Depending on where you live in the world, you may or may not have a digital ID. But for those with digital IDs, have you ever wondered about the likelihood of it getting stolen? What about the consequences? Let's look at this question from our Norwegian perspective, using “BankID” as the example.
Digital identity became a much hotter topic once the EU identity eWallet was introduced in the summer of 2021. While there are huge benefits to be gained from introducing digital identities across the EU, there is one fundamental issue that needs to be considered: identity theft.
Today, if someone steals the credentials and factors you use to do Strong Customer Authentication (SCA) for payments, the worst that can happen is that they gain access to your bank account and your money. But what if someone steals your identity itself, i.e. the one stored in an identity wallet? What is the worst-case scenario if someone can impersonate you?
In the Nordics, we’ve had (and still have) various forms of successful digital identity schemes that stretch back almost 20 years. For us here in Norway, that would be BankID. If you want to learn more on the history of BankID, this recent report (in Norwegian only) by the University of Oslo’s Faculty of Law provides some interesting insight into the types of identity fraud seen by legal aid organisations, the types of victims, and how the legal system has handled it.
The Norwegian BankID was launched to end users back in 2004 as a pure authentication and signing solution. Initially, BankID was based on one-time-code dongles and the SIM card of mobile phones. Then, it moved on to being an app-based solution. The biggest driver for the initial success was that it was launched and supported as an authentication and signing method by all the banks and the government.
By late 2007, the number of users was somewhere around 760,000. By 2021, it was used by 4.3 million out of Norway’s 5.3 million people, or, in other words, basically everyone above the age of 18. The number of uses is large as well: 966 million sessions were recorded for 2021.
Today, BankID is used for everything related to the government. This extends from local to central government, including healthcare, education, and taxes. Nearly all governmental forms are digital and go through the same portal and API, where citizens and companies will mainly use their BankIDs for authentication.
If you live in Norway, using BankID for everything is quite convenient. You can just as easily look up your childhood vaccinations or your 20+ year old university transcripts as sign up for new services. On the commercial side, it is fair to say that every larger service, and every service introduced in the last 10 years, supports BankID for onboarding, and in many cases only supports BankID. This covers everything from creating and registering a will and testament, selling your car, or buying a house, to accessing an automated sun tanning booth.
One important point to remember is that solutions such as BankID are not identity eWallets - they are solutions for signing and authentication. While an identity eWallet can store many types of information, such as driving licences and certifications, BankID is based on a central register and the solution is only used for identification and signing.
Here is a simple way to look at it in use: instead of having your driving licence in the identity wallet, you instead install a driving licence app on your smartphone, and then use the BankID to link it to your identity. Ultimately, from an end-user perspective, there is probably little difference between a centrally managed system and a distributed wallet, at least for financial transactions.
The private company running BankID is not very forthcoming when it comes to providing statistics on crime involving BankID. The data in the report from the University of Oslo is collected by three volunteer legal aid organisations, which often get involved with people requiring legal assistance.
The 292 observations are thus based only on cases where the victim has sought support from free legal aid, and where the case has been followed by the aid organisation. This limits the representativeness of the study, but it makes it possible to create much more detailed statistics than would otherwise be possible.
There are some interesting findings from the report:
What is clear from the report is that most eID-related crimes in Norway have been “crimes of opportunity”, where someone has needed cash and taken advantage of a friend or family member. This type of crime is quite short-sighted, as it is typically easy to see where the funds end up.
From a legal point of view, it is more complicated, as you are not allowed to share your BankID in any way, which puts some of the liability on the owner of the identity. This is also the reason why so much of the cost ends up having to be covered by the victim. Seen from the credit institution's point of view, they have a legally binding contract with the victim, even though the victim never had access to the funds.
From the report, there is one statistic that stands out: a large majority of the fraud relied on the old one-time-PIN generators. This is why phasing out these generators in favour of the more modern app-based authentication and signing apps should be a priority as the industry moves forward. With modern authentication methods, it is not enough for the perpetrator to steal or borrow a password and a dongle, as the victim would have to sign the payment on their phone. Using an app also makes it possible to add extra biometric checks so that the security level of a signing process can be raised. An example of this is requiring the user to re-verify using biometrics for important transactions.
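The two properties described above, that the signature must come from the enrolled app rather than from a password plus a dongle, and that important transactions require a fresh biometric re-verification, can be expressed as a small policy and verification model. The following is an added example written for this article, not BankID's protocol or code: an HMAC with a per-device key stands in for the app's device-bound key pair, and the transaction kinds, the 20,000 NOK step-up threshold and the 120-second biometric freshness window are constructed assumptions.

```python
"""Transaction-bound signing with biometric step-up for high-risk operations.

Constructed model (not BankID's protocol): a symmetric per-device key
verified with HMAC stands in for the app's device-bound key pair.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Tuple

# Constructed policy values; the kinds and thresholds are assumptions, not BankID's.
HIGH_RISK_KINDS = {"loan_application", "property_sale", "will_registration"}
STEP_UP_AMOUNT_NOK = 20_000
BIOMETRY_MAX_AGE_S = 120  # a biometric check older than this must be repeated


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    kind: str
    amount_nok: int
    counterparty: str


def required_assurance(tx: Transaction) -> str:
    """Policy: life-event operations and large amounts need a fresh biometric re-verification."""
    if tx.kind in HIGH_RISK_KINDS or tx.amount_nok >= STEP_UP_AMOUNT_NOK:
        return "app+biometry"
    return "app"


def canonical_bytes(tx: Transaction, assurance: str) -> bytes:
    """The signed message binds every transaction field and the claimed assurance level."""
    payload = {"tx": asdict(tx), "assurance": assurance}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class DeviceApp:
    """The enrolled phone app; only it holds the device key, so a stolen password or dongle cannot sign."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key

    def sign(self, tx: Transaction, biometry_verified_at: Optional[int] = None) -> dict:
        assurance = "app+biometry" if biometry_verified_at is not None else "app"
        mac = hmac.new(self._key, canonical_bytes(tx, assurance), hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "assurance": assurance,
                "biometry_at": biometry_verified_at, "mac": mac}


class SigningServer:
    """Checks that a signature comes from an enrolled device, covers exactly this
    transaction, and meets the assurance level the policy demands."""

    def __init__(self) -> None:
        self._devices: Dict[str, bytes] = {}

    def enrol(self, device_id: str, device_key: bytes) -> None:
        self._devices[device_id] = device_key

    def verify(self, tx: Transaction, sig: dict, now: int) -> Tuple[bool, str]:
        key = self._devices.get(sig["device_id"])
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical_bytes(tx, sig["assurance"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig["mac"]):
            return False, "signature does not cover this transaction"
        if required_assurance(tx) == "app+biometry":
            if sig["assurance"] != "app+biometry" or sig["biometry_at"] is None:
                return False, "step-up required"
            if now - sig["biometry_at"] > BIOMETRY_MAX_AGE_S:
                return False, "biometric verification too old"
        return True, "ok"


def demo() -> Dict[str, str]:
    """Runs the scenarios from the text and returns the server's verdict for each."""
    server = SigningServer()
    phone = DeviceApp("victim-phone", b"constructed-device-key")
    server.enrol(phone.device_id, b"constructed-device-key")
    now = 1_700_000_000  # constructed clock value

    small = Transaction("t1", "payment", 500, "grocery store")
    loan = Transaction("t2", "loan_application", 300_000, "bank")
    results = {}
    results["small_payment"] = server.verify(small, phone.sign(small), now)[1]
    results["loan_no_biometry"] = server.verify(loan, phone.sign(loan), now)[1]
    results["loan_fresh_biometry"] = server.verify(loan, phone.sign(loan, now - 30), now)[1]
    results["loan_stale_biometry"] = server.verify(loan, phone.sign(loan, now - 3_600), now)[1]
    # Someone holding the password and a dongle, but not the enrolled device key.
    other = DeviceApp("other-phone", b"guessed-key")
    results["unenrolled_device"] = server.verify(loan, other.sign(loan, now), now)[1]
    # Amount altered after signing: the signature no longer covers the transaction.
    tampered = Transaction("t1", "payment", 50_000, "grocery store")
    results["tampered_amount"] = server.verify(tampered, phone.sign(small), now)[1]
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:22s} -> {verdict}")
```

The point of the model is the order of the checks: device enrolment first, then that the signature covers the exact transaction the server is about to execute, and only then the policy on assurance level and biometric freshness. A real deployment would replace the HMAC with an asymmetric device key held in the phone's secure hardware, so the server stores only a public key.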
Securing the app becomes very important as well, as it is a very tempting target for an attacker. As I mentioned earlier, you can use your Norwegian eID to sell your house, set up a last will and testament, and even apply for new loans. The amount of cash that a perpetrator can extract from even a poor victim is a lot higher than what most people will ever have as a balance on a bank account. So it is certain that once Europe-wide identity eWallet solutions arrive, they will become a very tempting target for criminals.
From a consumer perspective, what is really scary is that, from the service provider's point of view, you are responsible, even if you can argue that someone stole your identity. This is quite different from the consumer protection that is built into PSD2. In my view, an identity eWallet solution should be required to have strong app and identity protection, at least for important, life-event scale transactions such as buying or selling your home.
If you’re interested in securing payments, either through SCA or eWallets, please sign up for our newsletter and follow us on LinkedIn.