We all know the story: James Bond, better known as 007, rescues the girl (most of the time), eliminates the villain and ultimately saves the day. Using a variety of identities, Bond talks his way in and out of scenarios, playing different roles and even speaking different languages to get any information he needs.
Though Ian Fleming left us with fourteen novels of thrilling stories, readers may finish these books thinking, “If 007 can save the world with fake identities, it’s no wonder that identity theft is a highly pursued effort by fraudsters.” Even though advanced technology is securing identities and personal information, the transition from physical licenses to digital can be seen by some as “shocking, positively shocking.”
So, what are the security implications of carrying around your ID information on your phone instead of just on a piece of plastic in your wallet?
Whether you’re using your digital driver’s license (DDL) to prove your identity to law enforcement or the TSA (Transportation Security Administration), or verifying your age when asking for your martini to be ‘shaken, not stirred,’ rest assured your information is safely secured on your smartphone.
Question: What if someone takes a screenshot or picture of a digital driver’s license?
My answer: It is technically possible for someone to take a picture of your DDL while it is displaying on your phone – but it would be useless. This is no different than someone taking a photo or making a copy of your plastic driver’s license. What could they possibly do with it?
It won’t be accepted by law enforcement as an ID, it won’t work at airport security, it won’t work for age verification, and it will quickly prove to be useless. The moment someone tries to use this copy or photo, it will be identified as invalid.
But more than that – DDL offers an additional layer of assurance. When a DDL is presented to Law Enforcement or TSA, you do not show an on-screen picture of your DDL. Instead, you present a QR code that represents the driver’s license data. This QR code is created with dynamic data that is only valid for one transaction.
The officer reads the QR code using a verification device, and the code’s validity is confirmed by a backend system. Hence, even if someone took a snapshot of the QR code to try to reuse it in the future, it would fail the validation test and alert Law Enforcement or the TSA of this fraudulent attempt.
Question: Is an individual’s personal information stored on the DDL verification device?
My answer: No footprint or user information is stored on the verification device.
Even when you are sharing information, for example presenting your age and photo when buying alcohol at a liquor store, the data is only visible to the merchant for a few seconds before it is automatically wiped. The entire verification process is fully compliant with PII policies.
Question: Can the DDL be hacked and/or fraudulently duplicated?
My answer: As a stand-alone piece of information, nothing is entirely ‘hack-proof.’ A skilled hacker or coder could indeed create an authentic-looking credential. However, it wouldn’t be usable beyond bragging rights of “I created a fake digital ID.”
As soon as the fraudulent credential was used in the field, it would immediately be revealed as counterfeit, because only a genuine document would have the correct cryptographic keys.
Bear in mind that Gemalto’s DDL solution is not just a document stored on your phone; it is the full environment from secure issuance, to usage, to verification. This creates an end-to-end system that can provide trusted document authenticity assurance at a level not possible with traditional, stand-alone credentials.
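As an added illustration (not Gemalto’s implementation and not code from the original post), the sketch below shows one way a backend could make a QR payload valid for a single transaction, as in the screenshot answer, and reject credentials that were not signed with the issuer’s key, as in the counterfeit answer. The `Backend` class, the field names, the 30-second lifetime and the use of HMAC-SHA256 are all assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

class Backend:
    """Hypothetical issuer/validator; every name here is an assumption."""

    def __init__(self, ttl_seconds=30):
        self._key = secrets.token_bytes(32)   # issuer secret, never leaves the backend
        self._ttl = ttl_seconds
        self._pending = set()                 # nonces issued but not yet redeemed

    def _tag(self, body):
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue_qr_payload(self, license_id, now=None):
        """Return the string the phone would render as a QR code."""
        now = time.time() if now is None else now
        claims = {"lic": license_id, "nonce": secrets.token_urlsafe(16),
                  "exp": int(now) + self._ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        self._pending.add(claims["nonce"])
        enc = base64.urlsafe_b64encode
        return enc(body).decode() + "." + enc(self._tag(body)).decode()

    def validate(self, payload, now=None):
        """Return 'valid', 'forged', 'expired', 'replayed' or 'malformed'."""
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = payload.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            tag = base64.urlsafe_b64decode(tag_b64)
        except ValueError:                    # wrong shape or bad base64
            return "malformed"
        if not hmac.compare_digest(tag, self._tag(body)):
            return "forged"                   # not signed with the issuer key
        claims = json.loads(body)
        if claims["nonce"] not in self._pending:
            return "replayed"                 # nonce was already redeemed
        self._pending.discard(claims["nonce"])  # burn the nonce on first use
        return "expired" if now > claims["exp"] else "valid"

if __name__ == "__main__":
    backend = Backend()
    qr = backend.issue_qr_payload("CONSTRUCTED-LICENSE-001")  # constructed sample id
    print(backend.validate(qr))   # first scan by the verification device
    print(backend.validate(qr))   # a photographed copy presented later
```

The replay check depends on state the backend keeps, which is why a verification device that only reads the QR code cannot detect a reused snapshot without contacting it.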
Question: Is the connection to the verifying party in a DDL transaction permanent?
My answer: Absolutely not! Our solution is designed to conduct the verification with extreme consideration for protection of PII and privacy compliance. The individual’s data is never stored on any verification device and the data required for the transaction is set to automatically disappear after the set amount of time required to process the transaction.
Additionally, the data transmission from the user’s phone to the verification device is a one-way communication channel that originates within the DDL application and does not allow any additional data transmission outside of the application. And of course, data – both at rest and in transit – is always encrypted using multiple layers of strong encryption to ensure your information is protected.
Are you excited about using digital driver’s licenses? Let us know by tweeting to us at @Gemalto or by posting a comment below.
Source: Gemalto – Payments
The FAQs of a DDL – Chapter 4: Fraud, Counterfeits & Stolen Data