User identification and authentication are under scrutiny in Finland, where a recent data breach in health services has resulted in various authorities issuing guidelines for how user identity should be verified.
In Finland, it is common to use the personal identity code (PIC) for identity verification in various services, for example in e-commerce when purchasing by invoice, or in health services. This practice, while not directly illegal, is now widely criticized by the authorities because it increases criminals' motivation for identity theft and the misuse of identity information.
The Finnish Digital and Population Data Services Agency (DVV) has issued the following guidance:
“In different e-services, the personal identity code should only be used to individualize customers. The personal identity code should not be used to identify the customer.”
The Finnish government has also initiated a process to amend the Consumer Protection Act so that strong identification would be a legal requirement when, for example, online purchases are paid for on credit (invoice) or in instalments.
This is how the crime usually happens: an online service with a lightweight (e.g. password-only) login is breached. The criminal obtains user information such as name, address and, most valuable of all, the personal identity code. The cybercriminal then uses this personal information to place orders in webshops where payment by invoice or in instalments is possible simply by providing the personal identity code.
Companies that use the ID number for identification, for example when a customer purchases by invoice, are increasingly under pressure from consumers, who are now calling for the practice to be made illegal. As a result, relying on the ID number for identification increases an organization's risk of fraud, and of reputational damage should there be a data breach, as the recent high-profile breach highlights.
Signicat recommends that service providers always use strong customer authentication. The vast majority of the Finnish population use an electronic identity issued by a bank, or a mobile certificate, to prove their identity across public and private services. Authentication can be purchased as a service (SaaS), which means strong authentication can be implemented via API as part of digital channels, or even in telephone or chat-based customer service.
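The DVV guidance above (the PIC individualizes a customer but does not identify them) and the fraud chain described earlier can be made concrete with a small model of an invoice checkout. This is an added illustration, not code from Signicat or from any Finnish service; the customer record, the PIC value and the HMAC-based assertion that stands in for a real strong-authentication provider's signed response are all constructed for the example.

```python
"""Two invoice-order policies: PIC as proof of identity (weak) versus PIC as a lookup key
after strong authentication (the pattern the DVV guidance asks for)."""
import hashlib
import hmac

# Constructed customer directory, keyed by a constructed (not real) personal identity code.
CUSTOMERS = {
    "010190-123A": {"name": "Maija Meikäläinen", "address": "Testikatu 1, Helsinki"},
}

# Hypothetical shared secret with the strong-authentication provider. Real providers return
# signed tokens (SAML/JWT); an HMAC over the assertion stands in for that signature here.
IDP_SECRET = b"constructed-demo-secret"


def issue_assertion(pic: str, issued_at: int) -> dict:
    """Stand-in for what a bank-ID / mobile-certificate login returns to the service."""
    mac = hmac.new(IDP_SECRET, f"{pic}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return {"pic": pic, "iat": issued_at, "mac": mac}


def approve_invoice_order_weak(pic: str, name: str, address: str) -> bool:
    """Pre-breach pattern: knowing PIC + name + address is accepted as proof of identity.
    Anything leaked from another service is enough to pass this check."""
    record = CUSTOMERS.get(pic)
    return record is not None and record["name"] == name and record["address"] == address


def approve_invoice_order_strong(assertion: dict, now: int, max_age: int = 300) -> bool:
    """DVV pattern: identity comes from a verified, fresh assertion; the PIC inside it only
    selects the customer record (individualization), it is never the secret being checked."""
    expected = hmac.new(IDP_SECRET, f"{assertion['pic']}|{assertion['iat']}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return False  # forged or tampered assertion
    if now - assertion["iat"] > max_age:
        return False  # stale assertion, e.g. replayed from an old session
    return assertion["pic"] in CUSTOMERS


if __name__ == "__main__":
    leaked = ("010190-123A", "Maija Meikäläinen", "Testikatu 1, Helsinki")
    print("weak policy, leaked data:", approve_invoice_order_weak(*leaked))
    forged = {"pic": "010190-123A", "iat": 1000, "mac": "00" * 32}
    print("strong policy, forged assertion:", approve_invoice_order_strong(forged, now=1100))
    print("strong policy, genuine login:",
          approve_invoice_order_strong(issue_assertion("010190-123A", 1000), now=1100))
```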
To increase the transparency of strong customer authentication in Finland, Signicat has launched the Trust Mark Turvallinen tunnistautuminen™ (secure authentication). All service providers that leverage Signicat’s authentication services to verify the identity of users are allowed to display the trust mark on their website. The trust mark enables consumers to identify service providers that have taken appropriate measures to secure customer data.