Schneier on Security
A blog covering security and security technology.
« DOJ Privacy Breach |
| Top Ten Privacy Stories »
December 30, 2005
ID Cards and ID Fraud
Unforeseen security effects of weak ID cards:
It can even be argued that the introduction of the photocard licence has encouraged ID fraud. It has been relatively easy for fraudsters to obtain a licence, but because it looks and feels like 'photo ID', it is far more readily accepted as proof of identity than the paper licence is, and can therefore be used directly as an ID document or to support the establishment of stronger fraudulent ID, particularly in countries familiar with ID cards in this format, but perhaps unfamiliar with the relative strengths of British ID documents.
During the Commons ID card debates this kind of process was described by Tory MP Patrick Mercer, drawing on his experience as a soldier in Northern Ireland, where photo driving licences were first introduced as an anti-terror measure. This "quasi-identity card... I think—had a converse effect to that which the Government sought... anybody who had such a card or driving licence on their person had a pass, which, if shown to police or soldiers, gave them free passage. So, it had precisely the opposite effect to that which was intended."
Effectively - as security experts frequently point out - apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. A similar effect has been observed following the introduction of chip and PIN credit cards, where ownership of the card and knowledge of the PIN is now almost always viewed as conclusive.
Posted on December 30, 2005 at 1:51 PM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
> "apparently stronger ID can have a negative effect in that it means that the people responsible for checking it become more likely to accept it as conclusive, and less likely to consider the individual bearing it in any detail. "
I think this is more of awareness training issue, rather then a issue with the identification method itself. I think the people responsible for checking should be trained before any new identification is issued, and they need to trained on a ongoing basis as well.
It seems a likely place for deploying some ID validation technology. Even if it isn't real-time, it should be better than this scenario. If the picture image on the ID were stored until validated, then the picture associated with the bogus ID would be available out in the field. Security personnel could start looking for the person immediately after a central location returned some 'bad' status (outstanding warrant, on watch/terrorist list, invalid ID detected).
The security personnel in the field still need to compare the pictures with the people.
I am continually amazed by the number of people in California who will look great askance at a passport if presented as ID, but cheerfully accept a driver's license which is far easier to steal, spoof, forge etc.
I personally feel that any ID which is not continually verified (i.e. at each point of use) against secured databases is worthless. The validation can be cursory (zip code of billing address against credit card) or comprehensive (criminal and driving records check) but without validation, it's just a bliddly piece of paper or plastic with funny writing on it.
Good points are made above, concerning forgery of photo ID, and that this can be prevented by access to a centralised database. However, this needs continuous availablity of on-line access.
Off-line checks can be made of digitally stored photos, on the card/token, with digital signatures used to prevent photo substitution. The equipment required is substantially the same: card reader and colour screen display. This approach does, however, require distribution of public keys, though that can be done earlier, with lesser requirements on WAN availability.
The best approach is probably a composite one, to allow for possible compromise of some public keys (assuming that key partitioning is used), by requiring on-line checks for cards with known compromised keys in lieu of, or prior to, reissue of all cards with a compromised key.
The same approach (of digital signatures) can be used for (stronger) biometrics with template-on-card.
As every measure has unintended and often undesirable side effects, the more important question is how a security measure changes the net frequency and severity of events. Sometimes counter-measures lower the liklihhood (frequency) of an event but the fewer events have a higher impact (severity).
Also important is how effective current measures are.
Although the ID card does have the weaknesses you describe, the current situation is even easier to circumvent and softer forms of ID are currently accepted. This ID card is a substitute - I'm not sure that it offers greater credentials than say a drivers licence does now.
Similarly with chip+pin, it lowers the frequency of card fraud but doesn't offer the card holder greater access or privilege thus holding severity constant.
