WP3 “Threat assessment and economical aspects”, December 2015

Tackling identity theft with a “Harmonized framework, allowing a sustainable and robust identity for European Citizens.”

D3.1: Report on ID threat for both national and industry delivered ID

Deliverable ID: D3.1
Deliverable Name: “Report on ID threat for both national and industry delivered ID”
Status:
Dissemination Level: PU
Due date of deliverable: M18
Actual submission date:
Work Package: WP3
Organisation name of lead IDP contractor for this deliverable:
Author(s): Charles de Couessin, Raul Sanchez Reillo, Judith Liu Rimenez, Raimonda Admine
Partner(s) contributing: Leva Jansone, Marino Di Nillo, Marek Tits, Giogia Lodi, Sebastien Lethiec

This project is funded as a FP7-SEC-2013.1.1-2: “Stronger Identity for EU citizens” – Capability Project. The project has received funding from the European Community’s Framework Programme (FP7/2007-2013) under the Grant Agreement n° 607049.

Copyright by the EKSISTENZ Consortium

History

Version | Date | Modification reason | Modified by
0.1 | 04/11/15 | Structure | Charles de Couessin

Table of contents

History ... 2
Table of contents ... 3
List of figures ... 5
List of abbreviations/acronyms ... 6
Executive summary ... 7
1 Setting the scene ... 9
1.1 Physical vs cyber world ... 9
1.2 Physical world identification ... 10
2 Definitions ... 13
2.1 The situation ... 13
2.2 Origin of ID fraud ... 14
2.2.1 ID fraud in the physical world ... 14
2.2.2 ID fraud in the cyber world ... 15
2.2.3 Physical ID vs digital ID ... 17
3 Taxonomy of relevant ID documents ... 18
3.1 Government ID documents ... 18
3.1.1 Credentials ... 18
3.2 Taxonomy of relevant government ID documents ... 19
3.2.1 National ID card ... 19
3.2.2 The breeder documents ... 20
3.2.3 Driving licenses ... 23
3.2.4 The passport ... 23
3.2.5 Fraud packages ... 24
3.3 Industry / private sector ID documents ... 25
3.3.1 Healthcare ID ... 26
3.3.2 Telcos ID ... 28
3.3.3 Bank ID ... 31
4 Taxonomy of ID theft / threats ... 35
4.1 Government ID theft / threats ... 35
4.1.1 Delivery ... 35
5 Consequences of ID theft ... 37
5.1 Consequences of government ID theft ... 37
6 Cyber ID theft ... 40
6.1 Cyber threat vs physical threat ... 40
6.2 Cyber theft against government ID ... 40
6.2.1 Setting the scene ... 40
6.2.2 Critical data in the cyber world ... 41
6.2.3 Most frequent cyber attacks ... 42
6.2.4 Cyber world attacks against government documents ... 43
6.2.5 Typology of attacks against “government” documents ... 44
7 Taxonomy of victims ... 47
7.1 Internet usage in the MS ... 47
7.2 Mobile as a new vector of internet damages ... 50
8 Taxonomy of countries ... 52
8.1 Taxonomy of countries for ID theft ... 52
8.1.1 Social and geopolitical context ... 52
8.1.2 Scam emails or phone calls as a means to get access to individuals’ details ... 57
9 A country use case: identity theft in Latvia ... 58
9.1 General situation ... 58
9.2 Uses of stolen documents and related crimes ... 58
9.3 Actions of an identity fraud victim ... 59
9.4 Most common types of identity theft in Latvia ... 60
9.4.1 Criminal identity theft ... 60
9.4.2 Driver’s license identity theft ... 64
9.4.3 Financial identity theft ... 64

List of figures

List of abbreviations/acronyms

EU: European Union
ICAO: The International Civil Aviation Organization
WP: Work Package
EAC: Extended Access Control
BAC: Basic Access Control
SIM: Subscriber Identity Module
ID: Identity
MoC: Match-on-Card
IVR: Interactive Voice Response
PIN: Personal Identification Number
TC: Technical Committee
EN: European Standard
NIR: UK National Identity Register
OCMA: Latvian Office of Citizenship and Migration Affairs

Executive summary

Citizens become more and more aware of internet risks and have changed their habits because of security concerns, for example by not giving out personal information or not opening e-mails from unknown sources. The percentage of “internet awareness” is increasing in proportion to the provision of new infrastructures and services. As stakeholders – both government and industry – shall implement countermeasures, it is worth recalling that there remain considerable variations between countries and between socio-demographic groups (age, level of education) with regard to internet access, expertise and awareness of potential threats.

On average, half of internet users have had malicious software on their equipment; but even though the proportion of real victims of ID theft remains quite low (7% on average), the consequences – social, financial – can be extremely severe. As in the physical world, gaining access to credentials opens the door to multiple scenarios, such as connecting to on-line services on behalf of the victims, as well as building a new identity from the various data collected via social networks and internet providers.
Many issues shall be raised with regard to ID theft in the physical world. Government documents – driving licenses, ID card, passport, resident permit – get more and more secure and take advantage of a seamless delivery procedure. But the weakest point remains the availability of key credentials – date and place of birth of the applicant and parents – from social networks or open databases, which can be accessed quite easily for illegitimate purposes. Certain EU funded endeavours¹ are assessing both how to better structure breeder documents to avoid fraud and how to strengthen the link with the holder to ensure that he is its real “owner”. But, at this stage, one shall admit that impersonating another individual is not a difficult challenge.

What will be the future of physical identity? Shall the physical ID be controlled by means of an IT infrastructure at any usage, like a hotel stay, car rental or access control to a secure building? Do we want to live in a world where a habit of confidence is replaced by one where credentials are not recognised unless cyber tools replace human judgment?

Concerning the internet world, the authentication procedure will immediately confirm the legitimacy of the applicant when connecting on-line. As for the current credit card infrastructure, revocation tools will be implemented to counter any fraudulent attempt once a theft has been declared. As mentioned in the previous paragraphs, it will be the role of technology and infrastructures to replace the trust and confidence which have ruled relationships since the beginning of human exchanges. As in the physical world, enrolment will remain the weakest stage of the process, as basic credentials will be more and more available from open source data. Identification and authentication do not constitute the main risks when connecting on-line, compared to the malicious software and spam that can attack individuals.
Counterfeit websites, insecure providers and software updates shall be considered the main threats today. Even though our citizens consider themselves aware of internet risks, fraudsters are implementing extremely invasive tools that can generate more severe damage – access to diary, address book, credentials – than an illegal connection to a secure website.

¹ ORIGIN http://www.origins-project.eu/links/ and FIDELITY http://www.fidelity-project.eu/

1 Setting the scene

1.1 Physical vs cyber world

The evolution of society, facilitated by the diffusion of Information and Communication Technologies (ICT), poses a number of security challenges that can no longer be ignored. The increasing use of social networks and other digital means to carry out everyday operations leads one to wonder about the future role of physical identities, and whether digital identities will change the ways through which every person identifies and then authenticates to obtain whatever service. In order to understand the possible trends in the usage of digital identities in contrast to physical ones, it is worth distinguishing between two aspects: identification and authentication. In general, identification refers to the action of a person claiming to be somebody. In the digital world, identification simply entails providing some sort of username. Authentication is a step further, since it involves all the operations that allow a person to prove (s)he is who (s)he declared to be. In the digital world, authentication comprises all those means (e.g., password, one-time token, etc.) used to demonstrate that a username is exactly the one asserted.
From the state of the art conducted in the context of WP2 of the EKSISTENZ project, it turned out that European trends in using only digital identification means, in contrast to physical ones, are extremely heterogeneous and differ from country to country. Whereas some Member States started promoting and imposing by law the usage of digital identification means years ago (e.g., Estonia), other states, such as Italy or Spain, seem still to face difficulties in letting these means take off. This may be caused by a variety of factors: cultural limitations and habits, lack of available online services, and complex online services that are more a digitalization of old-fashioned processes than renewed processes that exploit the advantages offered by ICT. Owing to these considerations, it is likely that physical identification of people will not be replaced so easily in the short term: even in scenarios where most services, both private and public, will be available only online, society needs to clearly identify its members, and new digital approaches have to be accepted and used by that society. However, with a larger number of States ready to embrace electronic identification means, physical documents can be substituted by their electronic versions. In this sense, we claim that these changes will be even more effective if the relevant legislation in the States is capable of promptly adapting to the evolutions we are witnessing, imposed by the increasing pervasiveness of ICT. A confirmation of this statement comes from the new eIDAS directive, which is focussed on regulating transactions that may principally happen online, thus strongly requiring online identification and authentication mechanisms.
eIDAS, and other national regulations, represent significant drivers for the construction of a single digital market, paving the way to a larger availability of digital services and a higher number of interactions between enterprises, governments and citizens. Despite the inherent advantages that a digitalized service ecosystem can bring to society, it is also true that it can convey new opportunities for criminal activities of various types, potentially leading to new forms of criminal organizations. On one hand, in fact, we are observing new criminal threats such as sophisticated and distributed financial frauds carried out online and, on the other hand, we are witnessing traditional criminal activities that are undertaken thanks also to the pervasiveness of ICT means.

With the very recent tragic terrorist events, news about the sale at a very low price, on the dark web, of counterfeit physical passports or other physical identification documents is increasing. The presence of a virtual market capable of offering specialized products and services is transforming the way in which cyber threats and other criminal activities are conducted. Criminal groups are now more distributed and “liquid”, limited in time and formed on the basis of specific actions to be performed. They tend to use professional cybercriminal freelancers who sell them skills and tools for performing cyber attacks. In other words, crime-as-a-service is emerging, leading to a higher specialization of both cybercriminals and criminals who do not have the necessary technological skills to carry out cyber crimes by themselves. In this scenario, sensitive data, such as data regarding the identities of people, will be important targets for criminals.
Cloud computing, big data and Internet of Things paradigms, as well as the massive use of social networks and smart devices by anyone, are pushing towards an increasing collection, processing and storage of data of various natures, augmenting the points of access to the network and the probability of intrusions that exploit those accesses. Typically, the infringement of these types of data is committed through traditional frauds related to credit cards or bank credentials, phishing, other blackmail operations or cyber-spying. By reading a social network profile, it is also possible to obtain a vast amount of information on a possible victim that can then be exploited to commit crimes or to create fake accounts, due also to the rather unsafe e-ID mechanisms offered by social networks. The United Nations Office on Drugs and Crime (UNODC) estimates that identity theft is the most common type of consumer fraud and the most profitable form of cyber threat, capable of generating approximately 1 billion dollars per year as revenue on a global scale [1]. The same report states that the cost of identity theft using cyber techniques in the US was $780 million. Whether threats against identification means can be better prevented in a digital environment rather than in the physical dimension still remains unclear; certainly, the rapidness and pervasiveness of the digital world may require more sophisticated, accurate and smarter mechanisms for preventing cyber threats against the identities of users. This deliverable provides an assessment of ID threats for both national and industrial IDs, discussing, among other things, the possible taxonomies of ID threats, the victims and the countries in which the threats are monitored.
1.2 Physical world identification

Civil registries in Europe date back to the 17th century, but there remains a long way to go until the current credential, constituted of the three main tangible data – name, surname, date of birth – is recognised as a means to authenticate an individual. The modern passport template transposes a European vision of the world: a link to the father's (community) name, preceded by a prefix so as to indicate the relationship towards the community, and the effective date when the birth occurred. But this pattern is very specific and does not at all reflect the variety of cultural habits that affect the way individuals are (or are not) registered. For these reasons, Europe meets considerable issues when trying to transpose foreign credentials. In many geographic areas, family names are not fixed and stable, since individuals' names may refer to animals or natural phenomena, while what we consider as “surname” is only a part of a longer sentence that designates an individual. Furthermore, surname and name are not mentioned in the same order that we are used to in Europe, whereas the date of birth corresponds to a well established social framework where new-born babies are registered from the very minute of their birth. In certain countries, due to high mortality rates, babies are not immediately registered in civil records – or not at all – but later on, when the child is considered as stable for life. Not to mention that in other geographical areas, the time of conception is recorded as more significant than the birth date. All the issues mentioned above confirm the difficulty of aligning the European way of registering credentials with the various existing schemes, and the inconsistencies generated when transposing names and dates to meet our European coding scheme.
Figure 1 ICAO: Identity fraud will replace travel document fraud due to the sophistication of the new generation of passports

For these reasons, the concept of identity fraud shall be addressed carefully so as to match the various situations encountered by Member States due to migration issues. As an example, foreigners will take advantage of the artificial nature of the ID they are awarded when coming to Europe and not consider this scheme as fixed, as it does not correspond to their cultural encoding system.

Figure 2 Shop proposing to reproduce, print or design any kind of ID document

As shown in the drawing published by ICAO (Fig. 1), the manufacturing of travel documents has gained considerable skill in fighting fraud and counterfeits. For this reason, current frauds will address more the “identity” itself – or access to the credentials – rather than the supporting documents. This means that both “breeder documents” and “birth certificates” will become the cornerstone of further ID production. Therefore, these shall be ruled by new standards and delivery procedures to match the current threefold scheme (name, surname, date of birth), which might easily be captured from the internet and social media. Credentials have always been linked to individuals by religious, medical or cultural records and materialised by means of tokens (paper, plastic, polymers, etc.) to allow individuals to authenticate themselves, since there is no need to carry a passport for many “low security” physical controls like renting a car, accessing a building or a gym club, or being delivered a registered mail. This means that the majority of societal activities do not require a strong authentication procedure, individuals being used to trusting each other during physical contacts or when engaging in business relationships.
As several thousand different ID card patterns (national, resident, driving licences, student, etc.) exist in the world, there is a strong counterfeiting market catering for low authentication demands, which constitute the majority of situations in the physical world. In South East Asia, specialised shops are able to produce any kind of ID document, either based on a model to be counterfeited, or by producing a “fancy” pattern which has no chance of being recognised, as there is no “world” database of ID documents currently in use. Fortunately, passports require professional skills and therefore shall be manufactured by dedicated and professional printers, rather than street shops as in the picture here (Fig. 2).

Figure 3 Certified copy of a breeder document

2 Definitions

2.1 The situation

Identity theft was considered one of the main complaints in a market study made in 2013 by the US Federal Trade Commission. It represents 14% of the complaints, ahead of many other claims made by individuals. As “identity theft” might cover multiple cases, it is worth defining this concept, since it is often misleading and regroups multiple patterns for both the physical and cyber world.

Figure 4 Ranking of consumer complaints by the Federal Trade Commission

The two main cases can be summarised as follows:

Identity theft: ID impersonation, ID misappropriation

As it is not literally possible to steal an identity, this concept means that an individual can access enough information about someone’s ID (name, birth, addresses, etc.) to impersonate him for various legitimate or illegitimate reasons. The “victim”, or complacent ID provider, can be alive or deceased; but the ID bearer utilises a genuine ID document. The “victim” can accept this situation, such as to help someone during a war situation.
But stealing an individual’s identity does not, on its own, constitute identity fraud, and this is an important distinction, as there might be no fraudulent usage of this ID apart from bearing another name than one’s own.

Figure 5 Passport credentials are often available on social media

Identity fraud (an action is carried out)

Identity fraud concerns the consequences of an ID theft or the usage of a fake ID. It corresponds to an illegal activity to obtain goods or services by deception in another person's name, without his knowledge or consent. In the world of ID fraud, there exist different types of supporting documents, which can be broken down as follows:

Category | Description | Market value
Forged | Changes are made based on the genuine document: modified data, pages inserted or removed, replaced photo, false stamps, etc. | Medium
Stolen blank | Recognised as Fraudulently Obtained Genuine (FOG) | High
Counterfeit | Total reproduction of the original document | High
Fantasy | Typical market for low authentication documents: national ID cards, driving licenses, resident permits, student cards that cannot be matched against a genuine pattern | Low

2.2 Origin of ID fraud

In the physical world, very crude methods and habits allow access to one’s data. As detailed by the table below, no sophisticated skill is required to get a minimal set of data and impersonate an individual. For the majority of cases, amateur pickpocketing skills are sufficient to steal some pieces of ID and conduct illegal activities. Surface mail and dumpster diving are certainly among the easiest ways to get access to critical information: name, address as well as specific account details (telcos, banks, social benefits, health records…). It is well known that mail boxes during vacation periods might contain a wealth of information that can be easily stolen and further exploited.
Business and personal activities constitute easy targets since, in both cases, there is no systematic procedure to destroy critical information or protect mail boxes and dustbins².

2.2.1 ID fraud in the physical world

It is worth considering that the majority of illegal activities aiming at stealing personal data can be conducted by individuals rather than being performed as business practices. This does not exclude that these data can later be exploited by very structured criminal networks rather than by the individuals themselves. Once an ID document – or critical data – is stolen or obtained in an illegal manner, it can be exploited by a criminal network in a real business mode. The same credentials can be distributed to multiple individuals, along a specific cycle which depends on their life span and on whether they will be recorded by law enforcement agencies. But, contrary to passports and ID cards, which can be recorded in Interpol databases, certain “low security” credentials (driving licenses, student cards, resident permits) will never be checked against databases for standard usages in the physical world.

² Based on a market study. For individuals: 30% of the bins analysed contained more than 2 documents with personal data. For corporate activities: 42% declared that their companies do not have a global policy to protect identities; furthermore, there is no policy to destroy sensitive data. 27% of bins surveyed contained sensitive data (clients or employees).

Physical world | Degree of technicality | Origin
Retail transaction | Medium | Business
Stolen purses / wallets, pickpockets | Medium | Personal
Stolen personal documents | Medium | Personal
Stolen surface mail | Low | Personal
Dumpster diving | Low | Personal
Deceased person | Medium | Personal
Shoulder surfing | Low | Personal
Dishonest employees, corruption | Medium | Business
Call centers | Medium | Business
Imposters | Medium | Personal
End of business relationship | Medium | Business

2.2.2 ID fraud in the cyber world

Attacks against ID in the cyber world require more sophisticated skills. They might be launched by individuals or robots against series of IP addresses or e-mail addresses, accepting that a significant percentage might fail. As the on-line world does not establish direct contact between the parties, each module in the transaction chain constitutes a point of weakness.

User: the user is the weakest point in the chain, as he might open suspicious mails without any care or avoid installing minimal barriers (firewalls) to prevent attacks.

Equipment (hardware, software): computers, smartphones and tablets might be vulnerable to viruses, Trojans, worms, etc., irrespective of the degree of awareness of the user.

ISP: security breaches. Service providers might generate severe security breaches, as they constitute the link between users and the content carried by the network. Even though they are usually well equipped, they might constitute a target in certain countries, considering that the concept of ISP applies both to telcos and private Wi-Fi providers. Wi-Fi provision in public areas (hotels, public transportation, conference centers) is certainly a weak link in the chain, as many travellers are eager to access their mails during travel, meals or any free time without realising that they are using a private module, open to external attacks (or generating these attacks).
In many companies, corporate rules forbid using both local and Wi-Fi ISPs for security reasons. Travellers might be allowed to access points of contact to a private network, with the risk that the last piece of the connection chain might become a target.

Service providers: these stakeholders bear a strong responsibility in the security landscape, as they store much critical information about their customers: name, physical address, IP address, mail, billing references, etc.

Web sites: counterfeit websites constitute typical targets for illegal activities, as users might connect without realising a slight URL difference whereas the layout and content exactly counterfeit the target website.

Cyber world | Degree of technicality | Origin
Social engineering | High | Business
Hacking computer system | High | Business
Phishing campaigns | High | Business
Database attack | High | Business
Account hijacking | High | Business
Forged social network account | Medium | Business
Stolen computer, smartphone | Medium | Business
Exploiting used IT equipment | Medium | Business
Contactless readers | High | Business
Storage media, USB memory | Medium | Business

Even though computers still represent the main share of connecting devices, tablets and smartphones will in the future constitute a rather significant share of consumers, as detailed by the market study below; having in mind that many individuals use smartphones, tablets and computers simultaneously or successively, each representing a target in the connection chain.

Figure 6 Eurobarometer on Cyber Security: the growing share of smartphones

As all equipment shares the same e-mails, files and storage facilities, any attack successfully performed against one of them might be replicated to all devices.
Even though computers benefit from a large range of software tools, smartphones and tablets constitute new and easy targets, as defence capabilities are not that efficient and adapted to the various operating systems.

2.2.3 Physical ID vs digital ID

Physical ID | Degree of technicality for getting access | Usage
Home address | Low | Government and secondary ID
Given name | Low | Government and secondary ID
Christian name | Low | Government and secondary ID
Social Security number | Medium / low | Health benefit
Birth date | Low | Government and secondary ID

As individuals are more and more eager to communicate about their lives by means of social networks, their basic credentials are extremely easy to identify. Birthday dates are communicated to relatives or social networks, and often the location of birth is indicated to facilitate identification. These very basic data are enough for the provision of multiple low security IDs that will be utilised in the physical world without any check against a database for conformity.

Digital ID | Degree of technicality | Usage
IP address | High | Access to critical accounts
User name / login | High | Access to critical accounts
Password | High | Access to critical accounts
PIN code | High | Access to critical accounts
Account data | Medium | Access to critical accounts
Social network account | Low | Access to network

Physical ID and credentials might be used in the real world for illegal activities once stolen, provided that the authentication level remains low and that there is no connection to law enforcement databases, which is the case for the majority of controls; but they do not benefit from the leverage effect that the digital world provides, where authentication modules allow connection to various facilities.
3 Taxonomy of relevant ID documents

3.1 Government ID documents

3.1.1 Credentials
As stated by IMS Research, ID cards constitute the main share of government ID credentials, driving licences being second, ahead of health cards and passports, since many people do not travel and do not need to bear such a secure document, which can be securely controlled against law enforcement databases.

Figure 7 IMS Research: Type of government credentials in use

The majority of government credentials currently in use in the real world are not controlled and checked for authenticity. There is no standard pattern for ID cards, even though several countries have tried to regulate the provision of national credentials, as was the case for the European Citizen Card [3]. Driving licences follow the same rules: even though the international standard ISO/IEC 18013 provides a highly secure pattern to ensure the authenticity of the document and to confirm the link with the bearer by means of PIN code and biometric authentication (Part 3 of the standard covers access control, authentication and integrity validation), the European Directive [4] only retains a few features from the ISO standard and leaves the Member States (MS) a large flexibility of implementation. Considering that passports are over-dimensioned for current usages (access control to public buildings, staying in a hotel, domestic air travel, hiring a car, opening a bank account, etc.), individuals use extremely low security credentials for a wide range of real-world activities which do not require government clearance. The lack of authentication features in the physical world (PIN code, biometrics, etc., to confirm that the bearer is the real "owner" of the credential) certainly constitutes one of the main weaknesses of interpersonal relationships and does not match the current security context.

[3] The European Citizen Card (ECC) is the standard produced by CEN TC224 WG15. Since MS have different strategies for the provision of national ID cards, the initiative remains a technical specification without any obligation to implement it. The eIDAS Regulation has widened its scope by allowing both government and industry to implement ID infrastructures with different security levels.
[4] Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences (Recast) (Text with EEA relevance). http://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=celex:32006L0126

As an example, 10 million wrongly attributed health cards (out of 60 million) are currently in use in France [5]. Even though there is a photo, its quality does not allow a reliable match, whereas proposals for a secure PIN code (older and sick individuals would not be able to authenticate) and biometric attempts have failed, since medical care for all is considered a fundamental right, even if provided under a false ID. Due to illegal immigration, many foreigners use low quality counterfeited credentials without any possibility of controlling their legitimacy for standard usage. The identification rate of these documents is extremely low [6]. As the law must respect the presumption of innocence, courts cannot sentence individuals whose real identity cannot even be proved. Due to the new Driving Licence Directive, many countries are in a situation where several patterns are currently in use [7] without systematic means of controlling their authenticity. Furthermore, the increased cost of being granted a licence [8], together with the penalty system for speeding offences, has leveraged the use of wrong documents [9]. For France alone, an estimate of 2.7 million wrong driving licences currently in use is considered: 700,000 for driving, whereas the other 2 million are used for identity purposes [10].
In many African countries, driving is considered a "right" for individuals above a certain age, independent of their ability to pass the licence test: they just need to pay to get it. Due to bilateral agreements with Member States, they might be granted an official DL on arrival in Europe. Alternatively, there is also the possibility of showing an almost "true" DL from a Member State when back in their country, so as to be granted an official DL that will later be exchanged for a Member State DL once back in Europe. This modus operandi can be applied to other government cards and generates a flow of authentic documents of wrong origin.

3.2 Taxonomy of relevant government ID documents
For the purpose of the study, it is worth restricting our research to a set of government documents that both generate value for their holders and require verification against their civil status.

3.2.1 National ID card
As there are many research projects and reports on ID cards in Europe, it is not the purpose of this document to carry out a new study of how they are delivered and what their security features are. But, apart from certain MS [11] where the ID card is mandatory and its provision is connected to a national civil registry, in most EU countries either it does not exist (UK) or its usage is optional. In these cases, the card is delivered on the basis of a breeder document or of the key credentials contained in the breeder document (date and place of birth of the applicant and of his parents). As there is no direct link between the applicant and his breeder document, the national ID is certainly a weak module in the identity chain. Even though certain MS are considering how to include biometrics in a chip, the lack of a strong link with the "birth records" will remain an issue. All attempts to include authentication and signature certificates will ascertain the connection between the card holder and his physical being, rather than between the individual and his birth records. Even though ID cards are currently accepted for standard usages in the physical world, it is worth recalling that they can be obtained on the basis of basic credentials (date and place of birth) that are already widespread on social networks. As the principle of biometric matching has not been retained by many countries, the ID card cannot be considered a high authentication means.

[5] Christophe Naudin. Alias. La Table Ronde, Paris 2005.
[6] Christophe Naudin. Alias. Paris 2005, p.72. The average identification rate of fake documents is 1/25. Furthermore, there is only 1 sentence for 5 legal cases.
[7] In France 5 different driving licences are currently in use.
[8] Average cost is 2000-3000 Euros in France.
[9] Average share of drivers without DL: France 4%, UK 3%, US 3%. Christophe Naudin. Alias. Paris 2005, p.80.
[10] The average cost of a DL is 300-500 Euros. Christophe Naudin. Alias. Paris 2005, p.80.
[11] A list of MS shall be provided.

3.2.2 The breeder documents
A very loose definition of a "breeder document" would simply be: a document that allows you to obtain other documents. This generic term comprises different categories of documents, such as the various types of birth certificates and the family booklet. But we should recall that the concept of birth is not equally shared by all countries: certain civilisations consider that the only date to be recorded is the child's conception, whereas other countries wait a significant period after the birth, due to high child mortality. Having been granted a mandate from the UN to define a standard for travel documents, ICAO has launched its TRIP (Traveller Identification Programme) initiative, which considers that identity is the cornerstone of the various travel phases.
Under the banner of EOI (Evidence of Identity), Member States have initiated various activities addressing breeder document issues [12]. In particular, ICAO has defined a set of guidelines for governments called the TDIA (Travel Document Issuing Authority) issuance process, which provides recommendations with regard to the documents, civil registry records, databases and other media used to validate an applicant's identity, with the following objectives:
- Evidence that the claimed identity is valid: the identity exists and the owner of that identity is still alive;
- Evidence that the presenter links to the claimed identity;
- Evidence that the presenter uses the claimed identity: the claimant is operating under this identity within the community.

[12] Status: Draft 4. Date: 1 March 2013. Part of the TRIP programme. Transfer from TAG/MRTD to the ICBWG (Implementation and Capacity Building Working Group).

Since many countries do not own civil registries or central birth databases, the TDIA shall:
- Ask for documents that show that the identity exists, such as a birth or citizenship certificate. Documents should ideally be validated against source data to combat the risk of forged breeder documents.
- Check against death records to guard against fraudulent applicants using the identity of a deceased person.
- Bear in mind that there may be multiple valid versions of breeder documents available for use.

Considering that the concept of "breeder document" itself is a European vision of birth status, ICAO opens the debate further by accepting to recognise various procedures as a means of ascertaining the identity of an individual. For this purpose, the EOI working group considers that an identity might be the combination of three elements:
- Attributed identity: the components of a person's identity that are given at birth: full name, date and place of birth, and parents' names.
- Biometric identity: attributes that are unique to an individual, e.g. fingerprints, voice, iris pattern, hand geometry.
- Biographical identity: a person's social footprint, built up over time:
  o life events and how a person interacts with society;
  o details of education/qualifications, electoral register entries, employment history, and interactions with organisations such as banks, utilities and public authorities.

Figure 8 The ICAO EOI, Evidence Of Identity program

Due to the lack of civil registries, ICAO is currently considering how various documents might demonstrate that the applicant uses his identity in the community, as a social footprint. This approach is certainly more reliable than birth certificates, due to the number and variety of documents that might confirm the identity of an individual. Therefore, the social footprint supports the claim that the applicant links to a particular identity, especially where no other evidence is available.

Foundational documents represent the multitude of evidentiary documents issued to record a person's birth, death, or point of immigration or naturalisation. They are usually issued by authorities to establish an identity and confirm citizenship. Used in combination with other supporting documents, they provide part of the evidential process required to give confidence that an individual is the true "owner" of the claimed identity. The fundamentals of ICAO's protocols for the acceptance of citizenship documentation are the following:
- Accept only original documents or copies certified by the issuing authority;
- Verify documents against electronic / centrally held records;
- Preferably accept only documents that are currently valid;
- Accept only full birth certificates (full birth certificates list gender and parental details, as well as name, date, place and country of birth);
- Require documented evidence of any name change.

One should not forget that an ID is a living identity from birth to death and shall include all social events of the individual's life. Therefore, civil registration is a system by which governments record the vital events of their citizens and residents: birth, death, marriage, divorce, adoption. Furthermore, a decentralised approach is always preferred, so as to avoid putting citizens' privacy at risk.

It is worth mentioning how international organisations like ICAO are currently addressing the issue of breeder documents, by considering that a certifying procedure or a combination of documents might be substituted for the provision of a government-delivered document. Many activities are currently carried out to provide guidelines, recommended practices and standardisation for a standard breeder document that would be accepted worldwide and contribute to the delivery of more advanced documents like passports and ID cards. But there will still remain a lack of a strong "physical" link between individuals and their breeder documents. Society might contribute to establishing a "social footprint", whereas an individual may take advantage of various documents and combine them to be granted a fake identity. The breeder document is certainly the basis of ID provision, but it is also its weakest link, as it constitutes the cornerstone of more "operational" documents that will be used for physical-life activities. Certain countries (e.g. France) have cancelled the usage of breeder documents, considering that they can be obtained in an illegal manner. They only require, for the provision of government documents, the credentials (date and place of birth of the applicant and his parents), information that is already available from social networks!
Considering the lack of a strong link between individuals and their breeder document, this kind of credential does not match the level of security required by the modern world. We consider that it shall not be used "alone" but should be supported by another ID if used to prove one's identity.

3.2.3 Driving licences
In many countries, a driving licence can be used for identification purposes. The US is certainly the best example, considering that only a minority of citizens travel and would require a passport. The paradox is that a DL can be purchased on the internet or bought from an illegal agency, although it will in the future become a true identity document or a piece for the provision of a more ambitious credential like a passport. Even though ISO has contributed a detailed standard, ISO/IEC 18013, it mainly addresses the delivery procedure, layout and security features. In many countries lacking a secure birth registry (e.g. South Africa), the DL becomes a recognised credential, since driving is considered a right. In many African countries, individuals purchase their DL as they are unable to pass the government exam, and the document further constitutes their proof of identity. Even though the driving licence has been considered an ID, it is worth raising the issue of its legitimacy, even for low security authentication. It seems limited to national usages: individuals willing to travel, even within a "domestic area" like the Schengen zone, will need a higher security document to prove their ID, even for standard usages such as booking a hotel room, travelling by air or carrying out bank activities. Considering that the credentials needed to obtain a driving licence can be obtained from social networks, it cannot be considered a highly secure ID document. However, national usages can be considered in certain Member States, as many citizens use them in place of national ID cards.

3.2.4 The passport
The European passport is certainly the most secure ID document, as it allows a match between individuals and the biometrics contained in the chip [13]. However, the lack of a strong link between individuals and their breeder documents certainly constitutes the weak module of the provision process. As detailed in the previous paragraphs addressing national ID issues, a passport is delivered on the basis of basic credentials (date and place of birth) which are available from social networks. Additionally, many countries do not control the likelihood of passport "duplicates". As passport delivery is not handled as a criminal case, government agencies do not perform a prior search to check that the applicant is not registered under another name. As mentioned by ICAO, since the delivery process and the security features have reached a high level of security, fraud against passports themselves has considerably decreased compared to fraud against identity.

A major issue for the usage of the passport for authentication remains chip access. The chip is protected by several security protocols (passive authentication, BAC, EAC), which do not all restrict access to the same extent. Passive authentication only verifies the issuer's signature over the data groups and can be performed by any verifier holding the issuing state's CSCA certificate. Basic Access Control (BAC) derives the chip access keys from the machine-readable zone (MRZ), so any reader that can optically read the data page can also read the MRZ data (DG1) and the facial image (DG2). Only Extended Access Control (EAC), whose terminal authentication requires a certificate chain issued by the document-issuing state, protects the fingerprint and iris data groups (DG3, DG4), and in practice only government-authorised inspection systems hold such certificates. This means that, even though passports shall be positioned at the highest level of the authentication procedure, current usages outside border control do not take advantage of the chip capabilities. Even though passports are the only ID documents to bear a secure link with their holders, this security feature is not exploited for standard usage in the physical world. However, the passport shall be considered the most secure document currently in use.

[13] Council Regulation (EC) 2252/2004 of 13 December 2004.
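The BAC key derivation of ICAO Doc 9303, as an added illustration that is not part of this deliverable: it shows that the keys protecting DG1 and DG2 are computed from three printed MRZ fields (document number, date of birth, date of expiry) plus their check digits, so whoever can read the data page can derive them, which is why BAC is a countermeasure against skimming rather than an authorisation mechanism reserved to governments. The document number, dates and resulting key values are the published worked example of ICAO Doc 9303 Part 11 (Appendix D); the code itself and the TD3 assumption that the document number is at most nine characters, padded with "<", are ours.

```python
"""BAC (Basic Access Control) key derivation as specified in ICAO Doc 9303.

Added example: this is not code from the EKSISTENZ report. The input fields
used at the bottom are the ICAO worked example values (Doc 9303 Part 11,
Appendix D), not data from the report.
"""
import hashlib

# ICAO 9303 check digit: weights 7, 3, 1 repeated; '<' counts as 0,
# digits as their value, letters A..Z as 10..35.
_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    if ch == "<":
        return 0
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> str:
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Concatenate the three MRZ fields with their check digits (MRZ_information)."""
    doc = doc_number.upper()
    if len(doc) > 9:  # assumption: TD3 (passport) layout, 9-character document number
        raise ValueError("document number longer than 9 characters is not handled here")
    doc = doc.ljust(9, "<")  # the document number field is padded with '<' to 9 chars
    for d in (birth_yymmdd, expiry_yymmdd):
        if len(d) != 6 or not d.isdigit():
            raise ValueError("dates must be YYMMDD")
    return (doc + check_digit(doc)
            + birth_yymmdd + check_digit(birth_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))


def _adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so that each byte has odd parity."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)


def derive_3des_key(k_seed: bytes, counter: int) -> bytes:
    """Doc 9303 KDF: SHA-1(K_seed || counter), first 16 bytes, parity-adjusted 2-key 3DES."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return _adjust_des_parity(digest[:8]) + _adjust_des_parity(digest[8:16])


def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> dict:
    """Return MRZ_information, K_seed, K_enc and K_mac for one passport data page."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]  # K_seed = SHA-1(MRZ_information)[0:16]
    return {
        "mrz_information": info,
        "k_seed": k_seed,
        "k_enc": derive_3des_key(k_seed, 1),  # counter 1 -> encryption key
        "k_mac": derive_3des_key(k_seed, 2),  # counter 2 -> MAC key
    }


if __name__ == "__main__":
    # ICAO Doc 9303 worked example: document L898902C, born 1969-08-06, expiring 1994-06-23.
    keys = bac_keys("L898902C", "690806", "940623")
    for name, value in keys.items():
        print(f"{name:16s} {value.hex().upper() if isinstance(value, bytes) else value}")
```

Everything the derivation consumes is printed on the data page, and the three fields together carry far less entropy than the 112-bit 3DES keys suggest (a date of birth, a validity period and a document number that is often sequential), so BAC keeps the face image away from a reader that never saw the booklet, but not from a hotel clerk, a car rental desk or a smartphone app that did. The fingerprint data groups are the ones whose reading needs a terminal certificate under EAC, and that, not BAC, is where the "government only" restriction actually lies.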
3.2.5 Fraud packages
As data protection bodies do not allow consolidating databases from different origins, illegal migrants or even unemployed people are offered typical "fraud packages" that might include enough data to be granted social benefits: electricity bills, national ID cards, health cards as well as salary sheets, for a cost of 1500-2000 Euros [14]. Even though the quality might not be excellent, it might be sufficient to obtain some social advantages. The fraud market has grown exponentially, due to the lack of authentication means in the physical world. The cost of a document depends on various factors: validity duration and content/state. A blank passport stolen from a government agency has a considerable value, whereas a similar low quality counterfeit document will not be that attractive, since border police and qualified staff will quite easily detect the fraud. Any stolen document has a significant price, but lower than a blank stolen credential, since a certain skill is required to replace the photograph and modify critical data. Criminal networks take advantage of the low knowledge of illegal residents to get rid of bad quality documents. In case of being identified, the fraudster becomes once again a victim of this underground market and purchases a new (or better quality) credential in exchange for illegal activities, such as smuggling goods, drugs or human trafficking.

Type of document | Duration | State | Value
National ID card / passport | 10 years | Stolen | Medium
National ID card / passport | 10 years | Counterfeit | Low
National ID card / passport | 10 years | Blank | High
Resident permit | 5 years | Stolen | Medium
Resident permit | 5 years | Counterfeit | Low
Resident permit | 5 years | Blank | High

[14] Christophe Naudin. Alias. Paris 2005, p.82.

Short term and temporary resident permits are not that valued, as they are associated with precarious situations. In parallel to authentic government credentials, fraudsters also provide a multitude of fantasy documents (World ID, European Refugee, Atlantic Driving Licence, Monaco resident) which can be used for extremely low-level controls, despite their lack of legitimacy. Christophe Naudin [15], in his well documented report on ID fraud, details the market prices of the most demanded government documents:
- Blank stolen passport: 4000-5000 Euros
- Blank stolen licence: 3000 Euros
- Blank stolen licence: 1500 Euros
- Diplomatic passport: 15000 Euros
Not only credentials have a significant price; many other "official" documents are valued for their capability to generate social or professional benefits. In all cases, they shall be supported by an ID, which might be legitimate or not. As an example, university diplomas represent a means of accessing certain business activities, whereas pregnancy certificates allow the benefit of social allowances.

3.3 Industry / private sector ID documents
This section aims at setting up a taxonomy of certain sectors' ID documents. Considering the needs of industry, many secondary IDs can be found. The idiosyncrasy of how individuals' identification is performed is huge, and therefore the number of document types is considerable, due to the applications, scenarios of use, etc. When considering identification purposes in the private sector, it is worth noting that the features of the secondary ID document are designed to meet loss or theft issues. The theft or loss of a library card implies the impossibility of borrowing books, but there is no consequence to the user's ID and its integrity.

Figure 9 A SIM card can become an ID card

However, in the case of a credit card, the consequences are stronger for the various parties involved in a transaction: bank, shop and, of course, the customer himself. Of course, the efforts made in performing a secure identification have led to different strategies.
Since too many use cases might be considered, we have restricted our analysis to the following domains:
- Healthcare
- Telcos
- Banks
The reasons for choosing these are the following:
- Healthcare is a major target for ID fraud, leading to important economic losses, modification of medical records, etc. Additionally, healthcare identification is usually based on a face-to-face process.
- In some way, ID theft in telcos is the opposite situation: the losses are only economic; there is no direct damage to the impersonated user.
- Banks are one of the main domains suffering from ID theft. Both the real and the cyber world constitute targets of domestic and remote attacks. Face-to-face and online transactions are performed, each being subject to specific weaknesses.

[15] Christophe Naudin mentions that on 3 February 2004 a van was stolen; as it contained several thousand blank documents, its market value can be estimated in the range of 55 million Euros.

3.3.1 Healthcare ID
Healthcare is a typical sector which needs to securely authenticate users so that specific attention can be paid to individuals: access to services, getting an appointment, a suitable treatment, visiting a doctor according to medical policies. In Europe, both public and private healthcare coexist. Public healthcare is part of a statutory social security scheme. Different options can be met, such as using a national ID card or a dedicated device, depending on whether separate activities need different access control for both efficiency and privacy reasons.

National ID to access healthcare services
The use of a primary ID provides the following advantages:
- Security inherited from a government document, including countermeasures against fraud and attacks.
- Provision of a PKI infrastructure: digital signature, authentication certificates.
- Cost reduction by taking advantage of an existing infrastructure.
On the other hand, there are also some disadvantages:
- Strong security features are required to access different services, while only a subset of the data might be required for healthcare services.
- Specific identifiers are needed for each online service.

Separate device to access healthcare services
Several cards and options can be found:
- Plastic cards without magnetic stripe: identification is done by presenting the card; this can be complemented by matching the credentials with the primary ID. Security features may be implemented (printing or optical techniques). The owner's photograph is usually included for face-to-face identification purposes.
- Plastic cards with magnetic stripe: the stripe allows storing a set of data such as drug prescriptions. As the stripe can easily be read, physical countermeasures might be added.
- Plastic cards with chip: the chip allows implementing security controls (PIN, biometrics) so as to protect data that might be stored within the card or to access online services.

Figure 10 shows several examples of European healthcare cards: the two generations of the French "Carte Vitale"; both include secure chips for data storage, but the most recent one displays a photograph for identification. Spanish healthcare cards are issued at the regional level, with specific layout and technical features (Extremadura includes a chip, whereas Madrid shows only a magnetic stripe). In Spain, several attempts have been made to merge the healthcare card with the national ID; however, no political agreement has been achieved and each region continues to issue its own card.

Figure 10: Healthcare cards examples
Figure 11 Healthcare cards in Europe

It is worth recalling the initiative of the European Health Insurance Card (EHIC). This document is issued by the countries having a statutory social security scheme. It allows the bearer to get medical treatment while visiting another EU country (not while residing in another European country). The layout is similar for all Member States; it is a plastic card only, displaying basic credentials such as name, identification number, nationality, expiry date, etc. It does not provide any countermeasure or additional security feature.

Figure 12 European Health Insurance Card (EHIC)

3.3.2 Telcos ID
Mobile ID is becoming a new challenge for both governments and telco operators. As SIM cards are able to include high security features and store various categories of data, specific apps have been developed for both physical and remote access control purposes. Furthermore, recent advances in biometrics allow securely authenticating smartphone owners by means of face, finger or iris recognition. Selfies [16], minutiae or iris patterns might be stored in the chip and called by a government app to authenticate individuals [17] when accessing a restricted area or crossing a border. Mobile biometric authentication will constitute a very significant market in the coming years, as it will provide an alternative means of securing and processing mobile transactions. This increased level of security will be driven by the rise of identity theft and fraud and by the device's inherent capability to authenticate the user and secure his transactions. As an example, the US Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) recently launched an RFQ for the development of a mobile application able to capture biometrics on Android-based devices.
The proposed app should be able "to collect fingerprints and facial photographs for submission and receipt of a response, via an android-based application from any domestic location with cellular service", the FBI writes in contract documents released this week [18].

[16] Branddocs partners with BioID on e-signing with selfies (Planet Biometrics, http://www.planetbiometrics.com/article-details/i/3550/). Cloud biometrics firm BioID and digital transaction management solutions company Branddocs have announced a partnership to integrate BioID's mobile multimodal biometric authentication into Branddocs' eIDAS Cloud Solutions platform. The partnership would see BioID's face and voice recognition solution integrated with Branddocs' tailored platform for authentication, signature and secure custody of digital documents. "As digital signing becomes increasingly common, particularly in legal or financial matters, trusted user identity has become a critical issue. Innovative tools such as those from Branddocs make it easier to do business, without sacrificing security or trust," said Ho Chang, CEO of BioID. "We are glad to help Branddocs develop the next generation of trusted digital signing solutions." Saioa Echebarria, CEO of Branddocs, echoed these views on the potential of the project. "Digital signing relies heavily on trust. When dealing with contracts and other electronic transactions, it is critical to be able to count on the identity of the sender and signer," noted Echebarria. "Using BioID's intuitive face recognition with liveness detection we can offer our customers strong, fraud-resistant identity proofing that is as natural and reliable as signing face-to-face."
[17] Mobile facial recognition solution launched in Europe, 7 August 2015 (Planet Biometrics, http://www.planetbiometrics.com/article-details/i/3363/). Middlesex-based biometrics and identification tech firm Allevate has announced that it is bringing a cloud-based facial recognition server system designed for government and law enforcement agencies to Europe. Allevate says that by using Tygart's MXMOBILE FaceID System for smart mobile devices, European government and law enforcement agencies can access an MXSERVER system to identify suspects of interest on the move. "MXMOBILE represents a huge technological leap forward for agents in the field, providing them with the capability to identify individuals using facial recognition in virtually real-time," says John F Waugaman, president of Tygart Technology. Agents can now transmit photos or videos captured on their smartphone through the MXMOBILE application, to be processed by MXSERVER using automated face detection and recognition technologies. The faces in the photos or videos are then matched by MXSERVER against watch lists to offer a short, rank-ordered list of options that best match these faces, along with any other relevant information such as biographical information, known aliases and previous comments regarding the individual. In addition to field use for the identification of persons of interest (POI), law enforcement agencies can make MXMOBILE available as a citizen policing tool, providing citizens the ability to upload videos and photographs of suspicious behaviour. "Allevate has been working to make the power of MXSERVER, already utilised by defense and law enforcement agencies in the USA, available to European agencies," says Carl Gohringer, founder of Allevate Limited. "We are pleased to be able to offer MXMOBILE to put this capability directly into the hands of law enforcement officers on the move."

Different use cases can be met:
- A government issues a SIM card as a substitute or replica of its own ID card.
- A telco issues a SIM card that includes both authentication and signature certificates.

Government SIM cards
Estonia is certainly the most advanced country in providing ID-based SIM cards. The mobile phone is mainly used to securely access remote services by means of a PIN code. The smartphone duplicates the national ID card by containing its basic credentials: date and place of birth, delivery date, identification number. The mobile operator association GSMA is quite active in taking advantage of the Electronic Identification and Trust Services (eIDAS) Regulation to provide pioneering services based on telecom infrastructures. GSMA considers that the European Union is the first region in the world to benefit from a workable and balanced legal framework for the cross-border use of electronic identification (eID) and trust services [19]. The association states [20] that, by means of eIDAS, "citizens and businesses will benefit from higher security and more convenient access for a wealth of online services, such as submitting tax declarations, enrolling in a foreign university, remotely opening a bank account, setting up a business in another Member State, authenticating internet payments and bidding for an online call for tender, among others."
GSMA is very active in supporting needs for authentication and through the GSMA’s Mobile Connect solution which offers facilitated authentication services consisting of secure and convenient access to online services from a mobile phone, desktop or tablet21. 18 FBI seeks vendors for mobile biometric app 05 August 2015 13:56 GMT The Federal Bureau of Investigation (FBI’s) Criminal Justice Information Services (CJIS) is seeking vendors for the development of a mobile application that can capture biometrics on android-based devices. The app should be able to collect fingerprints and facial photographs for submission and receipt of a response, via an android-based application from any domestic location with cellular service, the FBI writes in contract documents released this week. The RFQ is a follow up to the Request for Information (RFI) that was released in the summer of 2014 which described the mobile biometric collection effort by the FBI to offer a Mobile Biometric Application (MBA) that will operate on the FBI Android based phone and tablet, currently the Samsung Galaxy S5 and Samsung Galaxy Tab 4. The software needs to be compatible with these devices and Integrated Biometrics’ Watson-Mini fingerprint scanner, notes the document. It also needs to utilize Wavelet Scalar Quantization algorithm for compression of fingerprint images captured at 500 pixels or greater. Meanwhile, it also has to have the capability to collect thumb slap/rolled impression fingerprints separately, to collect plain/rolled impression fingerprints and to collect fingerprints in a predefined order, among other requirements. 19 “The GSMA appreciates the work of the Commission and strongly supports the eIDAS regulation, which will help boost economic growth in Europe and the promotion and deployment of eID schemes across Member States,” said Afke Schaart, Vice President Europe, GSMA. 
[20] “The GSMA urges national governments and regulatory bodies to engage with the GSMA’s Mobile Connect initiative to help ensure that the unique strengths of mobile for identification and authentication are made available as widely as possible. Mobile identity services will play a key role in unlocking the potential of Europe’s digital and personal data economy and drive trust and confidence in the adoption and use of innovative digital content and services as we progress towards the Digital Single Market.” http://www.securitydocumentworld.com/article-details/i/12319/

[21] “The value of the GSMA’s Mobile Connect service for governments lies in its ability to drive an uptake in e-government services. Mobile Connect will provide increased convenience and accessibility for citizens, strong security and enhanced privacy, and lower implementation costs.”

A typical government app is border clearance, as proposed by the TSA for providing flight details in advance. The EC is considering how a similar application could be implemented at the eastern borders of Europe to securely automate the control procedures for commuters in the context of a Registered Traveller programme. Biometric authentication and secure access to a government database will constitute the basic infrastructure. The concept of Mobile Passport Control (MPC) is currently implemented in several US airports for arriving passengers. A dedicated Customs and Border Protection (CBP) MPC app allows passengers to submit their customs declaration via their mobile device. They then receive an encrypted QR code to present, along with their passport, to a CBP officer, who can complete the customs and immigration process. This is a typical service that aims to reduce queuing times by forwarding secure identification credentials.
TSA is currently investigating how to implement biometrics so as to ensure that the forwarded credentials belong to the mobile’s owner[22].

Telcos SIM cards

Telcos’ SIM cards constitute a typical example of secondary identity, as operators are required by law to check the ID of their customers[23]. In certain countries, telcos might provide complementary services such as payment or wallet[24]. However, there is not always a direct link between the SIM and the user, as is the case for prepaid cards. Regarding online services, users can be authenticated by various means, depending on the security level of the online service: login/password might be enough in many cases, before a signature certificate is used for contractual issues. As said before, biometrics will become a considerable market to ensure that online transactions are secured and initiated by the device’s owner.

[22] Mobile Passport Control is now available at five US airports, with San Francisco International Airport the latest to introduce the service. Mobile Passport Control (MPC) is now available to passengers arriving at San Francisco International Airport. The airport becomes the fifth to offer the service, joining Seattle-Tacoma, Chicago O’Hare, Hartsfield-Jackson Atlanta and Miami international airports. The FTE Award-winning U.S. Customs and Border Protection (CBP) MPC app allows passengers to submit their customs declaration via their mobile device. They then receive an encrypted QR code to present along with their passport to a CBP officer, who can complete the customs and immigration process. The service, which helps to reduce queuing times, can be used by US citizens with a valid US passport and Canadian citizens with a valid Canadian passport and B1 or B2 visa status. San Francisco International Airport Director John L. Martin said: “As international traffic grows at SFO, we continue to seek innovative ways to expedite the arrival process for our international travellers.
With the expansion of Mobile Passport Control to SFO, our customers now have an efficient new option that allows them to bypass a traditional queue.” Assistant Commissioner for Office of Field Operations Todd C. Owen added: “With the continued expansion of MPC, CBP is following through with our commitment to improving the international arrivals experience for travellers. CBP remains committed to making a traveller’s entry into the United States as secure, paperless, and efficient as possible.”

[23] In Spain, ID control became mandatory after a SIM card was used for detonation in the 2004 Madrid bombings.

[24] http://www.vodafone.es/particulares/es/descubre-vodafone/sacale-partido-a-tu-movil/wallet/

Access control by mobile

Considering the high level of security provided by mobile infrastructures, companies are considering how to merge security and convenience by transforming smartphones into trusted, easy-to-use digital credentials that replace keys and smart cards for access control. The objective is to open doors in restricted areas by means of mobile devices, taking into account the possibility of sending and revoking mobile identities in almost real time. Mobile access control therefore presents the opportunity to alter how we interact with our environment. Technologies such as NFC, Bluetooth, iBeam and iBeacon constitute the typical infrastructure to communicate with databases and monitor access. Emulating a credential by means of mobile devices requires building up an ecosystem in the form of Trusted Service Managers (TSM) to secure access to restricted zones.
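The Mobile Passport Control flow described above hands the traveller a QR code that the officer checks against the physical passport. The following added example (not code from CBP, TSA or the EKSISTENZ project) models what such a token has to carry for that check to mean something: a binding to the passport number, a validity window and a one-time identifier, all protected by a key held on the agency side. Because the issuing backend and the officer’s reader belong to the same organisation, a keyed hash (HMAC) is assumed in place of the production encryption scheme; the key, passport number, declaration and timestamps are constructed sample values.

```python
"""Declaration token of the Mobile Passport Control kind: issued by the border
agency's backend, carried as a QR code, checked by the officer's reader.

Added illustration, not code from CBP, TSA or the EKSISTENZ project. The real
MPC app returns an encrypted QR code; here backend and reader belong to the
same agency and share a key, so an HMAC (keyed hash) is assumed in place of
the production scheme. Key, passport number, declaration and times are
constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import secrets

AGENCY_KEY = b"constructed-sample-key-not-for-real-use"   # would live in the agency's key store
TOKEN_TTL = 4 * 3600                                         # assumed policy: valid for four hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(passport_no: str, declaration: dict, now: int, key: bytes = AGENCY_KEY) -> str:
    """Backend side: bind the declaration to one passport, a time window and a one-time id."""
    payload = {
        "passport": passport_no,
        "declaration": declaration,
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL,
        "jti": secrets.token_hex(8),        # unique id so the reader can refuse a second scan
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)      # this string is what the QR code would encode


def verify_token(token: str, presented_passport: str, now: int, seen_ids: set,
                 key: bytes = AGENCY_KEY) -> tuple:
    """Officer side: returns (accepted, reason). seen_ids records tokens already used."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return False, "bad signature"
    payload = json.loads(body)
    if now > payload["exp"]:
        return False, "expired"
    if payload["passport"] != presented_passport:    # token must match the passport in hand
        return False, "passport mismatch"
    if payload["jti"] in seen_ids:
        return False, "already used"
    seen_ids.add(payload["jti"])
    return True, "ok"


if __name__ == "__main__":
    used = set()
    now = 1_700_000_000
    qr = issue_token("X1234567", {"goods_to_declare": False}, now)
    print(verify_token(qr, "X1234567", now + 60, used))   # (True, 'ok')
    print(verify_token(qr, "X1234567", now + 60, used))   # (False, 'already used')
```

The reader refuses a token that was altered after issue, presented with a different passport, presented after its window, or scanned twice; a real deployment would key the reader from the agency’s key management rather than from a constant in the source, and would add the biometric binding to the phone’s owner that the text says TSA is investigating.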
3.3.3 Bank ID

In some northern countries (Norway, Sweden…), eID solutions have been deployed for citizens’ identification purposes (see WP2 for a description of BankID in Sweden and Norway), and banks shall be considered major actors for the provision of new infrastructures and solutions:
- In Sweden, banks have taken the role of eID issuers (primary ID): citizens can be enrolled in agencies to get either a single eID or a dual eID including a bank ID. By means of this bank ID, end-users can log in to banks or administrative websites as well as sign documents online.
- In Norway, banks issue a bank ID which can be used for online authentication and signature purposes.

It shall be pointed out that, in Europe (and even worldwide), there is no example of credit/debit cards interoperable with eID credentials (there are no dual cards with both credit/debit and eID functions). To ensure the interoperability of authentication infrastructures between the financial sector and administrations, technology and processes shall rely on standard protocols:
- Software mechanisms used to identify and authenticate online customers (certificates, tokens…)
- Hardware infrastructure to monitor the customer relationship across all banking channels (branch…)

The most common mechanism for identification and authentication purposes is a centralised PKI (Public Key Infrastructure, used to verify the eID certificates). This infrastructure can be provided by both public and private Certification Service Providers (CSP). The use of governmental eID in the banking sector requires:
- A technical integration between the bank infrastructure and the Certification Service Providers (or recognition of bank institutions as Certification Service Providers)
- Provision of eID readers to allow different means of connection:
  o In the bank branch, if eID is used for customer authentication.
  o At customers’ premises, for online connection purposes.
This deployment can be mutualised with other providers of eID programmes. The European Commission, in cooperation with the EEMA (association for identity and security), has already pioneered several initiatives to analyse the business case of banking eID[25] issuance. The objective is to identify the levers to remove the barriers and contribute to the implementation of such eID schemes. Following a set of conferences gathering representatives from banks, payment companies and banking associations, the following arguments have highlighted the role of eID:
- First step and key enabler of the Digital Single Market (DSM), by contributing to cross-border business perspectives for the banking sector.
- Leverage the provision of online banking services by streamlining the customer experience.
- Facilitate customer relationships by optimising AML and KYC requirements, and accelerate the transition to paperless processes.
- Reduce the risk of customer onboarding, especially for credit activities.

To promote the exchange of experiences and perspectives among the banking sector, both the European Commission and EEMA continue to organise conferences and meetings with appropriate stakeholders. The business perspectives for the banking sector could also be analysed from several points of view:
- Either the banking sector is considered as a user of eID infrastructures provided by governmental services,
- Or the banking service becomes part of identification and authentication mechanisms as a recognised service provider (taking into account that this sector has already developed this kind of infrastructure).

Over the last decade, banks have implemented new services over digital channels and gained valuable experience in online relationship management. In particular, they have reached a suitable balance between the security of identification and authentication mechanisms on one side and customer facilitation on the other.
Ensuring a convenient customer experience has become a key issue for banks, as mobile apps considerably facilitate regular access (more than once per week), far more often than access to administrations (twice per year). Ease of use is one of the reasons why, even in countries where interoperability with eID exists, such as Spain, banks often propose several ways of identification or authentication for both customer onboarding and access to financial services. Typically, individuals prefer not to use their eID to access financial services and rely on the bank’s own credentials. Banks have already deployed secure identification and authentication mechanisms, especially for their own needs, such as countering the most up-to-date fraud cases and attacks. Indeed, over the last few years, financial institutions have become the main targets of criminal organisations, especially on digital channels (web and mobile). Security could thus be an issue for interoperability:
- Any interoperable eID mechanism shall be able to provide a high level of security and evolve continuously in order to keep up with fraud threats and trends.
- In the case of an interoperable eID mechanism, a Service Level Agreement and the associated responsibilities in case of fraud should be defined.

The evolution of banking sector regulation is also modifying the way European financial institutions manage the security of their customers on digital channels. Indeed, a set of regulations is under analysis or deployment with the objective of providing European retail banking with enhanced protection. Two initiatives shall be highlighted here: the European Banking Authority (EBA) security guidelines and the Payment Service Directive.

[25] See: http://ec.europa.eu/digital-agenda/en/news/eid-business-case-banking-and-financecommunity

EBA guidelines
New recommendations have been published by the European Forum on the Security of Retail Payments (SecuRe Pay), namely the Final guidelines on the security of internet payments (December 2014), which promote strong authentication features for internet payments.

Payment Service Directive

The first Payment Service Directive (PSD 1, 2009) aimed at providing the legal foundation for the creation of a European single payment market. A new release (PSD2, 2014) recommended new roles and responsibilities for payment, in particular:
- The possibility for new actors to have access to European customers’ accounts operated by financial institutions (access for information and payment initiation).
- The implementation of strong authentication mechanisms for all electronic remote transactions (including consultations).

As a consequence, interoperability issues between primary ID and banking sector credentials should take into account the upcoming regulation, in particular:
- New actors and related ecosystems.
- Authentication schemes between payment actors (financial institutions, account aggregators…).

Interoperability schemes within the financial sector should address the various banking processes, from customer onboarding to online service provision. Nevertheless, the main interoperability issue is related to the process of opening a bank account for an EU citizen in a Member State which is not his place of residence. In 2012, a Special Eurobarometer (Retail Financial Services, European Commission, February 2012) indicated that in the EU only around 3% of consumers have opened a payment account in another Member State. Directive 2014/92/EU on the transparency and comparability of payment account fees, payment account switching and access to a basic payment account was adopted in July 2014.
This Directive is a step towards a single market for retail financial services, since it provides all EU consumers, even those who are not residents of the country where the bank is located and irrespective of their financial situation, with the right to open a bank account. For instance, article 11 of this Directive places an obligation on the citizen’s former financial institution to assist a consumer who requests to open a bank account in another Member State. At this stage, two main constraints affect the basis for opening a bank account in another country:
- Identity proof: since primary IDs are heterogeneous across Member States, financial institutions often require that citizens provide resident credentials, these being the only ones able to comply with KYC regulations. Based on Directive 2014/92/EU, resident credentials may no longer be necessary, but financial institutions have no other way to identify their customers.
- Evidence of financial resources: this constraint should disappear with the 2014/92/EU regulation.

Within EU Member States where no eID scheme exists, several minor initiatives have been launched to allow the private sector to propose alternative options. This is the case in Switzerland, the UK and other countries where industry has implemented online authentication procedures. The current low level of interoperability is due to several factors:
- Technical interoperability: there is no standard at this stage to allow seamless authentication interoperability between several private actors.
- Business perspective: there is no clear business perspective for banks, telcos, insurance companies, etc. to provide an authentication service that will benefit other stakeholders of the private sector.
- Risk and responsibility issues: there is no regulation today precisely defining the roles and responsibilities of identity service providers.

An alternative might arise from major software players: a kind of electronic authentication interoperability is growing, based on the initiatives of the GAFAs. Indeed, Google (with Google Connect), Amazon (Login with Amazon) and Facebook (Facebook Connect), but also PayPal, Twitter and Microsoft, are providing login services and might become major players in the future. Based on the OAuth 2.0 and OpenID standards, these services can be used by end-users to log in to retailers’ or service providers’ websites. The level of security associated with these mechanisms is not that certain at this stage. Moreover, identity theft of social network credentials shall be considered quite easy and widespread. For these reasons, the provision of the GAFAs’ authentication services remains quite limited at this stage, and banks will remain more reliable stakeholders for the provision of online services and for initiating interoperability schemes with other providers.

4 Taxonomy of ID Theft / threats

4.1 Government ID Theft / threats

4.1.1 Delivery

As detailed in the previous pages, the main threats arise more from fraud against ID credentials themselves than against government documents, which become more and more secure. A blank stolen document (quite difficult to obtain!) has a very high value, whereas a counterfeit or stolen passport might be detected by police forces. Threats against passports can be summarised as follows:

Type of threat | Severity | Prevention
Access to basic credentials (date/ place of birth) | High | Recommend individuals not to disclose sensitive data on social networks
Duplicates | High | Ensure a biometric check prior to delivery. Applicant presents himself during the delivery
Blank stolen document | High | Transport procedure should be secure from manufacturer to government agency
Counterfeit | Medium | Educate police forces and staff in charge of document authentication. Authenticate documents by means of dedicated readers
Stolen | Medium | Utilise the Interpol SLTD database

Access to basic credentials constitutes one of the main threats, as exchanges in the physical world have always been built on trust. Individuals are not used to suspecting each other. For this reason, they readily give up part of their identity during day-to-day private or business relationships such as (not exhaustive):

Type of action | Type of threat | Prevention
Retail transaction | Copy of or reference to ID documents: name, address, bank | Ensure the legitimacy of both stakeholders
Stolen purses / wallets, pickpockets | “Physical” document becomes available | Surveillance of belongings
Stolen personal documents | Name, address, critical data | Surveillance of belongings
Stolen surface mail | Name, address, critical data | Secure letter box and mail delivery
Dumpster diving | Name, address, critical data | Destroy documents
Deceased person | “Impersonation” by means of stolen credentials | Secure belongings after death
Shoulder surfing | Critical data | Public places are not suitable for consulting sensitive information
Dishonest employees, corruption | Name, address, critical data (bank, date/ place of birth…) | Employee recruitment
Call centres | Name, address, critical data | Employee recruitment
Imposters | Critical data | Ensure the legitimacy of business partners
End of relationships | Name, address, critical data (bank, date/ place of birth…) | Ensure the legitimacy of business partners

Although the list of cases detailed above is not exhaustive, it shows that the range of threats against ID in the physical world is extremely wide.
As most social and business relationships have been built on trust, individuals are used to giving up sets of critical data during their day-to-day activity (name, address, date of birth, banking information, etc.), which can be further consolidated and help build an identity and “impersonate” someone without his consent or even his knowledge that his ID has been stolen. Most of the “prevention” rules shall be considered as basic “guidelines” but, in many cases, they cannot prevent an illicit action if the fraudster is determined to attain this objective.

Type of data | Importance
Home address | Medium
Given name | High
Christian name | High
Social Security number | Medium
Birth date | High

It is worth recalling that ID controls remain quite infrequent in Europe, even though the security context has been heightened. Citizens are not required to systematically authenticate themselves, as confirmed by the IBS (Institute of Baltic Studies). As an example, French citizens use their “government issued document” less than once a year to prove their ID, be it in government or private buildings. This survey confirms that fraud occurs more through attacks, deliberate intent or negligence than during controls.

Figure 13: Institute of Baltic Studies, survey on ID issues

5 Consequences of ID theft

Stealing an individual’s identity does not, on its own, constitute a fraud, and this is an important distinction. The “victim” can accept this situation, for example to help someone by passing a university exam on his behalf. And, stricto sensu, one cannot steal the ID of a living person or even of a deceased individual. By contrast, identity fraud describes the action that might be carried out as a consequence of ID theft or a fake ID. In this case, an individual will engage in a criminal activity by means of a fraudulent ID to obtain goods or services by deception.
5.1 Consequences of government ID theft

Depending on the type of “captured” document, the consequences of ID theft can be multiple. As an example, a passport is ranked at the highest level as it opens a wide range of activities, from physical-world practices to government-related activities. Most of the time, the illegal ownership of a passport leads to criminal activities:

Government-related consequences of ID theft

Type of stolen document | Type of activity | Severity | Prevention | Action performed
Passport / ID card | Illegal immigration | Medium | Interpol SLTD database | Cross borders. Obtain status (refugee, migrant) in destination country
Passport / ID card | Contraband / smuggling | Medium | Interpol SLTD database | Illegal trade in narcotics, weapons as well as human trafficking under another name
Passport / ID card | Flight from justice | High | Interpol wanted individuals |
Passport / ID card | Escape a sentence | High | Interpol SLTD database; Interpol wanted individuals |
Passport / ID card | International terrorism | | | Impersonation of an unsuspected individual to conduct illegal activities against government, people and civil infrastructures

INTERPOL’s Stolen and Lost Travel Documents (SLTD) database enables National Central Bureaus (NCBs) and other authorised law enforcement entities (such as immigration and border control officers) to ascertain the validity of a travel document in seconds. The SLTD database was created in 2002, following the 11 September 2001 terrorist attacks in the USA, in order to help member countries secure their borders and protect their citizens from terrorists and other dangerous criminals using fraudulent travel documents[26]. The SLTD database is not a panacea, as connecting to it is not mandatory, even for border control purposes. The recently implemented I-Checkit system constitutes an easy interface for ensuring the legitimacy of a passport. Organised criminal groups and terrorists use stolen travel documents to conceal their identities and cross borders undetected.
Given this threat, and faced with increasing volumes of international passengers, countries urgently need to heighten their border control and identity management measures. I-Checkit is an innovative solution that complements and enhances national border security systems by allowing the law enforcement community and trusted partners to conduct advanced passenger checks in real time. In November 2015, INTERPOL’s member countries endorsed the I-Checkit Airlines solution as a key component of the Organization’s global border management strategy. This decision followed a 16-month pilot project with AirAsia which demonstrated the value of I-Checkit in mitigating the criminal risks behind identity fraud and gathering police intelligence, especially in countries without fully integrated border solutions[27].

[26] http://www.interpol.int/fr/INTERPOL-expertise/Border-management/SLTD-Database

Figure 14: Typical “fake” passport that needs trained border control to be identified

Type of stolen document | Type of activity | Severity | Prevention | Action performed
Resident permit | Social benefits | Medium | Biometric authentication | Take advantage of various social services: health, financial support
Resident permit | Working permit | Medium | N/A | Working activities under a false identity

Type of stolen document | Type of activity | Severity | Prevention | Action performed
Breeder document | | Medium | Definition of a recognised international standard. Biometric sample within a chip | Obtain a passport or ID card by impersonating a wrong identity / provision of a national credential

[27] http://www.interpol.int/fr/Expertise/I-Checkit

Social consequences of ID theft

Category of consequence | Type of activity | Severity | Action performed
Industry | Employment | Medium | Being employed under a wrong identity
Industry | Hostile intelligence | Medium | Illegal access to confidential information, as would be the case for the proper owner of the stolen credential. Might lead to considerable economic loss for victims in a business context
Industry | Economic crimes | Medium | Carrying on a wide range of financial activities without bearing responsibility for them: opening a bank account, then being granted a credit card, etc.
Social | Getting married again | Medium | Being married under a wrong identity to avoid bearing the social responsibility of a previous family situation

Identity fraud represents a holistic process starting with stolen credentials, which allows an imposter to build up an entirely new life. Either there will be a profit based on fraudulent data, or the theft scenario leads to human trafficking or terrorist activities. Western European countries constitute typical targets, as social benefits become a “right” for ID holders and, due to privacy protection, there is no consolidation of databases to prevent the misuse of fraudulently acquired credentials.

Figure 15: Typical identity theft scenario

6 Cyber ID Theft

6.1 Cyber threat vs physical threat

As more and more procedures can be conducted on the internet, the cyber world constitutes a new challenge where both personal and business relationships shall be structured. Since only a few Member States[28] have delivered secure eID cards containing authentication and signature certificates, the internet world represents a new and profitable target for illicit activities.
Even in Member States where secure government cards have been distributed, citizens remain extremely slow to change their habits and use online tools to engage in contractual relationships. The Eurobarometer published by the Commission contains very useful figures to evaluate how our fellow citizens are gaining confidence when connecting online. One notices a growing interest in online activities and a better awareness of the risks incurred, while extreme cautiousness modifies the habits gained in the physical world.

Figure 16: Downloading or updating software constitutes a new risk, as it might contain malicious spam

6.2 Cyber theft against government ID

6.2.1 Setting the scene

Due to the lack of secure national ID cards in Europe, many business exchanges still mix physical-world and internet practices: critical documents are still scanned and forwarded by mail (ID cards, driving licences, passports, electricity bills, bank/ telco records...). On the other hand, individuals are requested to fill in online forms containing basic credentials and critical data (address, credit card numbers, etc.). By definition, the online world does not offer face-to-face contact with the other party, be it a social relationship or a potential new client. This means that each stakeholder of the exchange process becomes a point of weakness.

Stakeholder | Type of weakness | Prevention
User | Communication of sensitive data | Identify the receiving party prior to communication
User | Usage of shared IT equipment | Shared IT equipment shall never be used to communicate critical information (credentials)
User | Connection to unsecured sites | Identify the receiving party prior to communication
User | Poor authentication procedures | Select a login/ password that cannot be guessed by illicit parties
User | Connection via public Wi-Fi | Shall not be used for secure transactions
Equipment | Lack of basic security features | Provision of basic hw/sw protection (antivirus / anti-spam / anti-trojan, firewall)
Equipment | Unsecure telco connection | Select a reliable provider
ISP | Security breaches | Ensure reliability and basic security features before subscribing
Service provider | Unreliable | Ascertain the legitimacy of partners prior to exchanges on the internet
Service provider | Not used before | Avoid sending too critical data to new business partners
Service provider | Fake service provision | Ascertain the legitimacy of partners prior to exchanges on the internet
Service provider | Counterfeit service provider | Ascertain the legitimacy (e.g. URL) of partners prior to exchanges on the internet

[28] See EKSISTENZ D2.1 “Draft inventory of citizen ID processes and constraints in EU”

As detailed above, each module in the exchange process can become a target for illicit activities. Critical credentials exchanged on the internet might be hacked at any stage of the process, each module offering vulnerabilities and weaknesses. For these reasons, many defence companies do not allow their employees to communicate when on the move, whatever the security of their IT equipment and the likelihood of accessing private networks. On the internet, both business information and critical credentials can be accessed. Even though industry exchanges have their specific concerns, hacking credentials has the same value as dumpster diving or stealing surface mail in the physical world.

6.2.2 Critical data in the cyber world

As the cyber and physical worlds coexist, exchanges on the internet constitute a huge opportunity for fraudsters to illegally take advantage of basic credentials. User names / passwords, PIN codes as well as social networks increase their likelihood of later gaining access to basic credentials that will be used in the physical world for social, business or criminal activities.
Credentials in the cyber world | Usage | Prevention
User name / login | Access individual’s account | Avoid easy login schemes
Password | Access individual’s account | Avoid “guessable” passwords
PIN code | Access individual’s secure account | Avoid “guessable” PINs
Social network account | Access private information, relationships etc. for further illegal activities | Secure access to social networks

6.2.3 Most frequent cyber attacks

As EKSISTENZ focuses on ID threats and consequences in both the physical and cyber worlds, it is not our purpose to detail the various categories of attacks that can be launched on the internet[29]. We are more interested here in how IDs and various credentials might become a target for illegal activities as a consequence of cyber exchanges. The following list of frequent attacks is not exhaustive, but it aims at showing how cyber exchanges can be used as a means to take hold of basic credentials which will then be used for building false identities. The cyber world therefore constitutes a wide repository that cross-fertilises with physical-world fraud attempts, by allowing fraudsters to take advantage of basic credentials currently used for the delivery of government documents.

Type of attack | Usage | Prevention
Hacking computer system | Getting access to computer and personal information | Install basic hw/ sw security features
Phishing campaigns | Invite individuals to connect to websites to steal credentials, financial records | Ascertain the legitimacy and address (URL) of service providers
Account hijacking | Getting access to critical information | Secure access to accounts. Avoid “guessable” connection procedures
Forged social network account | Impersonate an individual to take advantage of relatives and business relationships | Get informed “in time” to prevent damage
Stolen smartphone, computer | Get access to personal information, contact details | Secure the IT equipment used “physically”
Exploiting IT equipment: contactless readers | Get access to credentials | Implement access control features to read credentials
Exploiting IT equipment: storage media, memory | Get access to personal information, contact details | Erase the hard disk before getting rid of IT equipment
Exploiting IT equipment: USB | Get access to personal information, contact details, etc. | Secure IT equipment and storage facilities “physically”

[29] This is the typical scope of the eCRIME project.

Even though it is not the purpose of EKSISTENZ to assess the various threats that can occur in the cyber world, it is worth recalling how “phishing” proceeds to get hold of both credentials and sensitive financial data; in the framework of this report, we will concentrate only on the credentials issue. The phishing scenario is quite straightforward: a deceptive email message is sent from a so-called “legitimate” source to verify the individual’s account information. The website can be similar in appearance to a legitimate site, even though a thorough examination of the address might reveal a suspicious URL. Upon the user’s acceptance, malicious software will be downloaded automatically to record the basic credentials used to access target services. Messages from false charities request direct donations in cash or credit card data. Fake social networks contain a link to compromised websites (social phishing). Phone calls might ask the user to dial a phone number and enter credentials and authentication codes.
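The “thorough examination of the address” mentioned in the phishing scenario can be partly automated, which is what the tables above ask of the user under “Ascertain the legitimacy and address (URL) of service providers”. The following added example (not part of the original report) implements the checks a cautious reader applies to a link before following it: non-HTTPS, a user@ prefix that hides the real host, a raw IP host, a very deep subdomain, a non-ASCII host name, and a known brand name appearing somewhere other than the brand’s own registered domain. The brand list and the sample links are constructed for the example; a production filter would draw the brand-to-domain mapping from the service providers the organisation actually deals with and would use the public suffix list to find the registrable domain.

```python
"""Heuristic examination of a link's address, along the lines of the
"thorough examination of the address" in the phishing scenario.

Added illustration, not code from the EKSISTENZ project. KNOWN_BRANDS and
the sample links are constructed for the example; a real filter would load
the brand-to-domain mapping from the services the organisation uses and
apply the public suffix list instead of the two-label rule below.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed mapping: brand name -> the registrable domain it legitimately uses.
KNOWN_BRANDS = {
    "examplebank": "examplebank.example",
    "taxoffice": "taxoffice.example",
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (toy rule; real code uses the public suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url: str) -> list:
    """Return the suspicious features found in url; an empty list means none found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    found = []
    if parts.scheme != "https":
        found.append("not https")
    if parts.username is not None:                 # "brand.example@1.2.3.4": host is after the @
        found.append("user@ prefix hides the real host")
    try:
        ipaddress.ip_address(host)
        found.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if host.count(".") >= 4:
        found.append("unusually deep subdomain")
    if not host.isascii() or "xn--" in host:        # look-alike characters from other scripts
        found.append("non-ASCII or punycode host (possible look-alike characters)")
    reg = registrable_domain(host)
    subdomains = host[: len(host) - len(reg)]      # everything left of the registrable domain
    where_else = (parts.path + "?" + parts.query).lower()
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            continue                               # the brand's own domain: nothing to flag
        if brand in subdomains:
            found.append(f"'{brand}' appears in a subdomain of unrelated domain {reg}")
        if brand in where_else:
            found.append(f"'{brand}' appears in the path or query of {reg}")
        if brand in reg.split(".")[0]:             # "examplebank-secure.example" and the like
            found.append(f"'{reg}' looks like {legit}")
    return found


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing message.
    for link in [
        "https://examplebank.example/login",
        "http://examplebank.example.secure-login.example/verify",
        "https://examplebank.example@198.51.100.7/",
        "https://examplebank-secure.example/update",
        "https://cdn.example/examplebank/login?brand=taxoffice",
    ]:
        print(link, "->", phishing_indicators(link) or "no indicator")
```

The function returns every indicator it finds rather than a single verdict, so a mail gateway or a user-facing warning can show why a link looks wrong; the legitimate link in the sample list yields an empty result, and each of the others trips at least one check.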
Figure 17 The phishing scenario

6.2.4 Cyber world attacks against government documents

As detailed in the previous paragraphs, threats and damages against government credentials are not that significant in the cyber world, since eID cards are not that common among MS. Most of the illegal activities concern exchanges on the internet aimed at getting hold of basic credentials, rather than attacks on the documents themselves. One may regret that so few MS offer an electronic ID, although considerable efforts have been made to promote the concept of a European ID card (as well as a driving licence and a residence permit) holding authentication and signature certificates with which to connect to government websites and engage in contractual relationships. Attacks against the use of national eID cards in the cyber world will take advantage of weaknesses in the security procedures of the exchange architecture. Contrary to current standard login/password connections, the certificates contained in the card are used for authentication purposes. This requires that an end-to-end procedure has been put in place, from enrolment to the end of the card life cycle.
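To make the end-to-end card procedure above concrete, here is an added example (not code from the report or from any national eID scheme) that models the controls a relying party and a card enforce together: the authentication key only answers once the PIN has been verified, the card blocks itself after a few wrong PINs, the verifier issues a fresh random challenge for each login so an old answer cannot be replayed, and the card's serial number is looked up in a revocation list before the response is even checked. The card's response is an HMAC over the challenge, a stand-in for the signature a real smart card computes with its certificate's private key; because of that, the verifier here holds the same key the card holds, where a real deployment would hold only the certificate. Serial numbers, PINs and keys are constructed.

```python
"""Model of the eID card life-cycle controls: PIN-activated key, fresh challenge,
retry counter, revocation list.  Added example, not code from the report; HMAC
stands in for the certificate-backed signature; all identifiers are constructed."""
import hashlib
import hmac
import os

MAX_PIN_TRIES = 3


class Card:
    """Holds a private key that only answers challenges once the PIN is verified."""

    def __init__(self, serial: str, pin: str, key: bytes):
        self.serial, self._pin, self._key = serial, pin, key
        self.tries_left = MAX_PIN_TRIES
        self.unlocked = False

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False                       # blocked: retry counter exhausted
        if hmac.compare_digest(pin, self._pin):
            self.tries_left = MAX_PIN_TRIES    # correct PIN resets the counter
            self.unlocked = True
            return True
        self.tries_left -= 1
        return False

    def sign_challenge(self, challenge: bytes) -> bytes:
        if not self.unlocked:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Relying party: issues fresh challenges, checks the revocation list, then the response."""

    def __init__(self, registered: dict, revoked: set):
        self.registered = registered           # serial -> key (stands in for the certificate)
        self.revoked = revoked                 # serials listed on the CRL
        self.outstanding = {}                  # challenge -> serial it was issued for

    def challenge(self, serial: str) -> bytes:
        c = os.urandom(16)
        self.outstanding[c] = serial
        return c

    def authenticate(self, serial: str, challenge: bytes, response: bytes) -> str:
        if self.outstanding.pop(challenge, None) != serial:
            return "rejected: unknown or replayed challenge"
        if serial in self.revoked:
            return "rejected: certificate revoked"
        key = self.registered.get(serial)
        if key is None:
            return "rejected: unknown card"
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return "rejected: bad response"
        return "accepted"


def run_scenarios() -> dict:
    """Walk the threats from the life-cycle table: legitimate use, replay, stolen card, revoked card."""
    key = os.urandom(32)
    card = Card("LV-0001", "1234", key)                       # constructed serial and PIN
    verifier = Verifier(registered={"LV-0001": key}, revoked=set())
    results = {}

    # 1. Legitimate holder: correct PIN, fresh challenge.
    card.verify_pin("1234")
    c = verifier.challenge(card.serial)
    r = card.sign_challenge(c)
    results["legitimate"] = verifier.authenticate(card.serial, c, r)

    # 2. Replay of the same challenge/response pair by an eavesdropper.
    results["replay"] = verifier.authenticate(card.serial, c, r)

    # 3. Stolen card, PIN unknown: three wrong guesses block it, even for the right PIN afterwards.
    stolen = Card("LV-0001", "1234", key)
    for guess in ("0000", "1111", "2222"):
        stolen.verify_pin(guess)
    blocked = stolen.tries_left == 0 and not stolen.verify_pin("1234")
    results["stolen_wrong_pin"] = "blocked" if blocked else "not blocked"

    # 4. Stolen card with a known PIN, but the holder reported the loss: serial on the CRL.
    verifier.revoked.add("LV-0001")
    c2 = verifier.challenge(card.serial)
    results["revoked"] = verifier.authenticate(card.serial, c2, card.sign_challenge(c2))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

The order of checks in `authenticate` matters: the challenge is consumed first so that a replayed or forged challenge never reaches the signature check, and revocation is tested before the cryptographic verification so that a valid response from a card reported stolen is still refused. A real scheme has to keep the revocation list current (the table's "monitoring of CRL"); a stale list turns scenario 4 back into scenario 1.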
Action | Threat | Prevention
Enrolment | Impersonation of an individual; fake identity | Applicant shall present himself for delivery; control of basic credentials (date/location of birth)
Access control to card features | Illegitimate access to the card | Provide strong authentication means based on PIN, login/password or biometrics
Authentication | Illegitimate usage; illegitimate use of stolen or revoked cards | Authentication certificate activated by PIN code or biometrics; monitoring of Certificate Revocation Lists (CRL)
Signature | Illegitimate usage; illegitimate use of stolen or revoked cards | Signature certificate activated by PIN code or biometrics; monitoring of Certificate Revocation Lists (CRL)
End of cycle | Misusage | Control of the revocation procedure; monitoring of Certificate Revocation Lists (CRL)

6.2.5 Typology of attacks against "government" documents

As detailed in the previous paragraphs, it is too early to set up a typology of attacks and threats against government documents in the cyber world, as their usage remains quite limited, even in the countries benefitting from electronic credentials. As detailed in the slide prepared by our partner IBS (Institute of Baltic Studies), Spanish citizens remain quite reluctant to use the eID to authenticate themselves in the cyber world. Indeed, "daily" usage represents only a few percent, whereas "never" corresponds to 40-60% of the responses. Concerning the usage of electronic signatures, the Institute of Baltic Studies indicates that only a few citizens are yet prepared to change their habits (on average 10%). In most of the surveyed countries, eSignature constitutes an exception. Apart from Italy, a large majority of individuals "strongly disagree or disagree" with this new way of engaging in contractual relationships on-line.

Figure 18 Institute of Baltic Studies, survey on ID. The usage of eSignatures
Figure 19 Conclusion of the IBS study concerning ID theft

For these reasons, IBS concludes its survey by stating that "ID theft involving government issued identity documents is relatively rare". However, it is worth mentioning that EU citizens are much in favour of an "Electronic Card and secret PIN code" to authenticate themselves for secure internet services (government and banks). In most of the surveyed countries, a secure eID card is ranked #1, slightly ahead of passports, an opinion which confirms the overall confidence of citizens in their governments' documents. Depending on the country, "fingerprint checked with a special device" and mobile phone authentication systems come next.

Figure 20 Institute of Baltic Studies, survey on ID. Conclusion

Figure 21 Institute of Baltic Studies, survey on various ID authentication schemes

This last slide clearly indicates that our fellow citizens accept authenticating themselves online by means of a secure ID. But the signature remains linked to the hand and to the physical presence of the parties. This position is quite contradictory, since the Directive on electronic signatures already dates back to 1999 (30), whereas the eIDAS regulation, which clearly addresses authentication means, is quite recent. These various statements clearly demonstrate that, for the time being, the main threats against government eIDs still arise from the physical world rather than from the cyber world.
Type of threat | Context | Risk | Consequences
ID document theft | Physical world | Low | High
ID document counterfeit | Physical world | Medium | Medium
Blank stolen document | Physical world | Low | High
Negligence on credential | Physical world | High | High
On-line signature theft | Cyber world | Rare | High
On-line authentication theft | Cyber world | Rare | Medium
Negligence on credential | Cyber world | Medium | High

As stated above, the cyber world does not yet constitute a considerable risk for ID and eSignature issues, as their usage remains quite limited in the Member States. The main threats arise more from low-security exchanges on the web, where credentials can either be intercepted and help build a false ID, or lead to severe financial damage through stolen critical data (bank account number, credit card number, etc.). It is anticipated that threats against government credentials in the cyber world will certainly grow in the future, if national eIDs become the rule or if more service providers propose offers on the web where authentication and signature are considered standard. The recent trends arising from migration issues, and towards more security in Europe as a consequence of the extreme travel flexibility within the Schengen zone, might lead more MS to initiate national ID programmes for better authenticating their citizens and facilitating on-line services.

30 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. http://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=celex%3A31999L0093

7 Taxonomy of victims

7.1 Internet usage in the MS

Citizens are not equal vis-à-vis fraudsters. Becoming a victim depends on various factors ranging from country and age to internet education, etc. Many surveys help to better understand the strategy of fraudsters and how to implement security services that might be able to counter the threats.
Two surveys dated 2005 and 2013 clearly demonstrate that young individuals (18-39), the most involved in life and business activities, are the main victims of ID theft.

Figure 22 Survey on ID fraud by age. 2005

As people get older, certainly because they become more cautious and stable in their business and social activities, they are less prone to becoming a victim. In 2008, Experian conducted an analysis of some of the 10,000+ victims of identity fraud. It found that the typical victim of identity fraud was the following individual:

Figure 23 Survey on ID fraud by age. 2013

- 26-45 years old
- Working in a professional occupation
- Owner/occupier (usually in a detached house)
- Earning over £50,000 (these are 3 times more likely to be victims)
- Directors of companies

This means that the "profile" of the typical target is a young professional, educated, internet-skilled, with substantial income.

Figure 24 US Federal Trade Commission. Survey on consumer complaints 2013

Based on these figures, fraudsters tend to target, for obvious reasons, those individuals likely to have significant credit ratings, where their chances of both reward and success are greater. Even though it depends on the country, a rough estimate of 14% corresponds to the average share of people having suffered an ID theft during a calendar year. This category ranks #1, ahead of debt collection, scams and other complaints. The Eurobarometer on cybersecurity is a survey conducted by TNS Opinion & Social at the request of the European Commission, Directorate-General for Home Affairs, and coordinated by the Directorate-General for Communication (31). This survey addresses security issues in the 28 MS, considering that cybercrime has become a borderless problem, consisting of criminal acts that can be conducted across countries and exploit national weaknesses.
The scale of the problem becomes a threat to law enforcement response capability, bearing in mind that more than 150,000 viruses and other malicious codes circulate, claiming a million victims every day. This survey aims to understand EU citizens' experiences of cyber security issues so that both regulatory and technical measures can be implemented in the future. First, the survey indicates that a substantial minority of EU citizens (24%) responded that they do not access the Internet at all; this includes 18% who never access the Internet and 6% who say they do not have any Internet access. Among the people who do use the Internet, habits differ considerably by age and by social and business activity. Overall, 63% of EU citizens use the Internet every day (or almost every day), while a smaller proportion (13%) uses the Internet less often (32). The highest levels of Internet usage can be seen in the northern countries: Sweden (96%), the Netherlands (95%) and Denmark (94%). A high proportion of respondents in these countries access the Internet every day, whereas very few say that they never use the Internet or do not have Internet access (4% in Sweden, 5% in the Netherlands and 6% in Denmark). It is not surprising that eastern and certain southern European countries, which do not yet benefit from high-speed infrastructures, are the lowest internet users: Romania (54%), Portugal (56%), Greece (58%) and Bulgaria (60%). Respondents in these countries are also least likely to access the web on a daily basis (36% in Romania, 47% in Bulgaria, 47% in Greece and 48% in Portugal) (33).

31 http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf

32 More than half of EU citizens (60%) use the Internet at home every day or almost every day.
A further 14% of respondents use the Internet at home less frequently (two or three times a week, about once a week, two or three times a month, or less often), while around one in four (26%) say that they do not access the Internet at home at all; this includes 17% who never use the Internet at home and 9% who say they do not have any Internet access at home. http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.9

33 A similar pattern can be seen for Internet use at work. Respondents in Sweden (67%), the Netherlands (65%) and Denmark (64%) are most likely to use the Internet at their place of work, while the lowest proportions can be seen in Romania (22%), Greece (23%), Portugal (25%), Bulgaria (27%), Spain (27%) and Hungary (29%). http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.10

Age itself is certainly a factor of internet maturity. As detailed by the EU survey, people over 55 are much less likely than younger groups to access the Internet (only 47% of those aged 55 or over ever use the Internet), while the youngest age group (15-24 year olds) is the most likely to connect every day (92%). This confirms that internet damages will grow in the future, as the young generation will not give up its habit of regularly going on-line. The main "internet population" is constituted of those who need to access the web for both social and business activities; students and white-collar workers are also more likely to regularly use the web. For example, 95% of students, 91% of managers and 85% of other white-collar workers indicated that they connect every day (34). Such a high ratio suggests that more stringent measures should be put in place if the web is to continue to offer a sound means of exchange between individuals.
Let us also recall that gender also impacts the habits of users, internet usage being higher among men than women (67% of men access the Internet every day, compared with 59% of women).

Figure 25 Eurobarometer survey by age, occupation and gender

34 The highest use of the Internet at other locations (such as at school, university or at a cyber-café) can also be observed in Denmark (63%), the Netherlands (60%) and Sweden (59%). Respondents in Romania (22%), Hungary (22%), Bulgaria (23%), Greece (24%), Portugal (25%), Slovakia (25%) and Lithuania (25%) are least likely to use the Internet in other locations. http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.10

The table above clearly indicates differences in the way our fellow citizens connect to the internet, depending on their age, gender and social or business situation. Theft and damages are not always linked to web usage, as frequent users are also quite educated and conscious of the dangers, and benefit from tools and security shields that they share with fellows having similar concerns.

7.2 Mobile as a new vector of internet damages

Although computers remain the most common means of connecting on-line, over half of the respondents (61%) indicated that they access the Internet through a smartphone, a substantial increase compared to the previous year. As mobile users take advantage of public Wi-Fi and telco networks, this increase shall be considered a new threat in the future, as such users will certainly benefit less from secure IT protections. As the usage of mobile equipment to connect to the internet has almost doubled in one year (2013-2014), protecting smartphones and individuals on the move will become a challenge in the coming years (35).

Figure 26 Eurobarometer: usage of computers vs other connection means for internet access
Since the majority of individuals alternately use their computers or mobile equipment for similar purposes, depending on their current situation (office, home, transport, on the move), very similar activities will be carried out with equipment benefitting from different protection means. This means that internet service offers shall provide extremely secure authentication means (certificates, PIN or biometric authentication) to allow both secure and mobile usage.

35 The main socio-demographic differences in means of accessing the Internet are by age. The use of a smartphone for Internet access is much higher among younger people, ranging from 85% among 15-24 year olds to 30% of those aged 55 or over. Use of a tablet is also lower among those aged 55 or over compared with younger age groups (22% compared with at least 31% in other age groups). The use of all of the various devices is higher among those leaving education at a later stage. The differences are most pronounced for use of a smartphone and for a touchscreen tablet. http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.19

Indeed, mobile internet depends considerably on the telco infrastructure. It is extremely developed in northern hi-tech countries: Latvia (98%), Netherlands (98%). The proportion that accesses the Internet via a smartphone varies considerably by country. The highest proportions can be seen in Spain (85%), Sweden (79%), Denmark (74%), the Netherlands (73%) and Austria (72%). It is not surprising that the lowest proportions can be found in countries where telco infrastructures are not that mature: Bulgaria (35%), Slovakia (38%), Portugal (38%) and Poland (40%) (36).
Figure 27 Eurobarometer: Internet culture and security vary considerably among MS

36 http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.16

8 Taxonomy of countries

8.1 Taxonomy of countries for ID theft

8.1.1 Social and geopolitical context

Based on the Eurobarometer, just under half of EU citizens (47%) say that they feel well informed about the risks of cybercrime; specifically, 10% feel very well informed and 37% feel fairly well informed. However, 29% do not feel very well informed and 21% say they do not feel informed at all about the risks of cybercrime (37). The IT culture of the respondents greatly influences their awareness of danger when going on the web. ID theft and damages greatly depend on the hi-tech education of our fellow citizens. In this perspective, the Eurobarometer provides some significant information. Almost 47% of the respondents declared themselves "very/fairly well informed" of the risks of cybercrime, a slight increase (3%) since the 2013 survey. This is rather encouraging, but shall not hide the fact that more than half of the users are not informed and will become a target of attacks in the future.

Figure 28 Eurobarometer: awareness of internet risks

As detailed in the previous paragraphs, there are considerable variations between the countries, corresponding to infrastructure provision and the education of the users. In northern countries, where internet usage and connection frequency are the most developed, citizens are well informed of the risks (38) they incur when going on-line.

37 http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.44

38 There is some variation by country in the extent to which respondents feel well informed about cybercrime. Respondents in Denmark (67%), the Netherlands (67%), Sweden (66%) and the UK (65%) are most likely to feel very or fairly well informed.
The highest proportions that say they feel "very" well informed can be found in Denmark (23%) and the UK (22%), as well as Ireland (21%). http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.45

It is not surprising that the countries starting their internet activities are less aware of the risks. Hence, people are least likely to feel well informed in Romania (31%) and Bulgaria (34%), and respondents in these two countries are also most likely to say that they do not feel informed at all (35% and 36% respectively). To a large extent, these differences reflect overall levels of Internet use.

Figure 29 Awareness about the risks of cybercrime per country

The table above clearly reflects how a country's IT maturity is mirrored in the awareness of the risks incurred on the internet. Denmark, the Netherlands, Sweden, the UK, Ireland and Finland are the best prepared for attacks. However, it is quite surprising that countries like Belgium, Spain and Italy appear amongst the least aware of the dangers. The same applies to age classes, gender and business category. Compared to the previous tables, the most frequent internet users (young people, students, white-collar workers, etc.) are also the best prepared to meet internet risks. Citizens aged 15-39 who regularly use the internet are the best prepared to meet the risks and are aware of the dangers. This is quite reassuring, as we expect a new population of frequent web users to emerge in the coming decades; it is of prime importance that they are aware of the risks incurred and that sufficient security shields are installed to meet potential attacks.
Figure 30 Awareness about the risks of cybercrime per social category

Furthermore, a clear majority of Internet users agree that they avoid disclosing personal information online (89%, including 54% who totally agree), while 85% agree that the risk of becoming a victim of cybercrime is increasing. Only small proportions of respondents disagree with these statements (10% and 12% respectively). A majority is quite concerned that their online personal information might not be kept secure by websites (73%). Most respondents are also concerned that this information is not kept secure by public authorities (67%), with 30% disagreeing with this statement (39). Comparisons with the 2013 survey indicate that respondents have become slightly more concerned about cybercrime and access web services accordingly. This last point confirms the danger of "phishing" attempts: although internet users are aware of the dangers, certain sites counterfeit the genuine service provider so perfectly that users disclose sensitive data without care. A detailed analysis of the current surveys carried out on internet risks confirms that secure authentication providers do not themselves constitute the main danger, whereas counterfeit services and direct attacks on computers generate the main threats. Despite these concerns, around three in four Internet users (74%) agree that they are able to protect themselves sufficiently against cybercrime, a figure which underlines the danger of cyber attacks, since attackers succeed in hiding malicious software behind genuine-looking service provision (e.g. an update of a standard desktop tool).
The highest proportion of risk awareness can be found in northern Europe, where individuals connect most frequently to the internet: Finland (94%), Sweden (92%). The lowest levels of agreement can be seen in eastern Europe, Hungary (70%), Slovakia (70%), Czech Republic (71%), but also in the Baltic countries, where on-line services are extremely secure and, therefore, risks are quite low.

Figure 31 Awareness of internet risk by age and connection habits

The following table provides an optimistic view of how risks can be mitigated in the future, considering the growing awareness of internet users of the risks incurred when they connect on-line: minimal data forwarded, consciousness of the risks, choice of secure websites, self-protection against internet threats, etc.

39 http://ec.europa.eu/public_opinion/archives/ebs/ebs_423_en.pdf p.48

Based on this, a major threat would arise from an unconscious communication of personal data, the connection to a counterfeit website, or an attack by malicious software that steals sensitive information from the user, even though he is informed of the dangers and benefits from enough security protection. Based on the table below, a majority of respondents have confirmed their concern about experiencing or being a victim of different types of cybercrime, in particular identity theft (68%), a bit ahead of discovering malicious software on their device (66%), being the victim of bank card or online banking fraud (63%), or their social media or email account being hacked (60%). The large percentage concerning ID theft confirms the awareness of EU citizens of the new risks incurred when connecting on-line and of how their ID might constitute a target if security barriers are not implemented.
Figure 32 Identity theft ranked 1st risk by EU citizens

The highest levels of concern about ID theft can be observed in France (80%) and Spain (79%), two large countries with different contexts: France has not succeeded in implementing its eID programme, whereas Spain proposes many on-line services although its citizens remain quite conservative and prefer paper-based procedures to pioneering digital services. Respondents in Estonia and the Netherlands (48%) are least likely to be concerned about identity theft; a more detailed analysis would be needed to explain these figures: a small country on one side, with highly secured services; a larger country on the other side, with quite skilled and experienced users. It shall be highlighted that EU citizens are more concerned about identity theft than they were in 2013. Across Member States, there has been an increase of 16% in individuals very or fairly concerned about internet risks. Even though our citizens are quite aware of identity theft risks, real victims represent 7% of the respondents, far fewer than for malicious software (47%), hacked email (12%) or bank card fraud (8%). This figure is nevertheless significant, because the consequences might be far more severe than those of computer attacks. The percentage is quite similar in most EU countries, although respondents in Hungary and Romania (11%) are more likely to say they have experienced identity theft. The lowest levels (3%) can be found in Bulgaria (low development of internet infrastructures) and the Netherlands (quite skilled users, small country, secure infrastructures). The largest increases since 2013 can be found in Romania (up 6%, poor infrastructures) and France (up 5%, lack of a strong eID programme).

Figure 33 Identity theft represents 7% of the attacks

As detailed in the table below, both Romania and Hungary show the highest scores of ID theft (10%).
Not far ahead of certain large countries like the UK (10%), Portugal (9%), France (9%) and Italy (8%), which have not implemented strong eID programmes. Many of these figures could be considered in the perspective of whether governments or industry have implemented secure ID solutions, which is not the case for these countries.

Figure 34 Romania, Hungary, UK, Portugal, France ranked first for ID theft

8.1.2 Scam emails or phone calls as a means to get access to individuals' details

As said in the previous pages, the most dangerous attacks against credentials do not arise during the connection to on-line services but rather from being victims of malicious emails. The Eurobarometer indicates a strong level of concern about such threats, which might ask for computer access or other details. The percentage depends considerably on the country (IT infrastructure) and the internet culture of the respondents. Not surprisingly, quite low figures can be found where internet providers are secure and customers are aware of potential threats when going on-line (40). As emails often allow access to secure sites and/or contain sensitive data (telephone, address, company name), on average 60% of Internet users across the EU say that they are very or fairly concerned about having their social media or email account hacked. The highest percentages can be found in Spain (74%), Portugal (72%), Malta (71%) and Croatia (70%), certainly due to previous attacks or poor protection from service providers. As usual, northern countries benefitting from secure infrastructures and skilled users are the least concerned: Sweden (37%), Estonia (44%), Netherlands (46%). Even though awareness of internet risks might be very high, real victims represent only an average of 12% of Internet users, who admit that they have had their social media or email account hacked.
This rather limited figure shall be put in perspective with the social and financial consequences that affect these victims. Social media and emails are the entry points for fraudsters to access on-line services on behalf of targeted individuals. The financial consequences can be extremely severe, but this issue will be detailed in the context of the EKSISTENZ Deliverable D3.2.

40 By far the lowest figure can be found in Sweden (just 29% are concerned), while relatively low figures can also be seen in Estonia (38%), Finland (40%) and the Netherlands (43%).

9 A country use case: Identity Theft in Latvia

9.1 General situation

As this study aims at highlighting the main trends on ID documents in Member States, it is worth addressing the context of a particular country, since there are many similarities, even though each government has implemented specific means to combat fraud. The wide coverage of the EKSISTENZ consortium does not allow addressing all the countries represented; for this reason, it was decided to provide more information on how the Latvian government responds to threats and attacks and what services and tools are at the disposal of victims. Identity theft in Latvia constitutes a large problem. It is hard to produce reliable statistical data on this issue, since most of the crimes end up being classified under a different name, such as "signature forgery" or "falsification of document", and there are also several institutions responsible for the forensic examination of such cases, making the collection of cumulative data difficult. According to data from the Latvian Forensic Service Department, in 2013, 401 forensic examinations of signatures were performed, of which 147 were classified as forged.

9.2 Uses of stolen documents and related crimes

There are various uses for stolen identity documents, depending on the imagination and intents of criminals.
In many cases, they can be used to impersonate someone with the intent of leaving the country; to fraudulently register companies (e.g. the company is registered in the name of a fabricated identity but in reality is run by other people); to buy various expensive goods like mobile phones, computers, etc.; to apply for loans; or to shift criminal blame onto someone else (e.g. a vehicle is stolen and at the crime scene an identity document of an innocent person is found, presumably left behind by the actual perpetrator in order to misdirect the investigation and gain time). In regard to falsification of documents, the main purpose is to receive additional money as benefits from the Latvian state and to acquire discounts for the use of public transport or other public services. Such documents are disability certificates, orphan certificates, etc. Perpetrators tend to change the photos in order to receive benefits. Falsification of security and other certificates enables offenders to pretend that they possess certain skills without having gone through, or paid for, the necessary courses and the certificate itself. The situation is similar with falsified Sanitary Books for retail sellers, which serve to prove that they don't carry dangerous diseases. Falsification of primary documents (passports and national eIDs) is also common, although it is not as easy and requires the use of certain technologies. Usually those types of documents are stolen and used for various purposes (some of them were mentioned in the previous sections). Secondary identity documents, bank cards and driving licences, are also frequently falsified. As bank cards are harder to falsify, criminals tend to steal data that will help them to use already stolen bank cards, or otherwise avoid using bank cards at all. Identity data can in many cases be gathered online, not just by stealing someone's wallet or going through their trash.
The falsification of driving licences is very common. There have been particularly unusual cases, where Latvian citizens were caught bearing Paraguayan driving licences. To illustrate the number and extent of such cases, as well as the main sectors in which they occur, the Forensic Service Department has collected statistical data on falsified handwriting/signatures used in the above-mentioned cases over a number of years (the row labels below are reproduced in the order in which they appear in the original table):

Year | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014
33 | 28 | 29 | 24 | 17 | 37 | 60 - Telecommunications contracts
92 | 57 | 75 | 31 | 43 | 33 | 34 - Loan agreements (mainly fast credit applications)
66 | 63 | 67 | 27 | 51 | 20 | 48 - Other financial documents (rental contracts, etc.)
35 | 43 | 46 | 49 | 44 | 28 | 26 - Cases of the Register of Enterprises

Figure 35 Falsified signatures in various business sectors (Latvia)

It should be noted that the table shows only the number of cases in which falsification of documents was found. The actual number of falsified documents varies significantly from case to case and can range from a couple of documents per case to several hundred documents per case. The statistical data on identity document falsifications is presented below.

9.3 Actions of an identity fraud victim

There are no clear guidelines as to what victims of identity fraud should do. Usually people discover that something is wrong when they receive a large bill for something they have never bought. Usually, they first go to the police and make a statement regarding the incident, but they don't get much help because they need to provide evidence. At a minimum, they need to provide a contract or any other document (agreement) which can be checked for signature forgery or provided as evidence. If signature forgery is proven by the Forensic Service Department, the victim can write an application and hand it in at the police department. After that, the case becomes a criminal case and the investigation can proceed.
Unfortunately, victims have to cover the expenses of forensic analysis themselves. Camera recordings can also be used as evidence, in order to prove that a particular person (i.e. the victim) was not visiting the particular shop where the crime took place. Of course, the actual criminal may be smart enough to cover his face, or the camera’s picture quality may be too poor to positively identify or exclude someone as the perpetrator of a crime. Usually, when a suspect is arrested, his DNA sample and fingerprints are taken and checked, which helps to establish his real identity even if that person possesses fake identity documents. This also helps avoid situations where a person is arrested for a crime they never committed.

In the situation where a person realizes that his identity documents have been stolen, or simply cannot find them, he has to call the corresponding phone number. For example, if an ID card, which contains a certificate, is missing, he must contact the trusted certification service provider (LVRTC - Latvian State Radio and Television Centre) by calling 67018989. To verify the caller’s identity, the operator will ask a secret question, which was chosen when the citizen filled in the application for the issuance of his identity card. Similar actions are expected if a person suspects that someone else is using his identity card without his knowledge. To renew blocked/cancelled certificates, a citizen must attend the Office of Citizenship and Migration Affairs (OCMA) or, if abroad, a Latvian diplomatic mission. The same applies to reporting the loss of identity cards and handing in applications for new ones.
Currently, lost/stolen documents are stored in an “invalid documents” register, which shares information with the Interpol and Schengen information systems as well as with other registers within the country, such as the national vehicle and driver registry, the company register, the unified event register and the passport system. The main institutions that provide information for the invalid documents register are the State Police, the State Border Guard, the Office of Citizenship and Migration Affairs, the Consular Department of the Ministry of Foreign Affairs, the Road Traffic Safety Directorate, the Latvian Maritime Administration and other organizations deemed reliable by the State.

9.4 Most common types of identity theft in Latvia

Several of the most common types of identity theft in Latvia are described below.

9.4.1 Criminal Identity Theft

Until recently, most of the falsified passports detected in Latvia or at its borders, which are at the same time borders of the Schengen Zone, were forgeries. In most cases, the photograph and/or personal data had been changed. In 2014 a new type of forgery was detected: a counterfeit Latvian e-passport data page in which the chip and antenna had been imitated. Summarizing the statistical data on registered criminal cases in the Republic of Latvia, the following statistics have been acquired over the past years.
Year   Number of criminal cases
2009   91 cases
2010   63 cases
2011   47 cases
2012   28 cases
2013   36 cases
2014   16 cases

Figure 36 Cases under Criminal Law, Section 275 “Forgery of a Document, Seal and Stamp and Use and Sale of a Forged Document, Seal and Stamp”, 2009 – 2014 (Latvia)

Year   Number of criminal cases
2009   4 cases
2010   0 cases
2011   2 cases
2012   0 cases
2013   2 cases
2014   4 cases

Figure 37 Cases under Criminal Law, Section 281 “Concealing Personal Identity”, 2009 - 2014 (Latvia)

In these criminal cases, the following forged documents have been identified:

a) The most frequently counterfeited documents (in terms of number and significance):
- passports
- identification cards
- driving licenses
- vehicle registration certificates.

b) Other documents:
- disability certificates
- orphan certificates
- politically repressed person’s identity card
- sanitary books
- licenses for transportation of dangerous goods
- state police officer certificates
- military police certificates
- security certificates of the Interior Ministry’s Security Guard commission
- graduate diplomas
- certificates of high school education
- veterinary service certificates
- other documents.

Statistics of the Latvian Forensic Service Department’s findings on the falsification of document types over the years are given in the table below.
Figure 38 Types/origin of documents and falsifications 2008 – 2014 (Latvia) [table: for each year 2008 – 2014 and country of issue of the document, the number of passports, ID cards and driving licenses examined, by type of falsification (counterfeit or falsification) and totals; the values are not recoverable from the extracted text]

An interesting case came from Denmark, where the falsified document was presented as an ID card; however, this state does not issue such documents (Denmark does not have ID cards). These fraudulent documents are forwarded by the State Police for forensic examination. The statistics also include documents sent from the consular authorities of the Republic of Latvia abroad. In all the cases specified in this table, criminal proceedings have been initiated. These statistical figures do not, however, include the data from the State Border Guard.

9.4.2 Driver’s License Identity Theft

This may be considered the easiest form of ID theft to commit, and it is widespread both in Latvia and elsewhere. Somebody’s purse or wallet gets stolen, and that person’s driver’s license is sold to someone. It then becomes easy for the buyer of the document to obtain other forms of ID in the name of the rightful owner of the driver’s license. This type of ID theft usually leads to others, especially criminal identity theft. Statistics of the Latvian Forensic Service Department’s findings on the falsification of driver’s licenses over the years are summarized in the table above. It is worth detailing several identity theft cases involving driving licenses, as this scenario might be replicated in other countries:

Case No 1 “twin / close relative case”

Several cases were discovered last year (2014) during the driving license issuance procedure. An individual who already holds a driving license passes the exams of the Road Traffic Safety Directorate on behalf of a relative. Once he is awarded the license, he hands it over to the applicant, who might even be unable to drive a car.
Case No 2 “stolen passport or ID card case”

A person who has been banned from driving obtains a new license from the Road Traffic Safety Directorate by submitting another person’s passport or ID card bearing a fairly similar face and claiming a theft. By this means, the applicant gets a new driving license under another name.

9.4.3 Financial Identity Theft

Latvia is not immune from credit card fraud; however, concentrated efforts by law enforcement have helped to reduce the number of incidents. Authorities have cracked down on notorious crime establishments dealing with financial identity theft and, as a result, incidents of scams and fraud in these areas have decreased over the years. However, it is worth detailing certain cases, as they might be considered generic and countermeasures should be implemented to address them.

In Latvia, online authentication of persons by means of banking access details is relatively unusual among European countries, and exists alongside traditional means of identification such as the passport and ID card. Such procedures were launched by commercial banks, and this solution is very actively used in the country. This situation arose purely historically, when government bodies clearly demonstrated that, for a long time, they were not able to create a personal identification tool for the electronic environment. This explains why this niche has been occupied by the private sector, which created an appropriate tool for internet banking. The use of Internet banking (e-banking, online banking) is very popular in Latvia, and the banks’ personal identification tools quickly gained acceptance and became widespread among their customers. Since commercial banks have implemented strict authentication procedures, customers have begun to rely on the service: the electronic identification of persons.
As a result, in parallel to the personal identification tools issued by the Latvian State, such as passports, ID cards and electronic signatures, industry-generated identification tools have been widely used for both private sector and public institution purposes.

As with the identity theft case studies, there are no accurate statistics in this area. Law enforcement agencies in charge of identity theft usually take into consideration the way in which the loss occurred. Namely, an identity theft might be qualified as a simple theft or as fraud. Municipalities and government authorities most often classify offences in which identity theft is involved simply as fraud. Most banks do not communicate much on the subject, as they are very keen to ensure the financial security of their customers. There are no comprehensive statistics here, as cases reported to the law enforcement authorities are ultimately re-classified as simple theft or fraud. In order to preserve the anonymity of their customers, dates, places and names of the persons involved are not mentioned.

Case no.1. Attempt to open a bank account on behalf of a brother

A person arrived at the bank in order to apply for an online banking service and to deposit some money in the account. The bank clerk considered that the passport’s photograph did not match the individual’s appearance, although the Lost & Stolen database of the Ministry of Interior (NDR) showed it as valid. An additional check, the address, was confirmed, but the telephone details did not match the bank’s system files. After further queries, the applicant admitted that he intended to open an account on behalf of his brother, who was unable to present himself. For this reason, online banking was denied.

Case no.2. Identity impersonation between relatives

This case corresponds to an impersonation between relatives.
A female customer closed her account when leaving the country. Her sister then opened an account based on her passport in order to benefit from credit facilities. Only small amounts had been granted before the fraud was identified.

Case no.3. Stolen bag allows thief to take advantage of the victim’s account

A bank customer was the victim of a thief on a bus. His bag with documents was stolen, including a bank card, online banking code card, access details and telephone. As he had been very busy at work, he did not report the loss to the bank. This allowed the thief to present himself at the bank branch and ask to unlock the online service on presentation of the passport and a signature, both of which were checked as valid; he then started to withdraw cash and apply for credits. The fraud was discovered when the genuine customer presented himself at the bank.

Case no.4. Impersonation of a customer with a similar face

This is the typical case where a customer reported the opening of a bank account following the theft of his passport. The fraudster took advantage of a close resemblance between himself and his victim. He succeeded in obtaining credit before the fraud was identified and the issue resolved.

Case no.5. The client’s son organizes the fraud

This is a typical case where bank details are known to family relatives. Several online withdrawals were performed, and access details were changed after presentation of the customer’s passport at the bank branch, until it became clear that the client’s son had organized the fraud. The customer has submitted a complaint to the police.

Case no.6. Hotel staff takes advantage of a customer’s passport

This is the typical case of a customer behaving negligently and leaving his passport accessible during a hotel stay. A staff member took advantage of the document, opened a new bank account and succeeded in withdrawing cash and being granted several credits before the fraud was discovered.