Identity document forgery

Identity document forgery is the process by which identity documents issued by governing bodies are illegally copied and/or modified by persons not authorized to create such documents or engage in such modifications, for the purpose of deceiving those who would view the documents about the identity or status of the bearer.[1] The term also encompasses the activity of acquiring identity documents from legitimate bodies by falsifying the required supporting documentation in order to create the desired identity.[2]

West German customs employee checking an alleged fake document.

Identity documents differ from other credentials in that they are intended to be usable by only the person holding the card. Unlike other credentials, they may be used to restrict the activities of the holder as well as to expand them.

Documents that have been forged in this way include driver's licenses (historically forged or altered as an attempt to conceal the fact that persons desiring to purchase alcohol are under the legal drinking age); birth certificates and Social Security cards (likely used in identity theft schemes or to defraud the government); and passports (used to evade restrictions on entry into a particular country). At the beginning of 2010, there were 11 million stolen or lost passports listed in the global database of Interpol.[3]

Such falsified documents can be used for identity theft, age deception, illegal immigration, organized crime, and espionage.[4]

Use scenarios, forgery techniques and security countermeasures

Lee Harvey Oswald's fake service card with the name Hidell.

A distinction needs to be made between the different uses of an identity document. In some cases, the fake ID may only have to pass a cursory inspection, such as flashing a plastic ID card for a security guard. At the other extreme, a document may have to resist scrutiny by a trained document examiner, who may be equipped with technical tools for verifying biometrics and reading hidden security features within the card. To make forgery more difficult, most modern IDs contain numerous security features that require specialised and expensive equipment to duplicate. School IDs are typically easier to fake, as they often do not have the same level of security measures as government-issued IDs.

Fake ID cards can be ordered on the internet; examples include the UK national identification card and a provisional motorcycle licence. False documents come in several types: another person's ID used by someone else, a genuine document which has been altered, a form of ID that doesn't exist, and a copy of an ID which has been made.

Modern fake ID cards almost invariably carry a picture of the authorized user, a simple and effective form of biometric identification. However, forgery of basic photographic ID cards has become simple in recent years with the availability of low-cost high-resolution printers, scanners and photo-editing software. Basic fake ID cards are commonly made using an inkjet or laser printer to print a replica document which is then laminated to resemble a real ID card. Most designs are made using computer programs, re-creating scanned copies of a license.

More complex ID cards are now being created by printing on a material called Teslin or Artisyn, which are paper-like materials that are actually micro-porous plastic sheets. When butterfly pouches and holograms are applied, the card is then run through a heat laminator, creating a professional-looking ID card.

Numerous security printing techniques have been used to attempt to enhance the security of ID cards. For example, many modern documents include holograms, which are difficult to replicate without expensive equipment not generally available. Though accurate recreation of these holograms is extremely difficult, using a mixture of pigments and base can create a similar shiny multi-colored look that may pass cursory inspection. Another form of document security is UV-light visible ink.[4]

In addition, some documents include a magnetic strip, which contains similar information to that printed on the card. The data may thus be checked against other data on the card, such as printed information or a machine-readable barcode. Magnetic strips may also contain other secret identifying information. Although magnetic strips can also be faked, they provide another barrier to entry for the amateur forger. Other hidden security devices can also be added, including embedded secure cryptoprocessor chips which are designed to be very difficult to forge, and RFID tags; the two technologies may also be combined, in the case of contactless smart cards.

Another effective technique is the use of online verification of security information against a central database. In many cases, online verification can detect simple copying of a document by detecting attempted use in multiple places at the same time, or completely false IDs, as the information on the ID will be found to be invalid. A simple method of confirming that an ID is genuine is to print a serial number on it unique to the card and stored on a centralized database.[5] If checked, it will quickly become clear that the ID is false; either the number on the ID is not registered for the holder, or no ID has the number at all. Online verification also has the advantage that it allows easy revocation of lost or stolen documents.
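The registry checks described above, as an added example (not part of the original article): an unknown serial, a serial registered to someone else, a revoked document, and the same serial presented at two sites within a short window. The `Registry` type, the ten-minute window and all sample records are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Record is one row of the issuer's central database (constructed sample data).
type Record struct {
	Holder   string
	Revoked  bool
	LastSite string
	LastSeen time.Time
}

// Registry is a hypothetical in-memory stand-in for the centralized database.
type Registry map[string]*Record

const window = 10 * time.Minute // assumed threshold for "same time, two places"

// Check validates a presented card and records where it was last seen.
func (r Registry) Check(serial, holder, site string, at time.Time) string {
	rec, ok := r[serial]
	switch {
	case !ok:
		return "unknown serial"
	case rec.Holder != holder:
		return "serial not registered to holder"
	case rec.Revoked:
		return "revoked"
	}
	// The same serial at a different site inside the window suggests a copy.
	copied := rec.LastSite != "" && rec.LastSite != site && at.Sub(rec.LastSeen) < window
	rec.LastSite, rec.LastSeen = site, at
	if copied {
		return "possible copy: used at two sites"
	}
	return "ok"
}

// DemoRegistry runs five constructed presentations against a two-card registry.
func DemoRegistry() []string {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	reg := Registry{"A1001": {Holder: "Jane Doe"}, "A1002": {Holder: "John Roe", Revoked: true}}
	return []string{
		reg.Check("A1001", "Jane Doe", "gate-1", t0),
		reg.Check("A1001", "Jane Doe", "gate-2", t0.Add(2*time.Minute)),
		reg.Check("Z9999", "Jane Doe", "gate-1", t0),
		reg.Check("A1001", "Mallory", "gate-1", t0),
		reg.Check("A1002", "John Roe", "gate-1", t0),
	}
}

func main() { fmt.Println(DemoRegistry()) }
```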

Using digital signatures is another effective method of detecting ID forgery. The ID can include a copy of its data on an integrated circuit or barcode, digitally signed by the document issuer. The digital signature allows for easy authentication of the ID. If the digital signature of a fake ID is checked, it will immediately become evident that the ID is fake, because either the digitally signed copy of the holder's data does not match the data printed on the ID or the (possibly altered) copy of the ID's data is not signed by the document issuer.[6] The effectiveness of this security feature depends on the document issuer keeping the private key used to sign IDs secret,[7] as well as the strength of the cryptographic algorithm used for the ID's digital signature.
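The two failure cases named above (printed data that disagrees with the signed copy, and a copy that the issuer did not sign), as an added example that is not part of the original article. Ed25519, the `Card` layout, the test keys and the holder data are all assumptions chosen for illustration; real documents use their issuer's own scheme and encoding.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Card is what an inspector reads: the printed fields, the chip or barcode
// copy of those fields, and the issuer's signature over that copy.
type Card struct {
	Printed   string
	ChipData  string
	Signature []byte
}

// Verify returns "ok" or the reason the card fails the signature check.
func Verify(issuerPub ed25519.PublicKey, c Card) string {
	if !ed25519.Verify(issuerPub, []byte(c.ChipData), c.Signature) {
		return "chip data not signed by issuer"
	}
	if c.Printed != c.ChipData {
		return "printed data does not match signed copy"
	}
	return "ok"
}

// DemoSignature checks one genuine card and three altered ones
// (keys and holder data are constructed for illustration).
func DemoSignature() []string {
	issuer := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // test key only
	pub := issuer.Public().(ed25519.PublicKey)
	otherSeed := make([]byte, ed25519.SeedSize)
	otherSeed[0] = 1
	other := ed25519.NewKeyFromSeed(otherSeed) // a key the issuer does not hold

	data := "DOE,JANE|1990-01-01|SN:A1001"
	altered := "DOE,JANE|1980-01-01|SN:A1001"
	sig := ed25519.Sign(issuer, []byte(data))
	cards := []Card{
		{data, data, sig},       // genuine
		{altered, data, sig},    // face altered, chip untouched
		{altered, altered, sig}, // face and chip altered, old signature kept
		{altered, altered, ed25519.Sign(other, []byte(altered))}, // non-issuer key
	}
	var out []string
	for _, c := range cards {
		out = append(out, Verify(pub, c))
	}
	return out
}

func main() { fmt.Println(DemoSignature()) }
```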

Many modern credentials now contain some kind of barcode. For example, many U.S. driving licences include a 2-dimensional code in PDF417 format, which contains the same information as on the front of the license. Barcodes allow rapid checking of credentials for low-security applications, and may potentially contain extra information which can be used to verify other information on the card.

Systemic attacks

The combination of multiple high-security features, biometrics, and well-trained document inspectors with technical assistance can be very effective at preventing forged documents from being easily produced. Instead of acquiring the expensive specialized equipment needed to make fake documents, it may be more economical to produce a "genuine fake": a legitimate document, but one which contains false information.

One way of doing this is to present the document issuing authority with false credentials, which they will then endorse by issuing a new document. In this way, false identities and credentials can be "bootstrapped" over a period of time.[8]

Another, simpler way of generating false credentials is to suborn one of the officials involved in the document-issuing process through bribery or intimidation. This may also be combined with the bootstrapping process mentioned above to mount complex attacks.

Corruption in the document-issuing process is hard to counter, since as the value of a credential increases, the economic incentives for corruption also increase. This is particularly true in the case of fake ID cards that combine many functions in one document, and for documents which are issued in large numbers, which requires many thousands of people to have authorizing powers and so creates a longer chain of people who can possibly be exploited. Detection of a "genuine fake" document is also difficult: because such a fake is a legitimate document, it will pass any tests for forgery. To detect such fakes, it is necessary to perform a background check on the individual in question to confirm the legitimacy of the document's information.

References

  1. Buchanan, James D. R.; Cowburn, Russell P.; Jausovec, Ana-Vanessa; Petit, Dorothée; Seem, Peter; Xiong, Gang; Atkinson, Del; Fenton, Kate; Allwood, Dan A.; Bryan, Matthew T. (2005). "'Fingerprinting' documents and packaging". Nature. 436 (7050): 475. doi:10.1038/436475a. ISSN 1476-4687. PMID 16049465. S2CID 4164867.
  2. Bennett, Colin John; Lyon, David (2008). Playing the Identity Card: Surveillance, Security and Identification in Global Perspective. Routledge. ISBN 9780415465632.
  3. "11 million stolen or lost passports in Interpol database". Havocscope Black Markets. Archived from the original on 2010-02-03. Retrieved 2010-12-06.
  4. Turner, J. W. Cecil (1946). "'Documents' in the Law of Forgery". Virginia Law Review. 32 (5): 939–954. doi:10.2307/1068683. ISSN 0042-6601. JSTOR 1068683.
  5. "Driver's License Verification". www.e-verify.gov. March 2019. Retrieved 2020-02-23.
  6. "Levels of identity security and groups of secure features". thalesgroup.com. Thales Group. 2022. Retrieved 6 June 2023.
  7. "Understanding Digital Signatures". cisa.gov. Cybersecurity and Infrastructure Security Agency. 1 February 2021. Retrieved 6 June 2023.
  8. "Journalisten Rambam niet vervolgd voor fraude". NU (in Dutch). 2013-06-13. Retrieved 2023-04-26.