Digital fraud has never been more prevalent, potentially costing the world $10.5 trillion USD annually by 2025, a truly staggering sum. In the U.S. alone, $382 million was stolen in COVID-19 related scams, often by fraudsters registering for stimulus checks and unemployment benefits with stolen identities. Criminals have used multiple avenues to steal money from unsuspecting Americans, including crimes around financial relief like stimulus checks and unemployment benefits, fake treatments for COVID-19 and fraudulent charities.
Americans began submitting more than 3,000 complaints mentioning coronavirus keywords nearly every month starting in April 2020, according to the Bureau, a federal agency that polices financial wrongdoing impacting consumers. Identity theft has also been a frequent problem in connection with unemployment benefits collected during the pandemic. Around 60,000 people have reported identity theft to the FTC since last year. The U.S. Labor Department on Monday launched a website for Americans whose personal data was stolen and used to claim fraudulent unemployment benefits.
The fundamental problem at the heart of online fraud is this: how can organisations tell that a person is who they say they are? In real life, clearly identifiable identity markers, from faces to fingerprints and DNA, are supplemented by certified documents like passports and driver’s licenses, which together limit a person’s ability to pass themselves off as somebody else.
Online, a bad actor (or increasingly an automated bot) who enters the correct username and password on a website has access to everything the person who set up the account does. Digital identities clearly must be as strong as offline identities.
Congress has already identified this problem and introduced a bill aimed at providing a solution. The Improving Digital Identity Act aims to develop standards to guide government agencies when providing digital identity services, upgrading existing systems and creating interoperable tools for verification. It is a promising start, but it may be hampered by the lack of clarity around digital identity itself.
Digital identity documents are already used in applications like the biometric IDs that are issued, but these are not interoperable – they have specific use cases and are not an “all in one” digital identity that could be used anywhere. Even with the Improving Digital Identity Act, there is unlikely to be a single government-mandated ID in the U.S., but there may be multiple private-sector suppliers offering approved digital IDs under a regulatory framework established by the legislation.
Any framework will have to be based on a public-private key architecture. Asymmetric cryptography, where a freely available public key can be used to verify signatures made with a private key held by one person, is a highly scalable, robust method for keeping digital IDs secure. It is already used in thousands of applications in the public and private sectors.
The private keys must absolutely remain secret, which makes hardware security modules the ideal choice for generating and securely storing strong private keys. Unlike with software solutions, the keys themselves are never read into the main memory of a computer, which means that they cannot be compromised remotely.
With online fraud as pervasive as it is, it is no surprise that the government is looking for digital identity solutions for immigration, deterring identity theft and speeding up government services, even those as mundane as renewing a driver’s license. Given how important getting it right will be and the substantial benefits from doing so, both the government and private sector must work toward meeting the very highest standards of security.