Criipto CEO’s phishing tales make for a wild ride at Authenticate 2024

Copenhagen-based firm Criipto was recently acquired by the parent company of Norwegian BankID, which runs Norway’s digital identity infrastructure. So its CEO, Niels Flensted-Jensen, speaks from a true multiplicity of perspectives in his talk at Authenticate 2024, in which he covers the differences between data center security and a truly secure population – via Romanian gangs, his wife’s susceptibility to phishing scams, sports betting and cast iron cars.

Flensted-Jensen’s main thesis is that “phishing is a big thing,” and that too much focus is being put on cybersecurity at the back end. “Regulators, all the attacks and such, are keeping our attention away from the phishing,” he says. “People are not breaking into our data centers. They’re cheating our users out of their money.”

He recounts the Norwegian smishing case of Romanian gangs that sent out SMS messages claiming to be from Norway’s department of motor vehicles, which allowed them to steal digital identities. This is followed by an account of how his wife, an art historian, was tricked by an online phishing scam posing as a Norwegian bank.

Flensted-Jensen notes the prevalence of digital ID in Scandinavian society, and says the ideal of standardization (which he claims is achieved in his native Denmark’s digital ID) also leaves verification processes open to fraud. “Digital identity succeeds when it looks the same no matter where it goes.” But that makes it “ripe for phishing.” FIDO passkeys are a potential answer.

Usable, affordable security for all trumps ‘cast-iron cars’ that make few safe

Over a black slide with the text “Intentionally left black,” Flensted-Jensen swerves to weigh the benefits of good security for many versus great security for some – i.e., those who can afford it. “Legislators tend to lean toward great security, without understanding that means security for fewer people. If we did that for transportation, we would have cars made of cast iron and going 20 miles an hour or something.”

The advancement of biometrics, mobile identity and client side cryptography means “we can do things on our devices that in the past we would have had to do in the data center.” Decentralized identity wallets can house verifiable credentials issued by trusted sources, which can then be presented to relying parties. But there are regulatory snags: for example, attestation is a problem with synched passkeys that leverage the cloud.

For web wallets, Flensted-Jensen says usability leads to adoption. But on top of usability, you need economic force, engaging industries wherein high frequency use makes sense on a cost-revenue level. He gives the (ethically iffy) example of online sports betting, where addictive behaviors necessitate repeated logins. “People that do sports betting, like it or not, they do it a lot. They sign in every day, use it for authentication day in and day out, every second hour when they go and check if Manchester United won that game.”

In near-conclusion, Flensted-Jensen sums up his main arguments (somewhat) tidily. In terms of regulations, “regulators for phishing more than they do. They should think about building for the masses, not for the few German politicians that need high security. And they should think hard about UX.” He also offers a manifesto of sorts: “stay in the browser, and stay out of the walled gardens of the app stores!”

BankAxept AS, the operator of Norway’s national payment system and its largest digital identity, BankID, acquired Criipto ApS in September 2024. The move was prompted by interest in what Øyvind Westby Brekke, CEO of BankID BankAxept, calls Criipto’s “unique and developer-friendly integration platform.”

Article Topics

Authenticate Conference  |  biometric authentication  |  biometrics  |  Criipto  |  cybersecurity  |  digital identity  |  FIDO Alliance  |  passkeys  |  passwordless authentication