As more and more businesses are operating remotely, they face a corresponding rise in both the number of cyberattacks and their sophistication. Many of these attacks exploit vulnerabilities during verification of personal data via mobile devices.
This article discusses a strategy known as “Zero trust to mobile” that can prevent the manipulation of personal data during remote identity verification processes.
Let’s get started.
What is zero trust? And why the emphasis on “mobile?”
Zero trust is a security approach that treats all connections and devices used to access a service as potential threats. Security professionals who apply it must audit and protect all resources, limit and strictly enforce access control, and inspect and log all network traffic.
The zero trust method contrasts with traditional perimeter-based security, which relies on strong outer defenses (like castle walls) to protect a trusted interior.
The weakness of the latter is that, while companies try their best to secure their systems well, users’ mobile devices tend to be more vulnerable. And this makes them attractive targets for cybercriminals.
In the zero trust model, every time someone requests access to a system, say when a person signs up and does onboarding for a banking app, the request is checked inside and out. This involves authorizing the client app, confirming the identity of the user and the device, and examining the details of the request, for instance, whether the user should have access and if the request appears genuine.
Zero trust in identity verification
ID documents are an integral part of identity verification, whether it’s a remote process or not. However, in a remote-first scenario, this leads to two questions:
Can we verify this document with confidence without having a chance to physically examine it?
Can we trust the data obtained from this user’s device?
Let’s comment on each of them.
Can we verify an ID document remotely with confidence? — Yes, if it’s an electronic document
To verify traditional documents (without a chip), you have to rely on optical solutions. This means literally evaluating snapshots taken on a mobile camera. Unfortunately, this can be risky. Such documents and their snapshots are easier for fraudsters to manipulate and are harder to verify remotely.
Some companies, however, might need to handle such documents, especially if they operate in countries that don’t have electronic IDs. (That’s currently the case for India.)
Seasoned identity verification providers offer ways to reinforce the reliability of handling chipless documents. Regula, for instance, checks dynamic security features, such as holograms, Multiple Laser Images (MLI), and Optical Variable Ink (OVI). We also confirm that the ID shown is not just a screenshot from a device but a real physical ID.
Companies that accept non-electronic documents might also request customers to provide additional evidence to support verification results, for example, utility bills.
Electronic documents (with chips) are a different story. They are nearly impossible to fake because the data within their chips is encrypted and digitally signed. (We covered this in detail in our guide on RFID technology.) So you don’t only examine how the document looks, but can also confirm the integrity and authenticity of the chip data using asymmetric cryptography. This makes identity verification based solely on electronic documents the most secure option out there.
Also, if a user’s mobile phone reads the chip of an ID, it implies the user really has this document at hand. Thus, it effectively addresses document liveness issues in remote processes.
But as good as this all sounds, it’s a bit too early to relax.
Can we trust the data obtained from a user’s device? — Nope.
Even when a document is impossible to fake, the verification session is still vulnerable. So, verification performed right on a user’s device isn’t reliable enough, especially for sensitive industries with a low risk tolerance, such as finance and banking. To get reliable verification results that prove your user is trustworthy, it’s vital to shift the point of trust from the user’s device to a more controlled and secure server-side environment.
If the backend blindly trusts the client app, and there are no additional re-verification measures, there’s a risk of verification results being modified by fraudsters directly on the same device. They might try to replace all or part of the client app and tamper with the verification results. For example, they may alter the result of an ID check from “failed” to “passed.”
Scammers can also present a genuine passport equipped with an RFID chip containing information cloned from someone else’s document. Such counterfeit documents might then be mistakenly verified as valid when submitted online.
Fraudsters can try manipulating the session data that is being sent from a mobile phone to a server.
All of these are deliberate fraud attempts.
In some cases, end users may have no connection with fraudsters whatsoever—they just use public Wi-Fi. Fraudsters can eavesdrop on the traffic between the client and the server in order to steal users’ private data.
The solution: Encrypt all the data, prefer electronic IDs, and enable server-side verification
Let’s address this one by one.
→ Encrypting sensitive data
It’s essential to incorporate end-to-end encryption, ensuring that data transmitted between a client and a server remains protected from any unauthorized access or tampering. Remember the last time you saw a small lock icon in your browser's address bar? That’s a vivid example of a site that takes care of encrypting sensitive data.
→ Accepting electronic IDs only (when possible)
As we’ve said earlier, verifying ID documents equipped with a chip is currently the most reliable way to confirm a customer submits a legit ID. In fact, this decision alone protects you from the majority of identity proofing threats.
In a nutshell, electronic documents allow you to verify their data for integrity and authenticity via Document Signer Certificates (DSCs) and Country Signing Certificates (CSCAs).
If you can’t include chip verification in your workflow for some reason, then look for additional checks that help you verify document liveness. One of these methods is detecting the presence of dynamic security features, such as holograms, in IDs.
→ Enabling server-side verification
While using electronic IDs is one of the most advanced ways to authenticate customers remotely, there’s a loophole for fraudsters. All chip authentication mechanisms were designed for use with trusted devices, which isn’t always the case when it comes to the variety of users’ devices.
The idea here is to perform the actual verification session on your server. In this case, the client acts only as a reader, while the server takes an active part in the process: it generates session keys so that it can decrypt the session data transmitted to it once the chip is read.
As all verification data is kept in your secure perimeter, you can request it anytime and re-verify it if necessary.
Please note that you need to have all the necessary certificates for passive authentication in place on your server to guarantee successful verification of the chip data.
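A simplified model of the server-side re-verification described above, added here as an illustration (it is not Regula's code or API). It assumes raw ECDSA signatures over JSON in place of the CMS security object and X.509 certificates a real chip carries; issueChip, verifyOnServer and the clientVerdict field are hypothetical names, and all keys and document data are constructed.

```javascript
// Added example: simplified model of server-side passive authentication.
// Real chips carry a CMS SignedData security object and X.509 certificates;
// plain ECDSA signatures over JSON stand in for them here (assumption).
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const spki = (key) => key.export({ type: 'spki', format: 'der' });

// Constructed test material: a country signing key (CSCA), a document signer
// (DSC) endorsed by it, and a chip whose data-group hashes the DSC has signed.
function issueChip(csca, dataGroups) {
  const dsc = newKey();
  const dscPub = spki(dsc.publicKey);
  const hashes = {};
  for (const [name, bytes] of Object.entries(dataGroups)) hashes[name] = sha256(bytes);
  const sod = Buffer.from(JSON.stringify(hashes));
  return {
    dataGroups,
    sod,
    sodSig: crypto.sign('sha256', sod, dsc.privateKey),
    dscPub,
    dscSig: crypto.sign('sha256', dscPub, csca.privateKey),
  };
}

// Server side: the client's own verdict is never read. The result is derived
// only from the raw chip data and the trust anchors stored on the server.
function verifyOnServer(submission, trustedCscaKeys) {
  const { chip } = submission; // submission.clientVerdict is deliberately ignored
  const anchored = trustedCscaKeys.some((k) => crypto.verify('sha256', chip.dscPub, k, chip.dscSig));
  if (!anchored) return { passed: false, reason: 'document signer not issued by a trusted CSCA' };
  const dscKey = crypto.createPublicKey({ key: chip.dscPub, format: 'der', type: 'spki' });
  if (!crypto.verify('sha256', chip.sod, dscKey, chip.sodSig))
    return { passed: false, reason: 'security object signature invalid' };
  const signedHashes = JSON.parse(chip.sod.toString());
  for (const [name, bytes] of Object.entries(chip.dataGroups))
    if (signedHashes[name] !== sha256(bytes))
      return { passed: false, reason: `${name} does not match its signed hash` };
  return { passed: true, reason: 'chip data is authentic and unmodified' };
}

// Constructed demo: a genuine chip verified against the server's trust anchor.
const demoCsca = newKey();
const demoChip = issueChip(demoCsca, { DG1: Buffer.from('constructed MRZ data') });
console.log(verifyOnServer({ clientVerdict: 'passed', chip: demoChip }, [demoCsca.publicKey]));
```

This check covers the integrity and origin of the chip data only; it does not by itself show that the chip is the original one rather than a copy.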
Real-world case study and workflow
Enough theory, let’s have a look at how it works hands-on.
UBS, the largest bank in Switzerland and the world's largest private bank, has partnered with Regula to create a totally new experience for remote account opening and accessing banking products. Previously, UBS required real-time video interviews to verify new customers. Now, the process is fully automated through their mobile banking app.
One of the eligibility prerequisites is that the process accepts biometric IDs only.
This new process integrates Regula’s complete server-side verification flow, which ensures the biometric documents are authentic, the information is trustworthy, and the chip isn’t cloned or its data manipulated.
The value of such server-side verification is that it’s possible to tell when exactly the chip was read using Regula Document Reader SDK, and use the results of the session to verify that the data was delivered fully encrypted and unchanged to the backend.
From a business perspective, the updated service is no longer limited to working hours but is available 24/7, while reducing the workload for employees. This efficiency not only lowers the cost of onboarding, but also improves user conversion rates and significantly reduces drop-off rates.
How Regula can help
The concept of zero trust isn’t new. In fact, this is how most modern mobile banking apps operate today. These apps don’t just exchange data without solid protection; however, this protection is enabled thanks to comprehensive development efforts by the companies themselves.
Regula’s contribution to this ecosystem is a solid ready-to-use solution that handles the whole identity verification part. Aside from supporting a zero trust model, its advantages include (but aren’t limited to) the broadest coverage of ID documents from around the world, and numerous intricate checks and cross-checks performed on the client and server sides. Plus, the solution complies with the most authoritative regulations and standards set by the ICAO and BSI.
If you're concerned about mobile-based identity verification, or looking to streamline your current verification processes, we can help. We’ve already helped numerous clients, including global banks like UBS and others, by providing robust, server-side identity verification solutions that ensure both convenience and security.
If you’d like to learn more about how your organization can benefit from our identity verification technology, do not hesitate to get in touch with Regula. We're ready to assist, with no obligations involved.