Will Europe’s digital wallet become a honeypot? Seminar warns of security risks


Will the European Digital Identity (EUDI) Wallet become a honeypot for attackers? As the 2023 deadline approaches for offering European citizens a digital wallet that can store identification data, sign documents and even be used to travel and buy products, experts are convening to discuss the hidden dangers of the project.

Last week, technical standards organization GlobalPlatform hosted a seminar in Brussels on the security of eID wallet schemes, featuring speakers from companies and organizations such as HID Global, Itsme, the Secure Identity Alliance (SIA), Thales, NXP Semiconductors, ENISA, Deutsche Telekom and more.

“It is a very interesting target for a lot of attacks, so we need to design it in a proper way,” says NXP Semiconductors’ security certification expert Fabien Deboyser during a panel dedicated to certification. This goal will have to be achieved under a time constraint, he adds.

Creators of EUDI schemes will have to balance many aspects to create successful products that are also secure. They will have to be simple enough for users and seamless enough so that users do not have to be educated for each and every feature, according to Chiara Casoni, head of business development and partnerships at decentralized identity technology provider Gataca.

“Not less important are the privacy and security aspects of things,” says Casoni, who participated in a panel for EUDI wallet service providers.

Privacy means ensuring that wallet, credential and verification service providers cannot track what is being done with the wallet, while offering the user transparency to see where they shared their credentials. Security means making sure the wallet is as unhackable as it can be and that the wallet holder can prove their identity in a manner that does not create roadblocks for mass adoption. Finally, there is also the challenge of interoperability.

“It’s not only between different technology stacks but also across sectors,” says Casoni. “I think we should try to minimize as much as possible the specific wallet for a specific sector type of scenario, because that’s just going to create a more siloed experience.”

The European Union adopted the regulation on the European Digital Identity, the eIDAS 2, in June 2021. The regulation stipulates that each of the twenty-seven member states will have to issue a digital identity wallet with a scheme recognized and accepted by the other member states, built on common technical standards and with early pilots in 2024.

As the deadline approaches, wallet creators are tackling many challenges, including achieving full interoperability and setting technical standards and certifications.

“There are a huge amount of use cases for one wallet,” says Oscar Leurs, director of business development at SGS Brightsight. “What we see in certification is that currently, we have for different use cases separate schemes or several separate sets of standards that we can evaluate against. I think that is indeed the biggest challenge to get these things together.”

From a technical perspective, the wallet is a combination of hardware and software components, cloud applications but also processes and services that support the security of the wallet. One of the issues is assessing the security of each of those components, according to Alban Feraud, vice-president of digital security industry organization Eurosmart.

“It’s really a bundle, a mix of various technologies, various items, products, services, and processes,” says Feraud. One of the key issues is the ability to “glue” together all those components and processes that may have been assessed and certified individually. “I think Common Criteria is no golden bullet,” says Feraud.

There is also a risk of fragmentation: national governments have a natural tendency to introduce fragmentation in certifications, especially in terms of data protection, which could hamper the certification process by introducing national requirements, he adds.

Finally, panelists touched upon the risks that surround the use of biometrics in the EUDI wallet for applications that require the highest levels of assurance and what additional steps should be introduced for certain phases.

“It remains a challenge to provide the highest level of security given the deep fakes that you could inject into the system,” says Jean-Karim Zinzindohoué, CTO of France Identité, during one of the panels dedicated to security. “I don’t think for the enrollment [phase] the facial recognition has been removed from discussions but there was a question about adding additional processes which would add friction. So in the end, the question is, could we do completely remote onboarding or not?”
