Technological achievements that change business and lives come fast and furious today. Across all the advances, those who would use technology to empower individuals and open society are facing off against those who would use it to exploit or control others.

Digital identity — fundamentally defining who we are within a society’s systems — is both a fertile and tangled ground for this inevitable fight. Digital identity includes any digital representation of physical documents, such as birth certificates, passports, licenses, voter registrations, medical insurance cards, and Social Security IDs, or the data therein. It also includes “soft” identities like online credentials, usernames, passwords, and one-time access tokens for multifactor authentication that enable us to use e-commerce, social media, and banking apps. Digital ID ecosystems can even use our mobile numbers to identify us, as well as biometric measures like fingerprints, voice patterns, faces, and our eyes.

As both digital protection strategies and digital attacks in this realm become more sophisticated, organizations that know the terrain have a better chance of navigating it. Here are three fronts where the battle for digital identity is especially complex and ferocious right now.

Liveness Detection vs. Deepfakes

Banks, insurance companies, healthcare providers, government agencies, and others are increasingly using liveness detection to verify an individual’s identity. This usually involves directing a person to look into their laptop or phone’s camera to determine they are an actual, living person and to match their face with their official digital ID photo or video on record. But widespread facial recognition technologies and computer vision have recently and repeatedly proven to be vulnerable to deepfakes powered by AI and machine learning. Deepfake images and videos — conveying synthetic human likenesses — have become so realistic that researchers at Penn State College of Information Sciences and Technology showed that “four of the most common verification methods currently in use could be easily bypassed using deepfakes.”

But all is not lost. Organizations can combat this deepfake onslaught by using multiple verification techniques such as comparative mobile location behaviors, facial depth sensors, device intelligence detecting emulators, and real-time readback of unique server-side generated alphanumeric strings during a verification check employing voice biometrics. Additionally, on-demand facial expression and movement instructions during the liveness check can help detect a fake, when leveraged in conjunction with the other techniques.

Remote Processes vs. Digital Impersonation

When the pandemic ushered in a new remote-based reality across the world, criminals seized upon hastily established automated processes and a lack of in-person engagement to expand their digital impersonation attacks. As a result, services like car sharing in Europe are rife with this kind of fraud.

It’s accomplished in a few steps. Increasingly sophisticated phishing emails, often appearing to come from large, well-known companies, trick people into sharing key personal information. With that, fraudsters can employ techniques widely available on the Dark Web to generate identification documents with machine-readable zones. All a fraudulent onboarder needs to access a car-sharing account or open a bank account online is a remote system with a verification process that fails to require a robust constellation of checks — background, biometric, and multifactor authentication. An effective process can no longer include one without the others.

Regulation vs. Crypto Chaos

Over the past year, industries such as banking and crypto have experienced a twofold increase in fraud. But crypto is particularly vulnerable because it lacks the array of regulatory protections that serve banks — as well as the guarantees that individuals and businesses rely on when using more traditional financial instruments. Confidence in crypto continues to be in limbo as poor leadership, hype-fueled speculation, confusion, and devaluation have plagued the industry.

Previously, crypto holders have been out of luck when someone steals their identity and wallet or transfers their coins without their knowledge. But regulators are finally steering markets around the world in a more mature direction that acknowledges the need for balance between data privacy and digital fraud concerns. For example, the “Travel Rule,” which subjects transfers of virtual assets (VAs) like cryptocurrencies and virtual asset service providers (VASPs) to global standards used across mainstream financial services, was introduced in 2019 but only now is coming into effect.

Requiring that senders and recipients of crypto exchange identifying information, guarantee its accuracy, and convey the data to government if asked, about 29 of 98 countries under the rule have enacted binding legislation, with more nations planning to do so.

Making progress on this front now lies in effective implementation of tools and digital identity ecosystems that will tame crypto chaos and stop anonymous money laundering.

Source: www.darkreading.com