How Digital Identity will Change Being Online
We all know how it works: If you need to prove your identity for some reason, you have to provide an official physical document like a passport, driver’s license, or state ID. But that may soon be a thing of the past. Technology that allows digital identity verification will make it easier to prove who we are. And it has the potential to make our online experience both simpler and more secure.
See The Evolution of Digital Identity with Philipp Pointner for a complete transcript of the Easy Prey podcast episode.
Philipp Pointner works for Jumio, a company in the identity space. For his first nine years with the company, he was their Chief Product Officer. Now, he’s the Chief of Digital Identity. His job is to future-proof Jumio for the approaching world of digital identity and the new threats that will come with it. Before starting with Jumio, he was responsible for paysafecard, Europe’s most popular prepaid gift card. He knew how bit of a challenge it was to identify people and keep fraudsters out. Keeping the verification process from being too burdensome to real people was also a challenge. Not only does he find the idea of identity interesting, being able to verify your identity is key to accessing services that matter to people. He wants to help make the process better.
Changing Perceptions of Digital Identity
Jumio started thinking about digital identity in 2014. Back then, identity verification online involved asking for a passport, a driver’s license, or some other kind of documentation, or asking people to show their faces for a facial recognition scan. People didn’t appreciate that. Those kinds of verification methods really impacted consumer use.
Almost ten years later, that has changed. Especially with facial recognition, people are much more comfortable showing their face to their phone camera. Biometrics like facial scans and fingerprints are an easy and convenient way to unlock things. The ability to take photos on our phones also gave most people the skills to put their face the right way in the frame in order to be scanned. In that way, smartphones have paved the way for better security.
People are also more aware now. Often people aren’t concerned about their fingerprints, but once devices are scanning their faces, they want security. They want their biometrics protected and covered by security regulations. There is also the question of accessibility and making sure everyone can use the technology. It’s about guiding the user and using the right methods so people can achieve what they want with authentication and security.
The next level of digital identity is making them reusable, so you don’t need to get out your driver’s license or passport every time. It could be a credential that lives on your phone and you can choose to share with apps. The industry has been talking about this for a long time, and Philipp thinks it’s coming soon. In a few years, we may live in a whole different world.
The Challenge of Interoperability
When it comes to digital identity, there’s a question of widespread use. If some jurisdictions accept digital ID and some don’t, if that country accepts only that type while this country only accepts this type, or if countries or jurisdictions are creating their own exclusive digital IDs, it becomes difficult to the user. The industry uses the term “interoperability” to discuss these challenges and ways to make universal, or close to universal, digital identities.
There’s a good chance that digital identity standards will be adopted along with the mobile driver’s license initiative, which has an ISO standard. There is also potential for a digital passport, which would be governed by EATA, the entity that governs cross-border document use. This makes it likely that there will be a global standard.
When it comes to national e-identification, though, there are more challenges. Some countries try to lean towards the standards, but nobody is doing pure standard implementation. Everyone is doing their own thing to some degree. It’s not looking like a global initiative. In the EU, the EU Digital Identity Wallet is going to harmonize a lot within the EU. Internationally, it will likely be through globally-recognized driver’s licenses and passports.
How Scammers (Might) Take Advantage of Digital Identity
Technically, a digital identity is more secure than a physical identity when used online. And that’s for one simple reason that most people don’t think about: If you upload a photo of your passport or your driver’s license to a website so they can verify you, they now have a copy. You have delivered both your identification information and your proof of it. There’s always a chance that someone could get their hands on a database of ID photos. They could get your information, and they use that photo of your ID as “proof” that they’re you on other sites that require photos of ID for proof.
With a digital identity, though, the proof stays with you. You can provide both your ID and the proof to a website or app so they have that info, but they don’t get a copy of it. Even if someone gets the data that website collected, they still wouldn’t be able to pretend to be you. The actual evidence that proves the identity is still with you and only you. It sounds confusing, but it makes a huge difference in your security.
The digital identity is going to be a lot more secure than your plastic identity when you use it online. Philipp Pointner
The consequence of that is that there are fewer things a scammer or hacker can do on the technical side. Even if they successfully hack a database, it won’t do them any good. So they are going to shift towards targeting people themselves. They will run scams and use social engineering to get access to the ID itself or to get people to use it in a way that benefits the fraudster. We’re going to see a rise in schemes that target identity.
AI and Fraudulent Documents
Every day we are seeing the evolution of sophisticated fraudulent documents. There used to be different levels of faked documents. At the lowest level, there would be kids trying to hide their age or something doing low-effort modifications. Sometimes they would even copy genuine documents with a sticker or a piece of paper stuck on to change the information. But now, even low-effort attempts are sophisticated.
The really dumb, stupid frauds that you can easily identify have pretty much gone away. Philipp Pointner
Engineers have now prove that with AI image generation and the right templates, anyone can create real-looking fake identification documents en masse. You can create a file with names, dates, and everything you want printed on the document, press a button, and generate tens of thousands of fake documents that look practically real.
