Spelling Errors as a Counterfeiting Defense

This is a weird rumor.

ID cards in Belgium are being printed with intentional misspellings in an attempt to thwart potential fraudsters.

Four circular arcs on the ID cards show the country's name in different languages -- French, Dutch, German and English. According to the article, the German and English arcs will be spelled incorrectly, and misspellings will also appear elsewhere on the cards. The idea is that people making counterfeit cards won't notice the misspellings on the originals and will print the fraudulent cards with the names spelled properly.

More information is here:

To trick fraudsters, the Home Office has introduced three circular arcs on the card -- just beneath the identity photos -- where you will find the name of the country in the official languages spoken in Belgium -- French, Dutch and German, as well as in English. But instead of 'Belgien' in German, the ID card incorrectly uses the name 'Belgine' and instead of 'Belgium' in English, the card reads 'Belguim'. Vanneste has promised other errors will be printed on the card to "further confuse fraudsters". With any luck, these will not be revealed.

I'm not impressed with this as a countermeasure. It's certainly true that poor counterfeits will have all sorts of noticeable errors -- and correct spelling might certainly be one of them. But the more people that know about the misspellings, the less likely a counterfeiter will get it wrong. And the more likely a counterfeiter will get it wrong, the less likely anyone will notice.

I'm all for hard-to-counterfeit features in ID cards. But why make them grammatical?

Posted on June 1, 2005 at 7:58 AM • 44 Comments

Comments

Tom PhoenixMay 31, 2005 6:14 PM

Many currencies now include microprinting, sometimes in a hologram. This contains a many-times-repeated message. If every nth repetition within the microprint contained a small intentional error, not necessarily so large as a typo, it would act a lot like a copyright trap on a map. It's there (if it is) only as one of several non-disclosed features used to prove a counterfeit in the lab.

Missing any one of the non-disclosed features tells the senior lab tech that this is a known counterfeit. The next step is to assign the bill to a junior lab tech who can find some publicly-known criterion to use to denounce the bill, such as defects due to the printing method.

Hypothetically, of course. But (as with copyright traps) a counterfeiter can never be sure that all of them are found, no matter how few there really are.

And thus, when you print the bi-plane upside-down, you can claim you did it on purpose.

Bruce SchneierMay 31, 2005 9:19 PM

"I don't get it. How do I tell a misspelled fake from the real thing?"

No, no, no. Only the real ID cards will have misspellings. The fakes will have everything spelled correctly, just like those spam email you get.

dennisJune 1, 2005 12:24 AM

I can see people detained and questioned at border posts by clueless guards demanding to know how come your papers contain spelling errors, this is even worse than security through obscurity.

Ihre ausweis bitte...

Thomas SprinkmeierJune 1, 2005 1:43 AM

The problem is that the 'errors' will be uniform; all cards will have the same words misspellt.

The obvious solution is to mispeel something different on every card, e.g. the owners name!

I for one am used to having my name spelled incorectly.

Ralph BroomJune 1, 2005 9:25 AM

Actually, CitiBank Visa has been doing this for years. Check the microprint border around the logo. It's a repetition of "Visa" with the occasional "Vias" thrown in for good measure. Other cards probably do the same.

Bruce SchneierJune 1, 2005 9:52 AM

"Actually, CitiBank Visa has been doing this for years. Check the microprint border around the logo. It's a repetition of "Visa" with the occasional "Vias" thrown in for good measure. Other cards probably do the same."

Fascinating. It's not going to scream "counterfeit" to a merchant, but it's probably an easy check someone can do back at the forgery lab.

Israel TorresJune 1, 2005 10:10 AM

"Fascinating. It's not going to scream "counterfeit" to a merchant, but it's probably an easy check someone can do back at the forgery lab."

Common people wouldn't take notice to these small details the same way most don't take notice to phishing scams out there. Most of the counterfeiting countermeasures out there are so that the authorities can track down a source or at least fingerprint the source of the problem to a label. It is a lot easier to keep track this way and build cases upon these sources for eventual prosecution and further deterrence. Everyone knows we can't stop the problem; we can only evolve with it.

Israel Torres


DespoticJune 1, 2005 10:48 AM

Hey Bruce

How about you do some proper cryptanalysis, or find some new (difficult) side-channel attacks for some systems, instead of reporting the results of others and becoming an armchair pundit harping on about 'soft' security issues.

Don't get me wrong. They are important too, but you once had a great pedigree and reputation based on your academic ability.

Please don't take this the wrong way, but why not do some research instead of interviews and radio shows.

