Remote Identity Proofing Hurdles Put Spotlight on Increasing Fraud Sophistication

As traditional forms of identification prove increasingly inadequate in the digital space, the necessity for innovative and secure solutions becomes evident. 

Remote Identity Proofing (RIDP), the process of verifying an individual’s identity without physical presence, has emerged as a crucial aspect of this digital evolution. But as digital interactions and attacks become more frequent and sophisticated, ensuring the security and reliability of RIDP mechanisms poses significant challenges. 

This challenge is particularly pronounced in Europe, where technological advancements and the evolving threat landscape often outpace regulations. Moreover, the lack of standardized rules across the region adds further complexity to the situation, resulting in rules that require frequent revisions and updates to effectively address emerging technologies and threats.

“The remote nature of identity proofing is still not recognised equally at the national level in all Member States,” the European Union Agency for Cybersecurity (ENISA) said in a recent report. “At the same time, the way and the rate at which the technological landscape is evolving, both in offensive and defensive aspects, shows that identity proofing is the most-targeted element of digital identity.”

The report, released earlier this month in response to this growing challenge, provides an updated view on shifts in the threat landscape targeting RIDP, while offering practical, up-to-date information and countermeasures to mitigate new attack vectors.

Among the key findings, deepfake presentations emerged as one of the top two biometric attack types deemed most difficult to counteract, based on insights gathered from surveyed stakeholders. That, and the fact that “recent technological developments in digital image synthesis set the stage for potentially more effective deepfake attack paths” emphasize the magnitude of the task ahead.

The other biometric attack type posing significant challenges involves the rising prevalence of injection attacks. These malicious acts entail criminals tampering with digital data or signals to insert unauthorized information into a system or process. In the context of RIDP, these attacks involve the unauthorized insertion or alteration of data related to identity verification processes.

To combat this threat, the report highlighted two critical “good practices” for defending identity documents during RIDP: the importance of status lookups in various identity document registries and the scanning of the near-field communication (NFC) chip, where available.

However, the report acknowledged that both practices encounter obstacles in their full implementation. First, several identity document registries are voluntary and lack a centralized, up-to-date repository of all member states’ document versions.

Additionally, while scanning the NFC chip could enhance security by verifying the holder’s personal information and biometric photo, its use is not consistently permitted for private entities across the EU, further reflecting broader challenges in the region’s regulatory landscape.

Despite the growing complexity of the threat landscape, ENISA said it remains optimistic and dedicated to raising awareness while offering risk-based analyses and reports to empower stakeholders.

Specifically, these efforts will “support informed decision-making for the various stakeholders of the landscape and contribute to the development of countermeasures, helping RIDP to remain trustworthy and reliable in the years to come,” the report said.