiplication. Many security experts agree that encrypted data while in use would be the “Holy Grail” of data security.

Unfortunately, FHE is not ready for prime time. It will take a few more decades before a practical use may be realized. FHE suffers from several problems which impact performance, encryption strength, and accuracy. FHE is 10,000 times slower than today’s SQL performance. For example, a SQL query taking 25 milliseconds to execute normally would take 3 ½ minutes in FHE. FHE encryption strength is limited to 128 bits, considered weak encryption by today’s standards. FHE multiplication is limited to integers and small data sets so as not to suffer from execution noise—but we never give up.
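To make the “computations on encrypted data” idea above concrete, here is an added example that is not code from the article or from the author’s product: a minimal Paillier cryptosystem, which is additively homomorphic only (it predates Gentry’s work and covers the addition half of what FHE promises). The demo primes and the sample face amounts are constructed for this illustration; a real deployment would generate fresh primes of 1024 bits or more.

```python
import math
import secrets

# Demo primes: the Mersenne primes 2^31-1 and 2^61-1. They keep the example
# fast and deterministic; they are far too small for real use. (Constructed.)
DEMO_P = (1 << 31) - 1
DEMO_Q = (1 << 61) - 1


def keygen(p=DEMO_P, q=DEMO_Q):
    """Paillier key pair with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # modular inverse of lambda mod n (Python 3.8+)
    public = {"n": n, "n2": n * n}
    private = {"lam": lam, "mu": mu}
    return public, private


def encrypt(public, m):
    """c = (1+n)^m * r^n mod n^2 with a fresh random r, so two encryptions
    of the same plaintext look unrelated to anyone holding only ciphertext."""
    n, n2 = public["n"], public["n2"]
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    # (1+n)^m mod n^2 == 1 + m*n mod n^2 by the binomial expansion
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def decrypt(public, private, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, n2 = public["n"], public["n2"]
    u = pow(c, private["lam"], n2)
    return ((u - 1) // n) * private["mu"] % n


def add_encrypted(public, c1, c2):
    """Homomorphic addition: Dec(c1 * c2) == m1 + m2 (mod n)."""
    return c1 * c2 % public["n2"]


def mul_plain(public, c, k):
    """Homomorphic multiplication by a known constant: Dec(c^k) == k * m (mod n)."""
    return pow(c, k, public["n2"])


def encrypted_total(public, private, amounts):
    """The data holder side only ever multiplies ciphertexts; the data owner
    side decrypts the single resulting total."""
    running = encrypt(public, 0)
    for a in amounts:
        running = add_encrypted(public, running, encrypt(public, a))
    return decrypt(public, private, running)


if __name__ == "__main__":
    pub, priv = keygen()
    # Constructed sample: policy face amounts the data holder stores only encrypted
    sample_amounts = [250_000, 100_000, 500_000]
    print("total computed over ciphertexts:", encrypted_total(pub, priv, sample_amounts))
```

Multiplying two ciphertexts together is exactly the operation Paillier cannot do, which is the gap Gentry’s lattice-based FHE closed.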

I am proud to have worked over the last five years with a group committed to finding a solution to “data in use” encryption. Remaining true to the tenets of homomorphic encryption, this group has created a new solution that allows us to encrypt the database and use it in commercial applications never having to decrypt while in use. This patented technology along with other innovations can now stop the breach, eliminating the attacker’s reason to begin with. This group set out with the real world security understanding that the attackers are inside the perimeter, the attackers have gotten credentials and that every database query is an attack. This unique privacy enhancing technology will be available soon for anyone to finally secure their data from everyone. Its zero trust encryption ensures that no single keyholder could access the data, removing implicit trust to data holders, and that data owners cannot be betrayed by internal staff. Application Program Interface (API) access to the data also is secured by zero tolerance threat detection and response quickly isolating attackers and blocking them.

If you are still reading this article, the good news is that the cavalry is just over the hill. In a very short time you and your vendors will have access to new tools that will stop the reality of a breach and save your company. Remember, it’s always better to be safe than sorry. Let’s stop the breach.

Independent Life Distribution Technology Survey

The Life Brokerage Technology Committee (formerly NAILBA Technology) is a gathering of industry technology leaders with great experience to discuss and report on standards and trends. The group is represented by brokerage general agencies, carriers, medical information providers and solution vendors. Workflows were documented, data sets were negotiated, and appetite to change was measured. In short, the day’s discussions produced new solutions and road maps that materialized some years later. The committee’s work over the last two decades did bear fruit and greatly impacted cycle time, accuracy (IGO), underwriting, and digitalization to big data, while the cost savings were taken over by rising compliance cost.

Then COVID-19 hit us out of left field. A new virus to all of us, it required us “overnight” to work from home, wear a mask and quarantine. Thankfully the current maturity of our available technology made it possible. The pandemic forced change in the life insurance process as well. In 2016, 45 percent of BGA new business submissions were E-Apps (full), which by October 2020 jumped to 75 percent. In 2016 the number one E-App obstacle to adoption was “Agent Training.” It took a pandemic to create change, and even other lines of business (i.e., annuity, long term care, final expense, group, disability) grew from nowhere to 20 percent.

LBTC conducted a 2020 survey that was different from the previous eight years of surveys. The new qualitative paradigm focused on areas of the workflow process to automate and standardize whereas the previous surveys focused quantitatively on tools and vendors. The PaperClip survey adhered to the old survey scheme because many people would use its results to help justify partnering on projects and decide who to spend resources on. Experience shows you want to engage with market leaders whereby the desired change being introduced would reach the largest audience possible. In review of the LBTC 2020 survey the takeaways were exchange standards, automated underwriting, commission standards and E-Policy delivery.

The leader by request remains “Data Exchange Standards” with the specific mention of Application Program Interface (API), and second was Automated Underwriting (AU). These two items are joined at the hip, and to get an effective AU you will need the appropriate data. ACORD messaging, as the standard for many years, became problematic because of the different needs it had to address for data exchange, which is why virtually everyone had their own flavor of the ACORD standards. This is now changing to a less structured format, a simpler JSON (key/value pairs) model, while relying on a common data dictionary. The next question becomes who should create the data dictionary, LBTC or the vendor community? The LBTC is the best venue to construct the data dictionary terms and to manage the terms. The Data Dictionary, though, should support custom terms as needed.

Next is actual integration from the source data container (E-App, AMS, Paper App) to the receiving partner’s data container, SaaS to SaaS. So, let us start with the design question of “Point to Point” or a “Centralized Hub Model.” Well, the Centralized Hub Model is the most efficient choice based on our 22 years of experience exchanging over 70 million documents just last year among 1,400 Points of Presence (PoP). Today, data integration is dominated by point-to-point vendor SaaS PoP. One would think it should be a one to many, but every customer needs a change because they do things differently—ACORD’s challenge. Whoever brings the solution to market, it should be “Data Dictionary” based and the community (LBTC) should police it like we did with document exchange (can anyone say doctypes…).

The 2020 PaperClip Survey maintained the vendor questions so the reader can see what their peers are doing with their technology resources. We see from our customers a continued trend to move from on-premises to vendor SaaS solutions. The driving forces are work from home, compliance, and technology staffing cost. The buyer’s top requirements are compliance and integrations with other vendors. Larger offices (> 100 users) want Cloud (Azure, AWS, IBM, etc.) deployments because cyber security depth will only be accomplished in the Cloud.

The following results reflect vendors that singularly or collectively obtained more than 65 percent market share. The complete report can be downloaded from PaperClip’s website. The survey request was sent to over 5,000 people—249 started the survey and 39 participants completed it, dominated by BGA distributors (33). The responding BGAs reported they process 150 to 300 life and annuity applications per month. These BGAs process 80 percent of their business with six to 10 carriers. BGAs rated “ease of doing business with,” “product pricing” and “relationship with the underwriter” as very important in keeping their business. An agent produces about 50 to 150 applications annually, and the age of these producers is 40 to 60 years old.

BGAs use social media to attract agents and to keep current producers informed. The primary services are LinkedIn (87 percent), Facebook (56 percent) and Twitter (41 percent). Fifty-six percent advertise on these social services while only 38 percent prospect.

The following solution categories and vendors again represent the market share leaders, but each category is being challenged by new vendors that have a strong mobile offering. As noted above, the age of producers is just now including millennials and that group will gravitate to mobile selling tools. The most requested mobile applications are quotes, illustrations, and pending case status.

Customer relationship management (CRM) is the solution that manages your client relationships and interactions with prospects. There were eight different vendor responses, led by SmartOffice and “None,” and 25 percent of respondents do not use CRM tools. I expect significant change here with mobile adoption.

Agency Management Systems (AMS) market leaders remain iPipeline’s Agency Integrator and Ebix’s SmartOffice. Only 15 percent of BGAs open access to their AMS to producers. BGAs would open more if “pending case status” was better. Fifty percent of BGAs use carrier web sites instead of accepting the AMS data feeds. The lack of timely and accurate data is the objection and remains on the BGAs’ top five LBTC request list. Quote Engine had 14 vendors listed, with the market share belonging to iPipeline’s LifePipe and Ebix’s VitalSales Suite.

Document management, with eight vendors, maintains PaperClip’s Virtual Client Folder as the market leader. Interesting here is that 13 percent of respondents report “None.” I hope this means they paper-out and store paper. If this means images on a local hard drive it would be considered today as gross neglect. BGAs’ preferred methods of submission to carriers and receipt from medical service providers are “secure email” and “imaging vendor;” at zero percent, it looks like the FAX machine and FTP servers are finished. Secure email delivery was led by PaperClip’s eM4 and TLS direct connect. Twelve percent reported “None,” which opens their email traffic to the world—not a good thing.

Electronic Application (E-App) with six vendors noted is led by iPipeline’s iGO. The next group combined representing 30 percent were Applicint, Ebix’s LifeSpeed and PORCH. Twenty percent selected “None” with only one write in for “home grown.” E-App electronic signature most used was DocuSign followed by Click Wrap (10 percent). Deeper in the survey, Customers (41 percent) would prefer a simple “Click and Close” solution. Drop Ticket options support nine solutions with “Carrier’s Direct Link” and ApplicInt holding the market share. Agents that will take a paper application and then rekey it into an E-App was 25 percent and BGAs that keyed from paper was 36 percent. This tells us that 61 percent of new business is from distribution via E-App and 39 percent is still paper.

Electronic Licensing and Contracting (E Con) only had two vendors with the leading market share held by SureLC followed by “None” (18 percent). Electronic Policy Delivery (E-Policy) is owned by carrier provided solutions. The major reason is risk tolerance—each carrier wants it done their way. BGAs would like to see that change but I think this falls into that untouchable realm of events like Check21 and 1035s—a “carrier-controlled process.” The leading E-Policy E-Sign vendor is DocuSign.

Compliance was something new added to the survey. Since compliance continues to demand more resources, we wanted to see how those surveyed viewed compliance. Many misconceptions surround responsibility for unauthorized use of confidential information. The truth is, “You can outsource your technology but not your responsibility.” Managing third party confidentiality is a double-edged sword—it cuts both ways. Access to secure data starts with the User placing confidential data into the solution, which creates a liability for the vendor.

When asked, “Where do you maintain client confidential data?”, 28 percent reported “In House,” 44 percent “Vendor” and 33 percent “Both.” This means the majority of BGAs continue to maintain shadow files, most likely in digital format. Here is where we start judging neglect versus gross neglect. If you conducted the best practices of oversight required by federal and state authorities’ laws, regulations and rules, loss of data at worst could be found neglectful. If you ignored or only partially approached cyber security and conduct, you most definitely would be considered grossly negligent and most likely fined.

Compliance “Best Practices” start with documenting how you control confidential information. Areas to address typically fall into these categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. These policy documents serve as the basis of training your staff on how to manage the personal data customers have trusted you with. Once you have policies and procedures you must maintain these documents to reflect change that naturally occurs as a business scales both up and out.

Annually these processes are evaluated and tested by an approved auditing firm in what are called Service Organization Controls Audits (SOC Audits) and, because you manage medical information, a HIPAA Audit as well. As part of the SOC Audits you need to provide evidence of third-party penetration testing of your internal/external network assets where confidential data exist. The 2020 Survey reveals that 25 percent conduct SOC Audits, 43 percent HIPAA and eight percent PEN Testing. A positive trend is the adoption of Multi Factor Authentication (MFA /2FA) at 72 percent and Single Sign On (SSO) at 59 percent. BGAs need to become more aggressive with cyber security and compliance.

Since most solutions are outsourced to vendors, the good news is that you can get major SOC and HIPAA carve outs by leveraging the vendors’ compliance documentation (i.e., SOC2T2, HIPAA, PEN, etc.). This helps to keep your audit simple. Some simple suggestions: Your “Clean Desk” policies should ban the keeping of shadow files, and all employees should execute a privacy agreement that identifies your documented policies. Training and infrastructure maintenance should be continuous, so start a business objective to get audited (everyone starts with a SOC2 Type 1) and ask your auditor if they would combine it with HIPAA, because the auditing controls are very similar. It is a great time and cost saver.

To improve cyber security, I would recommend we move to a 10-character minimum password scheme. Today, according to many experts, it takes five hours to crack an eight character all lowercase password, while it takes four months to crack a 10 character all lowercase password. Very strong passwords at eight characters can take a couple of years to crack and the Vendor community follows the strong password requirements. Truth is that hackers are not trying to hack your password when it’s proven to be easier with Phishing, password sharing, and poor system design that leaves passwords stored on-site in text files, databases, browsers and the actual code or email with no encryption.
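The brute-force arithmetic behind that length recommendation, as an added example that is not from the article: the only page figure it uses is “five hours to exhaust an eight-character all-lowercase password,” from which it derives the guess rate that figure implies (an assumption, not a measured number) and then shows what the same attacker faces for other lengths and character sets, including that eight characters drawn from the full printable set outnumber ten lowercase ones.

```python
# Added example: exhaustive-search work factor behind password length advice.
# Only page input: 8 lowercase characters exhausted in five hours (assumed).

LOWER = 26            # a-z
LOWER_DIGIT = 36      # a-z plus 0-9
FULL_PRINTABLE = 95   # printable ASCII
SECONDS_PER_DAY = 86_400
PAGE_BASELINE_SECONDS = 5 * 3600  # "five hours" for 8 lowercase characters


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return charset_size ** length


def implied_guess_rate(charset_size: int = LOWER, length: int = 8,
                       seconds: float = PAGE_BASELINE_SECONDS) -> float:
    """Guesses per second an attacker must sustain to exhaust the space in
    `seconds`; derived from the page's five-hour baseline (assumption)."""
    return keyspace(charset_size, length) / seconds


def days_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case days for the same attacker against another policy."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def work_factor_vs_baseline(charset_size: int, length: int) -> float:
    """How many times more work than the 8-character lowercase baseline."""
    return keyspace(charset_size, length) / keyspace(LOWER, 8)


def work_table(rate: float):
    """(charset name, length, keyspace, days) for a few common policies."""
    rows = []
    for name, size in (("lowercase", LOWER),
                       ("lower+digits", LOWER_DIGIT),
                       ("printable", FULL_PRINTABLE)):
        for length in (8, 10, 12):
            rows.append((name, length, keyspace(size, length),
                         days_to_exhaust(size, length, rate)))
    return rows


if __name__ == "__main__":
    rate = implied_guess_rate()
    print(f"implied attacker rate: {rate:,.0f} guesses/second")
    for name, length, space, days in work_table(rate):
        print(f"{name:>13} x{length:2d}: {space:>22,d} candidates, {days:>12,.1f} days")
```

Each extra lowercase character multiplies the work by 26, so the jump from eight to ten characters is a factor of 676, which lands close to the article’s “four months” at the implied rate.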

Overall, the survey was good, with positive trends toward eliminating paper and touch points to process business. E-App for term and other simplified issue products has strong adoption, agent self-service portals have come online, automatic underwriting is rolling out quickly and “I’ve got a guy” quoting is seeing investment from BGAs, IMOs and carriers. Vendors have new challenges too—integration. The world of cyber security and compliance is making it harder to align with vendor partners that have a mature cyber security regimen. The risk of integration is in competition with Users’ ease of use. Example: If you’re downstream of an SSO integration, how can you document that the SSO complied with MFA? How can you document that your TLS connection did connect securely? How did the agent manage the information they electronically captured and sent to you? What are their safeguards?

Distribution is making the change and the industry is prepared.

The Anatomy Of A Breach

Let’s start with some findings relating to breach and current events. A mega breach is more than a million rows of data lost or stolen. A million records is not hard to get to these days and, if breached, the remediation expense is the heaviest in year one, two-thirds. Year two is 22 percent and then 11 percent for the out years—but experience would tell us that toward the end of an event like this the last 11 percent will cost you about half your money and half your time.

Who’s breaching you? Fifty-one percent are your classic hackers, outsiders, out there to just get some financial gain and steal identities. You can basically divide a breach into three motivated categories: Identities, financial and health. Identities have value for impersonation, people trying to use your ID to get a job, travel and more. Financial theft is all about what it sounds like, taking someone else’s money—steal a credit card and use it until it dies. Medical record theft has the most value, a complete identity kit. The dark web calls this theft “The FullZ,” everything you need to build a new life.

Twenty-four percent of breaches are human error—those are your employees clicking on websites not knowing what they’re doing and downloading malware or getting phished via email. Twenty-five percent of breaches are from system glitches. This one makes me smile because a system glitch is something that breaks but then fixes itself. In software systems, to me, that’s just bad coding and “fixes itself” is when services are restarted or computers are rebooted. Hackers are always looking for bad coding or what we call “vulnerabilities.”

Another important statistic today is the likelihood of being breached. In 2020 you are one-third more likely to get breached in the next two years. If you’re sitting at a table right now with someone to your right and left, you or one of them are going to get breached.

The anatomy of a breach is a collection of events and the time they play into.

January: For the last 279 days on average the hackers have been sitting in your system undetected. They have figured it out through elevated access, privileges, passwords, and discovery—for almost nine-plus months. They now have all your data and now you just discovered it! Equifax hackers sat in their systems for ninety days until they were discovered. The CEO is briefed, the board of directors are briefed, everybody pulls out the playbook or the incident plan, and hopefully everyone has one so they can determine the next play to call.

February: Well that is obviously to go to your breach law firm—every organization should have a law firm with breach experience. I mean, through contracts or any type of cyber questionnaires or surveys about breach notices, the lawyers are running the show. Do not think your employees will be calling customers telling them that they just got breached and lost all your NPI, PII and PHI. The law firm is going to manage communications. Your job is to start determining how many records are stolen, isolate the vulnerability and plug up the hole.

March: The law firm has now picked a cyber forensic firm. They’re working very hard collecting information, interviewing your IT and other individuals concerned. Other people in the firm are researching and assessing federal and state laws. They’re trying to understand what the level of breach is and whether there are any safe harbor exemptions. Then the next decision is how and when to contact law enforcement if they didn’t call you first. Many times a company first hears of the breach when law enforcement calls them because they found data related to you.

April: Public relations firm is now selected; somebody has to go out and tell the world that this breach event has happened. So, they are being coached by the law firm, and forensics firm, and everyone agrees when to go public. It now tracks pretty well that seven percent of your customer base is lost—and that means they’re not coming back.

May: In May, public relations is fully engaged, the forensic reports are coming in and you now know the who, what, when and where about the breach. Full knowledge of the breach, on average, takes 73 days. Once all that information comes in, 30 percent of those breached companies fire the CIO or CISO.

June: With all the reports coming in you now have identifiable, quantifiable records to address. The company, the law firm and the PR firm gather and decide on what credit monitoring to engage. It is very clear now what the state and federal laws are that must be adhered to.

July: Credit monitoring selected is directly related to the information stolen. Identities are going to cost you about 10 to 15 dollars…if that included financial information you’re getting up there around fifty bucks…and if that also included medical information then you’re nipping at a hundred dollars per record. So this is where the big money starts to spend; now you’ve spent ten million dollars just to go out and protect people’s credit for a year. And just so you know, the average shelf life of people’s data is four years. Back at the ranch the law firm is talking to your employees involved that may have any information that could help. The real critical part of this is that they are looking for the decision of negligence, a breach of duty, because a finding of gross neglect down the road here is going to be a multiplier for what’s coming.

August: The law firm is now answering all the federal and state inquiries. They know what they must report—to whom and by when—while starting those interviews. Now the board of directors have decided if the CEO stays or goes. Three out of 10 CEOs are terminated.

September: When the Board reaches decisions like that, they’ve pretty well figured out who they’re going to hire. The interesting thing here with the new CEO, CIO or CISO, they’re looking for people, oddly enough, who have breach experience—experience that will help them navigate over the next few years. Public relations remain engaged, they’re running with the company message, working its reputation, getting out there as much positive information and truthful information as they can. Now all the people who are going to be hurt and become victims form up and start bringing civil actions.

October: The new CEO and team have decided on what enhanced security they want to deploy immediately, they promised to increase the cyber budget by two or three times, and everybody in the company has to go through cyber training multiple times.

November: The federal and state fines are being levied, you know how much they want, and a lot of it is being driven again by the type of information that was taken. Equifax has paid over $700 million in federal and state fines. Public relations is continuing their work.

December: The legal group continues the civil actions; public relations continues working and settlements are being agreed upon. Your one million record data breach has now cost you $48 million, and that is only the first-year two-thirds; as you can see, when you take that out over the next couple of years you will be nipping at $100 million.

Let’s turn the conversation now to the people whose data, which you were entrusted to protect, has been affected. The average victim is losing $197. If they are a casualty of this breach, they could lose their job or contracts through no fault of their own.

The psychological effects include anger, annoyance and a sense of being cheated, and most everybody is left with a sense of helplessness. What is interesting here is that cyber-crime today in 2020 is tracking with what we’ll call physical crime—assaults and burglaries. People have that same emotional stress now about their electronic records as they do about their property.

Back at the shop employees have reputational issues, you have already lost some of your key members, and soon other staff will be lost. Those that work with the customers are constantly having to defend and promise that they can and will do better. The media is nothing but negative press. You lost customers’ data. How dare you lose their data!

Social media is just a disruption and the people get a negative perception of technology; when someone really wants to come out and tout something new people just see it as another chance to be robbed. Morale, for obvious reasons, has reached a low point and that’s where the leadership has to come in—positive action and positive leadership.

Economically $197 doesn’t sound like a lot, but when you take it times a million that’s $197 million that’s coming out of the people that trusted you to protect their information. And some of them will never be made whole. Example: In the 2020 settlement for Equifax, the court capped the top line claim at $20,000. If you lost $30,000, or $50,000, you lost money and you are not getting it back.

Of course, with all these individuals and the way they feel, 80 percent said they will continue to use the internet despite the risk, so they will simply become victims again when the next group gets hacked. Equifax lost control of roughly 150 million records of identity and financial information, almost half of Americans. To date, Equifax has paid out over $1.3 billion.

Cybercrime And Cryptocurrency— Things That Make You Go Hmmm… (Part Two)

The notion here is that cybercrime is fueling the cryptocurrency market through money laundering; the two are interdependent. If we eliminated 95 percent of cybercrime, we could declare victory and keep $5 trillion moving in our global economy.

I picked today to start writing because the Bitcoin mining reward halves today. A BTC halving simply means a 50 percent pay cut for the miners who build and verify blocks. Miners whose margin disappears switch off hardware and cut their expenses, so the network’s security budget shrinks with the reward (the difficulty adjustment keeps blocks arriving roughly every ten minutes, so the effect is less hashing power behind each block rather than fewer blocks); advantage cybercriminal. When I wrote the Part One article, BTC was trading at $6,800. This past Friday it closed at $10,000. No one can predict whether the mining cutback will affect the coin price as it has in the past. I believe it will go up because of the COVID-19 pandemic and ignore the 50 percent cut in the mining reward. Hackers are having a field day with us opening our systems to enable work from home, and this summer we will see an uptick in reported cybercrime. Hackers will have more money to push into BTC. The BTC market cap will grow, and that is the fuel for BTC appreciation.
Three promising approaches, core to our perimeter defense doctrine, are coming on line and will become game changers in stopping cybercrime: Identity and Access Management, Software Defined Perimeter, and Searchable Symmetric Encryption. Think about what’s important (people accessing content); it’s that simple.

Identity Management has many implementations today, but the trend is toward cloud solutions because of the resources they can touch and the vendor community that can support them: Cloud IAM. Single Sign On (SSO) was one of the first tools and, even though it helped, it had limited utility and IT was left with multiple silos to manage. Users, in general, need more for online safety as they work, shop, bank and travel, and the point is that identity authentication is paramount for the individual, for the people and for the organizations around them. Supporting one identity provider has many benefits for all concerned. Users could interface with one site for all their online needs, including work. These identity providers offer Multifactor Authentication (MFA) features such as fingerprint scans and facial recognition, risk signals such as GPS location, IP address and behavior analytics, and complete isolation when bad actors are detected. What if an online-store hack of an individual could close their ability to access company assets, or a company hack could lock down all your employees’ bank or credit card accounts?

The workplace can now rely on one access integration point and improve its users’ experience. Vendors can set requirements with the identity provider on the type or level of authentication required (e.g., password longer than eight characters, two-factor, biometrics) before granting access. Picture a unified access portal where users set a vacation flag that turns off work access but opens travel-destination access, and wallet security questions that further personalize the identity. This process could help adoption of electronic signatures, video conferencing, voting, law enforcement and electronic health records. Users could get their own access reports, and everyone concerned could be notified when an alert is triggered or a distress condition is set.

Validating and testing the identity are also important. Individuals have a responsibility to validate their identity through an onboarding process in which nonpublic information is asked for and answered, much like the experience of locking down your credit reports at TransUnion, Equifax and Experian, followed by an annual recertification to ensure all the information is current and the goals are being met.

The Cloud IAM market is taking shape with the usual suspects: Google (Cloud IAM), Amazon (AWS IAM) and Microsoft (Azure AD). There are many IAM vendors in the market; the first started around 2007, focused on enterprise solutions benefiting the company rather than the individual. Cloud IAM vendors focus on both the individual and the enterprise. Leverage the reach of the cloud to ensure access security and end the decentralized landscape we endure today: fifty different points of potential failure deployed by fifty different companies. Hackers rarely waste time on companies that deploy MFA because there are so many that have not. Today you are best served by extending your password length to 10 or 12 characters or using passphrases, enabling two-factor authentication and restricting access by IP.

The second change of behavior comes from the Cloud Security Alliance (CSA) and is known as the Software Defined Perimeter (SDP). SDP is designed to stop network attacks against application infrastructure. With the adoption of cloud services, the threat of network attacks against application infrastructure increases, since servers cannot be protected with traditional perimeter defense techniques. The traditional fixed perimeter model is rapidly becoming obsolete because of internal security neglect or insiders, BYOD devices attached to internal networks, phishing attacks and IoT devices that introduce malware, all of which provide untrusted access inside the perimeter: the classic Trojan horse.

Connectivity in an SDP is based on a “need-to-know” model, in which device posture and identity are verified before access to the application infrastructure is granted. Today’s perimeter approach is too broad when looked at from underneath (what I call the plumbing). Vendors building SaaS solutions design three tiers separated by firewalls and connected via VPNs and network access controls. Unfortunately, whatever is reachable across the network can be seen if you know what you are looking for, and that is hacking. CSA states it this way: “Authenticated users have overly-broad network access, increasing the attack surface area and enabling the types of wide-reaching breaches that we see far too often.”

Let me give you this example: you are kidnapped and driven to a secret location, all the while watching the scenery and sites as you travel. An SDP environment is the same story, but this time they blindfold you on the way to the secret location. The Department of Defense and intelligence community call this a “black network.” In effect, SDP establishes a direct connection from you to the host resource (application) you are requesting, and if that host resource needs help from a different host resource (a database) a new connection is created between the two hosts only. The SDP component that authenticates the request and brokers all these connections is called the SDP Controller. Now that I’ve oversimplified SDP, the concept is that there is no plumbing; connections are dynamic, and until you have been authorized nothing answers you at all.
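Here is how the blindfold works at the packet level, as an added example that is not part of the original article or of any vendor’s SDP product. It is a stand-alone Python sketch of the CSA pattern: the client sends one HMAC-authenticated “knock” carrying its identity, device and posture; the controller silently drops anything it cannot authenticate, anything stale or replayed, anything the identity has no entitlement for, and any device that fails the posture check; only a valid knock yields a session the gateway will honor. The enrollment keys, the entitlement table, the posture rule and the application names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical enrollment data for this example: one key per (user, device) pair,
# provisioned by the SDP controller at enrollment, and the applications each
# identity is entitled to reach. Values are constructed, not from any deployment.
ENROLLED_KEYS = {
    ("alice@example.com", "laptop-7f3a"): bytes.fromhex("8d" * 32),
}
ENTITLEMENTS = {
    "alice@example.com": {"claims-portal"},
}
KNOCK_WINDOW_SECONDS = 30   # how stale a knock may be before it is ignored
MIN_PATCH_LEVEL = 202005    # hypothetical posture rule: YYYYMM of the last patch
TAG_LEN = 32                # HMAC-SHA256 output length


def _canonical(fields: dict) -> bytes:
    # Canonical JSON so client and controller authenticate exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_knock(identity: str, device: str, app: str, posture: dict, key: bytes,
               ts: Optional[int] = None, nonce: Optional[str] = None) -> bytes:
    """Client side: build one authenticated 'knock' (single-packet authorization)."""
    fields = {
        "id": identity,
        "device": device,
        "app": app,
        "posture": posture,
        "ts": int(time.time()) if ts is None else ts,
        "nonce": nonce or secrets.token_hex(8),
    }
    body = _canonical(fields)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def posture_ok(posture: dict) -> bool:
    """Minimal device-posture policy for the example."""
    return (posture.get("disk_encrypted") is True
            and posture.get("edr_running") is True
            and posture.get("patch_level", 0) >= MIN_PATCH_LEVEL)


class SdpController:
    """Verifies knocks. Every failure returns None and sends nothing back, which is
    what makes the network 'black': a scanner gets no reply to learn from."""

    def __init__(self) -> None:
        self.seen_nonces: set = set()
        self.sessions: dict = {}

    def handle_knock(self, pkt: bytes, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        if len(pkt) <= TAG_LEN:
            return None
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        try:
            fields = json.loads(body)
        except ValueError:
            return None
        if not isinstance(fields, dict):
            return None
        key = ENROLLED_KEYS.get((fields.get("id"), fields.get("device")))
        if key is None:
            return None
        # Authenticate before trusting any other field; constant-time compare.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        if abs(now - fields["ts"]) > KNOCK_WINDOW_SECONDS:
            return None                       # stale: a captured knock expires
        if fields["nonce"] in self.seen_nonces:
            return None                       # replay inside the window
        self.seen_nonces.add(fields["nonce"])
        if fields["app"] not in ENTITLEMENTS.get(fields["id"], set()):
            return None                       # need-to-know: no entitlement, no path
        if not posture_ok(fields["posture"]):
            return None                       # identity fine, device not trusted
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (fields["id"], fields["app"])
        return token

    def gateway_connect(self, token: str, app: str) -> bool:
        """Gateway side: an application answers only a session approved for it."""
        return self.sessions.get(token, (None, None))[1] == app
```

In a real deployment the controller would push an allow rule for the client’s source address to the gateway and tear it down when the session ends; here the session table stands in for that, and the knock would travel inside a single UDP datagram rather than a Python call.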

So far we have discussed Cloud IAM solutions designed to establish your identity and maintain your authentication. SDP introduces black networking, where the identity also has a “need to know,” or privilege, for a portal or application. The bad guys now have a tremendous challenge to break in from the outside. An eight-character password is weak security when it is the only challenge separating the bad guys from your third-party trusted content. With cybercrime growing 15 percent per annum, our security perimeter needs to change. Bad guys are smart too. Brute-force password cracking is seldom used because it is much easier to be invited in. Phishing, URL forgeries and social media impersonations are just some of the techniques whereby one click is all they need. Then they sneak in a small piece of malicious code that persists on the workstation and comes back to life the next time you log in or open File Explorer. Red flag: if your File Explorer starts doing odd things (very slow, chopped screens, bad characters), sweep your device in Safe Mode with a capable commercial tool.

What can we do when the bad guys gain access inside our defenses? Eliminate their reward. Yes. We want an ending like Geraldo Rivera opening Al Capone’s vault: nothing. That goal has been a long time coming because today’s database protection is largely ineffective. Databases are secured by Transparent Data Encryption (TDE) or Cell Encryption (CE). TDE encrypts the database’s data and log files on disk as a whole; CE encrypts only the field (cell) where the sensitive data lives, that is, a column. Both rely on a symmetric key, and each has pros and cons.

TDE is good for “data at rest,” meaning the files on disk: it protects a stolen disk or backup, but the server decrypts every page it reads into memory, so any query against the running server sees plaintext and every read from disk pays the decryption cost. According to Matthew McGiffen, “When TDE does not read from disk it doesn’t add any overhead, but how do we quantify what the overhead to queries is when it does have to access the disk? From my testing we could suggest it adds from 10 percent to over 1000 percent CPU.” (Thoughts on Query Performance with TDE enabled, May 23, 2018). To make it clear, that kills performance not just for you but for everyone. Microsoft, who introduced TDE in SQL Server 2008, now offers Always Encrypted, where the data is encrypted and decrypted in the client driver at the workstation. This distributed model makes sense (it offloads the server), but we want to move away from workstations, and the thought of distributing symmetric keys across the enterprise would make any IT organization nervous.

CE is column-level encryption; it encrypts only the sensitive information in a table column. The data stays encrypted in the table and is decrypted only when it is read for display. The catch is searching: an encrypted column cannot be indexed for lookups, so a search on that column forces the server to decrypt the whole column, row by row, to compare values. Again, a performance killer. How much of a killer? A 5,000,000-row table with one encrypted column takes 12 seconds to return results compared to 0.0012 seconds when not encrypted. User mutiny.

The real problem is that TDE and CE are not that secure because of the leakage they create. Leakage is the term for the breadcrumbs and artifacts left on the database server (the keys and certificates have to live somewhere the server can reach them) that enable hacking. A great demonstration of this is a 10-minute video published by Simon Mcauliffe (https://simonmcauliffe.com/technology/tde/) in which he steals a TDE database and cracks it, revealing all its decrypted content. Ten minutes.

In 2005 scholars started a subject called “Searchable Symmetric Encryption” (SSE) and many doctoral theses were launched. And that is where it ended: abstracts and a lot of math but no products, until now. I have watched over the last four years our version of SSE perform with virtually no overhead and no leakage, a totally different approach to securing data that keeps it searchable and secure. It does not encrypt plaintext rows; instead it shreds the data so that no shred carries context, and rather than storing rows it builds algorithms that bring order to shreds of data scattered across multiple records: a mathematical non-equation (an equation that produces more than one answer). Hackers rely on seeing ciphertext and plaintext together, the known-plaintext trick best portrayed in the war movie Midway, where the “AF” message gave the Japanese code away. Without those relationships hackers are flying blind. SSE that supports more than one symmetric key makes stealing the database pointless. A total scheme that delivers no value to thieves, and will not for the next 100 years. As an employee of a company that builds supply chain solutions, my company will not rest until we complete our SSE project, eliminating risk for the data we manage and reporting that we do not store confidential information.
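To make the searchable-but-encrypted idea concrete, here is an added example (not the author’s company’s shredding scheme and not code from the original article) of the classic SSE construction from the academic literature: the client encrypts each record under one key and, under a second key, derives a keyed-hash token for every searchable field value; the server keeps only ciphertexts and an index of those opaque tokens. A search sends one token, the server returns the matching ciphertexts, and only the client can decrypt them. The sample policyholder records are fictitious, and the cipher is a standard-library stand-in for AES-GCM.

```python
import hashlib
import hmac
import json
import secrets
from collections import defaultdict
from typing import Dict, List

# Toy cipher for the example: HMAC-SHA256(key, nonce || counter) used as a keystream.
# It stands in for AES-GCM so the block runs on the standard library alone; do not
# use it outside a demonstration.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)   # fresh nonce: same plaintext, different ciphertext
    return nonce + _xor_stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])


class SseServer:
    """Untrusted storage. It holds ciphertexts and opaque search tokens only; the
    keys never leave the client, so a stolen copy of this store yields no plaintext."""

    def __init__(self) -> None:
        self.records: Dict[str, bytes] = {}
        self.index: Dict[bytes, List[str]] = defaultdict(list)

    def put(self, record_id: str, ciphertext: bytes, tokens: List[bytes]) -> None:
        self.records[record_id] = ciphertext
        for token in tokens:
            self.index[token].append(record_id)

    def lookup(self, token: bytes) -> List[bytes]:
        return [self.records[rid] for rid in self.index.get(token, [])]

    def leaked_frequencies(self) -> List[int]:
        # What a thief learns from the stolen store: how many records share each
        # (still opaque) token. This equality/frequency leakage is inherent to any
        # deterministic-token SSE scheme.
        return sorted((len(ids) for ids in self.index.values()), reverse=True)


class SseClient:
    """Trusted side: holds the keys, encrypts records, derives search tokens."""

    def __init__(self, enc_key: bytes, index_key: bytes, server: SseServer) -> None:
        self.enc_key, self.index_key, self.server = enc_key, index_key, server

    def _token(self, field: str, value: str) -> bytes:
        # Keyed PRF of field+value; without index_key nobody can build or invert it.
        msg = f"{field}\x00{value.strip().lower()}".encode()
        return hmac.new(self.index_key, msg, hashlib.sha256).digest()

    def add(self, record_id: str, record: dict, searchable: List[str]) -> None:
        plaintext = json.dumps(record, sort_keys=True).encode()
        tokens = [self._token(f, str(record[f])) for f in searchable]
        self.server.put(record_id, encrypt(self.enc_key, plaintext), tokens)

    def search(self, field: str, value: str) -> List[dict]:
        blobs = self.server.lookup(self._token(field, value))
        return [json.loads(decrypt(self.enc_key, b)) for b in blobs]


def build_demo() -> tuple:
    """Constructed, fictitious policyholder records loaded into the scheme."""
    server = SseServer()
    client = SseClient(secrets.token_bytes(32), secrets.token_bytes(32), server)
    sample = {
        "p-1001": {"last_name": "Smith", "zip": "08053", "ssn": "000-00-0001"},
        "p-1002": {"last_name": "Jones", "zip": "08053", "ssn": "000-00-0002"},
        "p-1003": {"last_name": "Smith", "zip": "19103", "ssn": "000-00-0003"},
    }
    for rid, rec in sample.items():
        client.add(rid, rec, searchable=["last_name", "zip"])
    return client, server
```

Note what the server still learns: leaked_frequencies() shows that a thief with the stolen store can count how many records share each token, even though the token values mean nothing without the index key. That equality and frequency leakage is the known limit of deterministic-token SSE, and it is exactly the gap that the shredding approach described above sets out to close.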

Cybercrime reached over $5.5 trillion last year. The bad guys cashed out $1.5 trillion, and the victims paid out an additional $4 trillion: covering the lost $1.5 trillion plus $2.5 trillion in mitigation cost, technology, fines and lost reputation, compounded by departing senior management.

Protecting confidential information from bad guys is attainable, and the subjects discussed above can collectively put hacking in the past. Publishing the fact that XYZ Company has deployed Cloud IAM, black networking and shredded data at rest should be more than enough for bad guys to move on and not waste their time. Of the three options, shredded data storage would have the least impact on deployment and would stop the potential loss of confidential data immediately.

In signing off, BTC is selling at $9,400, with no effect from the halving four days ago. And if you are in BTC, sell high, because the party is about to end.

Cybercrime And Cryptocurrency— Things That Make You Go Hmmm… (Part 1)

I’ve always been curious about who is making the money from cybercrime. Among the players we have nation states, organized crime, and small teams down to individuals, so let’s follow the money. To keep this simple and about money, we’ll discuss the three most active cyberattacks: phishing, ransom and identity theft. Each has its usual suspects: phishing is the work of small groups or individuals, while ransom and identity theft are larger groups like organized crime and nation states. According to McAfee the top nation-state actors are China, Russia, North Korea, Iran and Central America. All these groups combined realized $1.5 trillion in stolen money in 2019, good guys to bad guys. The good guys also ended up paying $4.0 trillion to clean up the mess; global cybercrime cost $5.5 trillion in 2019 in an $80 trillion global economy.

So what did the bad guys do with $1.5 trillion? Where can you hide billions of dollars? At the top, identity theft spoils (NPI, PII and PHI) are sold to others on the dark web, who launder and monetize the stolen assets. This accounted for $860 billion. High-earning cybercriminals can make $166,000+ per month, middle earners $75,000+ per month and low earners $3,500+ per month, according to Mike McGuire, University of Surrey (UK), April 2018.

Selling your personal information to other bad guys alone can fetch:

  • Social Security number: $1
  • Credit or debit card: $5 to $110
  • Driver’s license: $20
  • Passports (US): $1,000 to $2,000
  • Medical records: Up to $1,000 for complete APS

Experian 12/6/2017

Your personal information keeps its resale value for four to six years. Once they have their clean cash, how do cybercriminals spend it?

  • Immediate needs-paying bills: 15 percent
  • Disorganized/Hedonistic spending: 15 percent
  • Finance criminal activities: 20 percent
  • Status spending: 20 percent
  • Cryptocurrency: 30 percent

Mike McGuire, 4/2018

Nation states mostly focus on intellectual property and, when monetized, its value is $600 billion. China’s Ministry of State Security and People’s Liberation Army are mandated to steal U.S. industrial and trade secrets (Forrester Research Inc., October 2019).

Here’s a typical story of how nation states engage business opportunities with technology companies to gain access to their infrastructure, steal their intellectual property, then pursue litigation while making use of the stolen property.

American Superconductor Corporation (AMSC) developed world-class software to control wind turbines. Sinovel (from 2007), AMSC’s Chinese partner, paid a bad guy $1.7 million to steal the software and, as a result, ended its AMSC relationship. Sinovel engaged in litigation, refusing to pay $800 million owed to AMSC, and AMSC countersued for $1.2 billion. AMSC is in survival mode and the litigation is going nowhere. AMSC claims that 20 percent of China’s wind farms are running stolen code. In the last decade the Chinese initiative has stolen intellectual property such as:

  • Dupont technology for the benefit of Chinese chemical manufacturers
  • Motorola’s cellular technology
  • Dupont genetically modified corn seeds
  • T-Mobile confidential equipment
  • Cisco Systems core router software code
  • Avago and Skyworks wireless communications technology

Gen. Keith Alexander, then NSA Director, warned us in July 2012 that nation-state cybercrime represents the “greatest transfer of wealth in history.” Nation states like China are after our technology for their own internal benefit and to learn how to crack it, since we use this same technology today in our perimeter cyber security defense.

Bad guys conducting ransom attacks took home $21 billion and phishing victims lost $1 billion. Ransom attacks start with the introduction of malicious code (usually via phishing) that encrypts your files or database and displays a message telling you how to contact the attackers.

“Fifty-five percent of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks. A total of 140 US local governments, police stations, and hospitals have been infected with ransomware. In the third quarter of 2019, the average ransomware payout increased to $41,000. Ninety-five percent of ransomware profits are laundered with cryptocurrency,” reported Heimdal Security, December 2019. The FBI reports that only 19 percent of ransomware crimes are reported. Because no data leaves the building, victims are not required to declare a breach, and if the FBI’s figures are close, $100 billion plus was coerced from businesses last year.

Cybercrime continues to grow at 15 percent per year, and the bad guys have figured out how to make more money by selling their tools. Bad guys now operate platforms like service providers; they don’t commit the crimes directly but enable others for a fee. Such sites offer more than tools; they include customer reviews, technical support, descriptions, ratings and information on success rates. Some examples of the services offered:

  • A zero-day Adobe exploit can cost $30,000
  • A zero-day iOS exploit can cost up to $250,000
  • Malware exploit kits cost $200-$600 per exploit
  • Blackhole exploit kits cost $700 for a month’s leasing, or $1,500 for a year
  • Custom spyware costs $200
  • One month of SMS spoofing costs $20
  • A hacker-for-hire costs around $200 for a small hack

The point here is that cybercrime is evolving into its own institution, like drug cartels, prostitution rings and illegal gambling. The same types of people involved in organized crime are now into cybercrime. So far we’ve discussed who, what and where cybercriminals are making their money, but like all illegal gains it must be washed of any stains and accounted for by a trusted third party.

Here I sit, a cybercriminal with $1 million worth of credit cards ready to cash in. Now we play the shell game, moving money around offshore shell companies with just enough transaction history to look legitimate when it lands. Setting up shell companies is quick and costs about $5,000 each. I, the bad guy, have an e-commerce site in the Cayman Islands that only sells pet rocks. I place orders using the stolen credit cards, never ship anything, and deposit the proceeds into my Cayman business account. The next day I start moving the money through Panama, Samoa, the Seychelles and Belize, ending up in the British Virgin Islands. Then I move what I need into the U.S. for taxation. This process has worked well for many years but, like most third-party processes, you are paying fees and dealing with many layers: a lot of systems to trust that leave fingerprints around the money.

So now we come to cryptocurrency: several different types of peer-to-peer financial exchange networks. The most popular are Bitcoin and Ethereum; with names like those you would think they carried no weight, but it is the opposite. Cryptocurrencies have no third-party trust, no oversight and no bureaucracy, and transactions are pseudonymous: traceable to addresses on the ledger, not to names. With the technology behind them it is almost impossible to forge them (though it is possible to steal them). It is just two people agreeing to exchange value based on an arbitrary exchange rate. One of the first cryptocurrencies, Bitcoin, was launched in 2009 by Satoshi Nakamoto (an alias).

Satoshi’s design solved the fundamental problem of double-spending with the introduction of the blockchain, a public ledger of every transaction that has ever happened within the network, available to everyone. To establish the market exchange, Bitcoin capped the total number of coins at 21 million. You can buy fractions of a Bitcoin, and you can be a miner and be rewarded with Bitcoin. Miners are the verifiers: they gather pending transactions into a block and compete to append it to the one shared chain, and every full node on the network keeps a copy of that chain, so thousands of copies will carry your transaction. Mining has evolved into very specialized hardware, which means the miners have gone institutional. It is no surprise that the best-known mining hardware manufacturer, Bitmain, was founded in 2013 in China and today has offices in several countries. Bitcoin today is valued at $6,887.49 per coin for a market cap of $126 billion. Source: https://bitcointicker.co/.

Now back to my cybercriminal selling pet rocks in the Caymans. Bad Guy now wants to move his washing machine to crypto exchanges and stay below the radar of law enforcement, which is so far behind. Bad Guy takes the stolen identities and opens 20 to 30 crypto accounts under those names. I write about cryptocurrencies because there are 540-plus crypto exchanges on the globe, and bad guys spread these new accounts across many of them. Some platforms collect personal information to build trust, but many others allow anonymous accounts. Forty million people own cryptocurrency, 11 percent of them Americans. Based on my research, I believe half of those Americans (five percent of owners) don’t even know it. Interesting, then, that the 2019 IRS forms ask whether you own any cryptocurrency.

Bad Guy now takes about 300 to 400 credit cards directly to a Bitcoin trading platform, deposits about $2,000 to $3,000 of illicit card transactions each into his wallets and buys 145 Bitcoins. The next day Bad Guy starts trading among his controlled accounts, creating three to five transactions each. Small trades draw little attention: each one is an ordinary-looking transfer among the thousands in every block, and nobody on the network checks who controls the addresses. Then, on schedule, Bad Guy transfers funds to a “legitimate” account (opened with a stolen ID) and from there to his roadside vegetable stand’s bank account or his import/export business. Hell, today you can go to a Bitcoin ATM and withdraw cash directly as needed.

In connecting the dots, let’s look at two ecosystems: cybercriminals and cryptocurrency. Cybercriminals reportedly bought $350 billion ($250 billion from ID theft and $100 billion from ransom) worth of cryptocurrency in 2019. Reports size the cumulative market capitalization of cryptocurrencies at $237 billion in 2019, almost double 2018. Professional money laundering is a business, and launderers are very active in cryptocurrency, taking the normal 10 to 30 percent off the top, in BTC of course. The laundering front sells Bad Guy a coin at the going rate ($6,000). Bad Guy then sells the coin back to the front for $4,000; Bad Guy walks away with $4,000 in clean money and the front keeps $2,000. Remember, this is a peer-to-peer exchange, not much different from an OTC brokerage but without any oversight.
Therefore, with cybercriminals admittedly using cryptocurrency to launder stolen money through a market of stolen identities with weak verification and auditing, the bad guys are cashing out. In Part Two of this article I’ll discuss three promising technologies that could eliminate, or at least significantly reduce, cybercrime. Then one wonders: by eliminating cybercrime, could that alone crash the value of cryptocurrencies?

How’s the Phishing? Great!

My company was hit again with a Business Phish this February, targeting a new hire, same as last time. This is why cyber training must be the first training a new employee receives. In my cases, new employees were targeted within a few weeks of coming on board. In each case the newbie receives an email from an executive manager. The request is simple: buy bank cards, gift cards and so on and email back the card numbers so the recipient can cash them in, and the newbie has just lost hundreds of dollars or more. This is a “Business Phish” and the simplest to execute.

There are basically three types of phishing attacks: Business, Spear and Account Takeover. Business Phishing is easy because it requires no links or HTML formatting, so it slides right past the technology gatekeepers. The attack audience is cultivated through social media content; in our case the phishing happened within days of the new employees updating their social media profiles with the new position and company. The red flag in Business Phishing is the sender’s email address, which is wrong the majority of the time. Typically the tell is in the domain name: some slight variation that delivers the email to the attacker. And, ready for this? With the current release (June 2019) the Top-Level Domain list stands at 1,520 options. Alongside “.COM”, “.NET” and “.GOV” there are 1,517 other choices like “.FOOD”, “.TECH” and, yes, “.SUCKS”. The point is that the attacker is playing on the new employee’s lack of company knowledge. The best defense is day-one training on phishing, on how company communications work and on how the chain of command interacts.

Spear Phishing is much like the name suggests: one hit and you can’t get away. This spear has no barb, just a link, and with one click they own you. It is called Spear Phishing because it is aimed at you specifically, and the phishing part plays on the warm and fuzzy feeling that you know these people or have done business with the company. “Look, it’s just a service satisfaction questionnaire about the service I had done on my car last week, why not take it? They did a great job.” “Congratulations on your child’s college graduation last week; click here to see their ranking on the National Honor Roll.” Your best defense here starts with scrubbing the domain name. If it’s someone you know but the domain is new, red flag. Look at the URL: warning signs are two-letter country codes (.CN for China, .IR for Iran, etc.). Misspelled names and bad grammar in the subject or body are all red flags.
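The domain checks described for Business Phish and Spear Phish above can be automated; the following is an added example, not code from the original article or from any mail gateway product. It takes a From: header (and optionally a Reply-To:) and raises the red flags the text lists: a lookalike domain one or two edits away from ours, digit-for-letter confusables, the right name under a different TLD, our domain embedded in a longer one, a two-letter country-code TLD, an executive’s display name on an external domain, and a Reply-To pointing elsewhere. The company domain, executive names and sample headers are all constructed.

```python
from email.utils import parseaddr
from typing import Dict, List, Optional

# Hypothetical company domain and the executives whose names a Business Phish
# would borrow; constructed for this example, not from the original post.
TRUSTED_DOMAINS = {"example-insurance.com"}
EXEC_DISPLAY_NAMES = {"pat executive", "chris cfo"}

# Character swaps attackers use to make a lookalike domain read like the real one.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _fold(label: str) -> str:
    """Map a domain label to its 'looks like' form (examp1e -> example, rn -> m)."""
    return label.translate(_CONFUSABLE).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between labels mean a one-typo lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(header: str) -> str:
    return parseaddr(header)[1].rpartition("@")[2].lower()


def assess_sender(from_header: str, reply_to: Optional[str] = None) -> Dict:
    """Score a From: header against the red flags described in the text."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags: List[str] = []
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            break                                     # genuinely ours
        label, _, tld = domain.rpartition(".")
        t_label, _, t_tld = trusted.rpartition(".")
        if trusted in domain:
            flags.append(f"trusted name embedded in another domain: {domain}")
        elif label == t_label and tld != t_tld:
            flags.append(f"same name, different TLD: .{tld} instead of .{t_tld}")
        elif _fold(label) == t_label:
            flags.append(f"confusable characters imitate {trusted}")
        elif levenshtein(label, t_label) <= 2:
            flags.append(f"one or two edits away from {trusted}")
    else:
        # External domain: extra tells that matter regardless of lookalike status.
        tld = domain.rpartition(".")[2]
        if len(tld) == 2:
            flags.append(f"two-letter country-code TLD .{tld}")
        if display.strip().lower() in EXEC_DISPLAY_NAMES:
            flags.append("executive display name on an external domain")
    if reply_to and _domain_of(reply_to) != domain:
        flags.append(f"Reply-To goes to a different domain: {_domain_of(reply_to)}")
    return {"domain": domain, "flags": flags,
            "verdict": "suspicious" if flags else "ok"}
```

Such a check belongs at the gateway and in the training material alike: the new hire who can recite these tells is the control that still works when the message contains no link for the filter to catch.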

Account Takeover, like Spear Phishing, has one objective: click that link. Where Spear Phishing is commonly associated with identity theft, Account Takeover focuses on your company, stealing your company’s credentials so the attackers can reach as deep as they can into the layers of security and disrupt your business (ransom, IP theft, data destruction) or steal your data (breach, hack). Clicking that link returns malicious code designed to harvest all the information it can and send it back to the mothership, where analysis shapes the next malicious code insertion. Studies report that in 2019 malicious code attacks went undiscovered for an average of 290 days.

Today’s desktops have many tools available to protect you against attacks, but most people don’t go far enough in their product choices. Focus on malware protection that includes defense against viruses, spyware, adware, nagware, trojans, worms and more. Also, not all malware tools can remove the malware once it is found; many times you identify the malware and then acquire a specific tool designed to remove that particular malicious code.

Let’s now talk about the best improvement you can act on today: your firewall. Over the last decade, with the maturity of artificial intelligence and its implementation in firewalls, we can keep malicious code away from our desktops and stop it at the front door. All the leaders in firewall solutions have evolved their offerings to draw on many sources identifying bad actors, and can scan inbound and outbound traffic for malicious code and for company data. One of the biggest changes is the migration to the cloud. If your cyber security staff wants to move from the on-premises appliance to a cloud-delivered firewall, it’s probably a good thing. Take advantage of new options like isolation, stopping all traffic from regions you don’t do business in: I don’t do business in China, therefore I block all traffic originating from China. Probably the most important feature is patching and policy management. Cloud-based firewalls give the AI the largest possible data set to work with instead of islands of data recorded by on-premises appliances. The AI can see and predict the wave coming before it hits you and automatically change its defenses to block and protect you at the front door. All of the major vendors are moving to the cloud and continue to build on that model, providing the best real-time perimeter security. Data Loss Prevention has also moved to the firewall. In most architectures the firewall segregates the network into tiers, and the lowest tier is where the data is protected; in normal operation that data should never see the light of day. An AI that has learned your traffic behavior will detect your lowest-tier data streaming directly to your DMZ and stop it immediately. The point is, sharing collective information on bad actors for a common defense is a good thing.

This approach is taking shape as what the Cloud Security Alliance calls the “Software Defined Perimeter.” The principle introduces the concept of “need to know,” a trusted principle in security clearance, into the firewall, where the AI is building training sets on who you are communicating with. I like to describe it this way: yesterday your front door needed a simple key to get in; under SDP your front door just became US Customs.

Finally, the best defense is to remove the value of your data. We are shredding our databases, making their content worthless to a thief but still available for day-to-day operations. Our end goal is to remove any liability if our perimeter is breached, protecting individuals once and for all.

Machine Learning— Real Or Hype? (Part Two)

Machine Learning (ML) will change three core processes we use in the life insurance industry today: paper and electronic application capture, internal workflow, and underwriting medical data. The life insurance distribution supply chain has for years promoted electronic forms for processing. While captive carrier models have high adoption, 80 percent of distribution remains paper based. The good news is that even though paper is used to execute the agreement, if properly managed an imaged document can be created and the original paper can ultimately be destroyed or stored. Internal workflow applications, commonly referred to as “rules based workflow,” are programmed applications managing routing, tasks, approvals, logic (if/then), limitations, people and exceptions, ensuring case management flows efficiently. Medical input remains critical to underwriting so that the best evaluation of an individual can be predicted to competitively price the policy. ML over the next few years will greatly impact these areas for the better.

Starting with Paper/E-App capture, Deep Learning (DL) and ML will be game changers, and this is why: color capture. In Part One of this article I discussed DL and its focus on processing color images, the MNIST Training Set (TS) of grayscale images, and DL models focused on biometrics. Today we challenge DL with the least optimal source image to process, the 1-bit (bilevel) compressed TIF image, whose pixels are only black or white. Since the beginning of image capture our entire electronic document foundation has been built on TIF images. The reasons for TIF remain as valid today as they did 30 years ago: quality reproduction output (paper-out), a small byte count for bandwidth, and the smallest storage footprint. So, we have a world of TIF images and a “slow to change” supply chain to overcome.

Paper/E-App capture must change from this day forward: make the inbound traffic color. To take the greatest advantage of DL we need to capture color images (e.g., PDF, JPEG, PRN). Delivering color images to your DL-CNN for text or handwriting recognition is your best chance of getting the best results. Getting producers, agents, registered reps and advisors to scan in color, or to mobile-capture and save in color, is all the change we need, because they then deliver those color images directly to your DL solution or DL service.

In the field of AI, people are working in a color world; no one is building image-recognition models for black-and-white pixels. That would be like building PONG again. Therefore, if we expect great things from our technology, we must be willing to change. By introducing color into our documents, forms can use color to help page recognition, instructions for people, and print or handwriting processing. Example: if my form, when digitized (scanned), is printed in blue and the person filled it out in black ink, then when you do forms dropout you remove only the blue pixels and preserve the black pixels, the original content, which enables better recognition. This only works when the ink is a different color from the form, which is another reason to specify the pen on the instructions. Once the DL process is complete and you have received your data, convert the color image to a TIF image for storage. Conclusion: when building or selecting a vendor, ensure direct capture of color images to the DL solution or DL service.
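The blue-form, black-ink dropout described above, as an added example (not the article’s or any vendor’s code). The “scan” is a constructed 6 by 8 RGB grid, and the form colour, ink colour and tolerances are assumptions; the point it shows is that a plain scan-to-TIF threshold keeps the form lines as ink, while a colour dropout keeps only the handwriting before binarising:

```python
# Added example: colour dropout before binarisation (not code from the article).
# Pixels are (R, G, B) tuples. The form is printed in blue, the applicant writes in
# black; we keep only dark, neutral pixels that are not the form colour and then
# emit a 1-bit grid (1 = ink), the form a bilevel TIF would store.

BLUE_FORM = (40, 70, 220)   # assumed colour the form was printed in
BLACK_INK = (25, 25, 25)    # assumed pen colour
PAPER = (250, 250, 250)     # assumed paper background


def is_form_colour(px, tolerance=60):
    """True when every channel is within `tolerance` of the form's blue."""
    return all(abs(a - b) <= tolerance for a, b in zip(px, BLUE_FORM))


def is_ink(px, dark_max=100, neutral_max=40):
    """True for dark and roughly grey pixels: black or dark-pen handwriting."""
    r, g, b = px
    return max(r, g, b) <= dark_max and (max(r, g, b) - min(r, g, b)) <= neutral_max


def luminance(px):
    """Integer Rec. 601 luma, enough for a threshold."""
    r, g, b = px
    return (299 * r + 587 * g + 114 * b) // 1000


def naive_binarise(image, threshold=128):
    """What a plain scan-to-TIF threshold does: every dark pixel becomes ink,
    form lines included (the blue above has luma 78, well under 128)."""
    return [[1 if luminance(px) < threshold else 0 for px in row] for row in image]


def dropout(image):
    """Colour dropout: keep ink, discard form-colour pixels, return a 1-bit grid."""
    return [[1 if (is_ink(px) and not is_form_colour(px)) else 0 for px in row]
            for row in image]


def count(bits):
    """Number of ink pixels in a 1-bit grid."""
    return sum(sum(row) for row in bits)


def build_sample():
    """Constructed 6x8 'scan': a blue checkbox outline with a black tick inside.
    The tick ends on the bottom border, so one form pixel is overwritten by ink."""
    h, w = 6, 8
    img = [[PAPER for _ in range(w)] for _ in range(h)]
    for x in range(w):
        img[0][x] = BLUE_FORM
        img[h - 1][x] = BLUE_FORM
    for y in range(h):
        img[y][0] = BLUE_FORM
        img[y][w - 1] = BLUE_FORM
    for i in range(1, 5):            # diagonal stroke through the interior
        img[i][i] = BLACK_INK
    img[5][5] = BLACK_INK            # stroke runs onto the blue border
    return img


if __name__ == "__main__":
    scan = build_sample()
    print("naive threshold keeps", count(naive_binarise(scan)), "pixels (form lines included)")
    print("colour dropout keeps", count(dropout(scan)), "pixels (handwriting only)")
```

On the constructed scan the threshold keeps 28 pixels (24 of border plus the stroke) while the dropout keeps the 5 ink pixels, including the one that lands on the form line. In a production pipeline the same decision is made on each channel of the real scan, which is exactly why capture has to arrive in colour: once the page has been flattened to 1-bit the blue and the black are indistinguishable.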

Medical information and ML have several opportunities and challenges. The opportunity is that ML provides more perspectives to analyze data, which will help when evaluating an individual. A true premise in statistics and probability is that you can predict the population but not the individual. Most systems are confined to three dimensions of perspective (lifestyle, health and family history). The one thing you cannot predict is the ability of the individual to change. When negative lifestyle and health behavior changes to the positive, the individual moves to a new carrier/product for better coverage value, while the opposite change goes unnoticed. ML now offers the opportunity to add new data sources and predict the individual’s ability to change. New sources like social media, electronic health records, DNA screening, internet activity, buying trends, Twitter content, criminal violations, fraud detection and more will help predict the individual’s aptitude or tendency to change; each of them carries its own consent, accuracy and regulatory constraints, which need to be settled before the data reaches a model.

ML models are adaptable. One model can be used for many processes and even across different industries; the point is, one ML model could automate an entire company. UCLA developed an ML algorithm to predict earthquakes around the globe. The same ML algorithm is used by the Los Angeles Police Department to predict crime. In both cases they used historical data to train their models and have produced significant results. LAPD has reported a reduction of 33 percent in burglaries, 21 percent in violent crime, and 12 percent in property crime across the area where the algorithms are being applied. LAPD built a TS incorporating data going back as far as 30 years. The next effort underway is to process more sources to fine-tune the ML parameters.

This ties back to change in medical information because finding the right model is key, and next is your TS. This now becomes a challenge because the Electronic Medical Record (EMR) is 90 percent image based. The good news is that the Electronic Health Record (EHR) is digital. The bad news for EHR is that the standards that exist (HL7, FHIR) are unevenly implemented, so interoperability between vendors is poor in practice. EMR requires a process of transcribing images to usable data to build your TS. All the Attending Physician Statements (APS) and Part 2 medical forms need to be converted into data. These are one-time projects called “Dark Data,” and the trend in the life insurance industry is converting Part 2 forms.

Carrier Part 2 medical forms are another area of change that needs to happen to make ML/DL effective. Carriers and others paying for medical exams need to stress to the examination companies to “Follow the Form’s Instructions!” Working with many Part 2 forms we see shortcuts which to humans may be acceptable but to ML are accuracy killers. Example: Part 2 checkbox groups where the author strikes a diagonal line through the group intending No as the answer for all the checkboxes. This line now passes through some checkboxes, making them true to DL when the intention was false. Without a level of quality control on the form, this individual could lose their chance, or at least add expense to the carrier’s process. Part 2 form designers need to add more space when collecting explanations to requested questions. Designers should provide data capture examples (e.g., MM/DD/YYYY, $1,000, group checkbox selection) and allow writing space equivalent to 30-point type.

Digitizing the APS has challenges, but with ML we see the opportunity to transcribe for about the same cost as summarization. When underwriting ML matures, the APS data will best reveal the individual. Predictive analytics will become a competitive edge if focused on the individual and not the population. In the medical industry, ML efforts are focused on quality of care. The most used vendor service for doctors and medical providers is “UpToDate,” a Wolters Kluwer company keeping professionals current with the latest clinical decision support for improved outcomes. Medical professionals also want “Natural Language Processing” (NLP) because they know there is so much more data to collect if doctor-patient encounters could be recorded and processed. Unfortunately, there is very little progress with NLP in medicine, but this is the hottest AI area according to Robert Wachter, author of The Digital Doctor, and others. To life underwriters I would recommend working with their summarization partners and getting ML projects going to build a TS, something small that still has a positive impact, and start cheering for medical NLP.

Rules Based Workflow Is Dead—Long Live Machine Learning! Over my career I have never seen a Rules Based Workflow (RBW) produce an ROI. I have been involved in many RBW projects that took many hours of consulting, configuration, programming and training, wrapped in much debate on how the flow really works. A year or two in development, finally launched, the standard comment was “Great—we’re only two years out of date.” RBW is like the newspaper business: the product has a 24-hour lifespan. Change it and the staff required to manage it simply stop, users push out workarounds, and then the entire RBW is killed at the first reorganization that comes along.

ML is a different paradigm. You don’t configure or program rules; ML derives the rules from its data inputs. ML can learn from all three training modes (Supervised, Unsupervised and Reinforcement) and, based on input, change the workflow. Let’s walk through such an event, routing information for approval. Jillian works in a New Business processing shop; she and her boss Lara are the only ones authorized to approve a type of application. Jillian takes a one-week vacation and therefore won’t be available to approve, leaving Lara to watch her queue or get sysops involved to change the route for a week and then change it back. ML would learn from email that Jillian is out of office. ML knows from the existing TS that this type of application is routed to Jillian and approved by her 90 percent of the time, compared to Lara’s 10 percent. ML could take an input from the email solution for Jillian’s “Out of Office” notice, change the routing to Lara’s queue, and change it back to Jillian’s when the input clears. The point is, new workflow solutions will start manual, with ML taking over as the data and TS mature. This is where data science comes in, trading program development for data development until, in time, the workflow maintains itself.
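The routing decision described above, as an added example that is not the article’s or any workflow vendor’s code. It learns the historical approver distribution per application type from a constructed audit-log history (the shape of that log, the names and the application types are assumptions), reroutes around an out-of-office signal, and, the check a security engineer would insist on, only ever routes within a separately held authorization policy, so a learned model can never widen who may approve, however the history is skewed:

```python
# Added example (not from the article): data-derived routing constrained by policy.
from collections import Counter, defaultdict

# Constructed history of (application_type, approver) decisions. In a real shop this
# is read from the workflow audit log; names and types here are assumptions.
HISTORY = (
    [("term_life", "jillian")] * 9
    + [("term_life", "lara")] * 1
    + [("annuity", "lara")] * 4
    + [("annuity", "sam")] * 1
)

# Assumed authorization policy: who MAY approve each type. This is the least-privilege
# guard; it is maintained by people and is never learned from the data.
AUTHORIZED = {
    "term_life": {"jillian", "lara"},
    "annuity": {"lara", "sam"},
}


def learn_routing(history):
    """Estimate P(approver | application type) by counting past decisions."""
    by_type = defaultdict(Counter)
    for app_type, approver in history:
        by_type[app_type][approver] += 1
    model = {}
    for app_type, counts in by_type.items():
        total = sum(counts.values())
        model[app_type] = {who: n / total for who, n in counts.items()}
    return model


def route(model, app_type, out_of_office, authorized=AUTHORIZED):
    """Return the most likely available approver for `app_type`, restricted to the
    authorized set. Returns None (hand to a human dispatcher) rather than widening
    authorization when nobody suitable is available or the type is unknown."""
    candidates = model.get(app_type, {})
    allowed = authorized.get(app_type, set())
    ranked = sorted(candidates.items(), key=lambda kv: kv[1], reverse=True)
    for who, _probability in ranked:
        if who in allowed and who not in out_of_office:
            return who
    return None


if __name__ == "__main__":
    model = learn_routing(HISTORY)
    print("normal week:", route(model, "term_life", set()))                   # jillian
    print("Jillian out:", route(model, "term_life", {"jillian"}))             # lara
    print("both out:   ", route(model, "term_life", {"jillian", "lara"}))     # None
    # Poisoned history: an unauthorized name dominates the log, yet never gets routed to.
    poisoned = learn_routing(HISTORY + [("term_life", "mallory")] * 50)
    print("poisoned:   ", route(poisoned, "term_life", set()))               # jillian
```

The out-of-office set is the “input from the email solution” in the text; feeding it in as data is what replaces the sysops route change. The poisoned run matters: whoever can write to the audit log (or to the training set built from it) can steer the learned preference, so the authorization policy has to live outside the model and be checked on every decision.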

I talked about three areas where AI and ML can impact the way life insurance is processed today: image capture, future back-office systems and medical underwriting. Of those three, there is no question the industry is focused on medical underwriting, the real opportunity for competitive products. Next is ML workflow, for its inherent focus on your processing and your product, optimizing resources. Leave “image capture to data” to vendors; it offers little, if any, ROI when built internally. Final point: focus your ML efforts on your largest and most strategic return, and outsource the rest.

Identity Theft—The New Norm…

Identity theft is growing quickly, and we all know someone who has had their identity stolen. The severity of identity theft has been further emphasized by the fact that one million children fell victim to identity theft last year, a concerning figure. When your identity is stolen it can affect you in several different ways: credit, payments and liability. Protecting yourself should now be a way of life, like needing homeowner insurance if you own a home, car insurance, health insurance, and now identity insurance. Identity insurance typically costs $10 to $20 per month; many providers bundle credit monitoring and a million dollars or more of coverage to repair and retake your identity. If you are a victim of identity theft and don’t have insurance, it’s going to be difficult to prove to companies that you are now reliable. Most of the time, thieves will spend as much money as they can and borrow from other lenders too, leaving you in debt. The questions become: what else can I do, and what do I do when my identity has been used?

Identity theft falls into two categories, First Party and Third Party. First Party refers to someone who presents identification documents carrying your personal information (driver’s license, medical cards, car registration, credit cards, etc.) in person, impersonating you. Third Party is typically over the internet or phone, where a stolen identity can easily be asserted without any document being shown.

Things you need to know, and actions you need to take will be clear as we walk through several real-world stories.

David starts to receive letters declaring medical and auto claims for his most recent car accident in Los Angeles, CA. Of course, this was not David, who lives in Tennessee and was there at the time of the accident. This is First Party-Liability, which required two lawyers, almost a year and about $5,000 out of his pocket in expenses to resolve.

Mike had his credit card skimmed, duplicated and used in retail shops for $5,000 before the credit card company cut it off: First Party-Credit. Fortunately for Mike, his card issuer covered this type of loss, and Mike simply had to declare it wasn’t him making the purchases and was issued a new card.

Beverly had her Social Security checks redirected (change of address) by an online user who had Beverly’s identity. Beverly, after realizing her checks had stopped coming, called the Social Security office, which later led to a face-to-face meeting. The result of the meeting sent her to the local police department to file an identity theft report. This report was then returned to the Social Security office and the payments were stopped until an internal investigation could be completed: Third Party-Payment theft.

Jessica and Mary had their identities stolen and used to open new credit card accounts (Nordstrom, Macy’s, Costco, PayPal and more): Third Party-Credit. Both events were revealed when they got U.S. Mail letters a week or so after the accounts were opened or declined. It has become good practice for issuers to send both email and hard copy in case the email address on file was changed; neither one received any emails. Resolution required filing an identity theft report with the local police department. Fortunately, the credit was not used, and the accounts were flagged immediately after all the credit providers were notified.

The hard copy notification saved Jessica and Mary, but the bad actors are always ahead of the game. If you receive one of these letters, it may be a phishing scam. People are now receiving letters with instructions to call a number if there is a problem. The callers present themselves as third-party administrators for the credit applied for and take all your personal information, in effect stealing it first-hand. Call the store or service directly and report the letter; do not call the number on the letter. The real service may ask you to produce a photo ID as proof of identification.

Now, how to protect yourself. If in the future you are a victim of these crimes, the first thing you need to do is contact every bank and card issuer and tell them the situation, and consider getting an identity theft lawyer on your case; a professional can help prove your innocence and may also help find the people who did the damage. Some preventive measures can also be put in place ahead of time. These actions are for individuals, not married couples, unless explicitly engaged. There are programs that include children, and they should be activated; according to the FBI, the fastest-growing target is underage children. IBM Security reports conducted by Ponemon Institute LLC indicate retail credit remains a leading vehicle for identity theft: opening credit cards in your name, running up quick charges and then dumping them is what happens. The first thing you can do to protect yourself is freeze your credit!

The Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 entitles individuals to freeze (or lock) access to their credit report free of charge. By securing your credit report you’ve stopped bad actors from opening credit cards, bank loans, mortgages, auto loans, cash advances and so on. Securing your credit does not cost you anything, but you must do it separately with each of the three nationwide bureaus:

  • Equifax: Freeze Your Equifax Credit Report, 1-800-685-1111 (NY residents 1-800-349-9960).
  • Experian: Freeze Your Experian Credit Report, 1-888-397-3742.
  • TransUnion: Freeze Your TransUnion Credit Report, 1-888-909-8872.

I strongly suggest you first obtain a copy of your most current credit reports from all three bureaus. To verify your identity, the bureaus will ask you financial questions whose answers all come from the credit reports they possess. Keep the PIN or account credentials each bureau gives you in a safe place; you will need them to lift the freeze temporarily when you apply for credit yourself.

The next action is to secure Identity Insurance if you want to cover out of pocket expenses to resolve the theft. These policies cover items such as processing, credit reports, medical records, travel, childcare, accounting, lost wages, investigators, legal defense fees, bank account, credit card and unauthorized electronic fund transfer theft.

Identity theft is directly related to data breaches and will continue for the foreseeable future. Therefore, it is highly recommended to protect your and your family’s identity no matter their ages, young and old. By the way, the stories above were about myself, my wife, daughter, sister and brother-in-law. Everybody knows someone. Stay tuned. Coming soon, IOTA—the Breach Killer.

Machine Learning— Real Or Hype?

I get a lot of inquiries on Machine Learning about two areas: How does it work, and how will it affect selling insurance? To answer these two questions, I will be writing a two-part article for Broker World explaining the technology and how it’s going to change life insurance processing.

Machine Learning is not new, nor is it the technology that will replace humans. It’s just another tool to be integrated within the business process. Machine Learning (ML) really competes with several of today’s core processes in the financial service industry, rules-based workflow and document imaging. Rules-based workflow remains people intensive with a short process life span. Document imaging (including all digital pictures) remains less than accurate in its digital transcriptions, resulting in dirty data or false-positive classifications. ML, though, is real and a game changer if you use it right. In part two I’ll expand on how ML will replace rules-based workflow.

Let’s start with the Artificial Intelligence (AI) family tree so we can understand what makes it tick and, for our processes, make sure we’re using its strengths. There are two broad disciplines of AI: Symbolic AI, where humans write the rules and logic the machine applies, and Machine Learning, where the machine derives its rules from data. The perception behind self-driving cars and robots, turning camera and sensor input (pictures and streaming video) into decisions, is today almost entirely machine learning. Humans see with their eyes and hear with their ears, and their brains process what’s going on around them to predict how that same environment will change, all the while storing those events and their outcomes; that is the behavior these systems imitate.

At the center of ML we need to discuss how we learn and how we train machines. There are three types of training: Supervised (learning from labelled examples), Unsupervised (finding structure in unlabelled data) and Reinforcement (learning by trial, error and reward). Think of a newborn child learning how to eat. Is it instinct or learned? Since it takes about six months for a baby to eat solid food by themselves, I believe it is learned; if not, the newborn would know how to feed himself on day one. The first six months are reinforcement training, where the child learns by trial and error how to put his fist in his mouth. During the same time something like unsupervised training is happening as the baby watches others around him eat and picks up the pattern without being told. Then around six months you place food in front of him and the baby begins to pick it up. Soon thereafter you introduce the spoon and guide his hand: supervised training. Cars and robots are trained with all three in a similar manner.

Most robot motor training is reinforcement training, which is like Thomas Edison’s famous quote, “I didn’t fail, I learned 10,000 ways that won’t work.” A robot is challenged with putting a ball, attached by a two-foot string, into the cup held in the robot’s hand. The robot repeats the attempt, altering the energy slightly each time, until the ball lands in the cup; it takes about 99 tries until it’s successful, and then it never misses, because the rewarded sequence has been learned. Now if that robot sends what it learned (over IoT, say) to another robot with the same ball and cup, the second robot succeeds on the first try with no training of its own; that is the transfer of a learned policy rather than a separate kind of learning. This is how robots learn to walk and move around their environment.

ML focuses on data to make a prediction of an outcome. ML divides into two groups, Statistical Learning and Deep Learning. Statistical Learning is the classical family (regression, decision trees, support-vector machines, clustering) that works on structured, tabular data. Deep Learning (DL) uses many-layered neural networks to analyze complicated data with many inputs across many dimensions, like a color photograph, a scanned image, speech or free text (the engines behind Dragon, Google Voice, Amazon Echo and the like), breaking the source into segments and learning its own representation of each. For images the workhorse is the DL-CNN (Deep Learning Convolutional Neural Network); I refer to DL-CNN as the “Study of Pixels.”

Deep Learning, applied to images, is the analysis of an image’s pixels and the cataloging of the patterns found in them. The ability to differentiate between an orange and an apple can be deduced from color, texture and shape: orange versus red, bumpy versus smooth surface, circle versus trapezoid-like shape. The ability to identify objects with CNN processing has tremendous benefit across many industries like farming, manufacturing, transportation and financial services. Detecting the brown spot on an apple or orange and removing the item robotically from shipping would enhance product quality and public safety. In manufacturing, quality control processes are being deployed that use cameras to review the work area and ensure the correct number and correct part numbers were used across an entire assembly of hundreds of parts, improving quality to levels never seen before. Imagine long-haul trucks being scanned for any damage which may lead to traffic accidents that could then be prevented.

When applying DL-CNN to images of handwriting or machine print with the goal of creating their data equivalent, many perspectives (feature extractors) must be utilized. A CNN learns those perspectives itself from the training set; to make the idea concrete, here is a hand-drawn version of the same process with a k-nearest-neighbour (kNN) match at the end. We define a known box around the character we want to recognize and record its pixel size (e.g., 28 pixels by 28 pixels) and call it the “Sample.” Inside the Sample we draw four equal-size boxes and count the number of ink pixels in each quadrant. Then we draw a circle of known diameter inside the Sample and count the pixels inside and outside the circle. Then we draw more shapes (perspectives) and record their pixel counts. Each of these pixel counts is then compared to the stored Samples’ pixel counts, and the closest matches form a neighborhood that narrows down the possible answers for the Sample.

Example: let’s compare the pixel counts for the numbers 1 (one) and 0 (zero). If I use only the four-quadrant count, there is often little to choose between a 1 and a 0, because both spread their pixels across the quadrants, so both are still in the running as answers. Now apply the circle method: for the number 1 both the inside and the outside of the circle contain pixels, while for the number 0 we find most, if not all, of the pixels on one side of the circle only. So if we are handed an unknown Sample that returns unremarkable quadrant counts but has pixels only outside the circle, the unknown Sample is probably a zero. Now imagine many such methods being processed (the layers of the CNN) and compared to known results (the Training Set), producing their “best guess” at what the number is.
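The quadrant and circle “perspectives” and the nearest-neighbour match from the two paragraphs above, as an added example (not the article’s code and not a CNN, which would learn its own features). The 28 by 28 samples are constructed strokes and rings, not MNIST data, and the circle radius, the stroke and ring sizes and the tiny training set are assumptions:

```python
# Added example (not from the article): hand-drawn pixel-count features and a
# 1-nearest-neighbour match over constructed 28x28 bit grids (1 = ink).
SIZE = 28


def blank():
    return [[0] * SIZE for _ in range(SIZE)]


def draw_one(x=14, thickness=3):
    """A vertical stroke of the given thickness: the digit 1."""
    g = blank()
    for y in range(3, 25):
        for dx in range(thickness):
            g[y][x + dx] = 1
    return g


def draw_zero(cx=14, cy=14, r_out=10, r_in=7):
    """A ring between two radii: the digit 0."""
    g = blank()
    for y in range(SIZE):
        for x in range(SIZE):
            d2 = (x - cx) ** 2 + (y - cy) ** 2
            if r_in ** 2 <= d2 <= r_out ** 2:
                g[y][x] = 1
    return g


def quadrant_counts(g):
    """Perspective 1: ink pixels in each of the four equal quadrants (TL, TR, BL, BR)."""
    half = SIZE // 2
    q = [0, 0, 0, 0]
    for y in range(SIZE):
        for x in range(SIZE):
            if g[y][x]:
                q[(y >= half) * 2 + (x >= half)] += 1
    return q


def circle_counts(g, radius=5):
    """Perspective 2: ink pixels inside and outside a circle centred on the Sample."""
    c = (SIZE - 1) / 2
    inside = outside = 0
    for y in range(SIZE):
        for x in range(SIZE):
            if g[y][x]:
                if (x - c) ** 2 + (y - c) ** 2 <= radius ** 2:
                    inside += 1
                else:
                    outside += 1
    return [inside, outside]


def features(g):
    """Six counts standing in for the feature vector a CNN would learn."""
    return quadrant_counts(g) + circle_counts(g)


def nearest_neighbour(sample, training_set):
    """1-NN: the stored Sample with the closest counts (squared Euclidean) wins."""
    f = features(sample)
    best_label, best_dist = None, None
    for label, known in training_set:
        d = sum((a - b) ** 2 for a, b in zip(f, features(known)))
        if best_dist is None or d < best_dist:
            best_label, best_dist = label, d
    return best_label


# Constructed training set; a real one holds thousands of samples per digit.
TRAINING_SET = [
    ("1", draw_one()),
    ("1", draw_one(x=16)),
    ("0", draw_zero()),
    ("0", draw_zero(cx=15)),
]

if __name__ == "__main__":
    print("1:", features(draw_one()), " 0:", features(draw_zero()))
    print(nearest_neighbour(draw_one(x=12, thickness=2), TRAINING_SET))
    print(nearest_neighbour(draw_zero(r_out=9, r_in=6), TRAINING_SET))
```

Printing the features shows the point of the text: the ring never enters the central circle (inside count 0), while the stroke crosses it (both counts non-zero), and that one perspective separates the two digits even when a thinner, shifted stroke or a narrower ring is presented. The quadrant counts, by contrast, shift with the stroke’s position, which is why hand-drawn perspectives are brittle and why a CNN is left to learn its own.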

DL for character recognition is a Supervised Learning model, which requires a Training Set (TS), and the larger the TS, the better the results. The most used public TS is MNIST (Modified National Institute of Standards and Technology database), which provides 70,000 28-by-28 grayscale images of handwritten digits (60,000 for training and 10,000 for testing), roughly 7,000 per digit; the Extended MNIST (EMNIST) release adds handwritten letters. These grayscale TSs are very good because they can leverage biometric algorithms (another perspective) that help determine the character written. Think of a winding river with many S-turns and remember how the inside of each curve collects the fine sand while the outside of the turn is clean and deeper. The way people write behaves the same as the river: fewer pixels on the inside of a curve and more on the outside. This further characterizes the pixel distribution and contributes to the DL-CNN’s predicted answer. Good sources of Training Sets are no surprise: Amazon, Google, IBM and Microsoft all have them. The way to leverage their TSs, or better said not worry about building your own, is to subscribe to their ML services (e.g., Amazon SageMaker, Google’s cloud ML services, IBM Watson). One thing to remember: depending on the service and its terms, the provider may use the images and data you send to improve its own models, so if your end solution is subject to compliance limitations, clear that usage first.

ML is a real game-changing technology if designed properly and kept focused. DL-CNN applied to imaged text or handwriting can produce confident but wrong answers, called “false positives,” because the answer had a high probability of being right but actually was wrong. Imaged text and handwriting are subject to variables: good versus bad handwriting, scanning, spelling, form design and people following instructions; we’ve seen ML results vary by 50 percent based on these conditions.

Hopefully I’ve shed some light on the technology in play with ML and how it generally works. In part two of the article, I’ll discuss how the life insurance community can leverage ML to produce better processes and deliver the right insurance to the right individual.

2FA And Wallet Security?

Living in a business world of confidential data and documents, and managing who can have access to them, is a daunting task. In a world of identity theft, simple logins and passwords don’t cut it anymore. People who are trusted with securing the perimeter need more help, and that change is coming quickly in the form of “Two Factor Authentication” (2FA). 2FA is not new. What’s new is its requirement in daily business application logon. Example: today case managers log in to their solution, enter their password and go to work. What’s coming as “Best Practice” is a second step of authentication, such as an access code sent to a smartphone by text or email. Users, in addition to having a password, will need a device to navigate the second step before they can go to work. Of the common second steps, a code sent by SMS is the weakest (it is exposed to SIM-swap and interception attacks, and NIST SP 800-63B classes it as a restricted authenticator); an authenticator app or hardware token is preferable where users can manage it.

Two Factor Authentication is exactly that: two inputs to secure an identity. The rules are that an identity has a strong password or passphrase, something they know. 2FA requires a second input as something they have, a device (e.g., a smartphone authenticator app, a key fob or a smart card) to which only they have access. 2FA used to be isolated to members of IT staff and those with data management roles, but now anyone who has access to confidential information will require 2FA.

As a solution provider we adopted 2FA years ago. With new threats appearing all the time, we found that against “Cross-Site Request Forgery” (CSRF) we had to add CAPTCHA challenges for all administrative roles. (A CAPTCHA confirms a human is present but does not bind the request to the user’s session; the standard CSRF defense is a per-session anti-forgery token checked on every state-changing request, reinforced by the SameSite cookie attribute.) Now the conversation in security associations is “Three Factor Authentication” (3FA), bringing biometrics, something you are, into “IT Best Practices.” The most mentioned are fingerprints, eye scans and facial recognition. With identity theft still among the FBI’s most active crimes today, the agency stating “The threat is incredibly serious—and growing,” will these added layers make us safer?

I believe we do not need more layers of authentication that impact usability and cost and end up denying access. I believe we need to change today’s “Push Model,” in which a text message, code generator, fob or other device receives the access information, to a “Pull Model,” or Wallet Security. Having the device remains valid, but adding biometric requirements will leave people out, shift the financial burden to companies and, at best, result in low adoption, missing its intent.

Wallet Security is something that two parties know about each other. It can be simple, and there can be more than one challenge. A simple second factor could be, “From this set of twelve pictures, which one is yours?” “How many grandchildren do you have?” “What is your dog’s name?” Complex answers may require a PIN or the first six digits of your credit card. Note that answers of this kind are knowledge factors, not possession factors, and are often discoverable from social media or breached data; NIST SP 800-63B does not count pre-registered security questions as an authenticator, so treat them as a usability-friendly supplement to a device rather than a replacement for one.

In recent years electronic signatures have come under attack in the courts because judges don’t believe a login and password are enough to authenticate an identity. Identity theft resulting from breaches has compromised the integrity of the authentication scheme, and the courts want to see more identity evidence. The cases at hand arose from defendants claiming that they did not e-sign the documents. Judges defending their decisions want more evidence of a relationship among the virtual parties, like voice signatures or recordings with unique qualifying questions and answers: Wallet Security.

Wallet Security is the closest we’ll get to biometrics without requiring special equipment. Ten years ago, some people in the credit card industry thought putting your picture on your credit card would deter theft. It was DOA because card thieves behave differently, and the best thing your picture served was “Lost and Found.” Maybe here is a case where “signing selfies” and social media can come together as evidence of authentication in e-signing events. Think about the data points the device and picture can document as evidence (GPS, date and time, secure smartphone, IP and more) and how social media can serve as a “witness” to a given identity as needed. Device-reported data points are only as trustworthy as the device, though; GPS, time and IP can all be spoofed by the client, so they corroborate an identity rather than prove it.

Well, back to the point and to wrap this up: 80 percent of us in the business world do not use 2FA in our day-to-day lives. Within the next few years it will be a requirement to enhance our perimeter security. To that end, where possible, select Wallet Security based solutions for better authentication and usability.