CUs Should Start Preparing for Digital ID Adoption: Fraud Expert

Last month, Apple announced that digital driver’s licenses and state ID cards would soon be accessible via Apple Wallet for consumers in eight states: Arizona, Georgia, Connecticut, Iowa, Kentucky, Maryland, Oklahoma and Utah. The inevitable widespread adoption of digital IDs nationwide is on the horizon, but the added convenience is likely to be accompanied by new opportunities for fraud, according to a new e-book from security and identity protection company Sontiq, “Protecting What Matters Most.”

In June of this year, Utah Community Credit Union ($2.4 billion, Provo) announced it had been selected by the Utah Driver License Division and GET Group North America, which provides the mobile driver’s license (mDL) technology platform GET Mobile Administrator, as the first financial institution in Utah to test mDLs as a legal form of identification for all banking transactions. Sontiq SVP, Data Breach Solutions Al Pascual said while early adopters of digital IDs such as Utah Community will have security on their side due to working with a digital ID-focused technology provider, he is concerned about credit unions that may begin accepting digital IDs before the necessary technology has been implemented.

“In order to validate digital driver’s licenses correctly and effectively, enterprises including credit unions will need to adopt the additional technology themselves,” Pascual said in an interview with CU Times. “That means more cost and it takes time too. I think that could lead some institutions to lower the bar for digital driver’s licenses, meaning they may ostensibly look to find ways to validate them that are on par with traditional driver’s licenses until they’re in a position to leverage the technology to take advantage of the additional verification benefits that come with it.”

“Lowering the bar” might look like manually typing in a member’s mDL information, as one would with a physical driver’s license, and perhaps looking for a distinguishing feature that exists on a genuine mDL, he said. “Inevitably, that’s the kind of thing criminals can take advantage of. Once you have something in the digital realm, the data and images are very easy to manipulate, to fake, to counterfeit,” he warned.

What’s more, the eventual widespread adoption of digital IDs will be accompanied by the creation of centralized databases containing digital ID data, which will make enticing breach targets, according to Pascual and the e-book.

Some countries were early adopters of digital IDs with dire results. In 2017, Estonia’s digital ID program experienced a setback when a major breach affected close to a million IDs, and in 2018, a security breach compromised personal data belonging to over a billion people in India who were enrolled in the country’s biometric ID program Aadhaar. The lesson from these large-scale incidents is that layering various forms of authentication will continue to be critical, Pascual said.

“It’s a tale as old as time in the identity space: A single form of identity verification becomes a single form of failure,” he said.

To get ahead of these threats, Pascual recommended that credit unions begin reaching out to their core processor and other technology providers and asking them how they plan to ultimately accommodate digital IDs. They can also start looking into companies that plan to partner with states on digital ID efforts, as they will providing much of the underlying technology, he added.

“By virtue of doing that, you’re also signaling your interest to the companies that provide the technology that you want to be able to accommodate it,” he said. “And the more they hear about it, the more quickly they’re going to want to be involved in it and support it.”

More Scams Targeting Children

Financial accounts designed for kids are becoming more common, as today’s youngsters are more likely to give and receive money digitally as opposed to in cash. That means fraudsters have a ripe new category of targets to prey upon.

Sontiq’s e-book warned of a rise in “mule colt” scams, or mule scams targeting children, in which fraudsters solicit young accountholders to help move stolen funds under false pretenses, promising the child that they may keep a small portion of the stolen funds and ultimately leaving them (or more likely, their parent) to deal with the fallout from the illicit transfer.

Pascual said these fraudsters typically connect with kids online via gaming or social media apps, using a false identity to build a relationship and eventually coercing them into becoming a money mule. And the fact that kids can unknowingly comply with a scam through just a few clicks on their phone raises fraudsters’ chances of success.

“The purely digital aspect of how we engage in finance and move money kind of lowers the bar for kids – it’s not like they have to go to a branch and do anything,” he pointed out. “They’re digital native, so it’s, ‘Hey, do me a favor and click a couple of buttons, and I’ll give you $50 in Roblox bucks if you could just help me do this because I have to send money to my sick grandmother in Romania.” (Roblox bucks are a digital currency used for online gaming.)

It’s incumbent on credit unions, he said, to educate their youngest members not only on how to manage money, but how to be on the lookout for scams. He added parents should also enable notifications for their child’s account so they can be instantly alerted to any new activity.

When it comes to raising awareness about fraud, however, sending out an educational email to members once in a while may not be enough.

“The problem with security education is that members tend to get so much of it that they tune it out,” Pascual said. “So you need to find a way to make it personal, speak directly to the member and their needs, and when you do that, that’s going to translate into the kinds of behaviors you want to see.”