ENISA workshop surveys remote identification security threats, possible fixes

The European Union Agency for Cybersecurity (ENISA) held a virtual workshop last week laying out the security challenges and the latest EU requirements on remote video identification.

Speakers came from EU agencies, national digitalization agencies and companies such as iProov, IDNow, Swedish BankID and Norwegian Buypass.

Gerard Feitsma, Mickael Lam and Eva Vanessa Ernst presented how remote identity verification systems are implemented in their respective countries; the Netherlands, France, and Germany.

Feitsma highlighted that remote identification lacks a clear definition as it needs to be distinguished from remote biometric identification which is mentioned in the upcoming EU Artificial Intelligence Act. Lam noted the need for a harmonized regulatory framework because of regulatory limitations such as limiting identity chip reading to private service providers.

IDnow’s Sebastian Elfors said that the top three countries for identity fraud are Italy, France and Spain. The company uses AI-powered automatic fraud engines to collect risk signals from documents, biometrics and other sources and also combines AI with manual video identification.

Buypass representative Eivin Hansen said that the company has been involved in a pilot project with the Norway authorities since 2020. He predicts that the main challenge in the future will be presentation attacks with deepfake and AI technology. The solution will be improving sensor devices and including human operators, he said.

Robert Carlsson from BankID, which provides services for the largest Swedish bank, presented security checks for passports and ID card-scanning in Sweden while iProov’s Andrew Newell talked about video injection attacks. The attacks now present a threat to all platforms using video or biometrics for identity verification, and have seen a 149 percent increase on mobile between the first and the second half of the year 2022, he said.

Fernando Pires of the European Banking Authority presented the organization’s guidelines on remote customer onboarding while Jon Ølnes from Signicat talked on behalf of the European Telecommunications Standards Institute (ETSI) about standardizing remote identity proofing.

Other speakers included Stéfane Mouille from the French technology evaluation laboratory CLR Labs and Clemens Wanko from testing and certification company TÜV AUSTRIA.

The workshop was organized in cooperation with the European Competent Authorities for Trust Services Expert Group (ECATS EG), the informal group focusing on trust services liaising between EU members, EU candidate countries and European trade associations.

ENISA also published a study this week analyzing the national cybersecurity strategies of EU members. The study laid out cybersecurity governance models of different countries and provided a list of indicators for cybersecurity objectives such as secure digital identities and public services.

ENISA developed a framework to help the member states assess their cybersecurity objectives in 2020.

Article Topics

BankID  |  biometrics  |  ENISA  |  fraud prevention  |  identity verification  |  IDnow  |  iProov  |  remote verification