By John Davies, CTO, Velo Payments
Security is not just the complexity of your password; security covers the entire platform and its users, inside and out. It is not something that can be fitted in after the fact but needs to be designed in from the start. Today the news is full of data breaches, security hacks and data loss; almost all of them are bad and can result in billions in losses, bankruptcy and loss of life. Velo takes security very seriously. Coming from a background in wholesale banking and Visa, we know how important data is, so we built our platform security-first.
Avoid Data Breaches
Virtually everyone on the planet with a digital record somewhere has been leaked, many billions of people several times over, and that’s just in 2019. Whilst you might not have lost sleep over Dunkin’ Donuts’ data breach (twice in 3 months) releasing 10 million discounted coffee IDs, these might… Rutland’s release of 72,000 medical records with names, addresses, SSNs etc., FEMA’s 2.5 million disaster victims’ bank accounts, addresses, dates of birth etc., Georgia Tech’s 1.3 million, 80 million US households from an “unknown” service on Azure, Instagram’s 49 million influencers, First American Financial Corp’s 885 million financial records. That is just a small fraction of the hundreds of serious, potentially life-changing data leaks of 2019, and we started 2020 with Travelex being taken offline by ransomware.
We really don’t need to worry about our governments watching us: almost anyone with a computer and a little knowledge can download almost everything they need to know about you from these data breaches.
At Velo, we acknowledge that some people are bad, a sad but realistic assumption. Even if one of these bad actors were able to work from inside Velo, they could not access data. We have designed our system in such a way that no one, not even the head of back-office operations, the head of engineering or the CEO, can access our client-confidential data. No two people can collude to access data, so no one can be forced to access data. The only way anyone can access data is through our unique VCR (Virtual Clean Room). It needs multiple people from more than one continent to provide credentials, and once started everything is logged. There is no data connection to the servers, only a virtual screen, and data is velocity limited, so while one or two records can be seen it is impossible to list any “useful” amount, and then still impossible to copy them externally.
The payor and payee data we hold is signed and encrypted by the owner of the data. Communication between our payors and their customers (our payees) is end-to-end encrypted; not even we can read it, even if we wanted to. We use Hardware Security Modules (HSMs) for high-value payments and a unique WebAssembly module to encrypt data before it leaves our customers. In addition to these unique features we also use “NSA top-secret grade” encryption and limit the operating systems and web browsers we support to further lower the risk of a breach. All of our employees also undergo background checks; so far no bad ones.
Started security-first, not an afterthought
Many payment companies start small and scale; security is usually an afterthought. We started security-first, knowing where we were heading. Our architecture, code, employees, APIs and platform are systematically audited by external experts across the globe.
You own your data, we make sure of that
We operate a “you own your data” policy in Velo, internally and externally. You decide who can access what, we tell you what the regulators need to know and we can even keep the regulators’ keys in escrow. We store your confidential data on our blockchain, which is permissioned, i.e. we grant you permission to access it, you write your data to it, decide who has permission to access each field and then sign it so we know that it’s authentic. Everything in the blockchain is provably secure and access is also audited, so everyone can see who has accessed or added a record but not what it is (unless you gave them permission).
We designed this to work with GDPR and CCPA, and as it’s not a DLT we can partition the data to ensure geo-sensitive data is kept local. This is not possible with DLTs simply because everything is copied everywhere, which is not great for countries or businesses with data sovereignty or privacy concerns. We store deletable data separately from the blockchain, sign it and anchor the signature in the chain. The signature can never be deleted but it contains no data, whereas the data can be deleted or moved; we can’t re-create the deleted data. We can, however, still prove that moved or re-presented data is original by using the signature.
We want your data to be secure. Encryption is a good start but we can take it further: firstly, the encryption keys need to be kept safe; secondly, encrypted data in the wrong hands makes it much easier to decrypt, so we do not distribute data, even encrypted, unnecessarily. Internally our services do not have passwords (keys) to the data; the services authenticate themselves with a security service and are given session keys (limited to a specific time). The design of this came about after early security audits by ex-NSA specialists NISOS. We call this service The Overseer; it is inaccessible via a terminal, even from the inside. To start it we need multi-factor authentication including Hardware Security Modules (HSMs).
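The off-chain-data, on-chain-anchor scheme described above, as an added example that is not Velo’s code: deletable records live outside the chain, only a content digest and the owner’s signature are appended to the chain, and a moved or re-presented record is checked against that anchor. Assumptions: the Python standard library has no Ed25519, so an HMAC-SHA-256 tag under a constructed owner key stands in for the Ed25519 signature the article mentions; the record values are constructed.

```python
import hashlib
import hmac
import json

# Stand-in for the data owner's signing key. Assumption: the standard library
# has no Ed25519, so an HMAC-SHA-256 tag plays the role of the owner's signature.
OWNER_KEY = b"constructed-owner-signing-key"


def canonical(record):
    """Deterministic encoding so the same record always produces the same digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def owner_sign(record):
    return hmac.new(OWNER_KEY, canonical(record), hashlib.sha256).hexdigest()


class AnchoredStore:
    """Deletable data off-chain; only a digest and the owner's signature go on-chain."""

    def __init__(self):
        self.offchain = {}  # record_id -> record; may be deleted or moved
        self.chain = []     # append-only anchors; never deleted, carry no data

    def write(self, record_id, record):
        self.offchain[record_id] = record
        self.chain.append({
            "id": record_id,
            "digest": hashlib.sha256(canonical(record)).hexdigest(),
            "sig": owner_sign(record),
        })

    def delete(self, record_id):
        """Erasure request: the data goes, the anchor stays but cannot recreate it."""
        self.offchain.pop(record_id, None)

    def verify(self, record_id, presented):
        """Prove that a moved or re-presented record is the original the owner signed."""
        anchors = [a for a in self.chain if a["id"] == record_id]
        if not anchors:
            return False
        latest = anchors[-1]
        digest = hashlib.sha256(canonical(presented)).hexdigest()
        return (hmac.compare_digest(latest["digest"], digest)
                and hmac.compare_digest(latest["sig"], owner_sign(presented)))
```

After `delete`, the anchor still verifies the original record if it is re-presented, but nothing in the chain reveals or reconstructs the deleted fields.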
Don’t negotiate on cryptography
One of the biggest flaws in cryptography in recent years has been the encryption levels negotiated between computers as they attempt to find a protocol they can both use. Your web browser does this every time you run up a secure session, which is almost every page you visit these days (easily indicated by the ’s’ in https://). Velo could take the policy of only using the most secure cryptography; the problem is that only the very latest devices would be able to communicate with us. To solve this everyone uses TLS (Transport Layer Security), which has been around since the late 90s. The big, and I mean BIG, issue with TLS is that computers negotiate down from very secure through secure to blatantly insecure until they find something that works. Velo has taken the position of accepting TLS 1.2 and 1.3 only; this may be jargon for most readers but it’s an important step to limit the possibility of “downgrade attacks”.
While we’re on cryptography, we don’t see quantum computing being able to reveal your secrets in the next 5-10 years, but we do see it as a threat in the longer term. We have post-quantum alternatives and both our blockchain and platform can be upgraded; it’s overkill for now. There are also holes being found in some of the “simpler” hashes every few weeks, so we’ve opted for some of the best. We use AES (Rijndael) double-round 256 in counter mode with a SHA-2 512/256 HMAC, and for signing we use Ed25519, basically EdDSA with SHA-512.
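The TLS 1.2/1.3-only position from the previous section, as an added example that is not Velo’s configuration: a server-side context whose version floor makes a downgrade to TLS 1.0/1.1 a handshake failure rather than a weaker session, plus a policy check that can be run over access logs to detect any listener that still negotiates below the floor. Assumptions: `certfile`/`keyfile` are placeholders, and the log lines are constructed.

```python
import re
import ssl

# Stated policy: negotiate TLS 1.2 or 1.3 only, never anything older.
ALLOWED = {"TLSv1.2", "TLSv1.3"}


def make_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext that cannot be negotiated down below TLS 1.2.

    certfile/keyfile are placeholders; pass the real chain in deployment.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Version floor: a client that only offers TLS 1.0/1.1 (or SSLv3) gets a
    # handshake failure instead of the server quietly accepting a weaker session.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression leaks plaintext
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def version_allowed(negotiated):
    """Policy check on the string SSLSocket.version() returns after a handshake."""
    return negotiated in ALLOWED


# Constructed sample of what an edge proxy's access log might record per session.
SAMPLE_LOG = """\
2020-01-15T09:00:01Z client=203.0.113.5 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2020-01-15T09:00:07Z client=198.51.100.9 proto=TLSv1.1 cipher=ECDHE-RSA-AES128-SHA
2020-01-15T09:00:12Z client=203.0.113.7 proto=TLSv1.2 cipher=ECDHE-ECDSA-AES256-GCM-SHA384
2020-01-15T09:00:30Z client=192.0.2.44 proto=TLSv1 cipher=AES128-SHA
"""

LINE = re.compile(r"client=(?P<client>\S+) proto=(?P<proto>\S+)")


def audit_sessions(log_text):
    """Return (client, proto) pairs that violate the policy.

    With the context above these should never appear; any hit points to a
    listener or edge device that was not configured with the same floor.
    """
    violations = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and not version_allowed(m.group("proto")):
            violations.append((m.group("client"), m.group("proto")))
    return violations
```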