
*By Paulo Milliet Roque

Every week we are plagued by news of mega intrusions and data theft from information security systems. Data on more than 220 million Brazilians, living and dead, including yours and mine, is already available in that diffuse place called the Dark Web that nobody can point to on a map. The haul includes millions of face images and copies of ID documents.

Given this scenario, we have to assume in our daily lives that attackers already know our full name, phone numbers, e-mails, logins and passwords, date of birth, parents' names, CPF, ID number, address and bank account details. All that remains is to operate in "damage control" mode, signing up for free and paid monitoring services that warn us of credit inquiries and loans taken out in our name. After all, when they do not have a login and password for a specific service, the attacker usually starts by calling or accessing credit services to change our mobile number and create a new login and password. To confirm identity, these institutions ask security questions, which are precisely the pieces of information I described as already spread across the Dark Web.

Increasing the security of digital access and of electronic signatures on documents is an urgent need and is still under-implemented, because there is a conflict between convenience and security. The main ways of validating a user differ greatly on these two axes: in-person validation is safer, but it is extremely inconvenient and is being abandoned in these pandemic times. Remote access via login and password, still the most common method, is convenient but very insecure. Just look at Troy Hunt's website "Have I Been Pwned?", which lists 11 billion breached accounts. That's right, billion! There are more breached accounts than inhabitants on the planet.

Remote biometric validation based on a photo of an identity document and a photo of the person, the so-called face match, makes a break-in harder, but an attacker can use Photoshop to alter the photo on the document. Remote biometric validation against government databases such as Denatran's, on the other hand, greatly increases security, because it relies on the state traffic departments having already validated the driver's face in person. These remote validations are being used more and more.

The ICP-Brasil digital certificate (e-CPF, e-CNPJ, etc.) is considered the safest option and carries the legal weight of non-repudiation. Prices have dropped, and identity validation, which used to be mandatory in person, can now be done by videoconference for anyone who holds a National Driver's License (CNH). This apparently subtle change was a milestone in ease of issuance, which now takes less than 30 minutes. Today more than 70% of certificates are issued by videoconference, and that share rises month by month.

Digital certificates can be used to access portal services, such as the e-CAC portal of the Receita Federal (the federal tax authority), and to sign documents with legal validity. There are 8 types of digital certificate, but only two caught on: A1 and A3. An A1 certificate is a software file installed on the user's computer. It is less secure, because the file, private key included, can be copied to other computers or mobile apps, and for that reason it is valid for only 1 year. An A3 certificate is stored on approved cryptographic media, a smartcard or token, where the private key is generated and from which it does not leave; it may in theory be valid for up to 5 years, but in practice it is sold with a validity of up to 3 years. More recently the A3 certificate "in the cloud" has come into use: the key is kept in cryptographic hardware (an HSM) in an approved data center, and the user accesses it from a computer or mobile phone, receiving a one-time code for each use or session.
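What a signing certificate actually buys a relying party is shown in the following example, which I am adding here and which is not code from the article or from any ICP-Brasil provider. It builds a self-signed certificate as a hypothetical stand-in for an e-CPF (a real one would chain to the ICP-Brasil root), signs a constructed sample document, and then verifies the signature while enforcing the two checks that the A1/A3 discussion turns on: the certificate's validity window (1 year for A1, up to 3 years as sold for A3) and the non-repudiation key usage bit. The names `NewSignerCert`, `SignDocument` and `VerifyDocument`, the lifetimes and the subject name are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Lifetimes described in the article: A1 (software file) is issued for
// 1 year; A3 (token/smartcard/HSM) is sold with up to 3 years.
const (
	A1Lifetime = 365 * 24 * time.Hour
	A3Lifetime = 3 * 365 * 24 * time.Hour
)

// NewSignerCert builds a self-signed certificate and key as a hypothetical
// stand-in for an e-CPF. A real certificate would be issued by an
// ICP-Brasil CA and, for A3, the key would be generated inside the token.
func NewSignerCert(commonName string, lifetime time.Duration, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		// contentCommitment is the X.509 non-repudiation bit: a signing
		// certificate for legally binding documents must carry it.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// SignDocument hashes the document with SHA-256 and signs the digest.
func SignDocument(doc []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocument checks that, at time `at`, the certificate was within its
// validity window, carries the non-repudiation usage, and that the
// signature matches the document bytes.
func VerifyDocument(doc, sig []byte, cert *x509.Certificate, at time.Time) error {
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)",
			at.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return errors.New("certificate lacks the non-repudiation (contentCommitment) key usage")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match document")
	}
	return nil
}

func main() {
	issued := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC) // hypothetical issuance date
	cert, key, err := NewSignerCert("Fulano de Tal", A1Lifetime, issued)
	if err != nil {
		panic(err)
	}
	doc := []byte("Contrato de prestacao de servicos (constructed sample document)")
	sig, err := SignDocument(doc, key)
	if err != nil {
		panic(err)
	}
	fmt.Println("within A1 lifetime:", VerifyDocument(doc, sig, cert, issued.Add(30*24*time.Hour)))
	fmt.Println("after A1 expiry:   ", VerifyDocument(doc, sig, cert, issued.Add(A1Lifetime+24*time.Hour)))
	tampered := append([]byte{}, doc...)
	tampered[0] ^= 1
	fmt.Println("tampered document: ", VerifyDocument(tampered, sig, cert, issued.Add(30*24*time.Hour)))
}
```

The example deliberately stops short of what a production verifier must also do: validate the chain up to the ICP-Brasil root, check revocation (CRL or OCSP), and parse the CMS/PAdES-style envelope in which real signatures are delivered. Note also that the validity check uses the signing time, not the current time; a signature made with an A1 certificate during its one-year window remains verifiable after the certificate expires, which is why signed documents are usually timestamped.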

This new ease of issuing and using digital certificates has increasingly driven their adoption in applications such as the digital signature of contracts and declarations in place of a notarized signature, access to court systems by lawyers, prescriptions for controlled drugs, vehicle ownership transfers, digital diplomas, and the digitization of documents with legal validity, which allows the paper original to be discarded. This opens the door for e-commerce companies and access-control systems to start using the technology as well.

This type of access is not difficult to implement, but in practice it is still little used, and so it is a great opportunity for software companies. It is also up to users to demand more security from the systems they access. On Reclame Aqui, I have not yet seen testimonials from consumers about a particular supplier that does not take the necessary precautions in this regard.

Brazil is a world reference in digital certification, considered the best example of a successful public-private partnership. The challenge now is to spread the word about the benefits of using certification and the enormous potential it creates for new applications.

*Paulo Milliet Roque is an entrepreneur in the digital identity and certification sector and co-founder of DigiForte, with extensive experience in international negotiations with technology companies, having signed agreements with more than 100 companies in several countries (USA, United Kingdom, Ireland, France, Taiwan, China, among others). He was a founding partner of several companies, including BraSoft and Brasoftware, and is Vice President of ABES (Brazilian Association of Software Companies).