Before, criminals had to do this manually. Creating a sophisticated fake identification document would take half an hour to an hour per document. But now they can do it almost instantly. It’s this scalability that makes it scary. They’re not attempting to get through with one, two, five, or even ten fake documents. Now they’re using thousands of documents to try to open thousands of accounts in the hope that one succeeds, and it doesn’t require much effort on their part.
Scammers can Scale with Tech
Scaling – increasing the amount you can do without putting in too much more time or effort – happens with all kinds of criminal enterprises now. If you look at Nigerian prince or 419 scams, scammers used to have to print off (or write out) each letter, put it in an envelope, and pay for a stamp to mail it. Then fax machines arrived, and they could do it faster and cheaper, but they still had to pay for the phone call and the machine and take time to send each fax. Then faxes could be automated. But when email got popular, they could suddenly send out millions at a time for almost no money.
And email isn’t the only technology scammers are using. Chatbots can be very intelligent at holding a conversation. If a scammer sent out 50,000 emails and got a 1% response rate, that’s still 500 people that they now have to convince and trick into sending money. That’s a lot of conversations for a person. Even though most scammers have templates, they still have to check what the person said and which response in the template would be best. But if they connect a chatbot that’s been programmed with the templates, the chatbot can do it by itself. Philip doesn’t think that consumers are aware yet of how quickly generative AI is changing the landscape of scams.
Nobody yet has really hit the alarm and said, the internet is changing, be careful, protect yourself, and how to protect yourself. Philipp Pointner
The Burden of Security is Still on the User
Right now, there is very little guidance or help when someone is the victim of identity theft. Where should they turn to? How should they behave? What do they do next? How often should they check their accounts? What else should they watch out for? These are all questions victims ask, but there’s no good guidance out there. Banks, credit agencies, and institutions have legal obligations in these situations. But consumers need to know who to talk to, what to tell them, and what the process is.
It’s unfair to shift the burden to the end user, but it’s very easy to do. At the end of the day, it should be on institutions and businesses that offer services online to make sure they’re safe. There should be ways to keep people from giving away valuable things, whether that’s a digital identity requirement, biometric authentication, or something else. There are ways to set up security where even if the end user is tricked, it’s not easy to get at their assets. Sometimes ambitious scammers do work to get data like biometrics, but it’s not common. The most common attack vector is still contacting people online, such as through email, text messages, and social media.
Account Security Matters
Philipp’s team did a survey recently asking people if they would be willing to invest more effort into account security for various online activities. The results were interesting because they showed that people are generally pretty smart about this. For the most part, they ranked everything that needed strong protection highly, and things that didn’t warrant such strong protection as lower. The one exception was social media. Philipp thinks social media needs strong account security, but most people ranked it very low.
People don’t think about social media accounts as an asset that needs to be protected … [but] social media is the gateway to other areas in your life. Philipp Pointner
People often don’t think about social media as an asset to protect. But in the current internet, our social media accounts are keys to our digital identity. If someone gets into your LinkedIn account, it’s a nightmare – he’s seen it happen. A hacker who gets social media access can then social engineer themselves into more information and access. Most people haven’t considered these consequences yet.
A scammer who’s gotten into your social media accounts can also use that as a way to scam your friends. They have access to everyone you’re connected with, and they can use your digital identity on social media to pretend to be not a suspicious stranger, but a trusted friend. If a stranger texts you asking for $20, you’re going to be suspicious. But if your friend sends you a message on Facebook saying money is tight and asking if they can borrow $20 to get groceries, you’re much more likely to want to help your “friend.”
Scams are Evolving so They’re Harder to Spot
In some ways, people are getting better about online security. Especially with blatant, well-documented scams, like the Nigerian prince scam or an email claiming you won the lottery. Experts have been warning about those for years, and most people are pretty comfortable with spotting them.
The challenge is that scams are evolving. Crypto romance scams, also called “pig butchering,” involves scammers on dating sites tricking their matches into investing in a fraudulent cryptocurrency. It’s not a case where the scammer asks the victim to send them money. Often, victims feel like it’s not the person they’re talking to that’s scamming them, but this “third party” crypto trading platform. They continue a relationship with the scammer while thinking this platform is at fault, never connecting that the scammer is the one running the platform.
There are still people out there who use the same password for everything. Obviously, that’s a risk to their online security. But security is always a barrier. There’s tension between what experience people want to have and what they’re willing to tolerate in the name of security. People may be willing to do two-factor authentication to access their bank account once a week, but less willing to do it to access their social media several times a day. Even if they recognize the value, the inconvenience outweighs it.
Businesses Can Do Better for Security
Reducing the inconvenience of good security is something businesses can do better. They could implement something like passive biometrics, where something as simple as the way someone pulls their phone out of their pocket can tell you if they are the user or not. The technology exists, but it’s not deployed as widely as it could be.
Banks especially still haven’t quite figured out security. They can tell from one transaction that a credit card was compromised and automatically cancel the card and issue a new one. But a lot of obviously suspicious or fraudulent wire transfers get through. At the end of the day, the inconvenience lands on the customer.
