As digital IDs proliferate, states must consider security implications

In August, the New York State Department of Motor Vehicles launched a digital state-issued driver's license. The announcement added New York to a growing list of over a dozen states, including Iowa, Louisiana, Mississippi and more, embracing the power of digital IDs.  

Mobile IDs (mID) are a great way to improve citizen experience. They offer streamlined access to government services, improving accessibility for underserved populations and reducing burdensome wait times at places like the DMV. Beyond that, 97 percent of Americans under 50 own a smartphone, according to Pew Research Center, making them an almost universally applicable alternative to physical identification.  

However, as more states, including Virginia, begin to roll out digital ID initiatives for critical government services such as voting, driver's licenses and TSA checkpoints, it's vital that agencies ensure they are being implemented securely.  

It's unclear what—if any—precautions are being taken to secure the mobile devices housing mIDs. In fact, recent research revealed that over 60% of mobile devices run on vulnerable operating systems (OS).      

To put a finer point on it, as mID adoption increases nationwide, governments must ensure their security or risk exposing personal information to cybercriminals. 

Hijacking mobile IDs: The modern kill chain
Although the widespread use of mobile devices makes them ideal for mID deployment, it also makes them a prime target for criminals seeking to steal data.  

Early 2024 saw a significant increase in social engineering and phishing attacks targeting mobile devices compared to the previous year. Criminals are now leveraging mobile platforms such as social media, SMS, messaging apps, QR codes, phone calls and more to execute "modern kill chain" attacks.  

These attacks, often initiated by a criminal posing as a legitimate contact, involve delivering a socially engineered message with an embedded phishing link to the victim's phone. The messages are crafted to appear authentic and contain a link to a phishing site, prompting the victim to enter their credentials (and often an MFA token). Alternatively, the link could contain malware capable of harvesting device activity and data within seconds of being clicked.  

Regardless of the method, successful attacks grant criminals access to all the information needed to impersonate a victim and gain entry to their accounts, including the relevant mID app. With the victim's mID in hand, criminals can assume the victim's identity or sell the information on the criminal underground.  

Most devices managed by agencies will have preventative measures to block email-based phishing attacks. However, these protections do not include attacks targeting mobile vectors or unmanaged personal devices.

Another risk is cybercriminals acquiring and weaponizing the legitimate software development kits (SDKs) and libraries used to build apps. SDKs are prepackaged code that allows developers to quickly create apps and add features without constructing everything manually. If agencies design a mID platform using a library or SKD criminals inserted with malicious code, they risk compromising every mID stored in their database.

It's impossible for agencies to vet every app on every phone used by their employees, making it necessary for teams to go beyond traditional cybersecurity protections to combat the threat. 

Protection requires going above and beyond
Verifying a user's identity should involve more than just displaying an image on a mobile ID app. Secondary or even tertiary layers of authentication can significantly lower the risk of identity fraud. This additional authentication may include multi-factor authentication or the addition of a one-time QR code tied to the mID. The QR code would refresh every time a user opens the app, making screenshots of the mID useless.   

Other forward-looking technologies, such as blockchain, can play a role in securing these devices. Blockchain-based government IDs would offer more secure, tamper-proof and easily verifiable mIDs by ensuring that unauthorized individuals cannot tamper with the mIDs. The decentralized nature of blockchain also reduces the risk of cyberattacks compromising the data libraries that store the mID information.  

Aside from protecting against already stolen mIDs, agencies should aim to prevent them from being compromised in the first place. The best way to do this is by protecting the mobile devices themselves. Incorporating mobile endpoint detection and response (Mobile EDR) solutions can help strengthen security by enabling agencies to reconstruct attack chains and proactively block risky third-party app behaviors, including those caused by SKD compromise, on both managed and unmanaged devices.  

Furthermore, integrating mobile threat defense solutions into an agency's security stack enhances threat visibility and provides uniquely tailored mobile threat intelligence to help teams proactively address vulnerabilities. 

A well-thought-out, secure mID system greatly benefits all users and should—and ultimately will—replace physical IDs. But major security concerns need to be addressed. Current mID efforts need more security protections to truly serve as a viable replacement. 

As mID efforts across states become more prevalent, attackers will increasingly target the mobile devices that store them. Through a combination of solutions from blockchain to mobile EDR, state agencies can proactively protect both mIDs and mobile devices from criminals, creating a more secure, user-friendly system for all.