If digital ID doesn’t work, what do we do next?

As deepfaking and synthetic ID skyrocket, we ask if digital ID is as secure as claimed – and what else might provide transaction security if digital ID ends up being compromised.

We’re all familiar with the background: by 2027, around one dollar in five worldwide will be spent online.

As the world economy goes digital, fraud has also migrated online, exploiting consumer laxity, impatience, ignorance and naïveté – and necessitating the introduction of ever-more complex security arrangements.

These days, accessing bank or investment accounts can involve up to three passwords, separately delivered via email and mobile device – or at best, a passcode and a biometric factor.

Checking out from some web stores can be just as onerous.

Digital ID promises to take away these difficulties by giving us a solid, unbreachable identity online – the equivalent of a medieval personal wax seal for the digital era.

But is digital ID really that safe – and if not, what else might work?

The digital ID promise

In business, as in life, trust is everything. Before the world went online, trust was secured through signatures, drivers’ licenses, passports and physical presence.

These days, it’s not just commerce, but government and social lives that are lived online.

Governments favour online public services because they are much less expensive to deliver (up to 95 percent, according to some estimates) and almost 75 percent faster than the old “letters through the mail” approach.

The promise of digital ID, then, is that both your financial life and your engagement with government services – not to mention municipal services and healthcare – can all be taken care of by a single online ID that can’t be breached because it relies on factors stored off-device, in the cloud or sourced from more than one authority.

You’ll get what you want faster, at a lower cost, and securely.

Some countries have already taken significant strides towards the provision of comprehensive digital ID.

Norway’s BankID lets citizens access healthcare services and pay fines and council taxes online using one ID which can also be used to access most private banking services, including payments.

“The Digital ID market will quadruple in value by 2030 which shows how big a problem this is.”

A very similar system exists in Denmark via NemID, and plans are afoot in Austria (ID Austria) and Romania (ROeID) to deliver digital ID by the end of 2026.

Governments in the UK, Canada, France and elsewhere also have plans for a single, comprehensive digital ID in place – while China introduced a mandatory digital ID system for citizens two years ago.

The EU’s eIDAS aims to deliver full digital ID plus a digital wallet by the end of this decade, anywhere in the bloc.

According to Polaris Market Research, the global digital identity market was worth $23.4 billion in 2021 and is set to almost quadruple in size by 2030, reaching a value of $93 billion – a statistic that emphasizes just how central trust is becoming in the digital world.

The threat of deepfakes and synthetic ID

If digital ID promises an end to transaction friction and faster, easier access to public services, then the question must be asked – what happens if it goes wrong?

The rise of both visual and audio deepfaking should cause concern to those pushing digital ID – as should recent reports of national ID systems being successfully hacked.

According to UK law firm Clifford Chance, deepfaking shot up five-fold between 2022 and 2023, such that there were almost 100,000 deepfakes promulgated in the UK alone last year.

Most recently, public figures such as Taylor Swift and Giorgia Meloni have had to deal with the fall-out from deepfakes of their identity. If such well-known personalities can be deepfaked, what chance for the rest of us?

The parallel rise of synthetic ID – in which consumer account and personal data is stolen, then synthesised, or turned into the ID of a fake person to enable account set-up or access – is a cause for further concern.

Most recently, so-called “merchant takeover”, in which criminals fake the ID of an online merchant to defraud consumers, has begun to rear its head as well.

Merchants and banks have tried to counter this with so-called “liveness indicators”, in which consumers are asked to speak, turn left or right or smile to confirm their real identity at account set-up.

More recently, however, such authentication systems have been getting duped, and it has become clear that so-called impregnable digital ID is also being compromised.

“The absence of a second factor to support digital ID is a serious problem.”

In 2022, Russian hackers brought down the BankID system in Norway, along with a number of government agencies. Some 150,000 Norwegian citizens (around 3 percent of the population) have been affected by identity fraud; roughly 45,000 of these cases are thought to be compromises of the BankID system.

While this is a tiny proportion of the overall population – and still much better than the 2023 theft of 18 million customer IDs in Germany, for instance – the problem is that there is no second factor to support and confirm BankID.

As Nordics online security firm Freja pithily puts it, “When Bank ID stops, so does Sweden [or Norway].”

Platformed ID plus tokens: a possible solution

Instead of finding a single ID solution that works across many platforms, one answer could be to invert the current approach, and ask users to log in to a single platform which includes access to many different kinds of service.

This is, in essence, what AliPay and WeChat have achieved in China, where the full range of financial services is available from a single app alongside home insurance, business lending and other services.

It’s also what Open Banking promises – for instance, UK citizens can now pay their tax bills directly from their bank accounts. So why not book a doctor’s appointment via your banking platform?

Extending the range of services accessed from a banking platform to healthcare and social services (for example) would fit with the aspiration of open banking, while reducing the number of high-challenge authentications a consumer has to go through to get what they want.

Another part of the solution could be even wider use of tokens.

Thinking about payments specifically, last year saw seven billion payment tokens issued worldwide – unique codes that confirm bank and payee identity in the transaction process.

According to Visa’s Data Mart, these codes helped to cut fraud by thirty percent.

Perhaps – as looks likely – the use of tokens should be extended to the provision of government services, healthcare and other areas. Whatever happens, it’s clear something has to be done – and fast – to prevent consumer confidence in the digital environment from ebbing away.

This collapse in confidence is already being seen in Austria, where our proprietary research at Payments Cards & Mobile tells us e-commerce growth was just one-third of its long-term average last year, with around four in ten Austrians now very concerned about online fraud.

If more attacks happen and this lack of confidence spreads, the consequences for a business community 100 percent committed to the digital future could be severe.

 

The post If digital ID doesn’t work, what do we do next? appeared first on Payments Cards & Mobile.