Workshop showcases EU progress on remote identity proofing, but fragmentation persists


The legal, technical, and user requirements for remote digital identity proofing are sometimes contradictory, but service providers and other stakeholders must navigate them. To that end, ENISA and ETSI held a joint workshop on remote identity proofing and the ecosystem that the eIDAS regulation addresses.

Professor Dr. Rainer Herpers of the Institute of Visual Computing at Bonn-Rhein-Sieg University opened the event with a presentation on deepfake attacks against identity proofing systems.

The next presentation, by Battista Biggio, PhD, of the Pattern Recognition & Applications Lab at University of Cagliari and co-founder of Pluribus One, explored adversarial attacks on machine learning systems, carried out through pixel-level perturbations or during the labeling of training data.

The combination of deepfakes and adversarial attacks could pose a particular threat to remote digital identity proofing systems, according to panelists.

ENISA’s report on attacks and countermeasures was also briefly introduced.

Juliette Delanoe, co-founder and CMO of Ubble.ai, said that the company’s research shows that, on average, five to six percent of the attempted digital identity verifications on which it can make a judgement are fraudulent. She also provided a breakdown of the frequency of fraud types.

This figure was slightly different for other panelists representing the biometrics industry in the first session, IDnow Founder and Managing Director of Technology Armin Bauer and Veriff Co-founder and CPO Janer Gorohhov.

Gorohhov said Veriff has found a six to eight percent fraud rate, depending on what industry is being served, and up to 10 percent in cryptocurrency. Social engineering is the most common attack vector observed by IDnow, Bauer reports.

All agreed that deepfakes are a looming attack vector, but not rare today.

Asked about the impact of NFC and electronic IDs on document fraud, Delanoe argued that the tools that are effective today can be complemented by NFC, but will not be replaced by it, as multiple defenses are always necessary.

Updating identity documents that have been mostly unchanged since the 15th century should be a priority for governments, Gorohhov quipped.

The discussion of real-world attack vectors and mitigation methods became quite detailed, and the panelists expressed optimism that effective counter-measures for sophisticated attacks are known, though they also cautioned against underestimating attackers or failing to anticipate the maturation of their methods.

The second session of the day focused on the perspective of users from the government cybersecurity, telecom and financial services ecosystems.

A session on testing and auditing followed.

NIST Biometrics Evaluator Patrick J. Grother spoke about the current state of the art in face biometrics and risk mitigation. The latter includes coming up with prompts to users that humans can understand, but that automated systems cannot, to prevent the possibility of spoofs interpreting and following the instructions properly.

Kevin Carta of French biometrics laboratory CLR Labs reviewed the threat of biometric data injection attacks, either prepared or live. Injection is possible because current architectures do not allow images to be associated with a particular identified camera.

Biometrics must therefore be deployed against injection attacks. PAD systems, however, are not designed to recognize this type of attack. Specific biometric data injection attack detection methods must be developed to head off near-future developments in the fraud type, according to Carta.

An international standard is in development, he says.

Clemens Wanko of TÜV TRUST IT GmbH presented the auditor’s perspective, including how identity service providers are audited for compliance with international standards.

Clear reference values are needed to apply specifications to different levels of assurance to move the field forward, he explains. Changes to eIDAS have not helped with clarity.

Certicar.es Technical Director Paloma Llaneza delved further into the complexities of overlapping standards and regulations, each of which needs to be regularly updated.

A look at the ETSI TS 119 461 technical specification for electronic signatures and infrastructures for trust service components providing identity proofing.

Hugo Mania of ANSSI gave an overview of the certification scheme and its goals, and Dr. Christian Berghoff of Germany’s BSI described the biometric authentication component of certification.

AI systems have “complex supply chains and they are quite sensitive to small changes, and this means there are different possible ways to attack them,” Berghoff warns.

He advocates for manual inspection of at least some samples, and measures to impede the complete automation of attacks.

Sylvie Lacroix of Sealed explained how technical standards, certifications and regulations fit together for digital identity proofing providers, and Signicat’s Jon Ølnes discussed the reach of the standards and regulation in areas beyond trust services, such as how they impact financial service providers that want to onboard users in a neighboring country.

Knowing what the relevant rules are, and even whether they exist, remains a challenge for many service providers attempting to transact across European borders, according to Ølnes.

A more unified set of requirements that still protects people and businesses from fraud is surely possible, based on the tools and expertise discussed during the event. For now, it is work in progress.
