George Bernard Shaw was witty and fun. He was famous for being quotable – very much like Oscar Wilde. One quote I love, and one I thought was perfect for this blog:
“The single biggest problem in communication is the illusion that it has taken place.”
In the real world, communication is an illusion. People talk but they don’t listen. Not always, but probably more often than we would care to admit. And this problem is further compounded by our tendency to communicate via email or text rather than face to face. How often are things taken out of context, or how often do we read in emotions that were never intended? We try to communicate, but we are never really sure whether what we have said has been heard and understood the way we meant it.
In the digital world, we face a different type of illusion. Communication in the form of a dialogue occurs between users and systems, or nothing happens at all. So the illusion in the digital world is not that communication has failed to take place, but rather that it may not have taken place with the right person. This may or may not be an issue, unless, of course, it involves you – or, more importantly, impacts you. A salient example is the combination of you, your phone, your banking app, and your bank.
Picture this – you and your significant other go out after a long day at the office for a quick bite to eat at your favorite restaurant. As you’re waiting for your meal, you decide to check whether a bank transfer has gone through yet. So you pull out your phone, load up the application, authenticate to your bank, and just as you’re about to find out about that transfer, someone you haven’t seen in a while comes into the restaurant, sees you, and comes over to say hi. You put your phone down on the table, have a few words, finish, and sit back down. And… your phone’s gone.
Here’s an ugly reality. Your bank believes that it’s you on the other end – you’ve already authenticated. And as of now, it’s not really you. It’s an illusion on the bank’s part. Even worse: it’s not just an illusion for you – it’s your money. Or, was, anyway.
Many banks and other financial service institutions, as well as other regulated industries, have turned to API management solutions with specific modules for mobile devices – to help developers ensure secure end-to-end communications. Of course, while that prevents Man in the Middle (MITM) attacks, it doesn’t do much for the scenario above: the channel is secure, but the person at the other end of it has changed.
What you need is a relationship between you, your device, and your banking app. A relationship built on trust. And if there’s a deviation from that trust (i.e. the person who now has your phone initiates a huge money transfer), then a step-up authentication should be required. If your bank had established a relationship between you, your device, and your app, and someone tried to do something out of the ordinary (like empty your savings account), then a step-up would indeed have been triggered, stopping the transfer from occurring.
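To make the idea concrete, here is an added example (my own illustration, not code from the page or from any Broadcom or Layer7 product) of a transaction policy that binds a session to the device it was authenticated from and demands a fresh step-up when a transfer falls outside the user’s ordinary pattern. The user profile, device identifiers, transfer history and thresholds are all constructed for the example; the key point is that in the stolen-phone scenario the device check passes, so it is the out-of-the-ordinary amount that has to trigger the step-up.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Session:
    user_id: str
    device_id: str            # device the session was authenticated from
    step_up_verified: bool = False   # set only after a fresh step-up succeeds


@dataclass
class UserProfile:
    user_id: str
    trusted_devices: frozenset       # devices enrolled for this user
    recent_transfers: list           # past transfer amounts, used as a baseline


# Constructed sample data: one user, one enrolled phone, a modest transfer history.
ALICE = UserProfile("alice", frozenset({"phone-A"}), [120.0, 80.0, 200.0, 150.0])


def transfer_baseline(profile, multiplier=3.0, floor=500.0):
    """Largest amount still considered 'ordinary' for this user (assumed thresholds)."""
    if not profile.recent_transfers:
        return floor
    return max(floor, multiplier * mean(profile.recent_transfers))


def evaluate_transfer(session, profile, presenting_device, amount):
    """Decide whether a transfer may proceed on an already-authenticated session.

    Returns 'deny', 'step_up' or 'allow'. The session alone is never enough:
    the request must come from the device the session is bound to, that device
    must be enrolled for the user, and anything beyond the user's ordinary
    pattern needs a fresh step-up before it is honoured.
    """
    if session.user_id != profile.user_id:
        return "deny"
    if presenting_device != session.device_id or presenting_device not in profile.trusted_devices:
        return "deny"                 # session token presented from a device it is not bound to
    if amount > transfer_baseline(profile) and not session.step_up_verified:
        return "step_up"              # same phone, but out of the ordinary: re-prove it is you
    return "allow"
```

In the restaurant scenario the session is still valid and still on the same phone, so `evaluate_transfer` answers `"allow"` for a routine amount and `"step_up"` for an attempt to empty the account, which is exactly the check the paragraph above asks for.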
At Broadcom, we’ve implemented the above through our Mobile SDK, and our financial service customers have adopted these APIs to stop just such an attack. In fact, API World recognized Layer7 API Management at the 2019 API Awards in both Best of API Infrastructure (primarily due to our implementation of full lifecycle API management) and Best in API Security – recognizing the integrated security built in out of the box, as well as the Mobile SDK and the additional security it can bring to mobile applications.