Identity theft or impersonation is a type of fraud in which criminals manage to supplant the identity of the person being deceived, based on the theft of their personal information. There are particularly relevant cases such as the one described in this article in El País: “They impersonated me and spent 100,000 euros in my name. I’m still suffering the consequences” | Technology | EL PAÍS (elpais.com)
In this particular case, the victim lost his national identity card, or perhaps it was stolen on purpose, but either way, it ended up in the hands of fraudsters. Identity theft based on a stolen ID card is a technique that is unfortunately on the rise, largely due to the fact that since the advent of COVID-19, most transactions have become digital and are carried out remotely.
How to prevent phishing fraud
The most effective suggestion and solution is to reduce the amount of personal information shared as much as possible. For example, in the case of requests to send a scanned ID card, do so by partially blocking out information that is not strictly necessary, such as the expiry date, the postal address, or our photograph.
However, sometimes requests to send personal information go beyond the ID card and may ask for financial or tax data such as invoices, bank transactions or even tax returns. This type of request is common in banks to prevent money laundering, but it is also common for this personal data to be requested for procedures related to the evaluation of financial solvency, for example, by landlords in the case of rental housing.
Can we refuse to share this type of personal information? The current law requires the recipient of such personal data to process such information in accordance with the European Data Protection Directive (GDPR), but the recipient is entitled to request it.
In the case of fraudsters, they try to trick victims by posing as fake landlords, fake sellers, or even lenders. All of this is done to collect personal information that allows them to impersonate and gain access to credit, open bank accounts from which to launder money (through mule accounts) or make fraudulent purchases.
Digital Identity Wallets to the rescue
An ” ID Wallet ” is a cryptographic application that is installed on our mobile devices allowing us to store and share credentials related to our identity and its attributes https://business.blogthinkbig.com/europes-new-digital-identity-sovereign-identity-wallets/. These applications allow us to verify our identity without sharing our ID card, or for example to validate our financial solvency without sharing invoices, bank transactions or tax returns.
How do they work? By storing credentials linked to our identity that can be verified and validated by third parties. For example, we can store in the wallet our ID card along with our financial information issued by our bank. When a landlord asks us to prove that we live in Spain, that we are over 18 years of age and solvent, we can share our identity card (which is not the same as the DNI), together with the financial solvency card (which is not the tax return or bank details). In this way, we will be validating the conditions required by the landlord, without the need to share any personal data that could be manipulated or used without our consent.
The underlying technology in this whole process is blockchain and ensures that the information stored in the wallet is accurate, and that the issuing authority is trustworthy. In this way the recipient of the information can validate its legitimacy.
A not-so-distant future
The European Union is already working on this type of solution and aims for all EU citizens to have access to this technology by 2024. In Spain, several initiatives are beginning to emerge, such as the Alicante ID project, which aims to create a local digital identity ecosystem, so that citizens, administrations and companies can exchange verifiable credentials stored in identity wallets.
The aim of all these projects is to return control of personal data to those to whom it belongs, the users themselves. Privacy in the processing of personal information increases security and prevents online fraud.