Driver's License Printer Stolen and Recovered

A specialized printer used to print Missouri driver's licenses was stolen and recovered.

It's a funny story, actually. Turns out the thief couldn't get access to the software needed to run the printer; a lockout on the control computer apparently thwarted him. When he called tech support, they tipped off the Secret Service.

On the one hand, this probably won't deter a more sophisticated thief. On the other hand, you can make pretty good forgeries with off-the-shelf equipment.

Posted on October 31, 2007 at 6:11 AM

Comments

gregOctober 31, 2007 7:04 AM

So how do we help increase the cost of forgives? Some kind of hashing so that a number on it gives credence to its validity?

Were are at the point where making things indistinguishable to the human eye is now cheap. We need something better.

and a little OT. I was in hungury yeasterday, and when we changed Euros to the local currency. They checked the ink spot and used a UV etc on every note. Including the 10s and 5s. Normally I only see them do this with 50s and 100s

NickoOctober 31, 2007 7:23 AM

@greg

The right answer is probably to put all the salient information from the drivers' license, including the photo, into a data block which is digitally signed and printed in a big 2-D bar-code on the back of the license. These days even the cheap digital cameras in cell phones can read a large 2-D bar-code and you could verify the digital signature before displaying the digital version of the photo. Thus only those who could produce valid digital signatures would be able to print licenses.

Of course this simply moves the problem; now you have to control digital signing keys rather than specialised printers. Bruce knows why I think this is a good idea :-)

Fred POctober 31, 2007 8:29 AM

@Nicko-

I would have thought that the data of the full photo would be too much for a relatively small 2-D barcode. Other than that quibble (which could be rectified by storing only part of the photo), I like the idea. Doing something similar, but storing it holographically would give you the space, but make the card less resistant to damage (and increase printing costs).

elizillaOctober 31, 2007 8:51 AM

Jennifer, some places do scrutinize them. I know of a beer store down near campus. that has papered every wall surface with confiscated fake IDs. If you wanted to see samples of forger's work, this place is like a museum of such items.

Maybe they ought to send TSA employees for training at a campus beer store, where the stakes are lower but there are far more people trying to pass fake ID or smuggle things past you. It might be better training for an airport screener job, than actually being an airport screener would be, because you'd have so many more true positives to learn to catch.

AnonymousOctober 31, 2007 10:15 AM

Only in America... are drivers licenses and utility bills considered ID documents. Maybe the whole system you people use is flawed?

AnonymousOctober 31, 2007 10:33 AM

Not only in America. Australia uses them as well, though only in part for a utility bill. You're required to produce several documents to make a minimum set of ID.

And believe me, it's difficult enough to identify yourself *without* a drivers license. Providing birth certificate, two credit cards, bank statements, countersigned legal documents signed by you (such as rental agreements), and you can still be told to go away, "need photo ID", despite that all that documentation more than exceeds the requirements to get a drivers license.

xreyOctober 31, 2007 11:14 AM

I appreciate the international comments about our ridiculous ID system. Our problems come in two categories:

1) Inappropriate use of existing IDs
-Driver's license should be for *driving*
-Social Security Numbers should only be used for payroll taxes.

2) Unnecessary ID checks
-Why do you need ID to get a hotel room?
-Why do you need ID to get a post-office box?

Whatever happened to anonymity? Once commercial entities realized there was money to be made by targeting advertisements, our privacy was doomed.

ZianOctober 31, 2007 11:35 AM

@Nicko, Fred, and Billy
Microsoft has done exactly what we're talking about: http://www.microsoft.com/products/msbit/...

It looks like the barcode stores a compressed and signed version of the photo in addition to a hash of the other information.

The barcode can also handle other forms of ID (e.g. iris scans).

Carlo GrazianiOctober 31, 2007 11:44 AM

The purpose of ID is for identification -- an authentication process between two parties, unknown to each other, who are not prepared to extend each other blind trust.

This process has an irreducible requirement: a mutually-trusted third-party introducer. Ideally, in order for the introducer's services to scale to millions of introductions, the introducer should have a well-deserved reputation for seriousness, integrity, and secure procedures.

There are two classes of candidate introducers: private corporations, and government (it's hard to imagine a non-profit organization operating at this scale without essential backing from government or the private sector, so at best this would be a hybrid category, if not merely a sub-category).

In most Western countries, the introducer role has been assigned to government, which associates it with assiduous census-type record-keeping on individuals, and which issues identification documents that present challenges to forgers comparable to, say, passport forgery. Not impossible, but not trivial, and enough to guarantee authentication for routine purposes. Most people seem satisfied with the level of integrity with which the government guards the data, and fears that access to the data will be used for anti-democratic purposes are not high.

