Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2020
02:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Major Brazilian Bank Tests Homomorphic Encryption on Financial Data

The approach allowed researchers to use machine learning on encrypted data without first decrypting it.

Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries.

Machine learning is often used in banking and finance to predict scenarios like transaction fraud or investment outcomes. This typically involves vast stores of data, much of which are sensitive but must be decrypted before processing, exposing sensitive data to exfiltration and leaks.

The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers.

"In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted to transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. 

Bergamaschi says HE protects information from what he calls the "honest but curious" threat model. An entity performing computation may be legitimate but at the same time curious about your information: When you ask a cloud service how long it takes to get to work, or where the nearest coffeeshop is, you reveal factors like where you are and where you're going. The machine collecting this data can then create a graph of everyone whose data it holds.

With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. The technology has now reached an "inflection point" at which it's ready for practical use.

During their pilot project with Banco Bradesco, the scientists' goal was to look at an account holder's banking activity over a window of time and using machine learning, predict with good accuracy whether that account holder would need a loan within the following three months.

The first step was to use HE to encrypt transaction data, as well as the machine learning-based prediction model. Financial analysts usually pinpoint factors in someone's financial history to make these types of predictions, IBM explains in a blog post. Scientists showed they could make predictions using encrypted data with the same accuracy as with unencrypted data.

"Once we proved we could achieve the same level of accuracy, we looked at, 'Can we now train or retrain the model using new transaction data that remains encrypted?'" says Bergamaschi of the process. "In doing so, we limited the chance of data exfiltration." The team was able to train the model using encrypted data, demonstrating the use of HE to maintain data privacy and confidentiality while running algorithms on it.

Lessons Learned
The pilot, which ran from January through July 2019, taught a few key lessons. "It's been very educational in the sense that we had to work with many groups that have different levels of understanding of the privacy, security, and mathematics behind everything," Bergamaschi says. "Being able to interact with all of them, and trying to make all the mathematics and cryptography consumable, was interesting."

Scientists also had to consider every aspect of their workflow and how to protect data in different scenarios. Being able to manage encryption keys was one; another was ensuring secure environments when the researchers had results and wanted to decrypt them.

Banking isn't the only industry where HE can be applied. "There are a plethora of use cases that we are just scratching the surface of," Bergamaschi adds. Industries like government and healthcare, where data privacy is a top priority, could benefit from the use of HE. IBM Research will continue working with Banco Bradesco to apply HE on financial data, he says.

We may not know the extent of where and how HE can be used. "Imagine what you could do that you don't do today, if you could do the computation on encrypted data," Bergamaschi adds. Many of business activities require information sharing, but the sharing of information is only done on a need-to-know basis. "There are many things we don't do because we are not prepared to share the information in its raw format," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
David.Sanders.Haystax
50%
50%
David.Sanders.Haystax,
User Rank: Author
3/23/2020 | 4:55:23 PM
Re: Picking the best tool for the right job
Great article on an instersting topic. Thanks.

David S
bradshimmin
50%
50%
bradshimmin,
User Rank: Author
1/24/2020 | 4:25:45 PM
Picking the best tool for the right job
Thank you for this terrific post and explanation of homomorphic encryption. It's great we have a growing number of methodologies at hand beyond basic encryption, masking, and tokenization to control access to data. Honestly, if you think about how AI prefers numeric over categorial information, ideas like homomorphic encryption make perfect sense as a means of predicting outcomes sans Personally identifiable information (PII). 

Cheers!
b.
SEODan
100%
0%
SEODan,
User Rank: Apprentice
1/15/2020 | 5:27:22 AM
Re: Wonderful post on encryption
Agreed. This a really great post. I'm still a newbie on this suject but I learned a lot.
lesacote
100%
0%
lesacote,
User Rank: Apprentice
1/12/2020 | 11:48:36 PM
Wonderful post on encryption
Thank you for the amazing post on encryption. I came to know about homomorphic encryption. I understood the importance of financial data.
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11565
PUBLISHED: 2020-04-06
An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa.
CVE-2020-11558
PUBLISHED: 2020-04-05
An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by MP4Box. audio_sample_entry_Read in isomedia/box_code_base.c does not properly decide when to make gf_isom_box_del calls. This leads to various use-after-free outcomes involving mdia_Read, gf_isom_delete_movie, and gf_isom_parse_m...
CVE-2020-11547
PUBLISHED: 2020-04-05
PRTG Network Monitor before 20.1.57.1745 allows remote unauthenticated attackers to obtain information about probes running or the server itself (CPU usage, memory, Windows version, and internal statistics) via an HTTP request, as demonstrated by type=probes to login.htm or index.htm.
CVE-2020-11548
PUBLISHED: 2020-04-05
The Search Meter plugin through 2.13.2 for WordPress allows user input introduced in the search bar to be any formula. The attacker could achieve remote code execution via CSV injection if a wp-admin/index.php?page=search-meter Export is performed.
CVE-2020-11542
PUBLISHED: 2020-04-04
3xLOGIC Infinias eIDC32 2.213 devices with Web 1.107 allow Authentication Bypass via CMD.HTM?CMD= because authentication depends on the client side's interpretation of the <KEY>MYKEY</KEY> substring.