Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/10/2020
02:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Major Brazilian Bank Tests Homomorphic Encryption on Financial Data

The approach allowed researchers to use machine learning on encrypted data without first decrypting it.

Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries.

Machine learning is often used in banking and finance to predict scenarios like transaction fraud or investment outcomes. This typically involves vast stores of data, much of which are sensitive but must be decrypted before processing, exposing sensitive data to exfiltration and leaks.

The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers.

"In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted to transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. 

Bergamaschi says HE protects information from what he calls the "honest but curious" threat model. An entity performing computation may be legitimate but at the same time curious about your information: When you ask a cloud service how long it takes to get to work, or where the nearest coffeeshop is, you reveal factors like where you are and where you're going. The machine collecting this data can then create a graph of everyone whose data it holds.

With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. The technology has now reached an "inflection point" at which it's ready for practical use.

During their pilot project with Banco Bradesco, the scientists' goal was to look at an account holder's banking activity over a window of time and using machine learning, predict with good accuracy whether that account holder would need a loan within the following three months.

The first step was to use HE to encrypt transaction data, as well as the machine learning-based prediction model. Financial analysts usually pinpoint factors in someone's financial history to make these types of predictions, IBM explains in a blog post. Scientists showed they could make predictions using encrypted data with the same accuracy as with unencrypted data.

"Once we proved we could achieve the same level of accuracy, we looked at, 'Can we now train or retrain the model using new transaction data that remains encrypted?'" says Bergamaschi of the process. "In doing so, we limited the chance of data exfiltration." The team was able to train the model using encrypted data, demonstrating the use of HE to maintain data privacy and confidentiality while running algorithms on it.

Lessons Learned
The pilot, which ran from January through July 2019, taught a few key lessons. "It's been very educational in the sense that we had to work with many groups that have different levels of understanding of the privacy, security, and mathematics behind everything," Bergamaschi says. "Being able to interact with all of them, and trying to make all the mathematics and cryptography consumable, was interesting."

Scientists also had to consider every aspect of their workflow and how to protect data in different scenarios. Being able to manage encryption keys was one; another was ensuring secure environments when the researchers had results and wanted to decrypt them.

Banking isn't the only industry where HE can be applied. "There are a plethora of use cases that we are just scratching the surface of," Bergamaschi adds. Industries like government and healthcare, where data privacy is a top priority, could benefit from the use of HE. IBM Research will continue working with Banco Bradesco to apply HE on financial data, he says.

We may not know the extent of where and how HE can be used. "Imagine what you could do that you don't do today, if you could do the computation on encrypted data," Bergamaschi adds. Many of business activities require information sharing, but the sharing of information is only done on a need-to-know basis. "There are many things we don't do because we are not prepared to share the information in its raw format," he says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "In App Development, Does No-Code Mean No Security?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SEODan
100%
0%
SEODan,
User Rank: Apprentice
1/15/2020 | 5:27:22 AM
Re: Wonderful post on encryption
Agreed. This a really great post. I'm still a newbie on this suject but I learned a lot.
lesacote
100%
0%
lesacote,
User Rank: Apprentice
1/12/2020 | 11:48:36 PM
Wonderful post on encryption
Thank you for the amazing post on encryption. I came to know about homomorphic encryption. I understood the importance of financial data.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5397
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
CVE-2019-17635
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
CVE-2019-19339
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
CVE-2007-6070
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
CVE-2019-17634
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could...