A shortened version of this article was originally published on the TechUK website as part of their Digital ID Campaign week.
Every hour, Licel systems process over 300,000 live threat intelligence events. This gives us a front-row view not only of how malware spreads and mutates, but also of how trust in the digital world can be undermined and quietly erode.
We see camera injection attacks bypassing eKYC controls, social engineering fused with remote access tools, maliciously modified apps siphoning sensitive data, and rerouted comms that trick users into signing something they never intended to sign. These aren’t fringe cases, but rather are becoming the new normal.
This is a problem, because most societies are built on trust by default. We tend to trust the systems we use and trust that those systems will protect us. But trust in the digital world cannot be assumed. It has to be engineered
Taking all of this together, if you asked us here at Licel today to swap our physical passports for digital versions, we wouldn’t hesitate to say: only when security is treated as the foundation of Digital ID initiatives.
The New Reality of Digital Identity
The world is entering an exciting new phase of identity. Digital IDs that are stored on smartphones are quickly being planned and rolled out by government task forces around the world. These national identity schemes will be used to prove who we are, and to streamline access to public services and the digital economy.
The potential is immense. Faster verification, improved accessibility and efficiency, and seamless cross-border interactions, to name only a few. But alongside this great promise is a new reality; where our digital identity lives inside mobile applications that by their very nature exist in an unpredictable, untrustworthy, and often hostile environment.
Think about your physical passport for a second and how you look after it when you’re on a holiday or business trip. It’s always close to hand, in your backpack or in your handbag. And when you arrive at your hotel, it’s probably one of the first items you lock away in the safe in your room. There are threats in the physical world around us, of course; there are those who would seek to distract you so they can steal your passport from you. But it’s a physical thing that you can touch and protect. You can be vigilant of threats against it. What is more, your physical passport comes with hundreds of years worth of anti-tampering measures that have evolved over time - whether that’s the hologram image, the Common Criteria (CC) EAL6+ secure chip or the unique ID number. It’s a tricky thing to fake.
A digital passport that exists inside an app on your smartphone faces very different kinds of threats. These ones aren’t physical, but rather they exist in the ether, floating in the dark spaces between the mobile application, the operating system, and the backend. These include mobile malware, remote access tools, and zero-day exploits. In other words, compromised environments that enable an attacker to use your most sensitive personal data without even having to steal it.
The danger isn’t that Digital ID initiatives are misguided - far from it. It’s more that it seems that security at the mobile application level isn’t yet treated with the same rigour as backend or architectural security. And without it, the entire chain of trust can be undermined.
Imagine that you’ve built an impressive-looking castle, but have failed to examine the soil around it. That soil could be just the right quality and consistency to enable attackers to construct a tunnel under the castle walls, all the way to the crown jewels.
The Dark Spaces: The Digital ID Threat Landscape
The success of Digital ID initiatives will arguably rest on whether citizens believe that their identities are safe. This is a legitimate concern. After all, digital identities on personal devices can become exposed to:
- Tampering - attackers modify apps to inject malicious code or steal and misuse cryptographic keys.
- Malware interference - malware strains can silently observe Digital ID interactions and signatures, and siphon credentials.
- Synthetic enrolment - sophisticated eKYC Fraud using deepfakes and virtual camera apps can create bogus citizens in the database.
- NFC-based fraud - contactless scans via NFC interfaces can be manipulated and relayed to other devices around the world.
The threats above can be prevented, but only if we see the mobile channel as a critical component of trust. Citizens don’t see - and are almost certainly unaware of - backend systems and encryption protocols. What they do see and experience is the mobile application; that’s why it’s so important that it is able to defend itself and is capable of proving its integrity every time that it runs.
Without robust protection mechanisms, blind spots and dark spaces can emerge and grow in size. The clear and obvious danger of that happening is that once a Digital ID system is breached, trust is very difficult to rebuild. This is especially true when you consider that there is already scepticism about individual data privacy before initiatives have even got off the ground.
We’re living through an interesting intersection in our recent digital history. It feels like the more negative impact of sharing almost every facet of our lives on social media for the last decade or two has led people to withdraw to some degree and begin sharing less widely than before. It has also led people to value their privacy a lot more.
This trend is happening at the same time that cyber threats increase in number and sophistication. In Eurosmart’s position paper on security considerations for the European Digital Identity Wallet, they highlighted that around 2,900 new vulnerabilities were emerging each month.
Here at Licel, we sometimes get the impression that there’s an idea about security being primarily about patching bugs. But this isn’t the case at all. It’s a fundamental architectural issue, especially with National Digital ID projects where there is so much planned investment and so much is at stake.
A Manifesto for Secure Digital ID Initiatives: Building a Foundation of Trust
We’ve spent the last 15 years in the field, building security solutions that solve real-world problems and protect the entire mobile channel. This experience has led us to believe the following principles should underpin every secure Digital ID initiative.
- Secure Enrolment. We work with financial institutions around the world to help them battle eKYC Fraud. This threat could also endanger the success of Digital ID initiatives, which is why it’s vital that biometric data and personal identifiers be integrity verified and secured from the device to the backend.
- Integrity Across the Lifecycle. Runtime Application Self-Protection (RASP) and integrity checks are absolutely vital for identifying and preventing some of the threats we mentioned earlier that float and flicker around mobile applications (malware and compromised environments).
- Trusted Execution. Personal identification, credentials, and cryptographic keys and secrets must be robustly protected. Sensitive operations should be performed inside a trusted, isolated environment.
- Visibility is vital. Real-time threat and device intelligence is crucial for painting a thorough picture of the threat landscape and how it’s evolving over time. Without it, it’s difficult to get a clear view of where attacks are coming from.
- Privacy and Transparency. Security isn’t only about preventing attacks, but about maintaining the confidence of citizens that their identity and data belongs to them. Open communication and education is crucial.
A Shared Mission
The regulatory frameworks for Digital ID already exist: eIDAS 2.0, ICAO DOC 9303, ISO/IEC 18013-5. These standards set the baseline for interoperability and assurance, but compliance alone doesn’t equal security.
We’re convinced that to build sustainable trust, security has to be embedded from the inside out. And that begins with the Digital ID application on each citizen’s device. A holistic approach (what we at Licel call mobile channel protection) that combines protection mechanisms such as runtime security, verified threat and device intelligence, and trusted execution, can go beyond compliance to build lasting end-user trust.
Digital ID initiatives are some of the most ambitious digital infrastructure projects of the modern world. They have the potential to completely revolutionise the way that government, private enterprise, and individual citizens interact. That’s why it’s so important that they are built on solid foundations if we want them to stand the test of time.
Trust cannot be assumed, but it can be built. Here at Licel we’re excited to be a part of the conversation and we stand ready to help Digital ID fulfil its enormous promise and potential.
