Proving that we are who we say we are has been a constant concern in security ever since human beings, organised in small communities, began to interact with people from other groups whom they did not know face to face. From rudimentary methods (sometimes based solely on the other person's word, or on letters of introduction), identification has evolved over time into the methods we all know today: ID cards, passports and driving licences.
These documents solved the challenge of identifying ourselves physically anywhere in the world so that we can carry out official procedures, open a bank account, order a drink in a bar or drive a car. But are the documents we carry in our wallets really the ideal way to identify ourselves on the Internet?
After the DNI-e (electronic ID card) failed to take hold as the default method, the online community is split between various alternatives for digital identification, with very different and significant levels of security: from platforms that only require our name, surname and email address, to others that validate our physical ID card over a video call, or through automated methods that check that the (human) person presenting the document is the same person the document describes. Between these extremes the options are almost endless, and many of them are situations in which our online security is put at risk.
Digital identity in Spain
In our country there is no digital identity strategy as such; instead, different criteria are applied according to the rules that govern each specific field of activity. For example, the central administration uses both the DNI-e (and its corresponding electronic certificate, which must be collected in person at a police station) and the Cla@ve system (with two-factor verification by SMS or mobile app) to identify people who want to carry out any procedure.
Meanwhile, the demanding banking regulation against money laundering requires a person to be identified with their ID card before they can open a bank account. The problem with doing this online is that sending a photograph of the document is not enough, because anyone could have stolen it from a wallet: a photo only proves possession of an image of the document, not that the document belongs to the person presenting it. What has to be checked is that the ID card and the person are actually together. After a lot of effort, the public authorities first authorised video calls with human operators to carry out this verification, and now also allow assisted or automated systems.
Furthermore, we should remember that since 29 September a new European regulation on electronic identification has been in force, which aims precisely to promote interoperability in access to information and public services in any EU country. It is the eIDAS regulation, which establishes cross-border recognition of existing electronic identification (with documents such as an ID card or a driving licence) when opening bank accounts in other parts of the Old Continent, accessing our medical records or dealing with local public administrations. A measure that may seem secondary but that, especially for companies doing business across the EU, represents an operational advance and a considerable saving in time and bureaucratic complexity.
When things aren’t done properly
Despite the strict regulation in this field, companies do not always choose to follow the security guidelines required for fully reliable digital identification. One of the most notorious cases we have seen is the 'fintech' N26: a German bank that allowed customers to open an account in just a few minutes.
As 'El Confidencial' revealed, its document validation method was weak, to say the least: a couple of photographs of both sides of an ID card were enough to open a fraudulent bank account. In this way, anyone who found or stole an ID card could operate and carry out all kinds of transactions in the name of an innocent victim, without N26's security system ever flagging that account as fraudulent.
This serious security flaw is not only a risk for the bank; it also clearly breaches the strict rules against money laundering and terrorist financing established by SEPBLAC and included in the Regulation implementing Law 10/2010, which requires the real identity of the person opening an account to be validated in every case, whether face to face, through an assisted video call, or with automated systems such as those provided by ADDALIA.