This is even true with verification methods. Businesses often verify people by asking for certain data points. That’s fine if it’s something that they know off the top of their head. But it’s much less convenient if they want something like the amount of the third transaction on last month’s statement, or the exact amount of January’s credit card payment. The method makes the difference.
There’s really no reason to bother the end user anymore with these knowledge-based authentication challenges. Philipp Pointner
Other verification methods like biometrics are strong, convenient, and governed by a strong standard. And the tech is already there on your phone. It can make a big difference for users. The survey Philipp did showed that users are willing to do things for security. But he doesn’t think the message has quite landed with businesses. Even before digital identity is implemented, they could do more for security with less inconvenience.
Getting Better at Security
Part of the challenge in getting more sophisticated as a general population is that there’s no one-stop shop to learn about all the latest stuff. And in fact, that’s probably not even the best way to do it. If you focus on learning about the particulars of a scam, you may end up looking at the wrong signs. You may know all about Nigerian princes, but if it’s a Canadian businessman instead, you may not recognize the warning signs the new scenario.
Currently we’re not teaching people critical thinking, we’re just teaching a long list of red flags. It’s more helpful to ask if someone is trying to trigger your emotions, create urgency, or convince you to follow an authority. But if you’re focused on memorizing a list of red flags, eventually the list will be too big to keep track of. The specifics often aren’t useful because there are so many variations. It’s more important to educate people about the psychological methods scammers use to take advantage.
Security Challenges of the Modern World
I suspect that the general population has become an easier target … because the world has become more stressful, scary, and difficult for people to navigate in the last few years. Philipp Pointner
The world has become more threatening, stressful, and hard to navigate in the past few years. This makes everyone easier targets for scams that prey on our fear. There’s also more opportunity now. Ten years ago, people weren’t online as much, and when they were they generally interacted with people they knew in real life. Now you can work with someone for years and only see them over Zoom.
We used to be suspicious of people we only knew online. Now, because of Covid and years of Zoom, it’s normal. A person you see could be a generative AI face projected on someone else and you’d have no reason to suspect. This is actually something Phlipp tested – people vastly overestimate their ability to detect deep fakes. They have a lot of confidence, but despite the confidence they’re just not good at it.
It’s wonderful what technology can do. But it can also be abused. This is where hope lies in digital identity – you can easily and conveniently prove to the other side who you are. Digital identity is going to change how we use the internet. You can have a relationship with someone on social media, and through their digital identity verify that they are real. You can have more secure communication with businesses and the people you interact with. Currently, verification is still cumbersome. That’s why places like social media often don’t require it. But with a reusable digital identity, it will be much easier and more convenient to verify everything.
Concerns with Digital Identity
These digital identity advancements also come with concerns. One of those concerns is fraud. Is it possible to pay someone or somehow create a fake digital identity so that a criminal ends up with a fake identity that seems even more trustworthy than a fake identity today? These types of concerns are why Philipp encourages thinking about digital identity as an evolutionary step and an add-on, not a full replacement. It will help with security, but it isn’t the only thing needed for security.
There are tools today that help identify risk and check behavior. If you’re wiring all your money out of the country, is this something you do regularly or is it new? Those kinds of checks aren’t going away. When digital identity happens at a large scale, there’s just going to be more use cases. That’s why convenience matters.
Imagine you are a Q&A forum where anyone can post questions and anyone can give answers. It would be great for you to verify your users’ identities. Not because you need to know who they are, but so if anything they say has legal ramifications, or if they’re posting hate speech, you can hold them accountable. Currently, that kind of verification is expensive and inconvenient. But when digital identification costs nothing to transmit, all these use cases open up. Currently, you probably upload documents to verify your identity only a few times a year. But with advancements in digital identity, we will end up using it all the time.
With a digital identity … all these use cases are going to open up where we don’t even think about using identity today. Philipp Pointner
What Consumers Can Do Today
The first thing you should do is self-education. Stay on top of what’s happening. The second thing that Philipp recommends to everyone is to turn on two-factor authentication. Any account that offers it but doesn’t require it, turn it on. If possible, use biometrics to secure your accounts.
Third, be concerned about your own security and ask the companies you work with to do the same. If you go into your bank and talk to someone to do your transaction, also ask them what they’re doing to keep your account safe. When you have to send copies of your documents, make sure they’re transmitted in a secure way that you understand.
Also make use of your right for companies to delete your data. In the EU, where Philipp lives, that’s a right that every consumer has. Your particular rights may vary depending on where you live. If you don’t feel like using that service again, make sure your data is gone. This “data minimization” is a great security practice. Finally, be aware your data is out there. When trying to spot scammers, know that they may have more knowledge than you expect and can use that to trick you into thinking they’re authentic.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
In the modern world, we need the internet for daily life. Work, school, banking, shopping, social connection,…[Read More]
You’ve probably seen them somewhere. A sign by the road, an ad on a billboard, or even…[Read More]
Student loans came out of their forbearance period and payments resumed towards the end of last year….[Read More]
A virtual kidnapping call can be terrifying - that's why it's important to be prepared in advance.[Read More]
If someone asked you if you want the messages you send and receive to be private, you’d…[Read More]