Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2020
02:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Major Brazilian Bank Tests Homomorphic Encryption on Financial Data

The approach allowed researchers to use machine learning on encrypted data without first decrypting it.

Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries.

Machine learning is often used in banking and finance to predict scenarios like transaction fraud or investment outcomes. This typically involves vast stores of data, much of which are sensitive but must be decrypted before processing, exposing sensitive data to exfiltration and leaks.

The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers.

"In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted to transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. 

Bergamaschi says HE protects information from what he calls the "honest but curious" threat model. An entity performing computation may be legitimate but at the same time curious about your information: When you ask a cloud service how long it takes to get to work, or where the nearest coffeeshop is, you reveal factors like where you are and where you're going. The machine collecting this data can then create a graph of everyone whose data it holds.

With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. The technology has now reached an "inflection point" at which it's ready for practical use.

During their pilot project with Banco Bradesco, the scientists' goal was to look at an account holder's banking activity over a window of time and using machine learning, predict with good accuracy whether that account holder would need a loan within the following three months.

The first step was to use HE to encrypt transaction data, as well as the machine learning-based prediction model. Financial analysts usually pinpoint factors in someone's financial history to make these types of predictions, IBM explains in a blog post. Scientists showed they could make predictions using encrypted data with the same accuracy as with unencrypted data.

"Once we proved we could achieve the same level of accuracy, we looked at, 'Can we now train or retrain the model using new transaction data that remains encrypted?'" says Bergamaschi of the process. "In doing so, we limited the chance of data exfiltration." The team was able to train the model using encrypted data, demonstrating the use of HE to maintain data privacy and confidentiality while running algorithms on it.

Lessons Learned
The pilot, which ran from January through July 2019, taught a few key lessons. "It's been very educational in the sense that we had to work with many groups that have different levels of understanding of the privacy, security, and mathematics behind everything," Bergamaschi says. "Being able to interact with all of them, and trying to make all the mathematics and cryptography consumable, was interesting."

Scientists also had to consider every aspect of their workflow and how to protect data in different scenarios. Being able to manage encryption keys was one; another was ensuring secure environments when the researchers had results and wanted to decrypt them.

Banking isn't the only industry where HE can be applied. "There are a plethora of use cases that we are just scratching the surface of," Bergamaschi adds. Industries like government and healthcare, where data privacy is a top priority, could benefit from the use of HE. IBM Research will continue working with Banco Bradesco to apply HE on financial data, he says.

We may not know the extent of where and how HE can be used. "Imagine what you could do that you don't do today, if you could do the computation on encrypted data," Bergamaschi adds. Many of business activities require information sharing, but the sharing of information is only done on a need-to-know basis. "There are many things we don't do because we are not prepared to share the information in its raw format," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
David.Sanders.Haystax
50%
50%
David.Sanders.Haystax,
User Rank: Author
3/23/2020 | 4:55:23 PM
Re: Picking the best tool for the right job
Great article on an instersting topic. Thanks.

David S
bradshimmin
50%
50%
bradshimmin,
User Rank: Author
1/24/2020 | 4:25:45 PM
Picking the best tool for the right job
Thank you for this terrific post and explanation of homomorphic encryption. It's great we have a growing number of methodologies at hand beyond basic encryption, masking, and tokenization to control access to data. Honestly, if you think about how AI prefers numeric over categorial information, ideas like homomorphic encryption make perfect sense as a means of predicting outcomes sans Personally identifiable information (PII). 

Cheers!
b.
lesacote
100%
0%
lesacote,
User Rank: Apprentice
1/12/2020 | 11:48:36 PM
Wonderful post on encryption
Thank you for the amazing post on encryption. I came to know about homomorphic encryption. I understood the importance of financial data.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...