Remember Dolly the sheep? In 1996, in Scotland, a mammal was cloned for the first time in the world. How far we have come from that experiment, which aroused amazement and wonder as well as understandable feelings of fear in public opinion: it demonstrated, in fact, that cloning was possible.
Now imagine another you who replaces you at the bank and in dealings with the Public Administration (PA). You will think this is impossible in the era of digitalization: there is the Public System of Digital Identity (SPID), conceived as a tool for simplifying and democratizing access to Public Administration services. Well, this system is not able to guarantee the uniqueness of a digital identity, because it was poorly conceived. Whoever designed it did not bother to establish a centralized notification and control system, but thought of something else: allowing private parties to issue digital identities. At the time this seemed to me yet another "smart trick" to weaken the State administration. It was an opportunity the PA could have seized to strengthen its IT skills and finally interconnect and manage the digitalization of the country; a missed opportunity, whose nefarious effects now fall directly on citizens.
But what is SPID? I'm writing this for those (hopefully very few) who don't know.
SPID represents the Italian implementation of a digital authentication system that allows access to services provided by the Public Administration and by private entities with agreements. Its architecture provides for the release of digital identity by accredited providers (including Poste Italiane, Aruba, InfoCert), structuring itself through credentials consisting of a username, password and, in higher security levels, two-factor verification mechanisms.
The activation process requires fundamental identification elements:
- A legally valid identity document
- The interested party's tax code
- An email address and a mobile phone number
It is significant to note that these last two elements do not necessarily have to be formally registered in the name of the applicant, but simply be available to him.
This procedural flexibility, together with the lack of a cross-verification system between the different identity managers, constitutes one of the most exploited points of weakness in fraudulent dynamics.
The vulnerability of the system is based on a particularly significant regulatory anomaly: the possibility for each citizen to activate multiple SPID identities, one for each accredited manager, using the same tax code but diversifying the associated electronic and telephone contact details.
This configuration allows individuals who come into possession of a citizen's identification documentation (including through photographic reproductions or digital scans) to activate a parallel digital identity with a different manager than the one originally chosen by the victim. The particularly critical element lies in the absence of a notification system to the owner of the pre-existing identity, thus creating a coexistence of formally legitimate digital identities but with a significant asymmetry of control.
Through this second identity, the fraudulent subject can:
- Access the institutional portals of the Public Administration
- Change bank details for receiving pension, salary or tax refunds
- Proceed to open bank accounts or economic activities in the name of the victim
- Use the profile for further illicit activities, in a context of substantial invisibility for the legitimate owner
An additional criticality is represented by the absence of a centralized database that allows the verification of the number of active SPID identities for a given tax code, a gap that even affects the public authorities responsible for control.
Could such a macroscopic "oversight" have escaped the lords of the scam? Of course not; in fact it has not escaped them. Thanks to the forced digitalization that followed Covid, in a country with Bulgarian percentages of computer and functional illiterates, scams have begun to the detriment of citizens, who for now are completely defenseless in the face of this problem.
And that's how criminals, or rather cybercriminals, have dived into the scam paradise that our country represents.
The analysis of the strategies adopted by cybercriminals reveals a complex repertoire of techniques for acquiring the documentation necessary for the scam:
- Social engineering through phishing and smishing: the development of fraudulent communications that simulate institutional officialdom, inducing the recipient to interact with compromised computer connections and the consequent disclosure of personal data.
- Document acquisition through clandestine channels: the existence of a parallel market emerges, particularly on the dark web, where complete document packages are available, including identity documents, tax codes and additional identification material.
- Interception of unprotected communications: documents transmitted through communication channels without adequate encryption protocols are vulnerable to interception or illegal resale.
- Device compromise through malicious software: malicious computer code aimed at recording temporary authentication codes or extracting data stored in browsers.
- Identification circumvention: some digital identification methodologies have inherent vulnerabilities, which are particularly evident where providers do not implement in-person verification protocols or qualified digital certifications.
The peculiarity of this type of scam lies in its silent nature: you only notice it when it is too late. The discovery of the compromise coincides with economic damage that has already materialized, revealed through:
- Failure to receive pension credits
- Disappearance of tax refunds
- Unauthorized alteration of bank details registered with public systems
- Discovery of illegally activated financial relationships
In particularly sophisticated cases, fraudulent individuals even obtain falsified service certifications or modify essential parameters on institutional platforms.
The issue of recovering unduly stolen sums presents significant complexities: the resources are frequently already the subject of multiple transfers or physical withdrawals. In the absence of evidence of direct responsibility of the identity provider, the economic burden tends to weigh on the victim, configuring a paradigm of systemic vulnerability, which as usual is passed on to citizens.
Risk mitigation activities, currently entirely at the expense of the citizen, exist, but they are not accessible to everyone; for example, the elderly who barely know how to use a cell phone will certainly have problems activating them.
Periodically accessing institutional platforms (INPS, Revenue Agency, NoiPA) to verify the integrity of the recorded data, paying particular attention to the bank details, is a mitigation activity that, if carried out, could limit but not exclude the damage; the same applies to regularly contacting ALL SPID providers (currently twelve accredited operators) to check for any identities activated in your name.
Other useful but not definitive practices are represented by:
- Systematic adoption of multifactor authentication: favor temporary code generation systems based on cryptographic algorithms (Authy, Google Authenticator) over SMS transmission methodologies.
- Strengthening device security: maintaining operating systems up-to-date, implementing restrictive policies when installing applications, and adopting antivirus solutions with advanced heuristic capabilities.
- Activation of notification systems for financial transactions: configuration of real-time alerts for each economic movement, facilitating the timely identification of unauthorized operations.
- Periodic credential rotation: implementation of high-entropy credentials, diversification across platforms, and adoption of secure methodologies for storing login data.
What to avoid
- Transmission of personal documentation through unprotected communication channels, even in the face of apparent institutional requests
- Interaction with hyperlinks contained in communications of dubious origin
- Reusing the same credentials on different platforms
- Storing sensitive data in inadequately protected systems
- Underestimation of communications that evoke verification urgency, frequently indicative of attempts at psychological manipulation
In the European context, the implementation of the Digital Identity Wallet (EUDI Wallet) is under development, a digital identity system designed with potentially superior security parameters, based on the eIDAS 2 regulation. This innovative model aims to overcome the structural limitations of the current SPID architecture through the adoption of a unified and centralized system.
However, pending the implementation of solutions with greater architectural robustness, risk management remains primarily the responsibility of the citizen: the current system configuration does not provide public tools that allow for the centralized verification of SPID identities activated with the same tax code.
The digitalization of Public Administration services, while representing a significant evolution in the relationship between citizens and institutions, highlights how, in the absence of adequate systemic security measures, the innovation paradigm can translate into concrete vulnerabilities. In this context, critical awareness, continuous vigilance and an attitude of constructive skepticism towards anomalous requests are the most effective tools available to citizens.