Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2020
02:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Major Brazilian Bank Tests Homomorphic Encryption on Financial Data

The approach allowed researchers to use machine learning on encrypted data without first decrypting it.

Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries.

Machine learning is often used in banking and finance to predict scenarios like transaction fraud or investment outcomes. This typically involves vast stores of data, much of which are sensitive but must be decrypted before processing, exposing sensitive data to exfiltration and leaks.

The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers.

"In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted to transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. 

Bergamaschi says HE protects information from what he calls the "honest but curious" threat model. An entity performing computation may be legitimate but at the same time curious about your information: When you ask a cloud service how long it takes to get to work, or where the nearest coffeeshop is, you reveal factors like where you are and where you're going. The machine collecting this data can then create a graph of everyone whose data it holds.

With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. The technology has now reached an "inflection point" at which it's ready for practical use.

During their pilot project with Banco Bradesco, the scientists' goal was to look at an account holder's banking activity over a window of time and using machine learning, predict with good accuracy whether that account holder would need a loan within the following three months.

The first step was to use HE to encrypt transaction data, as well as the machine learning-based prediction model. Financial analysts usually pinpoint factors in someone's financial history to make these types of predictions, IBM explains in a blog post. Scientists showed they could make predictions using encrypted data with the same accuracy as with unencrypted data.

"Once we proved we could achieve the same level of accuracy, we looked at, 'Can we now train or retrain the model using new transaction data that remains encrypted?'" says Bergamaschi of the process. "In doing so, we limited the chance of data exfiltration." The team was able to train the model using encrypted data, demonstrating the use of HE to maintain data privacy and confidentiality while running algorithms on it.

Lessons Learned
The pilot, which ran from January through July 2019, taught a few key lessons. "It's been very educational in the sense that we had to work with many groups that have different levels of understanding of the privacy, security, and mathematics behind everything," Bergamaschi says. "Being able to interact with all of them, and trying to make all the mathematics and cryptography consumable, was interesting."

Scientists also had to consider every aspect of their workflow and how to protect data in different scenarios. Being able to manage encryption keys was one; another was ensuring secure environments when the researchers had results and wanted to decrypt them.

Banking isn't the only industry where HE can be applied. "There are a plethora of use cases that we are just scratching the surface of," Bergamaschi adds. Industries like government and healthcare, where data privacy is a top priority, could benefit from the use of HE. IBM Research will continue working with Banco Bradesco to apply HE on financial data, he says.

We may not know the extent of where and how HE can be used. "Imagine what you could do that you don't do today, if you could do the computation on encrypted data," Bergamaschi adds. Many of business activities require information sharing, but the sharing of information is only done on a need-to-know basis. "There are many things we don't do because we are not prepared to share the information in its raw format," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
lesacote
100%
0%
lesacote,
User Rank: Apprentice
1/12/2020 | 11:48:36 PM
Wonderful post on encryption
Thank you for the amazing post on encryption. I came to know about homomorphic encryption. I understood the importance of financial data.
SEODan
100%
0%
SEODan,
User Rank: Apprentice
1/15/2020 | 5:27:22 AM
Re: Wonderful post on encryption
Agreed. This a really great post. I'm still a newbie on this suject but I learned a lot.
bradshimmin
50%
50%
bradshimmin,
User Rank: Author
1/24/2020 | 4:25:45 PM
Picking the best tool for the right job
Thank you for this terrific post and explanation of homomorphic encryption. It's great we have a growing number of methodologies at hand beyond basic encryption, masking, and tokenization to control access to data. Honestly, if you think about how AI prefers numeric over categorial information, ideas like homomorphic encryption make perfect sense as a means of predicting outcomes sans Personally identifiable information (PII). 

Cheers!
b.
David.Sanders.Haystax
50%
50%
David.Sanders.Haystax,
User Rank: Author
3/23/2020 | 4:55:23 PM
Re: Picking the best tool for the right job
Great article on an instersting topic. Thanks.

David S
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...