1. Protecting data
    1. Security of devices
      1. Physical vulnerabilities
        1. Device lost
        2. Device defect (device unavailable or out of battery)
        3. Device stolen
      2. Lack of Device Security
    2. Security of Wallets → one App or wallet with lots of functionalities and different sectors.
      1. Phishing Attacks
      2. Malware and Viruses
      3. Social Engineering
    3. Security of Verifiable Credentials
      1. Just like with traditional passwords, weak keys or improperly stored credentials in distributed identity systems can be vulnerable to hacking
        1. by end user
        2. by service providers
        3. by issuers (tricky)
        4. by third parties → misuse or reuse of data by third parties through illegal access, e.g. intrusion through a malicious app, social engineering, duplication, skimming
    4. Security of Services → dependency on the security of the services used
      1. relying parties
      2. intermediaries
  2. Losing data → lack of support mechanisms when a security issue occurs
    1. Not enough recovery solutions
    2. No insurance
  3. Dark net security economy → there is a business in generating fake IDs or misusing real IDs, which could be used for money laundering or other illegal actions
    1. Fake IDs
    2. Misuse of VCs
  4. Trust Infrastructure → any vulnerabilities caused by mistakes in the Trust Infrastructure
    1. PKI
    2. Registry
    3. Any intermediaries

1 Comment

  1. see the amendments to the eIDAS regulation: https://www.europarl.europa.eu/legislative-train/spotlight-JD22/file-eid

    The wallet should ensure cybersecurity and privacy by design.

    Regarding a security breach of the EUDIWs, the scope is the national level https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0281:

    (11) the following Article 10a is inserted:

    Article 10a

    Security breach of the European Digital Identity Wallets

    1. Where European Digital Wallets issued pursuant to Article 6a and the validation mechanisms referred to in Article 6a(5) points (a), (b) and (c) are breached or partly compromised in a manner that affects their reliability or the reliability of the other European Digital Identity Wallets, the issuing Member State shall, without delay, suspend the issuance and revoke the validity of the European Digital Identity Wallet and inform the other Member States and the Commission accordingly.

    2. Where the breach or compromise referred to in paragraph 1 is remedied, the issuing Member State shall re-establish the issuance and the use of the European Digital Identity Wallet and inform other Member States and the Commission without undue delay.

    3. If the breach or compromise referred to in paragraph 1 is not remedied within three months of the suspension or revocation, the Member State concerned shall withdraw the European Digital Wallet concerned and inform the other Member States and the Commission on the withdrawal accordingly. Where it is justified by the severity of the breach, the European Digital Identity Wallet concerned shall be withdrawn without delay.

    4. The Commission shall publish in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 6d without undue delay.

    5. Within 6 months of the entering into force of this Regulation, the Commission shall further specify the measures referred to in paragraphs 1 and 3 by means of an implementing act on the implementation of the European Digital Identity Wallets as referred to in Article 6a(10).