Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2020
02:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Major Brazilian Bank Tests Homomorphic Encryption on Financial Data

The approach allowed researchers to use machine learning on encrypted data without first decrypting it.

Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries.

Machine learning is often used in banking and finance to predict scenarios like transaction fraud or investment outcomes. This typically involves vast stores of data, much of which are sensitive but must be decrypted before processing, exposing sensitive data to exfiltration and leaks.

The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers.

"In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted to transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. 

Bergamaschi says HE protects information from what he calls the "honest but curious" threat model. An entity performing computation may be legitimate but at the same time curious about your information: When you ask a cloud service how long it takes to get to work, or where the nearest coffeeshop is, you reveal factors like where you are and where you're going. The machine collecting this data can then create a graph of everyone whose data it holds.

With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. The technology has now reached an "inflection point" at which it's ready for practical use.

During their pilot project with Banco Bradesco, the scientists' goal was to look at an account holder's banking activity over a window of time and using machine learning, predict with good accuracy whether that account holder would need a loan within the following three months.

The first step was to use HE to encrypt transaction data, as well as the machine learning-based prediction model. Financial analysts usually pinpoint factors in someone's financial history to make these types of predictions, IBM explains in a blog post. Scientists showed they could make predictions using encrypted data with the same accuracy as with unencrypted data.

"Once we proved we could achieve the same level of accuracy, we looked at, 'Can we now train or retrain the model using new transaction data that remains encrypted?'" says Bergamaschi of the process. "In doing so, we limited the chance of data exfiltration." The team was able to train the model using encrypted data, demonstrating the use of HE to maintain data privacy and confidentiality while running algorithms on it.

Lessons Learned
The pilot, which ran from January through July 2019, taught a few key lessons. "It's been very educational in the sense that we had to work with many groups that have different levels of understanding of the privacy, security, and mathematics behind everything," Bergamaschi says. "Being able to interact with all of them, and trying to make all the mathematics and cryptography consumable, was interesting."

Scientists also had to consider every aspect of their workflow and how to protect data in different scenarios. Being able to manage encryption keys was one; another was ensuring secure environments when the researchers had results and wanted to decrypt them.

Banking isn't the only industry where HE can be applied. "There are a plethora of use cases that we are just scratching the surface of," Bergamaschi adds. Industries like government and healthcare, where data privacy is a top priority, could benefit from the use of HE. IBM Research will continue working with Banco Bradesco to apply HE on financial data, he says.

We may not know the extent of where and how HE can be used. "Imagine what you could do that you don't do today, if you could do the computation on encrypted data," Bergamaschi adds. Many of business activities require information sharing, but the sharing of information is only done on a need-to-know basis. "There are many things we don't do because we are not prepared to share the information in its raw format," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bradshimmin
50%
50%
bradshimmin,
User Rank: Author
1/24/2020 | 4:25:45 PM
Picking the best tool for the right job
Thank you for this terrific post and explanation of homomorphic encryption. It's great we have a growing number of methodologies at hand beyond basic encryption, masking, and tokenization to control access to data. Honestly, if you think about how AI prefers numeric over categorial information, ideas like homomorphic encryption make perfect sense as a means of predicting outcomes sans Personally identifiable information (PII). 

Cheers!
b.
SEODan
100%
0%
SEODan,
User Rank: Apprentice
1/15/2020 | 5:27:22 AM
Re: Wonderful post on encryption
Agreed. This a really great post. I'm still a newbie on this suject but I learned a lot.
lesacote
100%
0%
lesacote,
User Rank: Apprentice
1/12/2020 | 11:48:36 PM
Wonderful post on encryption
Thank you for the amazing post on encryption. I came to know about homomorphic encryption. I understood the importance of financial data.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19325
PUBLISHED: 2020-02-17
SilverStripe through 4.4.x before 4.4.5 and 4.5.x before 4.5.2 allows Reflected XSS on the login form and custom forms. Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built...
CVE-2020-1693
PUBLISHED: 2020-02-17
A flaw was found in Spacewalk up to version 2.9 where it was vulnerable to XML internal entity attacks via the /rpc/api endpoint. An unauthenticated remote attacker could use this flaw to retrieve the content of certain files and trigger a denial of service, or in certain circumstances, execute arbi...
CVE-2020-1828
PUBLISHED: 2020-02-17
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have an input validation vulnerability where the IPSec module does not validate a field in a specific message. ...
CVE-2020-1857
PUBLISHED: 2020-02-17
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; and Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100 have an information leakage vulnerability. Due to improper processing of some data, a local authent...
CVE-2020-1858
PUBLISHED: 2020-02-17
Huawei products NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00SPC100; Secospace USG6600 versions V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100; and USG9500 versions V500R001C30SPC600, V500R001C60SPC500, and V500R005C00SPC100 have a denial of service vulnerability. Att...