Double SPID scam

SPID scam: cybercriminals clone digital identities and steal money. What it is and how to defend yourself

A scam tied to SPID (Sistema Pubblico di Identità Digitale, the Italian public digital identity system) is causing considerable concern among cybersecurity experts and Italian citizens. The fraud, dubbed the "double SPID scam" by the media, is far from new, but its recent resurgence has drawn attention, especially with the approach of tax season and the tax return, a period in which millions of Italians use SPID to access the online services of the public administration. A weakness of the system can be exploited by criminals to clone a user's digital identity under a different e-mail address and telephone number and then steal money, by changing sensitive data such as the IBAN and other financial or personal details on public administration (PA) portals.

How the "double SPID scam" works and why it is dangerous

The scam unfolds in three main phases, each of which exploits a specific weakness of the SPID system.

  • Phase 1 – Acquisition: the criminals buy online (for example on dedicated marketplaces on Telegram or the dark web) packages of documents containing sensitive information such as the identity card, the health card and other identifying data. These packages sell for a few tens of euros and are then used to carry out the subsequent stages of the scam.
  • Phase 2 – Cloning: the scammers clone the digital identity by activating a second SPID linked to the victim's tax code (codice fiscale). They exploit the fact that the SPID system allows several valid digital identities for the same tax code, differing only in the associated e-mail address and telephone number. To bypass the security checks required by the various identity providers, they can today also make use of AI (for example to clone the victim's face with deepfake techniques). This serious security flaw in the public digital identity system allows attackers to register a second SPID with a provider different from the one the victim originally used. Once the new SPID is active, the scammers can access the victim's tax and financial data, such as tax refunds or INPS communications.
  • Phase 3 – Diversion: with access through the cloned SPID, the scammers modify the IBANs registered on public portals such as those of INPS, the Revenue Agency (Agenzia delle Entrate) or NoiPa, diverting tax refunds, salaries and pensions to the account created fraudulently. The victim therefore not only loses control of their SPID, but also ends up with compromised bank details and stolen funds.

Describing the danger of this scam, Ivano Giacomelli, National Secretary of the Citizen Rights Center, reported:

Cybercriminals steal the victim's documents and personal data online, with which they register a SPID for their criminal operations. Be warned, we are talking about very dangerous actions. With SPID, for example, you can access the tax drawer of the Revenue Agency and change the IBAN, thus diverting any tax refunds, and you can open accounts or business activities. It is clear that the first step is up to the managers of these services, who must strengthen security measures.

How to defend yourself from the cloned SPID scam

If, on the one hand, the SPID system has weaknesses that are difficult to resolve at a technical level, on the other hand there are several precautions that can be adopted to defend against the "double SPID scam" and other frauds related to digital identity.

The first and fundamental preventive measure is to activate two-factor authentication (2FA) for every online service that protects sensitive access, SPID naturally included. This adds an additional layer of security, preventing unauthorized access even if the credentials are stolen.

It is also important to periodically check the IBANs registered on public portals, such as those of INPS, the Revenue Agency and NoiPa, to verify that no unauthorized changes have been made. Frequently monitoring access to your accounts and using complex, unique passwords for each service also helps reduce the risk of compromise of your accounts and of the public administration online services you use.

If you suspect that you are the victim of identity theft or SPID cloning, we suggest reporting the incident to the Postal Police (Polizia Postale) and to AgID (Agency for Digital Italy), so that the second, fraudulent SPID is blocked as soon as possible.