Marc BanksJune 1, 2005 10:56 AM

In terms of cost to the company this is brilliant, they were planning on having logos, words, etc on the card, it just works out cheaper to have a marginal security mesure worked in that doesn't affect the cost or production time of the card.

DaldianusJune 1, 2005 11:11 AM

>But instead of 'Belgien' in German, the ID card incorrectly uses the name 'Belgine' and instead of 'Belgium' in English, the card reads 'Belguim'.

Eh, so how will you prevent the tricksters from reproducing these errors?

ZwackJune 1, 2005 11:41 AM

They are TOO cunning. Really they're putting this message out there so that counterfeiters will produce fake cards WITH those errors... Then they're going to issue the real cards without the errors and they'll be able to spot the fakes really easily.

Dang, I've just given the game away.

Oh well.

Z.

DonJune 1, 2005 11:53 AM

My, I'm glad my stature isn't such that I have people in the general public who feel they have a right to criticize how I choose to conduct my own career and time.

Israel TorresJune 1, 2005 12:08 PM

@Don
"My, I'm glad my stature isn't such that I have people in the general public who feel they have a right to criticize how I choose to conduct my own career and time."

Don, stop surfing the 'net and get back to work!

;)

ProbitasJune 1, 2005 12:25 PM

"How about you do some proper cryptanalysis, or find some new (difficult) side-channel attacks for some systems, instead of reporting the results of others and becoming an armchair pundit harping on about 'soft' security issues."

Yes, Bruce. Instead of getting the rest of us to think about security issues, why don't you just do it all for us. This whole being informed thing is such a burden!

AnonymousJune 1, 2005 12:36 PM

I guess the authorities are counting on the counterfeiters not doing any QA. If the counterfeiters bother to do, scanning a real and a fake and calculating the difference image would seem like an obvious QA check. (That single check can tell you whether the size, position, and color of any text and graphics are off.) Any misspellings not in a fake will be easily spotted.

Tim VailJune 1, 2005 12:47 PM

"Yes, Bruce. Instead of getting the rest of us to think about security issues, why don't you just do it all for us. This whole being informed thing is such a burden!"

No dice...if you don't do a good deal of the thinking too, you won't learn. Implementing someone else's idea never really works if you don't understand how it works. Start thinking over things yourself.

Israel TorresJune 1, 2005 12:51 PM

In all likelihood "purposeful misspelling" will only filter the lazy counterfeiters from the good ones. Therefore we are making better counterfeiters.

Israel Torres

Tim VailJune 1, 2005 1:01 PM

Actually, I have a comment of my own. I feel the best way to make things hard to counterfeit is to be pretty consistent, and precise in how the item is made. It is easier for the general public to notice a counterfeit if they know what to expect from the real thing. The better you know the real thing, the easier it is to spot the counterfeit.

Spelling errors actually could make it harder for the people as a whole to spot counterfeits since it risks introducing hard-to-catch inconsistency in the real thing. As for labs catching counterfeit -- guess what, I think labs have always been able to catch counterfeits. Even to track down exactly which mint a bill was made. It is pointless to conjure up an anti-counterfeiting device that only labs would know about because the real goal should be for people to be able to catch the counterfeit. If it wasn't a problem before, why should we bother now?

|---|June 1, 2005 1:37 PM

This has been done before. In Stockholm, Sweden, the local mass transit system (bus- and metro system) company SL, Stockholms Lokaltrafik (Stockholm Transit) used a misspelled watermark in a ticket (actual, "SL" spelled backwards - "LS"). It's unclear to me if this was an unintended misspelling, but the local police did in facto arrest some counterfeiting guys due to this misspelling. This is a kind of security which could work once. Mabye.

And if the marking is clearly visible to the eyes, it seems more than stupid. Surely, the counterfeiting person is probable go to examine the artwork more closly than others.

Israel TorresJune 1, 2005 1:48 PM

"It's unclear to me if this was an unintended misspelling, but the local police did in facto arrest some counterfeiting guys due to this misspelling."

Perhaps the real answer is that the people in charge of getting the names printed actually didn't bother looking the names up in a dictionary to see if they were correct instead assuming they were correct ... later to find in the final process that they were wrong. In a fast and furious brainstorming session to figure out how they could explain this away without looking like blundering idiots came up with the idea that yea.. this is a security countermeasure... yeah that's the ticket and that by purposefully spelling things wrong only the bad guys will spell them right... yeah and then they could patent this form of misspelling things like the usage of the word "loose" and "lose" and make up for any of their misdoings with all the profit generated... thinking even deeper these could be the very same team of people responsible for buying up all the misspelled domain names out there. All has been revealed today! Hurray.

