Digital IDs and the global fight for identity
By Vyacheslav Zholudev, CTO and co-founder of Sumsub
Despite recent analyst research predicting that the global number of users of digital identity documents, construed broadly, will exceed an astounding 6.5 billion by 2026, the present status of digital IDs and stakeholders is complex and far from clear. First, it’s vital to unpack exactly what’s encompassed by “digital ID” in order to grasp the challenges around it—and to understand the global battle for identity that’s unfolding.
The cited research defines a digital identity document as a digital representation of a physical identity document. This could comprise anything from birth certificate identity data in a digital table to a mobile device photo of an ID, like a driver’s license, passport, voter registration, health or social insurance card. Digital identity documents are tied into digital identification ecosystems, sometimes via a scannable code on a physical document. But so-called “soft” identities are tied into these ecosystems too and include online credentials like usernames, passwords and one-time access tokens for multi-factor authentication that give us entry to our digital banking apps, email or e-commerce accounts and are connected to our user profiles. Further, a mobile subscriber’s phone number with the international country code (MSISDN ID) and biometric applications that evaluate fingerprints, facial images, irises and voice patterns can be tied into digital ID ecosystems as well.
Today’s ecosystems are increasingly architected as trust frameworks between government agencies and the private sector, offering digital layers on top of existing legal identity systems and registers, and ideally designed with security and ease of use as top priorities.
But for every technological leap forward, fraudsters set on identity impersonation and theft are in lockstep with innovators.
In fact, according to an independent financial services 2022 research report, identity fraud losses in the U.S. involving direct contact with victims totaled $28 billion and affected 27 million consumers. The U.S. Federal Trade Commission (FTC) reported that identity theft and related fraud rose nationwide in 2021, with fraud complaints increasing 19 percent for the year and financial losses from fraud rising 77 percent from the previous year. PwC’s Global Economic Crime and Fraud Survey 2022 found that 51 percent of companies with global revenue over $10 billion experienced fraud from 2020 to 2021, with over 25 percent losing more than a million dollars.
In the global fight for identity, digital protection strategies and digital attack strategies are both rapidly becoming more sophisticated. Here are five important insights to help organizations better understand the titanic struggle underway.
Digital IDs are a key to empowering excluded populations and expanding markets
According to the most recent estimate from the World Bank’s Identification for Development Initiative (ID4D), as of 2021, almost 11 percent of the world’s population (about 850 million people) cannot prove who they are to governments and other institutions because they have no official form of identification at all, paper or digital. Especially impacted are marginalized and vulnerable groups living in lower-income countries. Without identification, they become almost completely disenfranchised from services, benefits and opportunities — including jobs, housing, ownership, voting, medical care, bank accounts and utilities including phones.
The World Bank also estimated that in 2022 nearly 3 billion people remained offline, that almost half of the global population was not using mobile internet despite mobile broadband connectivity in their areas, and that 60 percent of global GDP was expected to rely on digital communication technologies. This means economic opportunities and access to markets are severely limited for those unable to connect. Worldwide, that’s a massive losing proposition for individuals and businesses alike.
Recognizing these challenges, organizations are responding. For example, the Bill & Melinda Gates Foundation has committed itself to digital ID investment and made it a key part of a $1.27 billion package that supports global health and development projects, including $200 million for digital public infrastructure and digital ID and civil registry databases. And many nations are working vigorously, often with the private sector, to establish digital ID systems: India has 96 percent of its population registered for that country’s biometric ID system, Indonesia has 95 percent of its population possessing e-KTP cards linked to a government database of citizen identities and biometrics, and all of Scandinavia has mature digital identity programs, among many others.
This optimism positioning digital ID systems as both democracy- and economy-strengthening is tempered by the fact that the same ecosystems could be used by authoritarians to oppress individuals or manipulated by criminals to steal identity unless robust safeguards are in place.
Social engineering for digital impersonation has grown due to remote user onboarding
Remote processes born of the pandemic have made it too easy for fraudsters to steal identity and abuse commercial services. For example, in Europe, car sharing now regularly happens without in-person verification. Unsurprisingly, digital impersonation has become a big problem, where individuals will register for a car as another person and use that account to drive.
In cybersecurity, social engineering refers to manipulating people into divulging confidential data. That data can be acquired through phishing and fraud, like a convincing email claiming to be from the Microsoft team linking to an important software patch. Some people will click and reveal key information or even upload documents. That’s all the fraudulent onboarder needs to hire the car or disrupt an online profile or, in some jurisdictions, even open a bank account remotely. On the dark web, there are even special courses on how to generate an identification document with someone’s personal data, aided by AI that’s trained in the precision needed for machine-readable zones on the document.
Sophisticated liveness checks can help curtail fraudulent account access and impersonation. Comparing original liveness photos from the initial account onboarding to a liveness check when an individual is sitting in a car with their device detected can make all the difference in a crime being committed or not. But businesses — especially ones embracing remoteness — must adopt verification that includes this technology within a larger system of checks.
The duel between liveness detection and deepfakes is ongoing
In fact, thanks to AI, deepfake videos have become so realistic and widespread that they can fool liveness tests and enable fraud if other protective techniques are not leveraged in tandem with the liveness tests. The Verge reported on a recent test that copied deepfake faces onto target ID cards to be scanned and the same faces onto corresponding real-time video streams, fooling 9 out of 10 vendors’ liveness fraud detection systems and exposing many banks leveraging this as “extremely vulnerable” to digital impersonation and fraud.
Additionally, a Penn State College of Information Sciences and Technology team recently determined that “facial liveness verification, which is a feature of facial recognition technology that relies on computer vision to verify the presence of a live user, is highly vulnerable to deepfake-based attacks.” Attackers are simply swapping their face for another and are able to spoof many of the facial recognition tools on the market.
Does this mean the attackers have won the battle for digital identity? Fortunately, no — as long as an organization is staying a step ahead by using multiple verification techniques. These include: facial recognition depth sensors; device intelligence detecting emulators and jailbroken phones; mobile location and past location behavior comparisons; unique, unpredictable server-side generated numbers and words read back aloud in an onboarding or verification check leveraging voice biometrics; and movement or facial expression instructions on demand at the time of the live check.
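The server-generated, read-back challenge and the on-demand movement instruction listed above can be sketched as follows. This is an added example, not code from the article or from Sumsub; the class name, word list, action names and 30-second window are assumptions, and `transcript` and `observed_action` stand in for the output of separate speech and video analysis components.

```python
import hmac
import secrets
import time

# Constructed sample vocabulary; a production list would be far larger.
WORDS = ["amber", "canyon", "delta", "ember", "harbor", "juniper", "meadow", "orbit"]
ACTIONS = ["turn_left", "turn_right", "blink_twice", "smile"]
TTL_SECONDS = 30  # assumed validity window for one challenge


class ChallengeStore:
    """Issues single-use liveness challenges and checks the response."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge id -> (session id, challenge)

    def issue(self, session_id):
        rng = secrets.SystemRandom()  # OS CSPRNG, not the predictable `random`
        words = [rng.choice(WORDS) for _ in range(3)]
        phrase = " ".join(words + [f"{secrets.randbelow(10_000):04d}"])
        challenge = {
            "id": secrets.token_urlsafe(16),
            "phrase": phrase,
            "action": rng.choice(ACTIONS),
            "expires": self._clock() + TTL_SECONDS,
        }
        self._pending[challenge["id"]] = (session_id, challenge)
        return challenge

    def verify(self, session_id, challenge_id, transcript, observed_action):
        # pop() makes every challenge single-use, so a recorded answer cannot be replayed.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return "unknown_or_replayed"
        owner, challenge = entry
        if owner != session_id:
            return "wrong_session"
        if self._clock() > challenge["expires"]:
            return "expired"
        spoken = " ".join(transcript.lower().split())
        if not hmac.compare_digest(spoken.encode(), challenge["phrase"].encode()):
            return "phrase_mismatch"
        if observed_action != challenge["action"]:
            return "action_mismatch"
        return "ok"
```

An "ok" result shows only that the response is fresh and bound to this session; whether the face and voice are genuine still rests on the biometric and device checks the paragraph lists alongside it.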
Crypto has been especially bloodied by digital identity fraud, but can re-emerge
Sumsub’s 2022 Identity Fraud Report shows that industries like banking and crypto have seen a two-fold increase in fraud over the past year. But crypto is especially exposed. Not only is digital identity theft rife in the community, but people are largely unprotected as their balances and wallets are generally uninsured. While scandal has historically been part of the growing pains of any new industry, confidence in crypto may be at an all-time low, at least in the U.S. where FTX’s demise, value crashes across coins and Kraken’s SEC troubles are well known.
Additionally, banks have in place complex KYC, KYB and transaction monitoring for suspicious activities and money transfer, but crypto exchanges and vendors have been sorely lacking. If someone steals your identity and wallet or transfers your coin elsewhere, you’re probably out of luck. And whereas there’s been tremendous distaste for regulation among many crypto enthusiasts, it may be regulation that helps revive the industry. For example, the ‘Travel Rule’ extends FATF Recommendation 16 on wire transfers to virtual assets (VA) like cryptocurrencies and to Virtual Asset Service Providers (VASPs). Under the Rule, senders and recipients of all crypto transfers must exchange identifying information, guarantee its accuracy and convey the data to government if required. Already, 29 of 98 countries have enacted Travel Rule legislation, adding a layer of protection for those investing in crypto.
Regulations are critical and different countries approach them with different expectations
The upside of regulation, like the Travel Rule, is that it helps steer the market in a more mature direction and offers a degree of certainty in transactions. We’d be living in the Wild West with no sense of security, reliability or trust in institutions and businesses without regulation. Business is often confusing and more costly when the rules of engagement are blurred. What’s interesting is the different approaches to regulation impacting digital identity and account security that are in play around the world based on different legal considerations and cultural expectations. For example, Europeans have been ahead of the curve in demanding the GDPR’s data protection and privacy guarantees, while the U.S. has taken a far more piecemeal approach, with big swaths of the population seemingly more willing to trade privacy for convenience.
Within digital ID and onboarding ecosystems, there’s a fundamental tension between having systems robust enough to combat digital fraud and crimes like money-laundering, while still protecting individuals from public- or private-sector oppression. Criminals are empowered when there’s too much anonymity, but regimes are empowered when there’s too little. Good regulations that demonstrate a deep understanding of a sector seek to maintain a balance.
Digital IDs and their ecosystems are still a new, rapidly evolving area of technology. Will iterations of digital IDs in the next 10 or 20 years find us using sci-fi-like chip implants? Will the wave of our hand at the doctor’s office reveal health information, a wave at the HR office reveal employment history and a wave at the DMV reveal our driving record? Would the next wave of malicious hackers then electromagnetically reprogram our implants sitting a few meters away in a cafe?
Or perhaps AI-fed biometric tools will scan our blood vessel patterns and gesture signatures as part of a next-generation multi-factor authentication to prove we are real and who we say we are. Whatever the future holds, what’s at stake right now is fighting digital identity fraud, making the internet safer for transactions and communication, and helping companies stay compliant while focusing on their core business.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.