June 1, 2021
Securing personally identifiable information (PII) has come into existence since the inception of GDPR. However, data protection has been a subject of study since 400BC, when messages were first inscribed in tapered batons for secured communication.
Tokenization has gained popularity in the financial market, mainly for securing credit card numbers, CVV, PAN, etc., over PoS or e-commerce retail transactions. Today, tokenization has found its way into many non-payment security applications such as ePHI disclosure mandated masking of critical healthcare data, automated HR jobs involving employee PIIs for payroll deposits, tax/401K contributions, and storing citizen PIIs (social security number, driver’s license or passport number in public servers for casting online ballot votes or other online services).
Cyberattacks on deciphering these tokens are inevitable; hence hiding them has become an absolute necessity. One such technique is camouflaging these alphanumeric/numeric tokens with an image/audio/video file. This 500 BC archaic art of concealing is less popular than cryptography yet infamously used by cybercriminals.
According to a report by Market Research Future, Covid-19 had a positive impact on the Global Tokenization Market. It is expected to grow from $1.9 billion in 2020 to $4.8 billion by 2025 post-covid. The pandemic has accelerated the volume of online payments as people stay indoors and use online payment options. Online shopping has become more popular, and with it, the need for payment security has become crucial.
Steganography in Greek means covered writing. The goal is to hide messages in a way that only the intended recipient knows that a message has been sent. This goal is achieved by concealing the existence of information within harmless carriers, viz. text, images, video, or audio files, without altering the data structure. In today’s world, cybercriminals use this technique to embed malicious codes or trojans into .jpg or .mpeg4 files in the form of images or audio/video data. However, some of the common ethical applications of this method are hash marking, authorized viewing, and copyright piracy protection.
Steganography is not cryptography, and neither is tokenization some form of encryption. However, taking advantage of both these techniques can provide better encapsulation of the data in motion. Internet of Things (IoT) has been one of the highly cyberattacked domains post COVID-19, as many enterprises with compromised IT networks had backdoors open to their OT networks. While edge computing is an emerging need in IoT, most of the user transactions are still done over the cloud server involving the movement of sensitive user credentials. Image steganography can be used in IoT applications that deal with some form of multi-factor authentication mechanism, e.g., fingerprint image or facial image, as these are user PIIs. Consider an IP camera with low processing power and storage capabilities being used in a smart video surveillance system to capture user images for access control. The camera will capture the image and send it to the authentication server over the cloud for user verification. Such unsecured data over the internet are susceptible to MITM attacks where the attacker can masquerade the user and hack into the system. Similarly, consider a retail transaction over smart PoS devices requiring a photograph of user credit card and/or driving license for verified payment or verifying patient identity over a hospital ERP which requires user photo ID viz. driving license or passport. It would be highly beneficial in these cases if the captured image gets converted into a random token and is hidden in a pseudo image before sending it over the cloud.
Hughes Systique offers both a tokenization server and a steganography server along with the capabilities of combining them into a single system. To learn more about our tokenization capabilities, read our blog on Steganography in Tokenization.