
Hackers exploit ‘My Identity’ App authentication to hijack accounts

Despite ongoing efforts by the Public Authority for Civil Information and other government institutions to raise awareness about cyber fraud, scammers continue to exploit vulnerabilities, especially through fake links and websites that hijack bank accounts or hack personal and corporate devices.

A recent tactic targeted the “authentication” process within the “My Identity” app.

Experts warn that as government digital services expand, fraudulent activities have evolved, with attackers misusing the app’s identity verification feature to trap victims.

Although the app employs advanced security measures, user mistakes — such as unknowingly approving authentication or digital signature requests — can open the door to hacking. These breaches often result in theft of money or sensitive phone data.

Hackers frequently impersonate official government bodies or private sector companies like telecoms and banks, using deceptive links and false information to gain control of their targets.

Dr. Safaa Zaman, Chairwoman of the Kuwait Information Security Society, explained that authentication is a fundamental cybersecurity tool used across banking, government transactions, and e-commerce.

However, it has been recently abused through fake websites, fraudulent links, and weak encryption, making unauthorized access easier.

She stressed the need for constant improvements in authentication systems amid advancing technology and AI.

Zaman also highlighted the lack of sufficient oversight and accountability, which emboldens fraudsters to create fake sites without consequences.

She called for increased user education on handling these tools safely, including regular software updates, monitoring suspicious account activity, and minimizing the sharing of personal data.

Cybersecurity expert Bassam Al-Abdan described how “MFA fatigue” attacks work: victims are bombarded with repeated authentication requests until they mistakenly approve one. Attackers also use social engineering tactics, pretending to be technical support to trick victims into accepting notifications.

Al-Abdan emphasized the importance of skepticism toward any authentication request not initiated by the user, and of preferring authentication apps over text messages, which are vulnerable to interception. He recommended activating security alerts and using context-aware multi-factor authentication (MFA), which considers device location and IP address to strengthen defense.
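The two defensive ideas above, a burst of prompts ending in an approval and a check of the requesting context, can be expressed as a simple server-side review of push prompts. This is an added illustration, not code from the “My Identity” app or any provider; the event fields, user names, device IDs, window and threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: users, IPs (documentation ranges) and device IDs are made up.
KNOWN_CONTEXT = {"alice": {("192.0.2.10", "phone-A")}, "bob": {("192.0.2.20", "laptop-B")}}
PROMPTS = [  # (time, user, requesting IP, requesting device, outcome of the push prompt)
    ("2025-01-05 09:00:00", "bob", "192.0.2.20", "laptop-B", "approved"),
    ("2025-01-05 23:01:00", "alice", "203.0.113.7", "unknown-1", "denied"),
    ("2025-01-05 23:01:40", "alice", "203.0.113.7", "unknown-1", "timeout"),
    ("2025-01-05 23:02:15", "alice", "203.0.113.7", "unknown-1", "denied"),
    ("2025-01-05 23:03:05", "alice", "203.0.113.7", "unknown-1", "approved"),
    ("2025-01-06 08:30:00", "alice", "192.0.2.10", "phone-A", "approved"),
]

def review_approvals(prompts, known, window=timedelta(minutes=10), threshold=3):
    """Return (user, time, reasons) for approvals that follow a prompt burst
    or that come from an IP/device pair not previously seen for the user."""
    recent_rejects = defaultdict(deque)  # user -> times of prompts that were not approved
    alerts = []
    for ts, user, ip, device, outcome in sorted(prompts):
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rejects = recent_rejects[user]
        while rejects and now - rejects[0] > window:
            rejects.popleft()  # drop prompts older than the sliding window
        if outcome != "approved":
            rejects.append(now)
            continue
        reasons = []
        if len(rejects) >= threshold:  # many ignored/denied prompts, then a yes
            reasons.append("burst_before_approval")
        if (ip, device) not in known.get(user, set()):  # context-aware check
            reasons.append("unfamiliar_context")
        if reasons:
            alerts.append((user, ts, reasons))
        rejects.clear()  # counting restarts after each approval
    return alerts

if __name__ == "__main__":
    for alert in review_approvals(PROMPTS, KNOWN_CONTEXT):
        print(alert)
```

An approval flagged this way is a candidate for step-up verification or session revocation rather than proof of compromise.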

Common fraud methods include impersonation of official bodies, use of fake links, misleading digital signatures, and requests for verification codes or screenshots.

The Public Authority for Civil Information continues to warn users not to approve authentication requests unless they personally initiated them and to verify service provider details before acceptance.

A spokesperson confirmed ongoing efforts to educate users and enhance app security, noting that neither the “Sahal” nor the “My Identity” app has been hacked recently.

Dr. Zaman also called for establishing an independent Data Protection Authority to oversee compliance, handle complaints, impose fines, conduct security tests, and perform audits to close potential security gaps in government digital systems.
