A friend was recently burgled and had a bunch of documents stolen by the thieves who were as interested in identity theft as selling an old tablet and gaming console at the local pub. One of the documents that was stolen was a passport. And that led my friend into a complex journey of proving his identity in order to procure a replacement.
This friend is known by a first name he adopted when he emigrated to Australia from what was the USSR until the break up of that region. But the name on his birth certificate is not the same as the name he is known by.
Adding to this complexity is that his birth certificate was lost and the odds of getting a new one is challenging given he will be trying to recover it from a country that didn’t really exist when he was born. Now, as he applies for a new passport following the theft of his old one, he is faced with the challenging task of proving who he is.
Welcome to the 21st century’s version of “Who do you think I am?”
The question of identity is one that more and more us will face in the coming years.
The government of New South Wales recently launched the trial of a new Digital Driver License in selected suburbs in Sydney’s Eastern Beaches and the greater Dubbo area. The idea is that, in time, you’ll do away with the need for a small plastic card and use a secure app on your smartphone.
With driver licenses used as an important identity document by banks, as a proof of age to enter certain venues and even to check into a hotel, the security of a digital license is critical.
Things get even more interesting as Mobile Passport Control (MPC) allows U.S. citizens and Canadian visitors to use the Mobile Passport app for entry into the United States. The app, which is authorised by U.S. Customs and Border Protection allows eligible travellers with a smartphone or tablet to submit their passport information electronically.
For now, neither of these technologies will replace the trusted paper-based systems that many authorities trust and rely on. But are there risks and how does this change to ID change the way fraud is perpetrated?
Identity theft has been a significant issue for many years and is far older than the challenges that the internet present.
In the partly biographical movie Catch Me If You Can Frank Abagnale Jr led law enforcement on a merry chase as he falsified his identity to pose as an airline pilot and doctor before embarking on a career in forgery. And it’s a fair bet many of you used a fake ID to visit a bar or buy otherwise contraband items in your youth.
But the consequences of falsifying a drivers license or passport are far greater. It will rely on encryption and other privacy measures. In NSW, the digital license will be stored on the device and won’t be dependent on a network connection for access. In other words, a compromised device could give someone access to a highly sensitive identity document.
Valid drivers license information can be used by an identity thief to apply for a credit card online, as well as access services or access other personal documents. It could even be used to reset passwords on digital services, locking someone out of their own email or deleting their online information.
Service NSW, who administers the state’s driver license system say the new license will be built on a specialised blockchain which allows the data on the license to be checked cryptographically.
What isn’t yet clear is whether other applications can also access the data. And this is where the real risks lie.
Poorly written software or malware could potentially access the locally stored data. NSW’s Treasurer, Dominic Perrottet says the license app uses “multi-tiered security features” like those used by phone banking apps.
But tools such as Quixxi Security Vulnerability Scan have identified flaws in banking apps that could be exploited. This is where the hyperbole surrounding digital identity documents falls short. Software is rarely perfect. It is created by people and they can make mistakes. And the conditions they test for can be invalidated by users who click and tap in ways that are impossible for developers to anticipate. So having a tool that can analyse the Mobile app deeply and look for potential vulnerabilities is critical.
For businesses or governments seeking to protect their users, Quixxi Shield not only resolves most of these vulnerabilities but also allows mobile app developers to protect their app against unauthorised modification by wrapping it in a hardened encryption layer. That way, if someone does consider trying to modify a digital drivers license – it becomes extremely difficult.
As our digital identities become increasingly important, we need to ensure apps and devices are protected. While app developers can help by designing with security in mind and by testing thoroughly, we can go further by secure the apps themselves – and that’s what we do at Quixxi Security.