Israel Torres

chuckJune 1, 2005 2:15 PM

This is so typical of government employees! These morons don’t realize that today’s forgers use high resolution drum scanners and laser imprinters, giving micron precision, so ANY protection including any errors remains intact.

me tooJune 1, 2005 3:07 PM

I agree that Bruce has become a bit of a talking head.

This would be excellent for presenting his material to PHBs but unfortunately saying things like 'Civil disobedience over airport security' makes him look like a crackpot.

Stop your NSA fanboyism (maybe we're only 2 years behind!!) and publish some crypto research already.

IthikaJune 1, 2005 3:16 PM

The thing is, if I've got a card of some type in front of me, and all the words are spelled correctly it's easier to state that all is correct. People know - or can very easily check - how to spell the names of countries, etc. If there's a spelling error it's really easy to spot.

If, however, the mis-spelling is intentional then forgeries with different mis-spellings will be harder to spot. The brain will easily differentiate between "correct spelling" and "wrong spelling", but less easily between "wrong spelling (official)" and "wrong spelling (unofficial)". I read the article just two minutes ago, and I can't say for certain whether the intentional mis-spelling will use "Belguim" or "Begluim" or "Beglium".

It just makes it harder to learn what an authentic card looks like. People will stop short of checking the exact spelling, and just look for a wrongly spelled word.

AnonJune 1, 2005 3:21 PM

Anyone who doesn't like to hear about the issues Bruce covers in his blog should stop reading and spend that time doing their own "hard core" crypto work or whatever. I find this blog to be an excellent source of news and opinion. If you don't find it valuable, and you read it anyway, what does that say about you?

Bruce SchneierJune 1, 2005 4:03 PM

"How about you do some proper cryptanalysis, or find some new (difficult) side-channel attacks for some systems, instead of reporting the results of others and becoming an armchair pundit harping on about 'soft' security issues."

Good question.

I have two answers, although the first is probably more of an excuse.

The excuse: I don't do much consulting anymore. I found consulting to be a wonderful breeding ground for cryptographic ideas, both design and analysis.

The reason: My career has been an endless series of generalizations. While I still enjoy academic cryptography, and still publish the occasional paper, my interests today are more about security policy, economics, and psychology. I have the luxury of being able to do (mostly) do what I want to do, and this is what I (mostly) want to do.

This is not to say that I don't miss cryptography. I just like this stuff more right now. And this is not to say that I won't change the focus of what I'm doing again in the future; that seems likely.

Tobias D. RobisonJune 1, 2005 5:13 PM

How about this scenario:

(1) They discover they've printed up a mess of cards with spelling mistakes.

(2) They make up a lame excuse for said mistakes.

ArnaudJune 2, 2005 2:42 AM

I'm belgian and there are no spelling errors (I checked on my ID). I also checked my sister's ID which has the new smartcard ID and I didn't see any mistakes...

kWeJune 2, 2005 4:05 AM

Call me naive, but in the case of a banknote or credit card, wouldn't you _want_ it to scream "counterfeit" to a merchant? I work in a busy retail environment, and I would much prefer that my cashiers be able to spot a fake in under 10 seconds than that it would be proven a fake in a lab or law court.

zorpaxJune 2, 2005 5:22 AM

I always think it's funny when people will post a comment without reading the comments above...

Arnaud has clearly explained that the rumour is not true, yet kWe has still described that if the false rumour were true, then it would be a bad idea.

Oh well.

BoerJune 2, 2005 5:29 AM

Actually this is quite an old defence used previously in money bills and passports in number of countries.

tunaJune 2, 2005 7:22 AM

Texas drivers licenses have an intentionally missing dot over an "i" in some printing on the back of the card. It's surprisingly hard to spot even when you know there's a missing dot but not exactly which letter. However, when you know where to look it's a really easy verification step.

Of course, as somebody mentioned above this kind of error is easily spotted with image difference analysis. Perhaps the creators of this card expect that counterfiters will spend more time on the much more complex front of the card, than the simple bare lettering on the back.

RampoJune 2, 2005 7:50 AM

Old technique, used for a different purpose.

UK's Ordnance Survey (the state's cartographic unit) puts "mistakes" into maps to catch copyright thieves. The Autobile Association got caught this way, and had to stump up £20M damages.

Since the "mistakes" are works of fiction, they're protected by copyright, as well as being clear enough evidence of copying.

http://www.shef.ac.uk/uni/projects/sc/cartosoc/...

