The only one and proper signer identity verification?

Introduction

A draft of regulation of the European Parliament and the Council on electronic identification and trust services for electronic transactions in the internal market has been published in June last year. The regulation will establish only two identity verification methods in process of issuance a qualified certificate. Is it possible to establish a single and proper identity verification method without a risk analysis?

Verification conditions resulting from the proposed regulation

Article 19 of mentioned regulation draft states the following:

Requirements for qualified trust service providers

1. When issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom a qualified certificate is issued.

Such information shall be verified by the qualified service provider or by an authorised third party acting under the responsibility of the qualified service provider:

(a) by a physical appearance of the natural person or of an authorised representative of the legal person, or (b) remotely, using electronic identification means under a notified scheme issued in compliance with point (a).

This entry limits the identity verification means of a person requesting a qualified certificate to a personal appearance of this person of his proxy with identity documents or remotely, with the use notify means provided by the Member State i.e. polish trusted profile (ePUAP).

To evaluate the effectiveness of such identification a risk analysis shout be carried out.

At the outset it should be noted that the electronic signature is not a solution that completely replaces a handwritten signature or other personal expression of the will in each transaction. The certification authority while issuing a certificate can, on request of the applicant, include a transaction limit in which the certificate can be used and the certification authority bears responsibility for that amount.

This amount can vary from low to very high so one must consider if the personal appearance is adequate to the threats related to identity verification.

Identity verification by personal appearance

Identity verification by personal appearance is based upon a single-factor confirmation of identity. The confirmation decision is made by a person, that is the weakest link of every process. The following vulnerabilities apply to this situation:

  • Inadequate skills and knowledge about fraud detection,
  • No adequate training for skill improvement,
  • Malaise/fatigue,
  • No work motivation,
  • Improper recruitment process,
  • Working under time pressure,
  • Desire for personal profit,
  • Deficiencies of verification processes and their monitoring,
  • No suitable policies and guidelines associated to performer activities.

Those vulnerabilities can lead to materialization of following threats:

  • Use of a counterfeited identity document,
  • Use of a counterfeited power of attorney,
  • Use of a genuine document by an unauthorized person,
  • Abuse of power of a person authorized to identity verification by miss use the verified identity,
  • Conspiracy to defraud of the positive identity verification.

It’s easy to note that the probability of such risks materializing is high and can be carried out in a short period of time. Safeguards, however, are expensive and inefficient. Those safeguards include training and turnover of staff positions and work monitoring by people not involved in this particular process. In practice, no such safeguards are used.

Identity verification with the use of notified means provided by the Member State

The proposed regulation also assumes a different identity verification mechanism which will be notified by the Member States. Currently it’s not possible to indicate a specific solution, but in Poland’s case it will probably be ePUAP.

Nowadays, the ePUAP has a large number of vulnerabilities, to be used as trustworthy mechanism. One of the largest vulnerability is that the control over the profile is protected by password only.

At the moment it is difficult to carry out any risk analysis for other mechanisms, since neither were introduced legislation sanctioning them or the mechanisms themselves have not been implemented.

Other possible mechanisms of identity verification

There are many traces of peoples activity in the world, both real and virtual, which, depending on the amount of the transactions can be used in the authentication of a person. These measures may be used separately, as well as in sequence in order to increase reliability of identity verification.

Social networking profiles.

User profile include data gathered over the years, includes history, a network of friends, the experience confirmed by clients / employers, etc. However, creating of such profile is the responsibility of the user and it includes the following vulnerabilities:

  • no formal procedures for user registration,
  • authentication mechanism based on a password,
  • poor security awareness of users,
  • lack of monitoring mechanisms of actions taken by the user.

These vulnerabilities could cause such threats to materialize:

  • using a fake profile,
  • using a genuine profile by an unauthorized person.

It’s easy to notice that the risk of a false profile use is relatively high. However, if we assume that the verification of identity is possible only with a profile which is existing for a number of years, we can consider using this profile to protect low-value transactions. Additionally, we can use an automated system to analyse the behaviour of users in different portals to catch anomalies, which may provide a more secure way of identity verification.

