
News Report – September 22, 2024:
Fraud Using Citizen Digital Certificates – Eleven Victims Lose a Total of 150 Million NTD
Recently, a 75-year-old retired civil servant was deceived into providing their Citizen Digital Certificate (CDC, a government-backed digital ID) and password to scammers, resulting in the loss of real estate and cash worth over 60 million NTD.
Police stated that the fraud group "precisely targeted" elderly individuals over 70 years old with substantial assets, using the pretext of property investigations. These scams often involved liquidating both real estate and bank savings at once or taking out loans in the victims' names, ultimately allowing the fraudsters to illegally acquire a total of 150 million NTD.
Taiwan's Ministry of the Interior explained that whether in the form of a physical IC card Citizen Digital Certificate (CDC) or a mobile app version, the certificate provides identity verification, digital signature, and data encryption/decryption functions, offering the public convenient digital services.
According to Taiwan's Electronic Signature Act, a digital signature using the Citizen Digital Certificate (CDC) is presumed to have the same legal effect as a handwritten signature or seal.
However, with fraudsters exploiting vulnerabilities in digital identity verification using stolen certificates and passwords, security concerns surrounding digital identities are growing.
This is where ThinkCloud eWallet comes in—enhancing security and ensuring a trusted, verifiable digital identity.
ThinkCloud eWallet: Strengthening Security in Digital Identity
ThinkCloud eWallet adopts the "data minimization principle", ensuring that any data access must be explicitly approved by the user.
The system utilizes "cards" and "seals" within the digital wallet to securely store and access information. Furthermore, it follows the W3C Verifiable Credentials (VC) standard, employing authentication (Auth-N) and authorization (Auth-Z) mechanisms to restrict access to only authorized data.
This eliminates the need for physical documents or seals, reducing the risk of excessive personal data exposure while preserving user privacy and autonomy. However, while digital wallets enhance convenience, they also introduce risks of data theft by hackers.
To address this, ThinkCloud eWallet integrates with the SelfieSign biometric electronic signature system, creating a dual authentication mechanism that links identity verification to the individual.
This highest-level security setup ensures that every digital transaction between users and businesses is both secure and reliable.
Create your unique "digital identity" now!
Citizen Digital Certificate (CDC): A Convenience or a Security Risk?
To understand this, we first need to clarify: Is a Citizen Digital Certificate simply an ID, or is it a digital signature tool?
The Ministry of the Interior states that Citizen Digital Certificates serve both as identity verification and digital signature tools. But how does a Citizen Digital Certificate compare to handwritten signatures?
Let's consider the traditional paper-based process of applying for important documents, such as a passport, at a government office.
The officer first asks for identification, often requiring two different IDs to verify the person's identity.
Next, the officer compares the applicant's face with the photo on the ID to confirm they are the same person.
Only after these steps is the applicant asked to sign the document by hand, leaving a physical signature and a biometric trace on paper.
Here, identity verification, personal verification, and signature authentication are three separate but essential steps.
How Does This Compare to Citizen Digital Certificates?
Authenticity of the certificate
Citizen Digital Certificates rely on security chips and encryption algorithms (similar to anti-counterfeit features on ID cards).
However, they lack the added security of dual ID verification like in paper-based processes.
Identity verification
In paper-based signing, officials compare the person's physical appearance with the ID photo.
Citizen Digital Certificates rely only on possession of the card and knowledge of the password, meaning if a fraudster obtains both, they can sign on behalf of the actual user.
Compared to paper-based signing processes, the lack of dual ID verification and biometric verification in Citizen Digital Certificate authentication weakens security.
So, the biggest difference between Citizen Digital Certificate digital signatures and handwritten signatures is that digital signatures do not contain biometric characteristics (Non-Biometric Signatures).
This means that:
When a person signs digitally, there is no physical trace of their unique handwriting.
There is no evidence tying the signature to the signer's biometric identity at the time of signing.
In case of disputes, it becomes difficult to prove whether the signature was genuinely made by the user.
Fraudsters exploit these weaknesses and loopholes in Citizen Digital Certificates, systematically manipulating victims and orchestrating large-scale financial fraud.

| | Citizen Digital Certificate (CDC) | Handwritten Signature |
|---|---|---|
| Function | Provides both identity verification and digital signing. | Captures handwriting-based biometric traits |
| Verification Type | Relies on secure chips and encryption algorithms. | Matches the person's appearance with the photo on their ID 👑 |
| Verification Method | Dual authentication: possession of the card + card password | Checks ID, verifies the person, and examines the signature 👑 |
| Difference | Digital signature without biometric traits (Non-Biometric Signature) | Contains biometric traits: the person and their handwriting 👑 |

(Table 1) Comparison of Citizen Digital Certificate (CDC) and Handwritten Signature
E-Signature Law Reform: Does the Future Belong to Certificates?
The recent amendment to Article 6 of Taiwan's Electronic Signature Law grants government-approved certification authorities the power to issue certificates that are "presumed" to be personally signed by the certificate holder.
However, this amendment creates a gap between legal provisions and real-world scenarios.
Certification authorities issue certificates with varying levels of security, and low-security certificates—such as those below the C3 level—clearly do not meet the legal standard of "presumed" personal signing.
To address this, the Ministry of Digital Affairs intends to amend the subsidiary regulations, requiring certification authorities to issue certificates that meet at least ISO 29115 LOA 3, NIST IAL 2, or eIDAS SES security levels.
However, from our perspective, this amendment raises further concerns.
Whether ISO 29115 LOA 3 and NIST IAL 2 can truly support the "presumption" of a personal signature remains highly debatable.
After consulting cybersecurity experts from the Bankers Association, we found that most of them do not believe that LOA 3 and IAL 2 provide sufficient assurance to "presume" a personal signature. Likewise, the use of eIDAS SES, the lowest level under the eIDAS framework, is even less likely to meet the legal standard of "presumed" personal signing.
In recent fraud cases, criminals have exploited high-security certificates—such as those at LOA 4, IAL 3, and eIDAS QES levels—to commit fraud. This indicates that even the highest security standards cannot entirely prevent fraud.
Lowering security requirements in a time when scams are rampant may only encourage more criminal activities.
The Electronic Signature Act is built on three legislative principles: technological neutrality, freedom of contract, and market orientation.
While the recent amendment clarifies the relationship between digital signatures and electronic signatures, it contradicts the core principle of technological neutrality.
The amendment states that certificates issued by government-approved certification authorities are "presumed" to be personally signed, implying that digital signatures hold a higher legal status than electronic signatures.
However, the principle of technological neutrality states:
"Any technology that ensures data integrity during transmission or storage and enables user authentication can be used for electronic signatures. It is not limited to 'digital signatures' based on asymmetric encryption."
By focusing solely on the role of certificates in digital signatures, the amendment neglects other forms of electronic signature technologies.
This contradicts the principle of technological neutrality and fails to accommodate real-world scenarios such as hospital procedures and legal processes. This oversight also hinders the healthy development of the electronic signature ecosystem.
To address this issue, future legislation should recognize the security limitations of digital signatures and integrate other technologies—such as biometric electronic signatures and blockchain-based decentralized authentication—to create a more secure, identity-bound signing process.
Additionally, a well-structured electronic signature certification framework should be established to ensure the legal effectiveness of electronic signatures.
User experience is also a crucial factor. How can we make the signing process more seamless and intuitive?
The answer lies in Part 2: "Say Goodbye to Citizen Digital Certificate Scams! See How ThinkCloud's SelfieSign Enhances User Experience".
Find out how SelfieSign boosts security and streamlines user experience in this article!