
What Happens If Your Digital ID is Stolen? A Viewpoint From Norway

First published: 31/10/2022

updated: 21/11/2022


Depending on where you live in the world, you may or may not have a digital ID. But for those with digital IDs, have you ever wondered about the likelihood of it getting stolen? What about the consequences? Let's take a look at this question through our Norwegian perspective of “BankID”.

An introduction to digital IDs

Digital identity became a much hotter topic once the EU identity eWallet was introduced in the summer of 2021. While there are huge benefits to be gained from introducing digital identities across the EU, there is one fundamental issue that needs to be considered: identity theft. 

Today, if someone steals the credentials and factors you use to do Strong Customer Authentication (SCA) for payments, the worst that can happen is that they gain access to your bank account and your money. But, what if someone steals your identity, aka, the one stored in an identity wallet? What is the worst-case scenario if someone can impersonate your identity?

In the Nordics, we’ve had (and still have) various forms of successful digital identity schemes that stretch back almost 20 years. For us here in Norway, that would be BankID. If you want to learn more about the history of BankID, this recent report (in Norwegian only) by the University of Oslo’s Faculty of Law provides some interesting insight into the types of identity fraud seen by legal aid organisations, the types of victims, and how the legal system has handled it.

What is BankID?

The Norwegian BankID was launched to end users back in 2004 as a pure authentication and signing solution. Initially, BankID was based on one-time-code dongles and the SIM card of mobile phones. Then, it moved on to being an app-based solution. The biggest driver for the initial success was that it was launched and supported as an authentication and signing method by all the banks and the government. 

By late 2007, the number of users was somewhere around 760,000. By 2021, however, BankID was used by 4.3 million of Norway’s 5.3 million inhabitants, or, in other words, basically everyone above the age of 18. Note: the number of uses is quite large as well, with a total of 966 million sessions recorded for 2021.

Domination by BankID

Today, BankID is used for everything related to the government. This extends from local to central government, including healthcare, education, and taxes. Nearly all governmental forms are digital and go through the same portal and API, where citizens and companies will mainly use their BankIDs for authentication. 

If you live in Norway, using BankID for everything is quite convenient. You can just as easily look up your childhood vaccinations or your 20+ year old university transcripts as sign up for new services. On the commercial side, it is fair to say that every larger service, and every service introduced in the last 10 years, supports BankID for onboarding, and in many cases only supports BankID. This covers everything from creating and registering a will and testament, selling your car or buying a house, to accessing an automated sun tanning booth. 

One important point to remember is that solutions such as BankID are not identity eWallets - they are solutions for signing and authentication. While an identity eWallet can store many types of information, such as driving licences and certifications, BankID is based on a central register and the solution is only used for identification and signing. 

Here is a simple way to look at it in use: instead of having your driving licence in the identity wallet, you instead install a driving licence app on your smartphone, and then use the BankID to link it to your identity. Ultimately, from an end-user perspective, there is probably little difference between a centrally managed system and a distributed wallet, at least for financial transactions.

An analysis of 292 observations of identity theft from 2015 to 2021

The private company running BankID is not very forthcoming when it comes to providing statistics on crime involving BankID. The data in the report from the University of Oslo is collected by three volunteer legal aid organisations, which often get involved with people requiring legal assistance. 

The 292 observations are thus only based on observations where the victim has sought support from free legal aid, and where the case has been followed by the aid organisation. This limits the representativeness of the study, but it makes it possible to create much more detailed statistics than what is otherwise possible. 

There are some interesting findings from the report:

  • Young people (19-30) are twice as often a victim compared to older people (61-67)
  • Most victims have been victimised by someone close to them, such as a relative or cohabitant. For women, 80% fall into this category. For men, the numbers are a bit different: 46% of perpetrators were a relative or cohabitant, 46% someone they did not know, and 18% an acquaintance.
  • About 40% of victims had given the password to the perpetrator themselves. Traditional causes, such as written-down passwords (2.86%), reuse of the same password elsewhere (1.90%), or keyloggers (1.90%), were not as common. Almost 50% fell into the “other” or “not known” category.
  • The BankID one-time-code generator is by far the most common target, with 68% of observations. This is interesting, as this is more of a legacy solution, which does not support signing on the device itself. Mobile BankID, which is the most common mechanism today, was only used in 3% of observations. 
  • Most of the fraud is related to signing up for loans and credit cards (61%), shopping (17%) and money transfers (17%). In all cases, the fraud was for financial gain by the perpetrator.
  • For fraud below 50.000 NOK, the distribution across fraud types was equal. Above 50.000 NOK, however, loans and credit are the most common fraud methods, with some amounts going above 2 million NOK.
  • 56% of fraud cases that were reported to the police were not investigated, and only 9% were investigated and considered resolved in court. 30% were still under investigation.
  • Of the 9% investigated and considered resolved, 77% were settled with convictions against the fraudsters.
  • In the cases where the investigation was dropped, the victim was most likely to have to carry the loss alone. But if the case was resolved in court, there were no reported cases where the entire loss had to be carried by the victim. 
  • In the 8 cases where the perpetrator was convicted, the creditor still tried to direct claims to the victim.
  • In the cases where there was a civil case, the victim was responsible for covering the fraud 33% of the time, the creditor 47%, the creditor and perpetrator 10% and the perpetrator alone had to cover the cost 7% of the time.

So, what does this all mean?

What is clear from the report is that most eID-related crimes in Norway have been “crimes of opportunity”, where someone has needed cash and taken advantage of a friend or family member. This type of crime is quite short-sighted, as it is typically easy to see where the funds end up. 

From a legal point of view, it is more complicated, as you are not allowed to share your BankID in any way, which puts some of the liability on the owner of the identity. This is also the reason why so much of the cost ends up having to be covered by the victim. Seen from the credit institution’s point of view, they have a legally binding contract with the victim, even though the victim never had access to the funds.

The future of identity eWallet fraud

From the report, there is one statistic that stands out: a large majority of the fraud relied on the old one-time-pin generators. This is why phasing out these generators in favour of the more modern app-based authentication and signing apps should be a priority as the industry moves forward. With modern authentication methods, it is not enough for the perpetrator to steal or borrow a password and a dongle, as the victim would also have to sign the payment on their phone. Using an app also makes it possible to add biometric checks, so that the security level of a signing process can be raised. An example of this is requiring the user to reverify with biometrics for important transactions. 

Securing the app becomes very important as well, as it would be a very tempting target for a hacker. As I mentioned earlier, you can use your Norwegian eID to sell your house, set up a last will and testament, and even apply for new loans. The amount of cash that a perpetrator can extract from even a poor victim is far higher than what most people will ever hold as a balance in a bank account. So it is certain that once Europe-wide identity eWallet solutions arrive, they will become a very tempting target for criminals.

From a consumer perspective, what is really scary is that, seen from the service provider’s point of view, you are responsible, even if you can argue that someone stole your identity. This is quite different from the consumer protection that is built into PSD2. In my view, an identity eWallet solution should be required to have strong app and identity protection, at least for life-event scale transactions such as buying or selling your home. 

