eWEEK.com

    How to Solve Security Problems of Identity Verification Systems

    By DAVID BALABAN - February 12, 2021

      There are many different perspectives on how identity verification systems should work to provide confidence, trust and interoperability between different sectors, both local and international. At the same time, these solutions should ensure a decent level of privacy. Comprehensive security instruments are required to address threats such as the abuse of power by some privileged players in the ID verification ecosystem.

      The international scale of the issue

      The current methods of identity management have plenty of weak links that underlie many forms of cybercrime. Furthermore, the fact that these isolated systems do not overlap prevents law-enforcement agencies from conducting coordinated operations at the international level.

      At this point, the approaches to ID verification are undergoing transformations. Security professionals have come up with new principles, developed auxiliary technologies and specified new scenarios for testing these services.

      The implementation of modern identity verification services is closely related to the degree of interaction between various sectors of this industry. High-end solutions have already been created at both the enterprise and nation-state levels, but most of them ignore the need for interoperability. Expert communities are actively discussing these issues in an attempt to create relevant solutions.

      Next-generation ID verification systems can be a response to security problems in related areas such as identity spoofing via AI algorithms. However, new risks continue to emerge.

      Businesses and digital services are becoming more and more interconnected. Digital transactions require sufficient trust and confidentiality between different systems, which can only be achieved through consolidated identity solutions. In other words, the global community needs to create a uniform digital identity model to reduce security risks.

      Risks to secure identity verification

      The development of next-generation ID verification systems will cause society to increasingly rely on this technology in critical areas. As a result, cyber-attacks targeting this environment will be escalating. Malicious actors will try to find and exploit vulnerabilities in devices and identification mechanisms to access sensitive data.

      That said, let us highlight the top threats in this context along with different facets of the motivation for compromising such systems.

      • Insider threat. Motivation: service disruption or money. An intruder disguised as a trusted individual can take advantage of access obtained by circumventing physical security.
      • Unethical competition. Motivation: gaining a competitive advantage. A malefactor can engage insiders and other third parties to carry out the attack.
      • Nation-state foul play. Motivation: politics and economic gain. This type spans espionage, account takeover, authentication system compromise and surveillance.
      • Organized crime. Motivation: money. The dodgy instruments include identity theft, account takeover, data abuse, authentication system compromise, man-in-the-middle (MITM) attacks and document forgery.
      • Hacktivism. Motivation: disrupting a target’s operation, causing reputational damage. Account takeover and impersonation, as well as authentication and authorization compromise, can be applied.

      Now, let us outline the key risks to the security of present-day ID verification systems.

      • Privacy: Perpetrators may obtain large amounts of personal data, including biometrics, behavioral and geolocation details.
      • Integrity: Undermining the integrity of these solutions could reduce trust between participants of the ecosystem.
      • Availability: Attackers may try to hack the identity verification infrastructure to disrupt a service that the participants heavily depend on, thus causing a cascading effect.

      Information security professionals will face new challenges when building a secure digital identity environment and ensuring both the availability and integrity of these services. A breach could entail more serious systemic consequences, ruining trust between participants that underpins the effective functioning of cyberspace.

      Security solutions

      ID verification of the future will be backed by a distributed and heterogeneous infrastructure. Trust and transparency, as well as the reliability of the service, will play a fundamental role on a global scale. Reducing security risks in this paradigm is a complex task that hinges on a collective approach.

      Unless all the security issues are addressed in a coordinated way, the technology cannot reach its full potential. InfoSec experts need to step in to develop a tamper-proof technology for digital identity verification.

      Here are some possible ways to deal with the challenges that will likely occur in the near future.

      Assurance, trust and transparency: The resilience of the ID verification infrastructure components is achieved through the transparency of all interactions between participants. The community will need to have an understanding of the trust level in such a system and accurately gauge the trust gap. This will facilitate the implementation of defenses to maintain integrity.

      Despite significant progress in developing approaches and security standards for autonomous ID verification services at both regional and national levels, there are still no uniform criteria for a distributed identity framework that would ensure compatibility of approaches across different cyberspace sectors and create a decent level of trust. These criteria need to be formed at an international scale, drawing on previous experience (open-source code and alliances like FIDO or DID) and offering new approaches.

      Shared management principles: Collaborative efforts to standardize and certify identity verification systems internationally will provide baseline levels of cybersecurity for all participants across the board. Such standards, for instance, have been formed for payment transaction security (PCI DSS) and the aviation industry (SARPs, ICAO). These fundamental principles will specify both technical requirements and performance criteria for the digital identity process while additionally addressing privacy challenges.

      The end-user needs to have control over personal data and understand how it is processed and to whom it is transmitted. Developing additional incentive models for businesses and politics will encourage all the involved entities to support interoperability and innovation of ID verification services combined with a profound understanding of who is responsible for ensuring security in different parts of the distributed environment.

      Getting participants together: Local, isolated identity verification systems are already here. An assembly of different industry players will help explore the interoperability of its various sectors, creating incentives for developing management principles to ensure proper security. This way, it will be possible to single out the overarching entities (government, private sector, society) and key players in the ID verification area (banks, telecommunications service providers, technology companies).

      Such an assembly would open new opportunities for cooperation between sectors, identifying not only the key roadblocks on the way toward creating a global ID verification infrastructure but also the ways to dodge them. The economic, political and even crisis factors (the COVID-19 pandemic) emphasize the need for collaborative action and naturally shape next-generation ID verification services.

      Cooperative Operations Security (OPSEC): The InfoSec community is bound to meet the tough challenge of protecting the distributed, heterogeneous and inherently complex ID verification systems of the future against hackers and their malicious code. This calls for entirely new approaches and coordinated actions by all security professionals in the digital identity arena.

      As other technologies evolve and next-generation ID verification systems are deployed, experts will need to consider the potential threats of the future. One of the things on their to-do list is to ensure a proper level of quantum cryptography of distributed components. While some approaches to detecting, tracking and neutralizing fraudulent activity are available for isolated ID verification systems, they have yet to be created for end-to-end solutions of that kind. There is a need for systemic risk and threat modeling that takes different industry players’ privileges into account.

      A common incident reporting framework will be key to assessing current risks and optimizing incident response rates. Coordinated efforts at the level of the InfoSec community as well as the development of international ID verification security standards and data sharing will ensure a decent level of security for all members of the ecosystem and unleash the true potential of the next-generation digital identity technology.

      Amsterdam-based David Balaban is the founder of the Privacy-PC.com project and is a computer security researcher with more than 17 years of experience in malware analysis.