I am amazed by ID perceptions myself. In Massachusetts, until recently license-to-carry-concealed-firearms holders were issued paper laminated IDs that appeared pretty easy to fake, but were much harder to obtain than drivers licenses, requiring a criminal background check, characters of reference, agreement by the local chief of police to allow exercise of constitution rights, etc. I was stopped by a police officer conducting an illegal search. When he discovered I was (legally) carrying a weapon he did not care one whit about my LTC ID, but instead my driver's license!
Even more interestingly, in the end, my weapon was not returned to me until nearly a week later. I had committed no crime, but in MA it would be publicly embarassing for the police to admit such a fact and return it in full view of a street full of people.
When it was returned to me (after I drove nearly an hour out of my way to a state police barracks), I presented no identification and was able to take possession of the handgun.
This was all after September 11, 2001.
Well, one of the big problems with the South African ID card scandal seemed to be related to the fact that remote "officials" were accepting just about any old scrap of paper as proof of a valid "foreign" drivers license. I lost the link to the article, but I'll post it when it pops up again...
So that not only supports this idea that by forcing stronger ID controls you may increase fraud (demand will spread to acquire the newer, more "legitimate" ID through the easiest path) and that if you don't take into account ALL the weak upstream links in the system then you're just asking for a real mess of confidentiality and integrity woes.
In Switzerland, each resident has his/her residential address registered with the state. Each person has associate with him/her a authorized and officially signed, stamped and sealed peace of paper (Heimatschein) which is kept in the state archives and is issued at birth. Without this "Heimatschein" you cannot obtain a passport or State ID. The high security State ID (in credit card format) has your name and birth date, height, sex and place of birth on it, as well as a machine readable code (optical only) of all the information on the card. When asked to identify yourself (hydro, telephone, post office, bank, police (unless for traffic related things)), no other card will suffice and this is enforced. This State ID is also good for travel in and out of any European Union country.
Sometimes we Europeans get the impression the US State does not want bulletproof security. One suspects, if you weave the grid to tightly, some embarrassing criminal activity involving well-known and highly respected names would come to the fore.
The corruption that occurs in Switzerland is not because you can easily get around the system, but because lots of financial (and other) activity, which is outlawed in most western countries, is legal in Switzerland!
The major theme of Bruce's posting is, I think, that of the difference between perception of the reliability of ID documents and the actuality of their reliability. This is particularly through the use of forged documents.
It seems to be suggested that any new ID document will have a greater difference between the perception and the actuality than existing ID documents.
Apart from the issue of "newness" and hence lack of familiarity (which will fade with the passage of time), can anyone offer any substantive arguments in favour of this view?
I ask this, as it strikes me that new ID documentation is likely to be more resistant to forgery than old ID documentation, through the use of automatic protections such as digital signatures and on-line access. However, this contributes little or nothing to the difference between perception and actuality. That difference is one that could be reduced by staff training, and general "education" of the public.
But is there good reason to believe that such training, familiarity, etc will be less effective for new ID docuementation than for old/existing ID documentation?
I haven't looked into the proposals for RFID cards like I should have. I just keep reading about all the problems that they'll have.
Would this help solve any digital ID card problems?
The card contains the data required to identify an individual (photo, address, etc.), along with an authoritative digital signature (from DMV or a local court...) for each piece of data. Visual verification probably wouldn't be possible (don't put any data on the outside of the card -- also make the cards less expensive); forced digital verification.
1) Makes all the cards identical, keeping costs down.
2) Forces digital verification of all data and signatures.
3) The human security person still has to verify that the photo matches the human owning the card. Signatures are verified before the photo is even shown (hopefully to prevent the problems mentioned in this blog entry).
On the issue of photocard ID strength and weakness...
Similar thoughts to those in the post occured to me recently. I just opened an "Advantage Checking" account with Bank of America. This account comes with a Visa Check Card. The Check Card comes with the option of having your photograph on the front of the card. Sounds like a nice security option doesn't it? But what does it really do? It is effective at preventing precisely one form of fraud : somebody stealing the card and pin and using said card in a store. This of course assumes the clerk even goes so far as to check the photo versus the person (more on that later). The card and I are still vulnerable to on-line fraud. The feature also makes any forged card seem stronger. If it has the face of the guy holding it on it, then the card and all of its accompanying information must be his, right?
