There are many different perspectives on how identity verification systems should work to provide confidence, trust and interoperability between different sectors, both local and international. At the same time, these solutions should ensure a decent level of privacy. Comprehensive security instruments are required to address threats such as the abuse of power by some privileged players in the ID verification ecosystem.
The international scale of the issue
The current methods of identity management have plenty of weak links that underlie many forms of cybercrime. Furthermore, the fact that these isolated systems do not overlap prevents law-enforcement agencies from conducting coordinated operations at the international level.
At this point, the approaches to ID verification are undergoing transformations. Security professionals have come up with new principles, developed auxiliary technologies and specified new scenarios for testing these services.
The implementation of modern identity verification services is closely related to the degree of interaction between various sectors of this industry. High-end solutions already have been created both at the enterprise and nation-state levels, but most of them ignore the need for interoperability. Expert communities are actively discussing these issues in an attempt to create relevant solutions.
Next-generation ID verification systems can be a response to security problems in related areas such as identity spoofing via AI algorithms. However, new risks continue to emerge.
Businesses and digital services are becoming more and more interconnected. Digital transactions require sufficient trust and confidentiality between different systems, which can only be achieved through consolidated identity solutions. In other words, the global community needs to create a uniform digital identity model to reduce security risks.
Risks to secure identity verification
The development of next-generation ID verification systems will cause society to increasingly rely on this technology in critical areas. As a result, cyber-attacks targeting this environment will be escalating. Malicious actors will try to find and exploit vulnerabilities in devices and identification mechanisms to access sensitive data.
That said, let us highlight the top threats in this context along with different facets of the motivation for compromising such systems.
- Insider threat. Motivation: service disruption or money. An intruder disguised as a trusted individual can take advantage of access obtained by circumventing physical security.
- Unethical competition. Motivation: gaining a competitive advantage. A malefactor can engage insiders and other third parties to carry out the attack.
- Nation-state foul play. Motivation: politics and economic gain. This type spans espionage, account takeover, authentication system compromise and surveillance.
- Organized crime. Motivation: money. The dodgy instruments include identity theft, account takeover, data abuse, authentication system compromise, man-in-the-middle (MITM) attacks and document forgery.
- Hacktivism. Motivation: disrupting a target’s operation, causing reputational damage. Account takeover and impersonation, as well as authentication and authorization compromise, can be applied.
Now, let us outline the key risks to the security of present-day ID verification systems.
- Privacy: Perpetrators may obtain large amounts of personal data, including biometrics, behavioral and geolocation details.
- Integrity: Undermining the integrity of these solutions could reduce trust between participants of the ecosystem.
- Availability: Attackers may try to hack the identity verification infrastructure to disrupt a service that the participants heavily depend on, thus causing a cascading effect.
Information security professionals will face new challenges when building a secure digital identity environment and ensuring both the availability and integrity of these services. A breach could entail more serious systemic consequences, ruining trust between participants that underpins the effective functioning of cyberspace.
ID verification of the future will be backed by a distributed and heterogeneous infrastructure. Trust and transparency, as well as the reliability of the service, will play a fundamental role on a global scale. Reducing security risks in this paradigm is a complex task that hinges on a collective approach.
Unless all the security issues are addressed in a coordinated way, the technology cannot reach its full potential. InfoSec experts need to step in to develop a tamper-proof technology for digital identity verification.
Here are some possible ways to deal with the challenges that will likely occur in the near future.
Assurance, trust and transparency: The resilience of the ID verification infrastructure components is achieved through the transparency of all interactions between participants. The community will need to have an understanding of the trust level in such a system and accurately gauge the trust gap. This will facilitate the implementation of defenses to maintain integrity.
Despite significant progress in developing approaches and security standards for autonomous ID verification services at both regional and national levels, there are still no uniform criteria for a distributed identity framework that would ensure compatibility of approaches across different cyberspace sectors and create a decent level of trust. These criteria need to be formed at an international scale, drawing on previous experience (open-source code and alliances like FIDO or DID) and offering new approaches.
Shared management principles: Collaborative efforts to standardize and certify identity verification systems internationally will provide baseline levels of cybersecurity for all participants across the board. Such standards, for instance, have been formed for payment transaction security (PCI DSS) and the aviation industry (SARPs, ICAO). These fundamental principles will specify both technical requirements and performance criteria for the digital identity process while additionally addressing privacy challenges.
The end-user needs to have control over personal data and understand how it is processed and to whom it is transmitted. Developing additional incentive models for businesses and politics will encourage all the involved entities to support interoperability and innovation of ID verification services combined with a profound understanding of who is responsible for ensuring security in different parts of the distributed environment.
Getting participants together: Local, isolated identity verification systems are already here. An assembly of different industry players will help explore the interoperability of its various sectors, creating incentives for developing management principles to ensure proper security. This way, it will be possible to single out the overarching entities (government, private sector, society) and key players in the ID verification area (banks, telecommunications service providers, technology companies).
Such an assembly would open new opportunities for cooperation between sectors, identifying not only the key roadblocks on the way toward creating a global ID verification infrastructure but also the ways to dodge them. The economic, political and even crisis factors (the COVID-19 pandemic) emphasize the need for collaborative action and naturally shape up next-generation ID verification services.
Cooperative Operations Security (OPSEC): The InfoSec community is bound to meet the tough challenge of protecting the distributed, heterogeneous and inherently complex ID verification systems of the future against hackers and their malicious code. These should be entirely new approaches and coordinated actions by all security professionals in the digital identity arena.
As the other technologies evolve and next-generation ID verification systems are deployed, experts will need to consider the potential threats of the future. One of the things on their to-do list is to ensure a proper level of quantum cryptography of distributed components. While some approaches to detecting, tracking and neutralizing fraudulent activity are available for isolated ID verification systems, they have yet to be created for end-to-end solutions of that kind. There is a need for systemic risk and threat modeling that takes different industry players’ privileges into account.
A common incident reporting framework will be key to assessing current risks and optimizing incident response rates. Coordinated efforts at the level of the InfoSec community as well as the development of international ID verification security standards and data sharing will ensure a decent level of security for all members of the ecosystem and unleash the true potential of the next-generation digital identity technology.
Amsterdam-based David Balaban is the founder of the Privacy-PC.com project and is a computer security researcher with more than 17 years of experience in malware analysis.