We meet such situations again and again. A new solution looks impressive at first sight but looking at the details we see risks everywhere. We can thus estimate that some of the risks will materialize, the number of frauds will grow, data can be compromised, and responsible managers will talk about foreign spies meddling…. The log can be avoided if old and proven security rules were taken seriously.
The state of Alabama enables people to apply for tax refund online. There has been some fraud, so authorities decided about more robust user authentication. Under the new arrangement, the applicant downloads authentication application into his /her smartphone, takes a photo of his/her driving license, takes a selfie, uploads and consequently is approved as trusted for online transactions. Systems architects understood the risk of putting an image instead of a live person before the smartphone camera. Users are therefore asked to turn their head from side-to-side slowly. Full information is here.
The system is helpless against sophisticated attacks such as putting video before the camera, which is not difficult in the era of deepfakes. However, ID card scanning is the weakest point. Alabama´s driving licence is protected with a magnetic stripe, UV sensitive ink and microletters. It is not a highly resistant document but still can guarantee a certain level of security. But in front of the camera, such quite secure ID card can be replaced by a picture created in a simple graphical software. The difficulty of counterfeiting is next to zero.
It is very likely that fraud attempts will appear and, sooner or later, will be successful. The reason is that at the very beginning, the solution included a system mistake.
The old proven theory recommends making a difference between authentication in the physical world and digital authentication. In the physical world, a person tries to prove to another person what is his /her identity. The inspecting person can use a kind of automatisation, but it is still up to him/her to believe /not believe someone ´s identity. We go through e-gates in the airport, but a guard can check us personally in case of suspicion. Authentication in the physical world is based on what we are, how we look and what ID document we own.
Digital authentication is not primarily based on our look but rather on hashes, trusted certificates, electronic signatures and similar tools. Digital identity is backed by the physical one. Digital identity may be compromised, and the saving process will take place in the physical world.
It is not difficult. What is difficult, is mixing of physical and digital identity, which results in lower level of security. After some time we may hear that it is the price of progress. It is not. It is the price of ignoring security guidelines.
What would be the right solution? Perhaps something like CzechPOINT in the Czech Republic. An applicant visits the closest office /post /police station, is seen by an officer, authenticated (using ID card) and gets a digital certificate or something like that.
Optaglio helps through its products and services that include:
- Consulting support for the building of authentication systems.
- Visible anti-counterfeit protection elements.
- Microholograms for hidden and forensic protection
- Complete solution for checking of documents against a database.
Perpetual innovation and technological development to keep advantage against counterfeiters.