TL;DR
Scanning ID systems like Trusona offer improved security over passwords alone but aren’t foolproof. Their reliability depends on strong implementation, device security, and user awareness. They are vulnerable to presentation attacks (spoofing) and data breaches if not properly secured.
Understanding Scanning ID Systems
These systems use your phone’s camera to scan a government-issued ID (driving licence, passport) and verify it against databases. They often combine this with biometric checks – usually facial recognition – to confirm you are the legitimate owner of the ID.
How Secure Are They?
- Stronger Authentication: Scanning IDs add a second factor (something you *have* – your phone and ID) on top of something you *know* (a password). This makes it harder for attackers, who need the physical items as well as the password.
- Liveness Detection: Good systems use ‘liveness detection’ to ensure the face being scanned is real, not a photo or video.
- Database Security: The security of the databases holding ID information is crucial. A breach here could expose sensitive data.
Potential Weaknesses & How to Mitigate Them
- Presentation Attacks (Spoofing): Attackers might try to use high-quality photos or videos of IDs and faces to trick the system.
Mitigation: Look for systems with advanced anti-spoofing technology, like 3D face mapping and challenge-response tests.
- Device Security: If your phone is compromised (malware), an attacker could potentially access the scanning process.
Mitigation: Keep your phone’s operating system updated, use strong passwords/biometrics on your phone, and avoid installing apps from untrusted sources.
- Data Breaches: The company providing the ID verification service could be hacked.
Mitigation: Choose reputable providers with a proven track record of security. Check their privacy policies to understand how they store and protect your data. Look for compliance certifications (e.g., SOC 2).
- Privacy Concerns: Your biometric data is being collected and stored.
Mitigation: Understand the provider’s data retention policy. Some systems offer options to delete your data after verification.
- Accessibility Issues: Not everyone has a compatible smartphone or government-issued ID.
Mitigation: Providers should offer alternative verification methods for those who can’t use scanning IDs.
Checking System Security
- Look for Anti-Spoofing Features: Does the system explicitly mention protection against presentation attacks?
- Privacy Policy Review: Read the privacy policy carefully to understand data collection, storage and usage.
- Reputation Research: Search online for reviews and security audits of the provider.
- Data Encryption: Ensure data is encrypted both in transit (when being sent) and at rest (when stored). Providers don’t always state this publicly, but good ones will have it in place.
Example Security Check (Command Line – for advanced users)
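If you are technically inclined, you can check the SSL/TLS certificate of the website used for ID verification to ensure it’s valid and uses strong encryption. Replace HOSTNAME (a placeholder) with the host name of the verification site:
openssl s_client -connect HOSTNAME:443
In the output, look for a secure connection (e.g., TLSv1.3) and a trusted Certificate Authority; a verify return code of 0 (ok) means the certificate chain was validated against your system’s trusted CAs.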
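The check above can be scripted. The following is an added example, not part of the original article or any provider's tooling: it grades openssl s_client output for the two things to look for. The function name assess_tls, the constructed sample outputs, and the choice to accept TLSv1.2 alongside TLSv1.3 are assumptions of this example.

```shell
# Added example: grade openssl s_client output for protocol version and trust.
# Live use (HOSTNAME is a placeholder for the verification site's host name):
#   openssl s_client -connect HOSTNAME:443 -servername HOSTNAME </dev/null 2>/dev/null | assess_tls

# Constructed, trimmed sample outputs; not captured from any real site.
SAMPLE_GOOD='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)'
SAMPLE_BAD='SSL-Session:
    Protocol  : TLSv1
    Verify return code: 18 (self-signed certificate)'

# Reads s_client output on stdin and prints one finding per check.
# Returns 0 = pass, 1 = weak protocol or untrusted chain, 2 = nothing to grade.
assess_tls() {
    local out proto verify rc=0
    out=$(cat)

    # Negotiated protocol: the SSL-Session block prints "Protocol  : TLSv1.2";
    # the handshake summary prints "New, TLSv1.3, Cipher is ...".
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    if [ -z "$proto" ]; then
        proto=$(printf '%s\n' "$out" | sed -n 's/^New, \(TLSv[0-9.]*\), Cipher is .*/\1/p' | head -n 1)
    fi

    # Chain validation result; "0 (ok)" means it chained to a trusted root.
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\(.*\)$/\1/p' | head -n 1)

    if [ -z "$proto" ] || [ -z "$verify" ]; then
        echo "UNKNOWN: no protocol or verify result found (handshake may have failed)"
        return 2
    fi

    case "$proto" in
        TLSv1.3|TLSv1.2) echo "OK: protocol $proto" ;;   # assumption: 1.2 still acceptable
        *) echo "WEAK: protocol $proto is deprecated"; rc=1 ;;
    esac

    case "$verify" in
        "0 (ok)") echo "OK: certificate chain verified" ;;
        *) echo "UNTRUSTED: verify return code $verify"; rc=1 ;;
    esac
    return $rc
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | assess_tls
printf '%s\n' "$SAMPLE_BAD" | assess_tls || true
```

A non-zero exit status from assess_tls makes it usable as a gate in a script; a result of 2 usually means the handshake did not complete and the raw openssl output should be read directly.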
Conclusion
Scanning ID systems are generally more secure than traditional passwords, but they aren’t perfect. Their security relies on the provider’s implementation, your own device security practices, and awareness of potential risks. Always choose reputable providers and take steps to protect your phone and data.