So really, this is a tradeoff. On one hand, you make a single form of fraud very difficult or impossible. On the other, you make other forms of fraud easier to get away with.
All of that wouldn't be an issue if clerks did things they're supposed to do when taking credit card purchases. They're supposed to check the signature on the back of the card, which they almost never do. My father never used to bother to sign his cards because of that. One day a clerk checked the back of the card, saw there was no signature, told him to sign his card, THEN checked it against the signature on the receipt. I was stunned. Clerks should also be obliged to ask for a second form of ID, preferably with a photograph attached to it. A friend of mine who worked in retail wrote "ask for photo ID" in the signature space of all his cards. Smart thinking. Although, again, this only (in theory) prevents somebody from using the card in person. On-line fraud is still an issue.
Probably the same as Mr Shneier : seemingly better ID is often no better than ID already in place; or it strikes a new tradeoff on how it can or cannot be mishandled.
Crooks will always be looking to get around security measures. It's what they do all day every day; just like squirrels at your bird feeder. The point of security is to make it tougher to get into the feeder than the seed is worth to the squirrel.
Like many other European countries, we have mandatory ID cards in Germany since decades. The security of these cards is very good and the number of forged ID cards caught is very low. Also, forgery of an ID card or passport can get you in jail for a good while. The ID cards and the laminated page of our passports look almost the same and use the same anti-forgery technology. In the discussion about RFID passports, an argument against the RFID chip was that it will not be able to reduce forgery noticeably and therefore not be cost-effective in this respect.
Due to laws against money laundering, you cannot open a bank account or credit card account without presenting your ID card, either at a branch or via "PostIdent" where you present your ID card at a post office for verification. Consequently, there is practically no identity theft here.
One exception is eBay where no verification is required when opening an account and identity theft and fraud are rampant.
The 'identity check' here is not a one-stage process. The first stage compares the ID badge presented to the mental image of what a proper badge looks and feels like. The second stage compares the presented face with the photographic image from the past. If there is additional information, such as height and weight, more comparisons may be made (or may be skipped).
The operator has to mentally correct for normal wear and tear of the card, plus abnormal wear and tear (gouges, toothmarks, chips, dents, pinholes, and adhesives), aging of the face, hair growth and grooming, hair loss (or gain!), clothing for cold or wet weather, color distortion from outdoor artificial night lighting, and the deplorable practice of having people smile for ID photographs.
In Northern Ireland, the 'improved' security badges were used in a context of low-quality verification technology -- a pair of eyeballs. The design guaranteed poor performance in detecting bad cards and bad matches.
The design also favored ease of operation and speed of processing, which they no doubt got.
I would guess that the people who funded this wanted better security, but that the money was spent on greasing the wheels. The trade-offs were weighed and decisions made.
1. I once worked at a well-protected government site, where ID badges were checked twice by armed guards (with different employers, giving the two sets of guards no reason to cover for each other). One day a guy in our van had forgotten his badge and used a dummy item to get through both gates, on the strength of the item looking enough like a badge to fool the guards. The item? A pack of cigarettes. It was about the right size, held for inspection like an ID badge is held, it wasn't blank, and it had a shiny surface. (The guards' employers? The US Army and Wells Fargo.)
2. Another place I worked had layers of armed guards (all with the same employer, alas) and at the innermost checkpoint a guard backing up a badge reader. Initially, the guard was supposed to check the picture against the face, but with thousands of faces to check every day, the guards would look at the badge but see little, and soon enough the guards just watched people coming in, letting the badge reader do all the thinking. (Those readers read a magnetic strip only, doing no image processing, so a blank form with valid data on it would pass the intruder.) (And there are rumors of a married workers using the spouse's card in a pinch, and succeeding.)