Bank account or credit card

In order to open an account or get a credit card a personal identity verification is required. Unlike appearance in front of a civil servant, a bank clients identity is verified also by formal and strictly followed and monitored procedures. The verification process includes: identity verification, the accuracy of the information contained in the applications, credit history check, current income information, etc. These procedures were improved by the financial sector during the many years of use and have led to a state close to perfection. They eliminate most of the vulnerabilities associated with human being. It seems, therefore, that properly designed business processes associated with the issuance of a qualified certificate and securing transactions where proof of identity is based upon a financial transaction using a credit card or an account are more secure than personal identity verification by a civil servant.

Vulnerabilities that occur during identity verification by a bank employee:

Inadequate skills and knowledge about fraud detection,

  • No adequate training for skill improvement,
  • Malaise/fatigue,
  • No work motivation,
  • Improper recruitment process,
  • Working under time pressure,
  • Desire for personal profit,
  • No suitable policies and guidelines associated to performer activities.

These vulnerabilities could cause such threats to materialize:

  • Use of a counterfeited identity document,
  • Use of a counterfeited power of attorney,
  • Use of a genuine document by an unauthorized person,
  • Opening an account for a substituted person,
  • Conspiracy to defraud an account or a credit card.

As shown above, vulnerabilities and risks are similar to those in the process of verifying the identity by a public officer, however, verification and monitoring procedures in financial institutions are well-developed. This method also allows the use of mutual authentication through the exchange of payments in both directions, and send the relevant codes such as activation in the title of the transfer.

Delivery services

Delivery services companies are often used when transferring agreements between parties. Delivery services employ usually in such cases, verifies the recipient using the identity card and is able to verify the identity and address of residence.

Vulnerabilities related to process carried out by a courier include:

  • Inadequate skills and knowledge about fraud detection,
  • Malaise/fatigue,
  • No work motivation,
  • Working under time pressure,
  • Desire for personal profit,
  • No suitable policies and guidelines associated to performer activities.

These vulnerabilities could cause such threats to materialize:

  • Use of a counterfeited identity document,
  • Use of a genuine document by an unauthorized person,
  • Conspiracy to defraud of the positive identity verification.

Delivery services companies are not responsible for verifying the identity of recipients, unless they have a separate agreement for the implementation of the processes in which they carry out such verification on the basis of an identity document or i.e. telephone bill with name of the recipient and his address. Binding sites and documents may be a sufficient way to protect processes of the value of even a few thousand. Also, this method allows for mutual authentication, for example, by giving the ID placed inside the parcel.

E-mail

E-mail sent from any source is not an appropriate way to carry out the verification process at any level of confidence. If an email comes from a domain belonging to a well-known employers, public administration, etc., you can assume, after checking the information contained in the message header, a certain level of confidence in the identity specified by the user. This level may be higher if this domain is secured with cryptographic services like TLS, DNSSEC, etc.

Vulnerabilities related to process carried out by e-mail:

  • Lack of knowledge regarding safe use of computers and e-mail,
  • Operating systems and application vulnerabilities,
  • Desire for personal profit.

These vulnerabilities could cause such threats to materialize:

  • Abuse of computer equipment by an unauthorised person,
  • Conspiracy to defraud of the positive identity verification.

Summary

There are many other mechanisms that can be used in the process of confirming a person's identity:

  • confirmation by the employer (confirm the identity of the employee),
  • confirmed by the service provider (confirm the identity of the customer),
  • presenting an official receipt of submitting a tax statement.

These mechanisms are based on known users warranties and confirmations from companies.

Although each of the above methods has a number of vulnerabilities and risks associated with them, all of the mentioned above methods can be combined, depending on the value of the transaction to be secured by a qualified certificate. The use of multifactor identity verification helps to reduce the risk for two reasons. First, the individual factors are related to the verification of identity in different areas of sensitivity, which complement each other, i.e., the risk materialize during verification using a one factor is discovered in the implementation of the verification using a different medium. Second, batch fabrication of identity verification for multifactor is time-consuming and error-prone, so it’s easy to detect.

The used methods should address the risk to be bear by the centre responsible for the proper carrying out of the procedure. This means that the safeguards of the process should reduce the risk of taking responsibility for errors in the process of registering a user to the system.

Determining the single way to authenticate as equitable is not good for several reasons. It does not allow the use of additional verification mechanisms for these processes, for which, due to the security risk, different safeguards should be used, and forces the use cumbersome mechanisms where the risk is small and does not require the use of complex safeguards. It also does not allow the use of other safeguards adequate to the level of processes risk.

Przemysław Momot
 

Summary of the described vulnerabilities and threats to identity verification methods.