top of page
John Erik Setsaas

Digital Identity Wallets - Maybe Good News for Criminals!

GTF Board advisor and Director of innovation in Tietoevry’s financial crime prevention unit, John Erik Setsaas gives his view of the implications of AI for digital identity wallet security. As all our eggs go into a single basket, have we anything to worry about?

It is much easier to hack people than to hack systems. Due to its widespread adoption, eID has become a popular target. With AI, the criminals have acquired an enormously powerful tool to deceive the eID owners.
The use of an eID for multiple purposes, creates a secure and convenient way for consumers to interact with service providers. This has become widespread in the Nordics, where most of the population uses the BankID, MitID or FTN (Finnish Trust Network) daily, for many different purposes: From the obvious bank login and signing up for a mortgage or a credit card, to selling electricity, setting up a trusted profile on the marketplaces, proving you are over 18 to get into a tanning salon, or giving your baby a name.

Due to the extensive usability, eIDs are attractive targets for criminals. There are stories in the news about people being frauded several times a week.

A common fraud is that the fraudster calls the victim, claiming to call from the bank or an authority and convinces the user to use their eID, to “prove who they are”.  The fraudster will then get access to the user’s account, and then transfer money to their own account, telling the user that another eID verification is needed just to be sure, and this second verification will then transfer the money.

Or the safe-account fraud, where they will tell the user that their money is in danger and needs urgently to be moved to a safe account. In this case the user will transfer the money to the account number given by the fraudster. The fraudsters are tricking the users to perform the actions. It is much easier to hack people than to hack systems, and with AI the criminals get enormously powerful tools to do just that.

The CEO fraud is traditionally done by someone masquerading as the CEO (or CFO). They send an email to somebody in the finance department, asking them to make an urgent money transfer. We have already seen the first example of not an email, but someone using AI to set up a deep-fake video call. In this case the employee in the finance department will see and hear the CEO with the instructions to transfer the money. Recently there was an example where the fraudsters managed to get 25MUSD.

We are all potential victims

We are just seeing the beginning of this. The eID providers are putting in place technical mechanisms for the user to authenticate, and even proving who they are by using the camera. But none of this helps when the human is being hacked, i.e. tricked into doing something. With eIDAS EUDIW (EU Digital Identity Wallet), the potential gain for criminals will be even higher, making this an even more attractive target.

There is still a bias that you must be stupid to fall for the fraudsters, but I think not. Daniel Kahneman in his book "Thinking fast and slow", talks about system 1 and system 2 in the brain. System 1 is always active, and monitoring the world around you, and acts when there is danger (i.e. a tiger jumping out of the bushes), or potential for gain (access to food). System 2 is the slow system, which takes longer to activate and uses lot more energy. This is where we do the rational work. But in most cases, system 1 has already made the decision, long before system 2 is even activated.
There are not a lot of tigers running around most of us today, but when somebody calls and tell us that our money could disappear, or as with the kidnapping fraud, our child calls (by the fraudster, using an AI to mimic our child’s voice) and tell us they are in danger, system 1 kicks in and we act. We are all potential victims of this.

A field day for the fraudsters

How do we protect against this? In financial crime prevention, we are monitoring transactions, and looking for deviations. What is John Erik's normal behavior? If I were to log in from a Mac or make a transfer at 2 am in the morning, these would both be strong indicators that something is not right. We at Financial Crime Prevention in Tietoevry Banking detect and stop more than 90% of the card transactions in this way. We are stepping up the game with more advanced mechanisms and AI to improve the success rate for detecting all kinds of fraudulent transactions.

In a survey we did last year in Sweden, 74% of the respondents were positive to collecting and profiling personal data for this purpose. But interesting to note that 14% did not want this under any circumstances.

I see a grave challenge with eIDAS. The proposal does not allow the issuer of the EUDI Wallet to collect information about the use of the EUDI Wallet, nor to combine personal identification data and any other personal data in or related to the use of the EUDIW.

If this means that we can no longer collect data and profile for fraud prevention, we will have huge problems going forward, and the fraudsters will have a field day.

I have taken the liberty to add a different text to the Peter Steiner's cartoon from 1993 "On the Internet, nobody knows you're a dog": “With AI, you can be anyone on the Internet”.




265 views0 comments

Kommentarer


bottom of page