Biometric Verification Can Redefine the Payments Market. In recent months, hackers have been able to circumvent many of today’s popular 2FA protocols via techniques such as sim swaps. As a result, it is important for business owners to up their game and adopt advanced solutions such as biometrically-verified digital IDs, that can allow users to facilitate their payments in a highly streamlined, secure manner.
It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Alastair Johnson.
Alastair has led global integrated product development and product marketing for brands such as Microsoft, Skype, Office, Xbox, Hololens, Disney, TED and the BBC. He is Founder and CEO of Nuggets.life, a blockchain ecommerce payments and ID platform that is redefining online security and privacy.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Derby, England in the late ’80s when the Silicon Valley tech boom was still in its nascency. Through the mid-nineties, I worked as a product designer for a number of reputable clients including Nokia, Ericsson and Siemens. As the internet started to become accessible and viable I landed a role as Multimedia Design Director and was able to start maximising the opportunities that the internet had. This was a blossoming time for technology and I quickly moved on to other opportunities around early e-commerce offerings and the like.
I then had my own tech company for 10 years, striving to push the boundaries of the technological opportunity. From there I had the opportunity to work for Skype and Microsoft where I finally learned to have confidence in my own abilities, developing enough self-belief to drive my own ideas with new technology and problem-solving techniques. At the same time, I was getting to grips with the high likelihood of being dyslexic, despite only finding out in my forties. This immediately explained why problem solving had always been my thing.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
A major turning point in my life — one that led me to establish Nuggets — came in 2015 when my credit card and personal identity data were used fraudulently by hackers. As a result, I witnessed first-hand the hugely frustrating process of dealing with banks, learning along the way that no one really had control over their personal data and that most people were more than happy to leave highly sensitive information (pertaining to them) in the hands of random third-party organisations. This led me to start the journey I’m on today.
Can you share the most interesting story that happened to you since you began your career?
While designing for the telecoms industry, a team member from the shop floor came up to me and showed me a mistake I had made: the holes I had designed in a piece didn’t match up with the corresponding holes as they should. Beginning to sweat, I asked how many units had been produced. 300,000 was the answer, leading to absolute horror from my side and certainty in my immediate demise. Luckily, though, I had extensive experience of working on the shop floor with the team. I can only assume that this had earnt me a certain level of respect, as they said they were willing to remedy the mistake over a few shifts, with the only cost I had to front being work drinks for the foreseeable future.
What I took from this experience is the value of working as a team and being respectful of all participants in that journey, as you never know when they might be the one saving your bacon.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There have been a number of people throughout my life that have helped shape me into who I am today, and for whom I’m extremely grateful. But ultimately it’s probably my parents I ought to thank the most, especially my dad, for my creativity and problem-solving skills, combined with practical common sense application (some may question this). To him, I’m eternally grateful for all his best pieces of wood, which I used up from his shed in my endeavour to make the world a better place, or at least a better toy castle than before.
Are you working on any exciting new projects now? How do you think that will help people?
We’re constantly working towards a world in which people own and control their own personal information. Privacy is a fundamental human right that is being stripped away. We’re determined to help bring about a fundamental shift in the way personal data is stored.
In light of this, one of the projects that I am currently involved in is a document storage solution that is being tested in the FCA’s regulatory sandbox.
We’re dedicated to making antiquated username and password combinations coupled with insecure SMS and email verifications a thing of the past. Nuggets offers a common sense alternative, where customers can frictionlessly tie their ID to apps, platforms, and services — all without intermediaries interfering with their privacy and security.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I’m actually not very good at this, and I would be lying if I said otherwise. I work too many hours, stress about too many things, don’t rest enough, and have a nasty habit of waking up at 4 in the morning with more ideas.
Heart failure is my retirement.
But, having said that, I’ve definitely found meditation to be of great use when you’re about to pop — on an app, of course, as I wouldn’t have time otherwise.
Also, never underestimate the support you can get from your mentors (read partner), since they may have been in many of the exact same spots that you may find yourself in at various times during your professional career.
Finally, take some time to reflect on your mental health and the tools that help you to de-stress, think clearly and achieve a state of balance. For me, it’s going for a daily run and checking in with my Calm app.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
When the General Data Protection Regulation (GDPR) was implemented in 2018, we entered a new era which emphasises data security and customer control over personal information.
A key feature of GDPR is that it gives customers the right to compel businesses to delete any trace of their information from company servers (known as the right to be forgotten). This is a great incentive for more secure storage and handling of personal data.
Any company handling the data of a single European citizen must comply with GDPR if they want to avoid incredibly costly fines, even for minor infractions. The legislation is not limited to Europe and actually applies to any business or service that welcomes EU citizens as users — a significant point, given that the proliferation of major breaches of business databases occurs on a global scale.
Another noteworthy data privacy regulation is the California Consumer Privacy Act (CCPA), which came into effect at the start of 2020. Similar to GDPR, it demands the right to be informed, the right of access, and the right to portability.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
Even before reaching a point of having to destroy any stored records, I believe that one’s private, sensitive data should never be made available to a single organisation full stop.
However, if it absolutely has to be shared, this should ideally be done in a cryptographically verified way without revealing any plain text information. ZKPs, homomorphic encryption or secure enclave computing should be used where possible.
If personal data has to be shared in order to fulfil regulatory, auditing or business requirements, it should be done using the absolute minimum of information. In conjunction with this, it should only be shared directly with another verified ID through a secure tunnel using encrypted packages on a restricted read-only basis for an allotted time period.
In the face of this changing landscape, how has your data retention policy evolved over the years?
In terms of the Nuggets platform, our ethos has been the same from day one: zero knowledge storage for user data. No one within Nuggets has any access to any user’s information.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
If Companies Don’t Store your Data, It’s Not There to be Breached
Look at how you can work with your customers and the business model to reduce or remove the need for personal information to be held.
Adherence to PSD2 Regulations is a Must
The Payment Service Directive Two (PSD2) is a regulatory directive for electronic payment service providers in the UK that seeks to substantially reduce the control of banks over their customers’ account information and payment services. It is a must for financial services providers to stay in line with these guidelines in order to avoid legal issues.
Decentralization is the Key
As per today’s open banking regulations, there are hardly any safeguards in place to protect customer data should it fall into the wrong hands. All it takes is an attack on the central server of a major fintech operator for nefarious agents to impersonate someone and steal all of their hard-earned money. Thus, it is essential for businesses to promote and adopt the use of digital IDs, as much as possible, so that users can secure their financial data by themselves.
Cryptographic Techniques Should be Employed as Much as Possible
Financial service providers should make use of novel technologies such as zero-knowledge proofs, that allow information to be cryptographically proven without revealing any sensitive client data.
Biometric Verification Can Redefine the Payments Market
In recent months, hackers have been able to circumvent many of today’s popular 2FA protocols via techniques such as SIM swaps. As a result, it is important for business owners to up their game and adopt advanced solutions such as biometrically-verified digital IDs, that can allow users to facilitate their payments in a highly streamlined, secure manner.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
For years now I have been an ardent advocate of Self-Sovereign Digital IDs. These tools provide users with complete ownership of their personal information, allowing them to share data in a highly discreet and verifiable manner without divulging any personally identifiable information. When merged with today’s payment systems, they can mitigate a number of risks associated with fraud, false positives, and fraudulent chargebacks. On a more technical note, Self-Sovereign Digital Identities are portable, allow for multi-level ID verification, and can enable users to move from one organisation to another quite seamlessly.
To highlight the need for Self-Sovereign Digital IDs, I would like to point out that during Q1 and Q2 (2019) alone, global data breaches resulted in the records of 4.1 billion individuals being leaked online. In this regard, the number of people affected by health data breaches between 2017 and 2019 rose by a whopping 80%. In one particular incident, a large US real estate and title insurance company exposed the sensitive financial records — including Social Security numbers and tax documents — of 885 million individuals.
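Editor’s note: the data-minimisation pattern described earlier in this interview (share only the minimum, cryptographically verified, directly with one verified recipient, read-only, for an allotted period) and the selective sharing that Self-Sovereign Digital IDs promise are the same mechanism viewed from two sides. The block below is an illustration added by the editor; it is not Nuggets code and the page does not describe any product in these terms. An issuer signs a list of salted hash commitments to each claim rather than the claims themselves; the holder later reveals only the claims they choose, in a presentation bound to one audience, one fresh challenge and an expiry; the verifier checks all of that and learns nothing about the undisclosed claims. All names and data are constructed, and HMAC with keys the verifier also holds stands in for the issuer’s and holder’s digital signatures so that it runs on the Python standard library alone (a real deployment would use an asymmetric scheme such as Ed25519, and the zero-knowledge and secure-tunnel aspects mentioned above are outside its scope).

```python
"""Selective disclosure of a signed credential with an audience- and time-bound presentation.

Editor's constructed example (not Nuggets code). HMAC with keys the verifier
also holds stands in for the issuer's and holder's digital signatures so the
module needs only the standard library; replace _mac with Ed25519 in practice.
"""
import hashlib
import hmac
import json
import secrets


def _canon(obj) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, obj) -> str:
    """Signature stand-in (see module docstring)."""
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


def _commit(salt: str, name: str, value) -> str:
    """Salted hash of one claim; the random salt stops guessing low-entropy values such as dates."""
    return hashlib.sha256(_canon([salt, name, value])).hexdigest()


def issue_credential(issuer_key: bytes, claims: dict, issued_at: int):
    """Issuer signs only per-claim commitments; plaintext claims and salts stay with the holder."""
    salts = {name: secrets.token_hex(16) for name in claims}
    body = {
        "iss": "hypothetical-issuer",  # hypothetical identifier
        "iat": issued_at,
        "commitments": {n: _commit(salts[n], n, v) for n, v in claims.items()},
    }
    credential = {"body": body, "sig": _mac(issuer_key, body)}
    holder_secret = {"claims": dict(claims), "salts": salts}
    return credential, holder_secret


def present(credential, holder_secret, holder_key: bytes, reveal, audience: str,
            nonce: str, now: int, ttl: int):
    """Holder reveals only `reveal`, bound to one audience, one challenge nonce and `ttl` seconds."""
    unknown = set(reveal) - set(holder_secret["claims"])
    if unknown:
        raise KeyError(f"credential has no claim(s) {sorted(unknown)}")
    pres = {
        "credential": credential,
        "disclosures": {n: [holder_secret["salts"][n], holder_secret["claims"][n]] for n in reveal},
        "aud": audience,
        "nonce": nonce,
        "exp": now + ttl,
    }
    return {"pres": pres, "holder_sig": _mac(holder_key, pres)}


def verify(presentation, issuer_key: bytes, holder_key: bytes, audience: str, nonce: str, now: int) -> dict:
    """Return the revealed claims if every check passes, else raise ValueError.
    Undisclosed claims are present only as salted hashes and cannot be recovered."""
    pres = presentation["pres"]
    if not hmac.compare_digest(presentation["holder_sig"], _mac(holder_key, pres)):
        raise ValueError("holder signature invalid (presentation tampered)")
    cred = pres["credential"]
    if not hmac.compare_digest(cred["sig"], _mac(issuer_key, cred["body"])):
        raise ValueError("issuer signature invalid (credential tampered)")
    if pres["aud"] != audience:
        raise ValueError("presentation was issued to a different verifier")
    if pres["nonce"] != nonce:
        raise ValueError("nonce mismatch: replayed presentation")
    if now >= pres["exp"]:
        raise ValueError("presentation expired")
    commitments = cred["body"]["commitments"]
    revealed = {}
    for name, (salt, value) in pres["disclosures"].items():
        if name not in commitments or not hmac.compare_digest(commitments[name], _commit(salt, name, value)):
            raise ValueError(f"disclosure of {name!r} does not match the issuer's commitment")
        revealed[name] = value
    return revealed


def demo() -> dict:
    """Constructed run: a KYC-style credential where a merchant learns only age status and country."""
    issuer_key, holder_key = secrets.token_bytes(32), secrets.token_bytes(32)
    t0 = 1_700_000_000
    claims = {"full_name": "A. Example", "dob": "1990-01-01", "over_18": True,
              "country": "GB", "iban": "GB00EXAMPLE00000000"}  # constructed data
    cred, secret = issue_credential(issuer_key, claims, t0)
    challenge = secrets.token_hex(8)  # fresh per verifier request, defeats replay
    pres = present(cred, secret, holder_key, ["over_18", "country"], "merchant.example", challenge, t0, ttl=60)
    revealed = verify(pres, issuer_key, holder_key, "merchant.example", challenge, t0 + 5)
    assert "A. Example" not in _canon(pres).decode()  # hidden claims never leave the holder
    return revealed


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that the verifier never receives the credential’s plaintext: the issuer signature covers only hashes, so the holder can drop any claim from a presentation without invalidating the signature, while a holder who re-signs an altered value is caught because the altered value no longer hashes to the issuer’s commitment. Binding the presentation to an audience, a challenge nonce and an expiry is what makes it unusable if it is captured in transit or replayed later.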
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy to market as affordable, deployable and realistic solutions that every business owner can take advantage of.