So I'm not exactly an experienced speaker, but I'll do my best. And what I did was I tried not to produce a lot of slides with bullets.
Instead, I have a few pictures to sort of underline or illustrate what I'm trying to say. Professionally, I'm the co-founder and CEO of a company that does eID as a service. So our customers come to us to integrate Swedish BankID or Norwegian BankID or Danish MitID, as it's called, these different eIDs that we use primarily in the Nordics, but also elsewhere, in Germany. We have some answers for that as well.
Privately, I'm a concerned citizen of the EU, and that is basically the basis for what I'm going to say here. It's not a pitch per se for our company. So with that, let's just dive in. How do I move forward here? Do I just click the screen? Oh, there you go. A black slide.
Yeah. So this is an example from a couple of our friends here from Swedish BankID. This is a post on LinkedIn, and if you can't read it, what it says is that Swedish BankID managed to excellently fend off a denial-of-service attack. So that's good news.
And they're doing a webinar, I think next week, where you can learn more about how they did that. Now, centralized systems being attacked is not specific to eID. That's just the world we live in: you have these people targeting centralized identity.
It is, of course, great news that this guy, his name is Andreas, I think, that he and his team managed to fend this off. What's less good news, what is bad news, is that they need to fend it off, which is why this talk will talk about the vulnerabilities we're facing and what we can do to get out of that situation where we need to fend off denial-of-service attacks and all that.
And obviously, for those of you who have stayed awake for even a few minutes during the last couple of days, you know that the terms decentralized identity and verifiable credentials are likely to come up.
But FIDO actually has a key part to play in all of this too, and we'll see an example of that. So these state infrastructures, centralized infrastructures run by states or by banks, are extremely prevalent, especially in the eID space in the Nordics. So Denmark, where I'm from, Sweden, Norway and Finland run national, bank-controlled eID infrastructures that citizens use for authentication and identification on basically all the sites they go to, especially in Sweden, which has the most successful of the eIDs.
And for those of you not from the Nordics: Swedes will use their BankID for buying groceries, for going to the bank or for booking a doctor's appointment.
It's basically the same thing across Scandinavia, but especially in Sweden. We have a couple of guys from BankID here; they can probably confirm that the usage is substantial, let's just say that. Which also spells vulnerability, of course. And the thing is, in these societies in the Nordics, everything is digitized.
So you cannot go to... well, in Denmark, you can hardly find a government office that'll open the door to you. You have to do business online, you have to take care of everything online: banking, insurance. There's no concept of a public notary in Denmark. You never go to an office and sign a document, because you do it electronically.
So I buy my house and sign electronically; everything is done like that, which means that the eID infrastructure in my part of the world is a key asset. It is what you could genuinely label critical infrastructure, because if it goes down, society is more or less down, which is why the guy we saw from Swedish BankID is genuinely proud of being able to fend it off. But it is also a strong requirement for a guy like that. He really has to do his job.
Otherwise, the Swedish society will grind to a halt pretty quickly.
So, grinding to a halt these days... I shouldn't do that. These days we have new actors; well, they're not new. I just saw a threat assessment or something coming out of the Danish intelligence, military intelligence, that says one of the highest threats is espionage from China. But right along there is attacks on critical infrastructure. In this case, it was a piece of physical infrastructure.
For those of you that don't recognize this picture, this is when they blew up the Nord Stream natural gas pipelines in the Baltic Sea, I don't know, half a year ago, a year ago or something. And that wasn't very robust to attack, let's just say that, because now they're closed. They hadn't really opened number two, because the Germans had closed it off or something. But still, very key infrastructure attacked. Same thing with these eIDs: you now see new actors that could potentially target this.
So we need to do something about that.
And if we can build infrastructures that are not as centralized... imagine here if you had a million tiny pipes going across the landscape and the sea. Then you could blow up one, you could blow up two, you could blow up ten, but it wouldn't affect the overall capacity or the abilities of the system. So that's what we are aiming for going forward.
You know, if you can build identity infrastructures, and listening to all the talks, yes, you can build infrastructures that are less vulnerable to things like this.
There's a timer down here saying 20, and it stays at 20. Does that mean I continue to have 20 minutes, or is it just because... then I could go on.
Okay, so that's one thing. And this is not new to eID or the Nordics or anything. You know, it's an industry in its own right; defending these sorts of systems against attack, I'm sure Akamai or guys like that can help you with that. Another thing, which is actually where the real action is, because there's no successful action in attacking central eID infrastructures, as witnessed by the guy we saw from Swedish BankID: you don't successfully attack these infrastructures.
Where you do successfully attack is teenagers with acne and bling-bling running a phishing console and having a few mules and things like that.
They do phishing attacks, and especially in the Nordics there's another vulnerability that is sort of a centralization thing: we use one app, we use one web application, everybody goes to the same site, they expect the same look and feel always, of Danish MitID, Swedish BankID, Norwegian BankID and so on. So they get the same user experience all the time, which means as a phisher you can mock one site and then you are in business.
You don't have to do anything for a specific doctor or a specific hospital or a specific bank. Maybe for a specific bank you should do something, which I'll show in a second. So just for those of you that are not familiar with phishing attacks: this isn't Danish, but these are the kind that say "Nordea", that's the bank, a big Scandinavian, actually Nordic, bank. They sent these messages out.
I'm the CEO of an eID company and I'm fairly technical. I used to do spaceships and fighter jets and things like that in my younger days.
My wife is not. She's beautiful, she's clever, and she's an art historian. She's an art dealer; she knows nothing about this. So she doesn't even know to pick that URL out as being fake. So we switched banks, she gets a new credit card, and on the very day she gets the new card, she gets a text message similar to this one, not this one. She gets one that says, in Danish: you've activated your new card, you need to approve it. The phishers, of course, sent these out to a million people, because everybody has a card, and they know it's a numbers game.
They're going to hit a few where this works. So my wife, thinking about art, clicks the link, and the next thing that happens is a MitID page, which looks the same to everybody.
So MitID, which is the Danish eID that we use for everything, healthcare, banking, always looks like the white box in the middle. The name will change; it says Nordea Bank here. It has a little bit... That's the hacker over there, the phishing site. Notice the URL; that's the real Danish MitID.
MitID has to run on the domain mitid.dk. This is a cue for FIDO, which we heard about earlier, but there is no FIDO to be seen here. So my wife is on this screen to the left and enters her MitID username. This is the common user experience of the Danish eID; everybody does this several times a day. She enters her username, not thinking about anything.
She's expecting to authenticate herself to her bank, and next she'll be approving it in her app on her phone.
And thirdly, she'll be in the bank looking at her account, activating her card or whatever she was expecting. So she enters her stuff. You know phishing, most of you probably. She enters her credential up there, her username. The hacker in his hacking console, the guy with the bling-bling, he's probably 20 years old, he has no education, he's lazy, eating pizza, he gets this on his screen, his phishing console.
Bam, there it is. He goes to Nordea's real website over here and types in my wife's username in a split second; it's automated. So my wife pulls out her phone, because she thinks she has to approve this. Sure enough, there's a request to approve authentication for the bank, which she thinks she's doing. So she approves it. Now the guy is inside our bank. Fortunately, to transfer money out of the bank, you have to do another authentication, and by that time she had called me and said, I think something's wrong.
And I said, I'm sure you did.
And so we didn't lose any money, but this happens. This could be done by the dumbest person in the room, because they just have to install basic software and run these phishing scams. These are the real successful attacks. These are the attacks that succeed.
You know, you are guaranteed to succeed if you do this on a large enough population, which is the danger of the Swedish or Norwegian population, because everybody expects the same. So you can very cost-effectively run phishing scams.
Yeah, and the URL is a problem. So I was, our company was, at an event yesterday and today in Copenhagen, a security trade show. And we did this little thing on our booth where we had a QR code: scan it, register, and you could win the Millennium Falcon, the Star Wars thing in Lego.
So a lot of people came up and wanted to win it, scanned the QR code, typed in their credentials. And then we'd say: we are a security company, please identify yourself with MitID.
Except we did one of those. Out of 180 people, about 80 people typed right in without thinking. You know, at a security conference, they would type their credentials into a phishing website. It is so easy. I'm going to change line of business.
I'm going to do something else. I'm going to be a phisher pretty soon when I leave this room. So you can do a few things, and the domain thing was a giveaway. So of course you need to do FIDO. The Norwegians did this: they built Norwegian BankID biometric. And what they did was they basically tied it to... the good thing about FIDO, for those of you that are not familiar, one of the benefits is that the key pair you are using is tied to the URL.
So you cannot use your FIDO credential at a phishing website.
So the situation we had before would never have happened if, instead of entering a username, this were a FIDO credential. She couldn't have done it. It would not have happened. It's not just that FIDO2 is phishing resistant; for all practical purposes, it's completely phishing proof in cases like this. So this is an excellent situation where you can do that. That's what the Norwegians did. The thing is that eIDAS and all the ETSI standards are so preoccupied... not preoccupied, it's just all about security stuff.
FIPS level, I asked about before, qualified signatures, it's all about various HSMs. Basically, I sometimes say things that come out harsher than I mean, but this is the hardware lobby running eIDAS. So they have managed to put in a lot of stuff about how you need these HSMs and blah blah blah, where all the action is in phishing, and you can have FIPS level 2000, blah blah blah, whatever.
It won't protect against phishing. So that's the thing. In Denmark and in Norway they have all that stuff, stacks of hardware. They probably have HSMs in a mountain.
If you get within a thousand feet, it'll set off a nuclear explosion or something. You know, the keys are definitely gone. Still, people are getting phished. They did this. So this is, unfortunately, because of that certification stuff... not unfortunately, but as a consequence, at least since the trust module is not at the correct level, and the attestation that goes along with the trusted secure enclave, in this case, is not sufficiently certified or whatever, this is only level substantial authentication.
Whereas the real Norwegian BankID, which is based on username, password and OTP, which can all be phished, is level high. So now you have a level high authentication that's extremely phishable, and you have only substantial, but for practical purposes, it'll never fail.
It'll never be stolen. So that's the situation. So if I had one thing I could ask the regulators, it would be: let's look at this from a different perspective at least. Are there other ways where we can get this more widely used? I think there's one more country that's using it for their eID. So that's very relevant.
This is a key to stopping it. You know, my wife would never have done what she did had they had FIDO in there. So I'm a strong proponent of FIDO. So if you get a chance, say yes.
So that's the centralized attacks, and that's all good, that you can attack... it turns out we can fend off denial-of-service attacks, but really it's phishing where the action is. But the denial-of-service attacks still mean we have to run extremely expensive central infrastructures to do all this. Because buying Akamai to protect the entire Swedish population is probably not cheap.
So we spend a lot of money, a lot of time and a lot of human effort on that. So, distributed, what's it called, distributed, decentralized identity and verifiable credentials.
Again, if you are not deaf or blind, you have heard about verifiable credentials or distributed identity at this conference or some other conferences before this in recent times. And just to reiterate: you go to a bar in the real world. The doorman, in the old username and password days, would issue an identity card for you. This is the card you use; it's my bar. And you go to the next bar and he issues another card. And so you have a pocket full of those cards, and now you're ready to go out and have a great time.
Now, in the world we live in today, which is the world of federated identity, you go to a bar and you say, I want to enter your bar. And he says, just a second, calls the police, and first he says, I've got Nils at the door.
Dear policeman, he wants to enter bar X, Y, Z. So now the police write this down: so, Nils is trying to enter the bar. And they'll say back, yes. So now the doorman lets you in. Everybody knows this, and the doorman lets you in. In the world of verifiable credentials and distributed identity, or decentralized identity, you go to the bar, you show your driver's license.
If you're old enough, which I happen to be, you get in. And that's what we want online. So verifiable credentials and decentralized identity are extremely easy to describe. Unlike all the blockchain, no-authority, libertarian, I-don't-want-to-pay-taxes, live-on-an-oil-rig-in-the-middle-of-the-Pacific, whatever.
You know, all that stuff. So hard to explain. No developer ever wanted it. Nobody ever wanted it. You couldn't present a business case, because the average population is okay with central authority.
Especially in my part of the world, we don't have a problem with the state or the government. Even big business we trust. There's quite a level of trust.
So anyway, this is easy stuff. And online, what it means is you go to a website, you take out your phone and you present your credential that you have on your phone, your ID card, to the website. No talking to the police.
So not only is it robust, because the police station can be blown to pieces and you can still authenticate to the doorman at the bar, but it's also privacy preserving, of course, because they don't know. There's no surveillance in that regard.
Yeah. So, final thing: for verifiable credentials to make it into the mainstream, it requires one more thing, which is of course the wallet where you keep them. The thing about verifiable credentials is that they're issued by someone; that would probably be Swedish BankID, Danish MitID.
They will issue stuff into your wallet, and you'll use it for authentication. And then you'll say, but how do we know it's not been revoked? We'll solve all that. It is being solved, and it can still be done in a privacy-preserving way. But the EU is also working on this wallet thing. There's even a project to build a reference wallet, basically an EU wallet. That's an absurd thing, of course. So if you want to support something, support the OpenWallet Foundation, because that's where the action must be. That's because they build components.
So you can build wallets.
Why do we all need the same wallet? No more than we need the same mailbox out by the street. Out by the street we have a mailbox. In my part of the world there's a postal law; it says you cannot break into it, so it must be locked, blah blah. There are a few things: you are not supposed to be able to reach in and pull out the mail. That's it. Same thing with these wallets. Of course they need to be certified, at least to hold certain kinds of credentials. You don't want me to install some specific wallet and then
it turns out it's just a scam that takes my identity and sends it off to some third-world country. So we do not need member state wallets. We do not need an EU wallet, but we need wallet technology, because I like my wallet, you like yours, and so on.
That also makes it harder for phishers, because now they have to target very specific wallet implementations, so they can't phish anymore. So with decentralized identity and a heterogeneous space of wallets, we'll get the security we want. It will be much more robust.
We'll be like the little house with the windmill and the solar panel and a bunch of batteries around it, off the grid. You can do whatever you like. That's where we can get with identity, if we take verifiable credentials and a heterogeneous wallet space. And then the scammers, the phishing guys, will just have to get a real job and go do something useful for society instead. That's it.
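The relay phish described in the talk (username typed into a lookalike page, forwarded by the phisher's console to the real site, approved by the victim on the phone) and the FIDO origin binding the speaker credits with stopping it, as an added example that is not part of the talk, of MitID, BankID or any product mentioned. It is a stdlib-only Python model written for this page: the authenticator's ECDSA signature is replaced by an HMAC over the same bytes WebAuthn signs (authenticatorData || SHA-256(clientDataJSON)), so the relying party holds that HMAC key where it would hold the public key (an assumption made to stay offline); the lookalike host mitid-dk.example, the username and the challenge handling are constructed. The RP ID mitid.dk is the domain the talk names. The three checks shown are the ones in the WebAuthn flow: the browser refuses to use a credential whose RP ID is not the page's host or a parent of it, the browser (not the page) writes the true origin into clientDataJSON, and the relying party verifies origin, rpIdHash, its own challenge and the signature that covers all of it.

```python
"""Stdlib-only model of the relay phish from the talk and why a FIDO/WebAuthn
credential stops it. The ECDSA signature is stood in for by an HMAC over the
same bytes WebAuthn signs (authenticatorData || SHA-256(clientDataJSON)); the
lookalike origin, username and challenge plumbing are constructed."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_allowed_for_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn scoping rule (simplified): the requested RP ID must equal the
    page's host or be a suffix of it at a label boundary. A page served from
    mitid-dk.example can never ask for credentials scoped to mitid.dk."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Browser plus authenticator. Only it fills in 'origin' in clientDataJSON."""

    def __init__(self):
        self.creds = {}  # credential id -> (rp_id, secret standing in for the private key)

    def register(self, rp_id: str):
        cred_id, secret = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # the RP model keeps 'secret' where it would keep the public key

    def get_assertion(self, origin, rp_id, challenge, browser_enforces_scope=True):
        if browser_enforces_scope and not rp_id_allowed_for_origin(rp_id, origin):
            return None  # the browser refuses; the credential is simply unavailable here
        match = [(c, s) for c, (scope, s) in self.creds.items() if scope == rp_id]
        if not match:
            return None
        cred_id, secret = match[0]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"  # rpIdHash || flags (UP|UV)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {"id": cred_id, "clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": hmac.new(secret, to_sign, hashlib.sha256).digest()}


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}     # credential id -> verification key
        self.pending = {}  # issued challenge -> credential id it was issued for

    def begin_login(self, cred_id):
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = cred_id
        return challenge

    def verify(self, assertion):
        """Returns (ok, reason). Each check is one the relay attacker cannot satisfy."""
        if assertion is None:
            return False, "no assertion"
        cd = json.loads(assertion["clientDataJSON"])
        challenge = bytes.fromhex(cd["challenge"])
        if self.pending.get(challenge) != assertion["id"]:
            return False, "unknown challenge"
        if cd["origin"] != self.origin:
            return False, "origin mismatch: " + cd["origin"]
        if assertion["authenticatorData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.keys[assertion["id"]], to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        del self.pending[challenge]
        return True, "ok"


def legacy_username_push_login(account_username, typed_username, user_approves_push):
    """The flow in the talk: the site only learns a username, and the push
    approval carries nothing about where it was typed, so a relay succeeds."""
    return account_username == typed_username and user_approves_push


def run_scenarios():
    rp = RelyingParty("mitid.dk", "https://mitid.dk")
    authn = Authenticator()
    cred_id, key = authn.register(rp.rp_id)
    rp.keys[cred_id] = key
    phish = "https://mitid-dk.example"  # constructed lookalike, like the SMS link in the talk
    out = {}
    out["genuine"] = rp.verify(authn.get_assertion(rp.origin, rp.rp_id, rp.begin_login(cred_id)))
    # Relay: the phisher's console starts a real login, gets a real challenge and
    # forwards it to the victim's browser on the lookalike page.
    out["phish_blocked"] = rp.verify(authn.get_assertion(phish, rp.rp_id, rp.begin_login(cred_id)))
    # Even if the browser did not enforce scoping, it still writes the true origin.
    a = authn.get_assertion(phish, rp.rp_id, rp.begin_login(cred_id), browser_enforces_scope=False)
    out["phish_origin"] = rp.verify(a)
    # And the phisher cannot rewrite the origin afterwards: it is under the signature.
    cd = json.loads(a["clientDataJSON"])
    cd["origin"] = rp.origin
    out["forged_origin"] = rp.verify({**a, "clientDataJSON": json.dumps(cd).encode()})
    out["legacy_relay"] = legacy_username_push_login("anna", "anna", True)  # constructed user
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:14} {result}")
```

Running it prints one line per scenario: the genuine login verifies, the same relay that works against the username-plus-push flow yields no assertion at all on the lookalike page, and the two hypothetical fallbacks (a browser that ignored scoping, a phisher who edits the origin) fail on the origin check and the signature respectively. The model deliberately stops at the assertion; the transaction-approval step the speaker mentions is outside it.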
Okay. I think there are probably a lot of people saying, whoa, he's turned on. Quick question. So, what should we say, you are not sold on having a nation state identifier?
You like the BankID approach, or do you like the approach where we've got BankID, we've got nation state, we've got our local loyalty program? What is it that you want to see in a wallet?
So basically the wallet ecosystem has something called an issuer and something called a verifier, or a relying party. Issuers are probably the state and/or banks issuing, because those are the central, most trusted entities, at least in Northern Europe and maybe even in the whole of the EU. So I do want these trusted issuers. I have no problem with having a state authority or nation state.
Not at all. What I'm saying is simply, due to the vulnerabilities of the systems we've built, that I think we need to distribute that, because it's not self-sovereign in the sense of being self-proclaimed. It's not something I say; there has to be an issuer that I trust. And those would be states and banks.
Yeah. And do you see the standard, does it support FIDO?
Honestly, it is whatever you want it to be. Right now the OpenWallet Foundation has a few registered projects, and it's about selective disclosure, and more to come.
So basically, if any of you want to build wallets, go contribute to the OpenWallet Foundation, which is a huge open source umbrella. Yeah. So, FIDO: if you ask me, FIDO has a lot of potential also, because verifiable credentials have this concept of issuing a credential, and inside the credential is your public key. Then you sign it with your private key and you hand it off to present it to someone. That private key is of course your FIDO key. Okay. Same thing with encryption. You can derive encryption keys out of FIDO credentials.
Something called pseudo-random functions, an extension for FIDO.
Okay. Yeah. Sounds good.
Okay, questions.
Thank you.
Thank you for the presentation. I was wondering, you talked about the substantial and the medium trust level with the BankID, and that substantial is unfortunately not the biometric way. Do you see open wallet as the next logical step, with no intermediary steps? Or should there be somebody in the driver's seat to push, as you portrayed, and as I'm sure everybody here in the room is with you, that there needs to be a focus more on biometrics, that that is the new substantial level, because it's so widely adopted?
The BankID that, yeah, going with the old way and saying that's a substantial thing to do might not be the right choice.
So honestly, it's not about open wallet or not. The OpenWallet Foundation, as an organization, is there to help us build these wallets that are key components of the decentralized identity infrastructure. The biometric thing and the FIDO thing, that's something for us to work on, at least bring that into the conversation with the legislators and the guys advising them and so on.
Unfortunately, I'm not advising anybody, but I'd love to. We need to bring into the conversation that there are other elements. You get what you measure. So if you only talk about what's in the ETSI standards and all that, you get only that; you're not concerned with phishing. I think we need to introduce that into the conversation, all these phishing concerns, because that's really what's hitting us: phishing. And I've heard that several times today, which is why FIDO was great.
So I don't see any opposition or anything, but I think we need to introduce these passkeys and things like that to a wider audience. The Norwegian one was at level substantial. There are three levels, low, substantial and high, in the EU. Yeah.
But if we go to, if we go to biometrics, we potentially move to high.
So
If, yeah, if we can get the attestation right. I think you touched on attestation in your presentation. Yeah. Because to get to level high, you need the right level of attestation, and you talked about YubiKeys or whatever being... Yeah.
Well, you know, iOS and Android can do that strong authentication level. Okay. Other questions?
Deloitte. Thank you for the presentation, and for saying some of the more sensible things I've heard about wallets and the security risk at this conference.
I was just wondering, looking beyond phishing, what is the single largest danger that you see coming next from the wallets? Because these guys that you mentioned, the guys that show off on Instagram what they make on the phishing, they're not going to get a real job, and they're going to try and do the next thing.
So what do we have to be afraid of with the wallets?
I wouldn't know, honestly. I think right now I'm most afraid that we get lost in all these discussions about what can you do with a theater ticket, and what if you need a refund, and there are all these mobile driver's licenses, and what if I'm in the desert and I'm offline and Bluetooth Low Energy doesn't work. So we get lost in all our developer concerns and we think of these weird cases. What about just presenting an ID to a website, which we do with BankID and those sorts of things? Solve that.
So that's one thing where we will definitely go wrong. The other thing, I think the real danger in wallets, is being scammed into installing what appears to be a legit wallet which is not, which is the phisher's wallet. Which is why, honestly, I'm getting on the EU today, or eIDAS and all that, but really we do need certification, because you need some sort of... and built into all that, the EU framework, something where there's a trust service, basically, that verifies your wallet is authentic before presenting a credential to someone.
So the issuer can say, I will not issue a credential into some phishing wallet. That should be possible. So if we don't get that set up, and that again requires central infrastructure, there's some hard thinking to be done around that. So I would think, you know, fake wallets would be it. And then for us as EU citizens, we know two big wallets, and what will happen there, you know, the Apple and the Google wallets.
Okay, look, we've got to draw this to a close. We're already into tea time. Let's have a big round of applause for Neil Space.