Comments from a Fake ID Salesman

In case you thought a hard-to-forge national ID card would solve the fake ID problem, here's what the criminals have to say:

Luis Hernandez just laughs as he sells fake driver's licenses and Social Security cards to illegal immigrants near a park known for shady deals. The joke -- to him and others in his line of work -- is the government's promise to put people like him out of business with a tamperproof national ID card.

"One way or another, we'll always find a way," said Hernandez, 35, a sidewalk operator who is part of a complex counterfeiting network around MacArthur Park, where authentic-looking IDs are available for as little as $150.

Posted on June 6, 2006 at 6:33 AM • 41 Comments

Comments

Moshe Yudkowsky • June 6, 2006 7:33 AM

He's a criminal, but he's also an expert on tamper-proof IDs? He knows how to break public-key signatures, for example?

It's one thing to take advantage of the inattentiveness of most people who look at IDs, and it's another to duplicate the ID itself. I doubt his opinion is worth the electrons it's printed on.

OzJuggler • June 6, 2006 7:56 AM

> "He's a criminal, but he's also an expert on tamper-proof IDs?
> He knows how to break public-key signatures, for example?"

Who needs to break them? Why not steal a real ID card, duplicate it (including the internal charge pattern that represents the key pair) and then sell copies to clients that look vaguely similar to the real owner in the photo? It's a much less efficient way of running a counterfeit business because you need to steal heaps of cards from average looking people, but his current prices indicate that anyone who needs to make a transaction under a false identity will gladly pay 5 times as much as the real thing probably costs anyway.

I think what that guy means is that anything can be duplicated, at least in theory. In practice it's just a question of engineering and economics.

The Replay Attack will never die because it's so inherently simple and yet so powerful.

Dom De Vitto • June 6, 2006 8:00 AM

Doh! He's a criminal, he'll PAY an expert in tamper-proof IDs to sort the problem out. Criminals don't manufacture their own guns either !!!

If you look at the UK ID card scheme, they added ""features"" which most experts agree make them easier to forge - multiple biometrics.

Are VISA and the other UK credit card companies experts in card fraud? Yes. However that didn't stop a £1m+ fraud happening to BP (and others), because the card companies didn't "get it", technically speaking.
[ exploit: Mag strip has 1 extra bit set on chip-and-pin enabled cards. You can copy the card to a non-C&P card, as long as you flip that bit => result, you can still skim chip and pin cards !! Doh! ]

Mike Scott • June 6, 2006 8:02 AM

It's very easy to break a public-key signature system used for ID cards. You simply slip $50 or $100 to one of the thousands of poorly paid public employees who will have the authority to generate keys, and you get a valid key.

Nigel Sedgwick • June 6, 2006 8:15 AM

OzJuggler writes: "Who needs to break them? Why not steal a real ID card, duplicate it (including the internal charge pattern that represents the key pair) and then sell copies to clients that look vaguely similar to the real owner in the photo?"

Well, I'm with Moshe on the benefit of digital signatures.

How about the usual digital signature method for authentication, where all the internal information is certified together by a single digital signature. The public keys are distributed (changing perhaps every quarter for cards issued from then on, so 40 per decade) by authenticated channel to those required to check.

Those required to check need to be able to read the digital information on the card (and it helps overall if they check it replicates the surface printed information). It is not possible (without finding the private key) to create a forged card; with cloned cards, one is stuck with a fixed name, address, date of birth and photo.

Then one just needs sufficient deterrent by means of, say, a 2 year prison sentence, for being found in possession of a forged card (say trying to use it where normally only the surface information is checked). Add to that (in the USA), a plea bargain down to 6 months in prison for disclosure leading to successful prosecution of the supplier (who gets 10 years minimum).

I wonder if Mr Hernandez can then run his business successfully, selling cards at $150 each.

Best regards

Cathie • June 6, 2006 8:55 AM

tamper-proof is really hard
tamper-evident might be a better goal
But neither tamper-proof nor tamper-evident have to do with forgery!

Kyle • June 6, 2006 9:11 AM

Perhaps I'm missing some details, but if it's really as simple as making a phone call, then what's the control to ensure that the phone call happens?

Keep in mind who's being asked to actually examine the card. If an employer doesn't mind or even prefers an undocumented immigrant, then "it looked valid to me" is a good enough answer.

Today's Social Security card fakes are pretty poor imitations (you can get them for a lot less than $150 by themselves) but they're *just* close enough...

Lou the troll • June 6, 2006 9:12 AM

@ Nigel (sort of): I guess what gets me about these statically bound forms of secure information is that even though the data in question is encrypted using a 'key', the 'key' cannot be changed for one of these statically bound entities like an ID card. Since the key cannot be changed, isn't this just a form of security through obscurity? Someone leaks or cracks the key and you've got a massive number of compromised IDs out there. Contrast this technique against SSL-styled negotiation and maybe my entirely too terse argument will make sense.

Pete • June 6, 2006 9:17 AM

@Nigel: "I wonder if Mr Hernandez can then run his business successfully, selling cards at $150 each."

But that's what economics is about ... if some of the technical challenges make them harder to create, then the fake cards will just cost more. People are remarkably ingenious at attacking a system when there's enough of an incentive - and there will definitely be people willing to pay for fake IDs (for a range of purposes). Eventually fake cards will become easier to create and may eventually come down to the current price point.

"Then one just needs sufficient deterrent by means of, say, a 2 year prison sentence ..."

Prison may be enough of a deterrent for most, but there are always some people (immigrants, fraudsters) who will consider the trade-offs to be worth the risk.

If the technical barriers are high enough then fake IDs will initially have to be genuine cards with fake details, issued by insiders - some government clerks that have been bought out.

Benny • June 6, 2006 9:39 AM

Lou said: "Since the key cannot be changed, isn't this just a form of security through obscurity? Someone leaks or cracks the key and you've got a massive number of compromised IDs out there. Contrast this technique against SSL-styled negotiation and maybe my entirely too terse argument will make sense."

Every cryptosystem I'm familiar with relies on the secrecy of keys for security. By this definition, does that mean they all rely on secrecy through obscurity? That doesn't seem right, for some reason. And ditto for SSL; if the negotiated master secret is compromised, for instance, SSL's security is broken. I think "secrecy through obscurity" refers to systems that rely on keeping designs secret, not systems that rely on keeping keys secret.

Lou the troll • June 6, 2006 9:49 AM

@Benny: Please correct me if I'm wrong. I was trying to contrast per-session key negotiation versus the static nature of key coupling with a physical document. If you have a document that relies on a key that cannot be changed, the value of knowing the key is immense, as it compromises a large set of documents, and those documents have a long lifetime, unlike a session.

If I'm not making sense, my apologies in advance.

Lou the troll • June 6, 2006 9:50 AM

Plus my apologies for my inability to proofread this morning... ack!!!

James • June 6, 2006 9:52 AM

@Pete: "if some of the technical challenges make them harder to create, then the fake cards will just cost more. People are remarkably ingenious at attacking a system when there's enough of an incentive - and there will definitely be people willing to pay for fake IDs (for a range of purposes). Eventually fake cards will become easier to create and may eventually come down to the current price point."

While I agree with you in theory, I do believe that such a system could be made that's more than 'secure enough'.

Look at DirecTV for example. The first 3 generations of their smartcards were thoroughly hacked (full read/write to eeprom). The latest generation? Nada..not even an eeprom dump...and they've been out since 2002. The incentive/$$ is there.

If a national ID system were modelled after satellite, then they'd just need to plan on upgrading the security technology (but not the interface...too expensive) every X years and any known exploits would always be potentially 'fixable'.

I agree though that insiders will in the end always be the leaks. Those types of exploits can be mitigated, but probably not eliminated.

Benny • June 6, 2006 10:07 AM

@ Lou:

Ah, I see what you're saying now. I agree; for documents with this degree of importance and length of expected lifetime, having the security rely on a static secret would be a bad idea. I think James has a good idea: design only the general interface and allow for upgrading of the underlying security technology. Kind of like SSL's negotiated ciphersuites. But hopefully without the weak ciphersuite options.

Nigel Sedgwick • June 6, 2006 10:32 AM

@Dom de Vitto, who wrote: "If you look at the UK ID card scheme, they added ""features"" which most experts agree make them easier to forge - multiple biometrics."

Well, perhaps mistakenly, I think I am an expert on multiple biometrics. I don't follow your argument, unless it falls into one of the obvious pitfalls in implementation of multiple biometrics.

Explain the problem you see, and I'll explain why you're wrong, or admit I am.

Best regards

Nigel Sedgwick • June 6, 2006 10:46 AM

Pete wrote: "If the technical barriers are high enough then fake IDs will initially have to be genuine cards with fake details, issued by insiders - some government clerks that have been bought out."

James wrote: "I agree though that insiders will in the end always be the leaks. Those type of exploits can be mitigated, but probably not eliminated."

Agreed. With use of digital signatures, document forgery drops from highest risk (where it probably now is), and very likely gets replaced by staff subornment.

Concerning mitigation, every issue can be logged and assigned to a particular staff member. The first discovered use of a false document issued by any particular staff member is likely to uncover them. Thereupon, every document issued by them could be re-scrutinised for validity. Anyone holding a forged document from the same issuer would suffer: (i) criminal sanction if using any valid identification (eg address); (ii) otherwise cancellation of document through a blocking list.

Depending somewhat on the document, I'd say that's pretty good mitigation of the risk. In any case, it's the best (or close) that can be done. According to the value of the document, vetting procedures of issue staff (and their pay) should be set appropriately.

Best regards
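The scheme Nigel sets out above (one signature certifying every field on the card, public keys rotated per issuing period and handed to readers over an authenticated channel, a reader that checks the surface print against the chip, and a blocking list for cancelled documents), as an added example that is not code from the thread; the per-period KeyID is also the hook James and Benny want for replacing the underlying technology later. Go with Ed25519 from the standard library; the record layout, field names, the "2006Q2" key id and the sample photo bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CardRecord is the chip-stored content of a hypothetical ID card; the same
// name, DOB and photo are printed on the surface for the reader to compare.
type CardRecord struct {
	Serial, Name, DOB, Address string
	PhotoHash                  [32]byte // SHA-256 of the stored photo image
	KeyID                      string   // which issuing-period key signed it
}

// canonical serialises the record unambiguously (%q quotes and escapes each
// field) so that no two distinct records produce the same signed bytes.
func (r CardRecord) canonical() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q|%q|%q|%x",
		r.Serial, r.Name, r.DOB, r.Address, r.KeyID, r.PhotoHash))
}

type (
	// SignedCard is what the chip holds: one signature certifies every field.
	SignedCard struct {
		Record    CardRecord
		Signature []byte
	}
	// Issuer holds the private key of one issuing period (KeyID), so a
	// suborned period can be retired without invalidating every card issued.
	Issuer struct {
		KeyID string
		priv  ed25519.PrivateKey
	}
	// Verifier is a checking reader: trusted keys per period plus a block list.
	Verifier struct {
		Keys    map[string]ed25519.PublicKey
		Blocked map[string]bool
	}
)

// NewIssuer generates a key pair; the public half goes to checking readers.
func NewIssuer(keyID string) (Issuer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: nothing sensible to issue
	}
	return Issuer{KeyID: keyID, priv: priv}, pub
}

// Issue signs the record under this period's key.
func (is Issuer) Issue(r CardRecord) SignedCard {
	r.KeyID = is.KeyID
	return SignedCard{Record: r, Signature: ed25519.Sign(is.priv, r.canonical())}
}

// Check validates the chip record, then compares it with the surface print.
func (v Verifier) Check(c SignedCard, name, dob string, photo [32]byte) error {
	pub, ok := v.Keys[c.Record.KeyID]
	if !ok {
		return errors.New("unknown issuing key " + c.Record.KeyID)
	}
	if !ed25519.Verify(pub, c.Record.canonical(), c.Signature) {
		return errors.New("signature invalid: record forged or altered")
	}
	if v.Blocked[c.Record.Serial] {
		return errors.New("document cancelled via blocking list")
	}
	if c.Record.Name != name || c.Record.DOB != dob || c.Record.PhotoHash != photo {
		return errors.New("surface print does not match signed record")
	}
	return nil
}

func main() {
	issuer, pub := NewIssuer("2006Q2")
	v := Verifier{Keys: map[string]ed25519.PublicKey{"2006Q2": pub}, Blocked: map[string]bool{}}
	photo := sha256.Sum256([]byte("constructed sample photo"))
	card := issuer.Issue(CardRecord{Serial: "X-0001", Name: "A. Holder", DOB: "1970-01-01", PhotoHash: photo})
	fmt.Println("genuine:", v.Check(card, "A. Holder", "1970-01-01", photo))
	forged := card // record edited without the private key, surface reprinted to match
	forged.Record.Name = "B. Buyer"
	fmt.Println("edited record:", v.Check(forged, "B. Buyer", "1970-01-01", photo))
	other := sha256.Sum256([]byte("constructed buyer photo")) // chip cloned, buyer's photo printed
	fmt.Println("cloned chip:", v.Check(card, "A. Holder", "1970-01-01", other))
	v.Blocked["X-0001"] = true // issuing clerk found out, serial cancelled
	fmt.Println("blocked:", v.Check(card, "A. Holder", "1970-01-01", photo))
}
```

A bit-for-bit clone printed with the original photo does pass Check, which is exactly Nigel's point: the cloner is stuck with the victim's name, date of birth and face until the serial lands on the blocking list.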

ndg • June 6, 2006 11:33 AM

The problem with with hard to forge/tamper evident/digitally signed etc national ID cards is that all ID's to date have a fall back scheme in case of damage to card components. Does the card look valid and does the picture look vaguely like the bearer? There are many cases where a bad forgery is good enough. If a good forgery is needed, the standard approach is to steal blanks to make the forgeries with.

geoff lane • June 6, 2006 12:04 PM

There is a philosophical problem with identity, even with fingerprints and DNA. It always in the end relies on a trusted third party. The various ID card scams^h^h^h^h^hschemes all rely on the government (or its proxy) to act as the trusted third party. But governments are always trying to cut costs so many services including ID cards are awarded to the lowest bidder.

The result will be a complex, fragmented system where various components are owned and operated by different organisations. There will be many chances to inject bad data and have a good card produced.

erasmus • June 6, 2006 12:38 PM

@Nigel - perhaps Dom referred to the weakening of the stronger biometric by combining with a poorer biometric.

For Iris Recognition, Daugman currently recommends a Hamming Distance value of 0.32 that, using his data, would correlate to an optimal random mismatch 1 in 26M times. (Versus a UK population of 60M) This figure excludes the practical problems that we already know about from self-selecting medium-sized samples.

However when combined simultaneously with a weaker digital face, fingerprint, etc. biometric, Daugman noted "the other error rate becomes worse even than that of the weaker of the tests." See http://www.cl.cam.ac.uk/users/jgd1000/combine/...

One question that hasn't been addressed is how the 'goats' will be handled... their existence may lead to plenty of opportunities to socially engineer work-arounds or even getting re-issued with a valid card after a fraudulent one fails.

Re dealing with counterfeits by tracing back each batch, I do not believe such data is mandated to be held against each ID record in the ID Card Bill. Nor does it fit the culture of the civil service. More significantly I think you are being naive if you think that all affected ID cards will be cancelled if one batch or writer falls under suspicion - the political fallout will make public disclosure unacceptable.

Also note that there is no budget assigned for technology refresh in the scheme. Govt denies that card renewal will be needed more than every 10 years - in spite of evidence to contrary from other European high tech ID cards.

Anyway, how good does a forgery need to be? It seems likely that most validation outside of govt will not involve biometric validation - and even a lot of Govt interaction may just need a PIN.

jayh • June 6, 2006 12:42 PM

If there is capability in the field to read and validate the electronics or other internal code, then there is a difficulty to counterfeit. However, if the majority of uses involve visual inspection by a relatively untrained member of the public, all those internal checks are meaningless.

And herein is the likely problem. Other than government agencies and certain large private concerns, sophisticated validation will not likely be available.

Johnny • June 6, 2006 12:44 PM

>"One way or another, we'll always find a way,"

Yeah right! All the so-called "expert hackers" were also bragging such nonsense when DirecTV released their new security smartcard.

Guess what?

Minime • June 6, 2006 12:51 PM

Quote: "Why not steal a real ID card, duplicate it (including the internal charge pattern that represents the key pair) and then sell copies to clients that look vaguely similar to the real owner in the photo?"

I have an American State ID with my fingerprint encoded and digitally signed in a 2D barcode.

How do you get past that?

Nigel Sedgwick • June 6, 2006 1:44 PM

@Erasmus, who wrote: However when combined simultaneously with a weaker digital face, fingerprint, etc. biometric, Daugman noted "the other error rate becomes worse even than that of the weaker of the tests." See http://www.cl.cam.ac.uk/users/jgd1000/combine/...

Ah! In that very same link, you seem to have missed the second reference (to me), and the text: "This short note has considered only a case of decision-level fusion, or layering. Other methods of combining biometrics include sensor fusion (combining feature data before applying any decision rule), or combining similarity scores before applying any decision rule."

Erasmus also wrote: More significantly I think you are being naive if you think that all affected ID cards will be cancelled if one batch or writer falls under suspicion - the political fallout will make public disclosure unacceptable.

Well, ask yourself what happens currently with passports. There was a recent case in the UK of a staff member being involved in fraudulent issue. And another case I remember concerning USA driving licences (I cannot remember the state). And one only cancels fraudulently issued documents, not all those issued by the suborned staff member. Am I naive thinking these cases make the press and that reasonable efforts are made (eg information in a plea bargain) or by targeted search through all recent issues? I saw no embarrassment, just publicity to deter like-minded people by showing how bad it gets.

Concerning John Daugman's recommended Hamming distance threshold of 0.32, I think you will actually find it's more sophisticated than that. The threshold is determined by the acceptable False Alarm Rate. In a watchlist application, such as that in the UAE immigration system, that varies with the number of enrolled persons (which is continually changing). For a watchlist-like application in the UK National Identity Scheme (NIdS) for detection of multiple applications, a different threshold would be appropriate. This is not least because of the large population (as you point out); also the time available for NIdS registration is different from that at UAE border points. In fact, as I understand it, the UAE requirement is for zero false alarms and the best miss rate that goes with that. For UK NIdS registration, it is most likely that two irises and several fingerprints would be used, as an acceptable FRR/FAR operating point would not otherwise be obtainable. In any case, there would need to be some tolerance of false alarms, which would require secondary checks on identity.

You also need to separate timescales for card life through wear-and-tear from technology refresh. A primary need for technology refresh would be reassessment of the length of hash in the digital signature. That might affect on-chip memory requirements; however, a transparent upgrade path with the same hash algorithm but different hash length could easily be provided in the chip reader interface definition, with all software written appropriately. Reader subsystem life is likely to be less than the 10-year card re-registration period, so even hash algorithm upgrades would not be a vast problem.

That will have to do for now.

Best regards
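The effect erasmus quotes from Daugman, and which Nigel pins to decision-level fusion, worked through as an added derivation (not from the thread): two independent tests with false accept rates $f_1, f_2$ and false reject rates $r_1, r_2$, combined by a decision rule on their individual accept/reject outputs.

```latex
\begin{aligned}
\text{OR rule (accept if either test accepts):}\quad
  \mathrm{FAR}_{\lor} &= 1-(1-f_1)(1-f_2) = f_1+f_2-f_1 f_2 \;\ge\; \max(f_1,f_2), \\
  \mathrm{FRR}_{\lor} &= r_1\, r_2 \;\le\; \min(r_1,r_2); \\[4pt]
\text{AND rule (accept only if both accept):}\quad
  \mathrm{FAR}_{\land} &= f_1\, f_2 \;\le\; \min(f_1,f_2), \\
  \mathrm{FRR}_{\land} &= 1-(1-r_1)(1-r_2) \;\ge\; \max(r_1,r_2).
\end{aligned}
```

Whichever rule is chosen, one error rate improves and the other is driven past the weaker test's own figure, which is the "other error rate becomes worse" in the quote. With the iris figure from the thread, $f_1 = 1/(26\times 10^6) \approx 3.8\times 10^{-8}$, and an assumed weaker modality at $f_2 = 10^{-4}$, the OR rule gives $\mathrm{FAR}_{\lor} \approx 1.0004\times 10^{-4}$, essentially the weak test's rate; Nigel's alternative of fusing similarity scores before any decision is not captured by these two formulas.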

Alberto Cozer • June 6, 2006 3:25 PM

No matter the employed technology, there will always be a way to bypass it. The work (and money) needed depends on the purpose of the fake ID.

The point here is to make them more expensive to fake than the money someone can make by using a fake ID. For attending illegal aliens there are plenty of alternatives rather than breaking public-key cryptography.

betabug • June 7, 2006 2:22 AM

@James:
"Look at DirecTV for example.
...
If a national ID system were modelled after satellite,..."

I think the incentive of criminals to forge ID cards is much, much higher than the incentive of someone to watch pr0n movies on TV without paying. It's even much, much higher than someone who sells you fake sat systems.

The exercise of putting public key encryption into ID documents is really interesting. So far only the spy industry has had an incentive to try their luck with breaking public key crypto. Now the international crime scene will likely try too.

As usual I don't expect the break in right where it's hard (public key crypto itself), but rather attacking the weaknesses of the overall system. Come on, *someone* will have f* up with those cards, it would be the first time that a new system comes out just perfect.

The bad part about the experiment is that break ins will probably get as much publicity as if they had happened through the spy industry.

Nocturn • June 7, 2006 4:31 AM

I saw a documentary a couple of years back of a journalist who obtained a false identity and components for a bomb and got to a large government summit with it.

It featured an interesting attack vector on such a scheme. He obtained a false identity card over the Net from some country where that was easy.

Using his fake passport, he got a real one from another country. So in effect, his alter ego became a 'real' person.

The point is indeed that this scheme will fall back to less secure systems (like foreign passports, fake birth certificates) which will make it possible to obtain a real ID card under a false name. I suspect that criminals will start making money from fake birth certificates or hacking databases to create identities that are later legally transformed to ID cards.

erasmus • June 7, 2006 7:36 AM

@Nigel, thanks for the response.

Sure I understand that there are "right" ways to get a statistically valid False Reject Rate or False Acceptance Rate, but the point is that there is a choice.
There may be operational reasons why a weaker choice is selected.
Or it may be done through willful ignorance. (Which, to my way of thinking, is a more significant & worrying issue, considering that studies have shown that even medical doctors don't generally understand statistics correctly!!)
You note the choice of a practical HD setting will also dictate the error rate. But this will influence the selection of an appropriate method. A single-modal test might be preferred operationally if the reject rate is considered low in that application...

Re: disclosure of compromises - a UK National ID card has been described by Ministers as a "Gold Standard" that trumps those old paper documents.
It is in the current govt's interest to disclose as many errors in the current old-fashioned mechanisms in order to justify its policy. But the incentive to publish information about errors in the card & database will be different depending on the govt in control and its stance.
(call me cynical, but it's only recently come to light how subtle peer pressure has ensured that politically unacceptable data has not even been *collected* within the UK Home Office for several years.)
There is also a difference in the legal framework - passports are issued under the Royal prerogative and hence are outside Parliament. Whereas a National ID card is a Home Office project and is only mandated as far as Parliament allows.

Re: "You also need to separate timescales for card life through wear-and-tear from technology refresh"
Tell that to the govt, then. Their budget planning info. does not record this for cards or equipment.

BTW - do you know why the body of knowledge gathered through iridology has been ignored? Notably that iris patterns could change.
I have not heard of any testing in this area.

James • June 7, 2006 9:03 AM

>I think the incentive of criminals to forge ID cards is much, much higher than the incentive of someone to watch pr0n movies on TV without paying. It's even much, much higher than someone who sells you fake sat systems.

I see that you have absolutely no clue about the pay-tv piracy business.

Sorry, but smartcard manufacturers say that the pay-tv security vendors are their worst customers. Why? Because they are the only ones under real attacks. Even the bank smartcards are not attacked on that level.

derf • June 7, 2006 10:08 AM

Just give your local congressperson a few thousand bucks to stash in his office freezer and he'll make sure you get an official card making machine.

Probitas • June 7, 2006 1:12 PM

"If a national ID system were modelled after satellite, then all they'd just need to plan on upgrading the security technology (but not the interface...too expensive) every X years and any known exploits would always be potentially 'fixable'."

The above comment, along with some others, ignore some very important facts.

1) The top officers at DirectTV are not subject to public elections
2) they do not have to rely on the generosity of contributors, many of whom benefit from the presence of people stealing DirectTV

Thus, they have little or no incentive to create a system which creates the illusion of security, while still permitting it to be easily bypassed by a person with a small to medium sized risk/benefit tolerance. Can the same be said of those designing and promoting the National ID program?

James • June 9, 2006 9:52 AM

@betabug:

I wasn't referring to the 'freetv' incentive. There's lots of money to be made if DirecTV is hacked again. Just look and see how much money some of the Canadian pirate dealers had frozen when they were busted. Millions.

As usual, money is the incentive, but it's not working in this case.

Justthisguy • June 12, 2006 4:31 AM

Methinks the issuing authority, if it's as corrupt as the general run of humans, will provide perfect biometric IDs for a few special favorite people, with whatever name seems appropriate. General public databases need not agree with this, comparisons being forbidden.

"But, Officer, that's the guy who raped my daughter! I'd know him anywhere!"

Officer replies, "Sir, I believe you're mistaken. Official records prove he was nowhere near there at the time. He's just smirking at you like that because he has Bell's Palsy, or something."

Yah, I know you can't fake iris or retina details, but if yer the keeper of iris and retina records, you can fake the records.

I believe that the State does not need to know who anyone is, exactly. You are who you say you are, absent any intent to defraud.

Pay cash and shun the banks- er, shame the Devil

Cali Parks • June 14, 2006 1:20 AM

When you are looking at these issues you must notice that people will always be able to copy anything that man makes. No matter how much time and money the government puts into new security features they will always be able to duplicate them.

When barcodes came out, they said that would hold the key, it did not. Then we saw mag strips, same thing. Now we have all of the talk about bio features and security. Every five years something new will come out and the bad guys will find some way to get around it. Look at how many people are sneaking over both the Mexican border and Canadian side, they can easily make it over or just try till they make it.

The job the government is doing is important but it's an uphill battle. We see stories every day on CNN, local papers about id theft. Then you can type into any search engine and order id cards right off of the internet. Just right now I typed in fake id and sites like fluxcard.com, theidshop.com, and many more show up. You can from the comfort of your home order ID's and not even leave your seat.

We are never going to stop the supply of cards whether they are coming from the internet or parks in Cali. The keys will fall into the hands of everyday people who want to make sure our country is safe from terror and id theft of sorts.

great blog, keep up the work.

Shimahara • January 6, 2007 11:01 AM

Fake or not fake is not the problem! Only 1000 years ago the world was free to travel and people could just decide where to make a living, so then why the idea of national IDs? Unless you are a bone-hard racist, a xenophobic primate or a blood-hungry patriot you don't need such devices to state you are from anywhere. Make it legal to go and work anywhere and immigration problems will end. We will just have to concentrate on better economic and social models. Less work for sure!!