As Malaysia races to upgrade its national identity system amidst USD12.8 billion in scam losses, it has to realize that the most sophisticated technology can’t outsmart social engineering—unless humans become the strongest link in the security chain.
Malaysians lost approximately USD12.8 billion to scams over the past year.
Some of these losses stem from Malaysians having their identity cards stolen or forged, in which case their identities have been ‘stolen’ and are used for nefarious purposes. When databases of identities are compromised, leaked, or stolen, individuals become vulnerable not just to financial losses but also to having their identities abused.
In synthetic identity fraud, criminals assemble identities from a jigsaw of real data; they do not need to know everything about an individual, just enough to create a synthetic identity that can be used, for example, to open new bank accounts for lending.
Fraudsters often cultivate these synthetic identities for months or years to build a good credit history and larger credit lines which they will eventually use to take out money in someone else’s name.
To carry out their schemes, fraudsters use social engineering tactics to learn as much as they can about their unsuspecting targets. The Global Anti-Scam Alliance (GASA) discovered that the vectors used to compromise targets vary from phone calls to instant messaging to social media platforms like WhatsApp, Telegram, Facebook, and more.
The role of identity technologies
Amidst news that identity fraud is on the rise in Malaysia, the Prime Minister has urged a faster rollout of an upgraded MyKad, the country’s national identification document. This identity document is meant to be integrated with the MyDigital ID system and aims to streamline public and private sector services.
The Malay Mail reports that the MyDigital ID system verifies users’ identity and is to be the only platform needed to sign in to government services and to other online services offered by, for example, the financial, education, and healthcare sectors.
MyKad is a physical document while MyDigital ID is a verification system. The goal is to ensure that physical and digital identity claims come from the person to whom the identity belongs, and to provide a seamless and secure experience for users across both physical and digital identities.
And when it comes to issuance of physical identity cards, HID’s regional director of Secure Issuance, Lee Wei Jin, highlighted that it is important to understand the use case, lifespan, and logistical requirements of the document to determine the issuance solution that would be suitable.
According to Wei Jin, secure issuance of identity cards involves both hardware and software components. HID applies visual security features such as laser engraving to cards to prevent forgery, and the company also ensures that the right data is encoded into smart chips before they are ‘printed’ onto the physical card.
In this respect, HID would work with system integrators to ensure the secure flow of data from government or corporate customers to the hardware for programming and printing.
Trends in national identity issuance: Integrating physical and digital identities
Wei Jin shared that the pandemic definitely accelerated the adoption of digital identity solutions. Governments have since lifted physical contact restrictions, but the convenience of digital identity has kept it in use. However, this doesn’t mean physical ID cards are going to be discontinued anytime soon.
Wei Jin said, “Even though governments are promoting digital identity solutions, people still prefer to have and use physical identity cards. So, there is a gradual transition to digital identity, and physical IDs are still in demand especially in situations where data security and privacy are of concern.”
In fact, he recognized that digital identities can complement ID cards and there is a role for both types of identity depending on context.
“Most of the national ID projects today are not only for (proving one’s) national identity, but also for various other applications,” Wei Jin pointed out.
For example, Estonia’s e-ID system integrates public key infrastructure (PKI) certificates with physical and digital IDs to provide secure access to services like e-voting, e-banking, healthcare, and more. India’s Aadhaar provides a unified digital identity framework that underpins various government services and financial inclusion initiatives.
With regard to Malaysia’s own MyDigital ID project, Wei Jin commented that it is a very good initiative. “Today, many people are using their mobile phones for many online transactions. The MyDigital ID will ensure that you are who you claim you are.”
He opined that there are two important elements to ensure this, one being a KYC (Know Your Customer) feature to first ensure that the right person with the right identity is onboarded to the platform. The second element is the linkage of the platform to Malaysia’s national registration database.
“You can’t rely on someone’s claim that they are who they say they are. There must be verification,” he emphasized.
The best line of defense against social engineering
While cutting-edge technologies and robust identity systems like HID’s can form crucial defensive barriers against fraud, they represent only part of the solution in a world where scam losses reached a staggering USD1.03 trillion in 2024.
Governments, businesses, and individuals may have the best technologies in place to protect themselves from fraud, but the best strategy lies in a three-pronged approach: technological innovation, institutional vigilance, and comprehensive public education.
It can be difficult for many people to detect that they are in the middle of a social engineering attempt because of how subtle and convincing it is. The importance of education and vigilance cannot be overstated because, while the human element remains the greatest vulnerability, it is also the strongest potential safeguard.