Keep Your Friends Close and Your Identity Closer
The digital world touches everything we do: work, shopping, even your wallet. And the one thing that keeps your digital life secure is your identity. So what makes up your digital identity? Digital identities are broadly defined and include everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a Web form when shopping online, every time you verify you're 21 or older, and every time you enter a password, you're sharing a part of your digital identity.
We are constantly disseminating the attributes of our digital identities across countless platforms, and this will only expand as we do more things online. However, with the broader adoption of digital platforms, there become more and more opportunities for threat actors to steal these attributes and hijack our digital identities.
The True Threats of Digital Identity Theft
In April, the National Council on Identity Theft Protection shared statistics from the first quarter of 2023, alarmingly showing that the Federal Trade Commission (FTC) has already received 5.7 million total fraud and identity theft reports.
So what happens when identity theft or fraud takes place? On the enterprise side, organizations that fall victim to data breaches, malware, or ransomware attacks could face legal repercussions and have to pay affected customers millions of dollars. In addition to monetary penalties, organizations also face reputational damages, which could result in massive business losses.
Individual victims of identity theft or fraud, on the other hand, may experience financial fraud or losses and spend considerable time and money dealing with the fallout. Additionally, some victims will be left with traumatic feelings of violation and anxiety or hypervigilance — similar to what a victim of a robbery may feel.
As we enter the era of Web3, the cybersecurity threats for victims of identity theft are worsening. Now that processes, appointments, and work life are digital, people are constantly sharing the attributes that make up their digital identity. What becomes very dangerous is people sharing their personally identifiable information (PII), such as their Social Security number, driver's license, and address, as this information is exactly what threat actors look for when breaching organizations.
Once threat actors gain access to digital identities and PII they can create synthetic identities — fictitious identities that are created using a mix of real and falsified information. These synthetic identities have the ability to disrupt people's lives and the way they do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms. Additionally, ChatGPT can help fraudsters create more believable, native-sounding phishing campaigns, including emails and chat dialogue that trick or coerce users into giving up their authentication credentials.
How to Stay Secure
Last year, a Verizon report found that 82% of all breaches involved the human element, which includes social engineering attacks, misuse, and errors. So how do you prevent human error? Education. Empowering employees with the security basics they need and educating them as to what phishing, smishing, and vishing attacks look like can severely cut down on data breach risk. Organizations should also implement security standards for employees and ensure that these standards are taught during onboarding.
Similarly, the best way for consumers to stay secure is to educate themselves on social engineering attacks and remain vigilant when checking emails, text messages, and phone calls. There are plenty of free digital resources available for consumers that cover security basics, such as what to look for when opening a suspicious email, how frequently passwords should be reset, and what to do if you suspect your information has been compromised.
Customers should also be doing their own due diligence and checking to see what data organizations are collecting and what security is being used to protect that data. On the flipside, organizations need to implement responsible data storage practices by only holding onto data they can actually utilize, and having a centralized identity storage system. A centralized identity storage system will take care of internal mapping of various applications and ensure all digital identities are located in a centralized location, cutting down the propagation of these identities through multiple systems within the same organization.
Educating employees and cutting back on data storage are just two minimum standards for organizations. Additionally, organizations must implement secure systems and solutions such as systemized automation, biometrics, and other identity verification methods. This is where identity and authentication converge. Both parties, consumers and organizations, need to ensure there is trust. Consumers need to trust that organizations will keep their digital identity and data secure, while organizations need to trust that consumers are who they say they are.
The Future of Digital Identities
Awareness of digital identities is on the rise. It's promising that the US government has made a public statement announcing it plans to prioritize digital identity solutions, though the US remains behind other regions — specifically, the UK and EU.
In 2021, the EU introduced its digital identity framework proposal to create a sole "trusted and secure European e-ID." Additionally, this year European Parliament voted to move forward with creating an EU digital wallet to further protect European identities and transactions. Within the next few years we'll likely see the US follow in the footsteps of the EU and create a one-stop solution for digital identities.
My hope for the future of digital identities is that we create a seamless, trusted, and secure experience. To do this we'll need to implement a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. In this system, instead of sharing every piece of personal information, users would only be disclosing the minimum information required for individual tasks. This would create the ideal environment to build a digitally secure and trusted world.
This article, written by Sameer Hajarnis, Chief Product Officer at OneSpan, was first published on DarkReading.com on May 19, 2023.