The problem at both sites was that a guard was being asked to verify faces against photos in large numbers. Doing a really good job of this is taxing on humans, and we tire quickly, getting sloppy, especially so as the lines get longer and we are pressed to speed things along. This scheme cannot work well, ever, with a high volume of traffic.
If the NI guards had to process only one person per hour, they could have been very good at catching bad guys. But doing the same work orders of magnitude faster is simply not going to happen.
Interesting SmartGate technology with Aussie customs. It involves biometric face mapping technology. For the technology evaluation, the face topology only resided in airport servers. Future plans involve updated pasports with imbedded smart chip containing encrypted face topology.
Is this the future of large sporting events? I know they've been playing with crowd cameras with facial recognition technology.
This story reminds me of some saying like "A face you can trust." In this case, it's a picture-of-a-face-on-an-ID-card you can trust.
What about cheap throwaway ID? Like a sticker on a car license plate, the ID is replaced every year. Every year it's printed in a different color that isn't known until it's released. Each state could add their own picture on it with an expiration date and a human readable random number. The number could be verified by a state clearing house. Sure, it could be copied, but depending on the speed of the bad guys, yould have a few months where copies aren't ready yet, and if the card is stolen or copied, just go back and have it canceled and get a new random number and the clearing house marks it as bad until the next year when a new one comes out.
Sheesh. That's one long run on sentence.
It seems to me that a lot of people are looking for a technological silver bullet to solve the problem of ID Fraud, all offering a single point of failure.
Perhaps the solution lies in a more distributed system, with muliple forms of existing ID, ie strengthening existing systems and cross checking each other for accuracy.
For example, in Australia there are more medicare cards than people. There's talk now of an Australia Card. What's the bet that we end up with more Australia Cards than people?
I can't say I'm convinced about the Customs system, as SmartGate was launched in Nov 2002 and in Sep 2003 they had a mainframe stolen from Sydney Airport. The current AU$250m stuff up with Customs doesn't instill me with confidence either.
The brazen airport computer theft that has Australia's anti-terror fighters up in arms
I can't find the article on the BBC I was referring to above. I'll keep looking, but in the meantime I ran into this story and found it interesting since it shows an odd loophole in South African ID security (from '04).
"Leslie Mashokwe said that criminals were using stolen identity papers to set up fake weddings to help foreign men get residence permits. [...] Nicolene Saunders was refused a marriage certificate because she was already married, The Star newspaper reports on Monday.
'I don't know this man from a bar of soap,' she said.
Last week, Bronwyn Gower went to pick up her new identity card and was astonished to find she was now 'Mrs Fabian Oshi'."
Imagine if the ID data in the system was considered conclusive. How would you prove the marriage was not authorized? Or would you just demand alimony?
I'm a security guard. This is how it works.
1. Are you motivated to do your job? If the job is too hard, people quit trying and you can't replace them.
2. Are you allowed to do your job without being fired? It's happened to me more than once that a client asked that I be transferred because an employee was mad at me for doing my job. The director of security would tell me that I was doing my job correctly.
I didn't mind so much because I just report to work at a different site since I'm a contract guard and we have lots of sites, but still, what does the next guard do?
3. Is it possible to do your job? Does your place of employment even have a list of the people that work there? My current site doesn't.
4. Do you have locked doors, or do they not latch when someone goes out the back. If I'm carding people out front and the back door is unlocked, that's it.
5. Do you have equipment that works like it's supposed to, like cameras to watch the back and motion sensors to tell you when to watch the cameras? If the cameras don't work, or you are supposed to watch them at the same time as you are doing other things, you are gapping.
It's not just personnel. It's personnel, policy, procedures, peripherals, and perimeter. You flunk one and it's over.
Interesting SMH article! I was in transit at the time, and totally missed that one!
Looking further, it seems the hard drives at least were recovered. Does anyone know what else happened with this?
It's the common point of failure again.
I have a photo license, and a passport, but they are based on my birth certificate which has ZERO identification actually tied to me.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.