GTF Board advisor and Director of innovation in Tietoevry’s financial crime prevention unit, John Erik Setsaas, gives his view of the implications of AI for digital identity wallet security. As all our eggs go into a single basket, have we anything to worry about?
It is much easier to hack people than to hack systems. Due to its widespread adoption, eID has become a popular target. With AI, the criminals have acquired an enormously powerful tool to deceive the eID owners.

The use of an eID for multiple purposes creates a secure and convenient way for consumers to interact with service providers. This has become widespread in the Nordics, where most of the population uses BankID, MitID or FTN (Finnish Trust Network) daily, for many different purposes: from the obvious bank login and signing up for a mortgage or a credit card, to selling electricity, setting up a trusted profile on the marketplaces, proving you are over 18 to get into a tanning salon, or giving your baby a name.
Because they can be used for so many things, eIDs are attractive targets for criminals. There are stories in the news about people being defrauded several times a week.
In one common fraud, the fraudster calls the victim, claiming to call from the bank or an authority, and convinces the user to use their eID to “prove who they are”. The fraudster then gets access to the user’s account and starts a transfer of money to their own account, telling the user that another eID verification is needed just to be sure. This second verification is what actually transfers the money.
Another is the safe-account fraud, where the fraudsters tell the user that their money is in danger and urgently needs to be moved to a safe account. In this case the user transfers the money to the account number given by the fraudster. The fraudsters are tricking the users into performing the actions themselves. It is much easier to hack people than to hack systems, and with AI the criminals get enormously powerful tools to do just that.
The CEO fraud is traditionally done by someone masquerading as the CEO (or CFO). They send an email to somebody in the finance department, asking them to make an urgent money transfer. We have already seen the first example where, instead of an email, someone used AI to set up a deep-fake video call. In this case the employee in the finance department sees and hears the CEO giving the instructions to transfer the money. Recently there was an example where the fraudsters managed to get USD 25 million.
We are all potential victims
We are just seeing the beginning of this. The eID providers are putting in place technical mechanisms for the user to authenticate, and even to prove who they are by using the camera. But none of this helps when the human is being hacked, i.e. tricked into doing something. With eIDAS EUDIW (EU Digital Identity Wallet), the potential gain for criminals will be even higher, making this an even more attractive target.
There is still a bias that you must be stupid to fall for the fraudsters, but I think not. Daniel Kahneman, in his book "Thinking, Fast and Slow", talks about system 1 and system 2 in the brain. System 1 is always active, monitoring the world around you, and acts when there is danger (e.g. a tiger jumping out of the bushes) or potential for gain (access to food). System 2 is the slow system, which takes longer to activate and uses a lot more energy. This is where we do the rational work. But in most cases, system 1 has already made the decision, long before system 2 is even activated.
