The allure of digital IDs
The evolution of a verifiable digital credential—more commonly referred to as a digital ID or a mobile driver’s license (mDL)—has gained momentum in recent years. These electronic credentials are pitched as a secure and convenient way to verify identity for everything from financial transactions to airport security.
Supporters highlight increased control over personal information and a shift away from easily lost or stolen plastic cards. Plus, it brings a smile of relief to vendors that promote biometric liveness as the primary process to find peace with a “trusted ID” where their systems have weakness in authenticating physical identity documents, including document presentation attack detection (DPAD).
Tread lightly for now
2025 is shining a bright light of possibility on the world of digital IDs—including on the path to implementing them in a remote scenario (although yet to be determined is which of the ISO, W3C, or OpenID4VC standards will reign supreme in a VHS vs. Betamax-type tussle).
But as with many shiny innovations, it’s worth pausing to ask: Are we placing too much trust in a system that might be far less secure than it appears? In this first installment of our blog series diving into the world of digital identity, we’ll explore an unsettling question: What happens when the foundation of trust in digital IDs is, itself, fundamentally flawed? Will digital IDs be the new form of “identity laundering”?
(Note to reader: As we continue our discussion below, we affirm that we are strong believers in digital IDs and are developing sound strategies to make them available to both our clients and the end users at large. That said, the industry should take pause in promoting this as a silver-bullet solution where there are known foundational challenges.)
Weak links in the issuance process
The first vulnerability begins at the source: the issuer. In the US, that is our local state department of motor vehicles (DMV). These agencies are responsible for vetting applicants and issuing credentials, but security gaps at this stage and when reissuing physical credentials can open the door to fraud.
Social engineering, insider corruption, and database breaches all create opportunities for bad actors. A state employee who accepts false documents or a hacker who exploits a weak government system can introduce fraudulent IDs into circulation.
Fraud rings have already taken advantage of loopholes. Scammers use stolen personal information to file a change of address or to transfer an ID from one state to another. This diverts important mail like license renewals and new state ID cards to a different address, allowing them to potentially steal the victim’s identity and/or commit further fraud by obtaining a new license in their name.
State agencies with known weaknesses are prime targets, resulting in tens of thousands of newly issued “legitimate” credentials.
Identity laundering: A digital fraudster’s playbook
The financial crime world has long used a three-step process to clean illicit money: placement, layering, and integration. It’s a system designed to make “dirty” funds appear legitimate—hence the term money laundering.
Identity fraud is evolving in a disturbingly similar fashion, and digital IDs may inadvertently streamline the process.
Step 1: Placement → Inserting fraudulent identities into the system
In money laundering, placement is the step where illicit cash first enters the financial system, often through cash-based businesses or structured deposits to avoid detection.
In identity laundering, the equivalent is inserting fraudulent or stolen identities into the system. This happens when fraudsters successfully obtain a government-issued ID—whether through social engineering, insider collusion, or document forgery. Once a fake or synthetic identity is granted legitimacy via a physical ID, it can then be fed into the digital ID ecosystem, where it will gain even more credibility.
Step 2: Layering → Masking fraudulent identities within legitimate systems
Money launderers move funds through a maze of transactions—shell companies, offshore accounts, and fake invoices—to obscure the origin of illicit cash.
In identity laundering, layering occurs when fraudsters use a compromised or fraudulent physical ID to obtain additional credentials. This can involve transferring an identity to another state, enrolling in financial services, or obtaining official records under a synthetic identity. The goal is to deepen the fraudster’s footprint within legitimate institutions, making it harder to trace back to the initial deception.
With digital IDs, this step is even more effective. Once an mDL is issued from a tainted source, it gains the appearance of authenticity and can be used for a range of high-trust transactions, from opening bank accounts to accessing government benefits. The layers of fraud become increasingly difficult to untangle.
Step 3: Integration → Using laundered identities for real-world fraud
In financial crime, integration is where illicit funds fully enter the economy, appearing as clean, legal money—often through real estate purchases, luxury goods, or investments.
In identity laundering, this is the point where a once-fraudulent identity is now functionally indistinguishable from a real one. A digital ID issued from a flawed process will be trusted by banks, employers, law enforcement, and other institutions. The fraudster can now operate without suspicion, accessing credit, making high-value purchases, or even securing official documentation (passports, voter registration, tax filings) under their assumed identity.
A need for tighter issuance controls
As states push forward with digital ID adoption, security at issuance and re-issuance (i.e., for change of address and state-to-state requests) needs attention and improvement. Strong authentication methods, document verification, and fraud detection must be in place before we can advertise that a digital ID system is more secure.
An mDL issued with weak controls at the state level will be treated as legitimate across countless services. From financial institutions to government agencies, a compromised identity will gain access without triggering suspicion. This is the risk that many digital ID proponents are not acknowledging in their future product marketing. Once a document is embedded in the system, many assume it has passed rigorous checks.
That assumption is dangerous.
The introduction of digital IDs brings efficiency and convenience and will minimize unnecessary personal data sharing. But without stronger verification and processes at the source, the system will continue to be a playground for fraudsters. Those responsible for the digital ID rollout need to address the difficult questions now—before the problem is too big to fix.
About the post:
Images and videos are generative AI-created. Prompt: POV, a hyperrealistic human hand presenting a driver’s license to a banker, the license is made up of strands of digital data. bank teller is in the background out of focus reaching to accept the license. Tools: Midjourney, Luma.
About the author:
Terry Brenner is the Head of Legal, Risk, and Compliance for IDVerse Americas. He oversees the company’s foray into this market, heeding to the sensitivities around data protection, inclusivity, biometrics, and privacy. With over two decades of legal experience, Brenner has served in a variety of roles across a diverse range of sectors.