EoghanJune 2, 2005 11:27 AM

Misspellings as an anti-counterfeiting measure does not make sense, it probably is a rumour.
I would add that most Western European Countries have long traditions of using ID cards, which also means that they have some standards in making counterfeiting more difficult. In the Anglo-American Countries & regions ( UK, US, Canada, Ireland, Australia, NZ...) citizens do not have ID cards.
With regards to anti-counterfeiting measures, western European states have used multiple security measures on bank notes over the past 50 years. These include Watermarks, metal stripes, holograms, colour that changes in light, braille markings etc... The last Deutsch Mark notes used 6 security measures. The present Euro notes use 5 security measures.

Returning to the original issue - misspellings as a security measure. With so many hi-tech measures that can be used and that are being used to make counterfeiting difficult I would be very surprised if the Belgian Government would turn to a low-tech misspelling in order to combat counterfeit.

TobiasJune 2, 2005 1:42 PM

Hi there,

I have an ID card from Belgium. I am currently getting a new one. I have seen current ID cards being handed out now.

In my opinion this rumor is exactly what it is: a rumor. My current ID card has no spelling mistakes. Neither will the new card have any.

Don't take this wrong, but I am really confused at the image Americans must have from Europe when they receive silly rumors such as this one. We have refridgerators like American citizens do (even better ones as they consume less electricity and are less dangerous to the environment), we sleep in beds and yes, we even have electricity (which doesn't break down at a sudden in wide regions if it starts to snow). Imagine that!
I can almost forgive the average American if he mistakes "Belgium" for the name of a company producing chocolate, but the rumor Bruce published here is absolutely embarrassing.

Bruce, if it comforts you, I'm willing to scan the part of my new ID card that is supposed to be misspelled and mail it to you. I should have the new card in a couple of weeks.

regards,
Tobias

Bruce SchneierJune 2, 2005 3:23 PM

"Bruce, if it comforts you, I'm willing to scan the part of my new ID card that is supposed to be misspelled and mail it to you. I should have the new card in a couple of weeks."

No need. It was a rumor, and I wrote about it as a rumor. I've had people tell me that it is an untrue rumor, and other people tell me that it will happen in the future.

FinnJune 6, 2005 2:24 AM

Bruce:
This actually is reality in old (pre-EU) Finnish passports where "Suomi" (the name of Finland in Finnish) has been deliberately mispelled as "Soumi" in one instance of the word in a microprint that runs "Suomi Finland Suomi Finland Suomi Finland ad nauseam. So not a rumour at least here, and widely believed not to be a cover-up for accidental typo :-)

Diego ZenizoJune 6, 2005 1:44 PM

This technique has also been used to protect maps, placing on paper inexistant places or streets, or exchanging one for another. I learned this the hard way, spending an hour trying to find a street that was misplaced on purpose.
Pirates are sometimes so dumb that they copy verbatim the cloned goods. This way, it's very easy to sue them.

PeterJune 8, 2005 5:17 AM

This sort of mispelling was what caught a ring of drivers license counterfeiters in California about 20 years ago (back when people believed that the hologramish logos were uncounterfeitable). The gang had made an almost perfect copy of the license, down to the logo that appears when you tilted the license, except that instead of saying "The Great Seal of California" they wrote "The Great Seat of California" (note for those not near CA, the seal is a picture mostly of a woman sitting down in a seat).

John HenryJune 16, 2005 4:15 PM

I do some work with product surety, including anti-counterfeiting, of packaged goods. One key to counterfeit protection is to have multiple layers of overt, covert and forensic (or secret) features. For example, a $20 bill has a number of features that most of us know about eg; the hidden strip, color shifting ink etc. These are overt, for the consumer.

It also has covert features that are not generally known to the public but that banks use to catch counterfeits. I'll not mention these here.

Finally, there are forensic features, highly classified, and known only to the treasury Dept. These are used so that if a bill is suspect, it can be sent to a lab and positive ID can be made.

I have been told, by a person in the business, that there are 20-25 different features in the $20 bill to combat counterfeiting.

It is a big problem in consumer goods. Some counterfeits are so good that the legitimate manufacturer can't prove they are not legit.

John Henry

somethingMarch 1, 2006 2:40 PM

Eoghan: euro notes have 5 *published* security features. Like John Henry says, there are many more. One example is the digital watermark embedded in the picture; it will stop photoshop from reproducing the note, and if your note doesn't have it, it's probably a fake. (This doesn't hurt really high quality forgeries, but still).

The ECB site doesn't mention even some well known measures, like the currency paper used, microprint, the use of non-cmyk inks, the see-through register print, UV- and IR-light properties, serial number checksum, EURion constellation, magnetic ink, and a barcode (though not a highly visible barcode as the one printed on older Dutch currency). Those are mostly off of wikipedia!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..