
The “wallet wars” have been heating up lately as vendors galore enter the identity wallet space. This notion of identity wallets has been bubbling up for a few years, brought about by the self-sovereign (or decentralized) identity movement.
The concept of a digital wallet that contains one or more identity elements is compelling. After all, most of us are used to carrying identifying documents around with us to prove our age or domicile – driver's licenses, passports, identity cards, and proof of age are all potential candidates for digitization and placement in a digital wallet.
Wallets are convenient – many argue that they give users control and are respectful of privacy. However, the watchful eyes of cybercriminals will no doubt be turning towards the rich pickings in the digital identity wallet. As banking trojans have become a significant threat to safe banking, identity trojans will do the same for secure identity transactions.
Are identity wallets as good a target as mobile banking apps?
Many people like the idea of mobile banking – it's convenient, and anything that makes it a little easier is welcome. A study from Chase backs this up, finding that 87% of customers use their banking app at least once a month. As a result of the popularity of mobile banking, the apps have become a target for cybercriminals – research from Kaspersky shows a 100% increase, with 200,000 new mobile banking trojans appearing in 2022. Banking trojans steal credentials and then your money.
Trojans are typically activated when a person installs an infected app. But what about the equivalent attacks on identity wallets?
Identity wallets are an app that let you store identifying information, such as identity documents or verified credentials. The latter could be anything from a university degree to proof of profession and employee record. Identity wallets are helpful because they offer convenience, user control, easy access and authentication, and encryption.
Increasingly, governments are exploring the potential of identity wallets to access government services. The EU Commission and eIDAS wallet are going a step further, mandating that the wallet is used to access large online platforms, such as Facebook, and to offer verified identity credentials when creating a bank account. Cybernews has already discussed concerns in the industry regarding the privacy of the eIDAS wallet.
I may be wrong, but once identity wallets become widespread and, more importantly, used to facilitate online access and transactions, cybercriminals will move trojan targeting to identity wallets.
Are there any safe identity havens?
To help mitigate the impact of a trojan on the use of an identity wallet, we need to look at how mobile banking apps handle the trojan threat. Banking app developers use a variety of techniques to mitigate the threat of banking trojans, including the following:
- Biometric authentication: Biometrics authentication springs to mind when considering mitigating a trojan's impact. However, the Android banking trojan, "SharkBot," found by the Cleafy Threat Intelligence Team in 2021, can take over a user's device and bypass multi-factor authentication mechanisms, including biometrics.
- Mobile app shielding: involves using various code techniques, such as obfuscation and Runtime Application Self-Protection (RASP), to add complexity and detect and respond to attacks. However, bypassing RASP is possible, especially as ensuring that protection is consistent across all operating environments can be challenging. RASP may also find it difficult to inspect encrypted data, such as that found in identity wallets, preventing the detection of an attack.
- End-to-end and storage encryption: this is security 101 and must be fundamental in any identity wallet. However, encryption is only as good as encrypted data's authentication and access control – see biometrics and Sharkbot above.
- Auto-updates: again, security 101, and besides, the access control aspect overrides the protection afforded by timely patches.
- Blockchain-based wallets: blockchain was the starting gun, making the noise needed to kick-start the identity wallet industry. Organizations like Sovrin developed a governance framework based on public blockchains to provide the backbone for decentralized self-sovereign identity: a laudable goal. However, blockchain doesn't offer any additional security against trojans. Once wallet credentials are compromised, the blockchain credentials are also at risk, and your data can be used to perform online transactions.
Your identity wallet or your life (or both)
Many trojans are specifically developed to target Android apps pushed out via the Google Play Store. A recent example was the Anatsa Trojan, which used overlay phishing screens when a user launched a legitimate banking app. The malware then stole the banking app credentials and, ultimately, the person's bank and financial data.
Apple iPhones are known to be less susceptible to trojans, but they aren't immune, especially if the phone has been jailbroken. If you run an identity app (wallet) on your mobile device, it will potentially be as vulnerable to a trojan as a banking app.
Identity wallets contain valuable data and can be the entry point to other applications. For example, a recent Cybernews post about the EU's eIDAS identity wallet mentioned that the EU was to mandate the use of eIDAS wallets for access to large online platforms such as Facebook. If a trojan takes control of an eIDAS wallet, the owner would potentially lose control of any other online account connected to the wallet.
The EU is also suggesting that banks use the eIDAS wallet to perform at least part of a KYC check to open a bank account…you can see where this is leading. Cybercriminals are bound to target identity wallets. It's too much of an opportunity to miss.
I believe that the convenience of the identity wallet, like its banking counterpart, will make it attractive for the consumer. However, wallet developers must do everything in their power to bake security in – after all, security is about reducing risk, as there is no such thing as perfect security. It’s always a trade-off.
Final note: On November 8th, 2023, the App Defense Alliance announced the formation of a founding steering committee with Google, Microsoft, and Meta at the helm. App Defense Alliance, under the Joint Development Foundation, is part of the Linux Foundation family. The hope is that a suite of industry standards for app security will follow.
Your email address will not be published. Required fields are markedmarked