In the U.S., government is traditionally regarded with suspicion bordering on paranoia, to the point where even procedures for conducting a modern, informative census constitute political lightning. The idea of a national ID in the style practiced by most Western nations, with the associated moderate guarantees of authenticity, is a non-starter here. Libertarian eyeballs roll back in their sockets, and spittle radiates isotropically in 12.6 steradians.

What many people here do accept here is the idea that the private sector can do anything the government can do, but better. This is not a nuanced, context-dependent view, but a general ideological program. So naturally the introducer role in the U.S. frequently devolves upon private institutions -- banks, utilities, DNS registrars, etc.. This despite the fact that there is little empirical evidence that those institutions satisfy any of the reputational requirements that are necessary in an introducer, and much reason to believe that those requirements may easily be neglected by such institutions if they should come to be viewed as a drag on the bottom line (think Verisign).

As a result we have a hodge-podge of authentication procedures, based on documents and institutions that were never designed to support the authentication burden that they bear (think Social Security number). For personal ID, the most common resort is, ironically, to a government-issued document -- the driver's license -- which is usually well-designed for bearing information related to driving (within which context forgery problems have a modest scope), but not so great for information relating to, say, banking (for which forged credentials are a much more serious problem).

My personal view is, obviously, that the introducer role is a perfect example of a service that the government could and should be supplying, and for which it is much better-suited than the private sector. But I happen to believe in useful government. In the U.S., that is a minority view.

canadian, eh?October 31, 2007 11:51 AM

I have shown by driver's license approximately 30 times in the last 1.5 years. Each of those was because the clerk noticed that there is no signature on my credit card. Only once did anyone glance at my card long enough to see if I resembled the photo.

You may also be interested to know that I have used my unsigned credit card for approximately 5000 in-person transactions in that period -- it's an experiment I am doing after reading about the zug.com 'experiments' in slip signing.

This site (http://www.schneier.com/blog/archives/2007/10/drivers_licence.html) is where I first heard about zug.com's experiment. Since that time my signatures have evolved to the point that I do not think signatures serve any valuable purpose.

For air travel within the country (Canada) I never use my DL for ID purposes. By my reasoning they (airlines) have to -- due to time pressures and the fact that they are not representing an 'official' agency but merely protecting their financial interest by discouraging ticket resale -- accept anything I give them with a photo on it. I almost always use an expired school id card and occasionally my employee card. The airline employees have never once asked, "Do you have anything else".

I have skipped over the 10 or so times I have handed by DL over to car rental employees because I don't really call that "showing it to them". They just copy what they need without looking at you of the signature.

Another GooglebotOctober 31, 2007 1:33 PM

VISA/MC merchant regs require that they force you to sign the card when they see that the card is unsigned. Interesting that you have had ~30 cases where they noticed the card was not signed, but did not require you to sign it before processing.

BTW, the signature on the card is not for identification, it is verification that you have accepted the terms of the credit agreement with your bank.

jimbobjoeOctober 31, 2007 2:24 PM

elizilla: Though you were making a humorous argument, as far as I know, TSA agents don't look at your ID, and don't care what it is.

Someone who works for the airline examines it, and then, when you get into the security line, someone else examines it. The second examining people always wear a different uniform from TSA.

MikeAOctober 31, 2007 3:14 PM

OT @Carlo Graziani

While I agree that folks in the U.S. are generally distrustful of government, when it _really_ counts they trust government more than private industry. I refer, of course, to state-run lotteries. One reason such lotteries can operate in spite of their huge "load" (portion of wagers not paid out) is the potential of very large awards. That potential is only possible because they are parimutuel (winnings are split among all bettors with the same numbers). Only the government (OK, and some racetracks) can operate parimutuel games because only they are trusted not to fabricate "other winners" to cheat the actual winners. Can you imagine taking your local bookie's word that 50 other guys "just happened" to pick the winning numbers?

Another AnonymousOctober 31, 2007 7:13 PM

@Anonymous
>Not only in America. Australia uses them as well, though only in part for a utility bill. You're required to produce several documents to make a minimum set of ID.

If you read the back of the driver's license it states quite clearly that the using the license for identification purposes, other than for policing road traffic, is at the risk of the user.
(or at least the South Australian one does).

However that hasn't stopped everyone else deciding it's a good authentication mechanism and using it :-)

sohbetApril 22, 2008 4:47 AM

elizilla: Though you were making a humorous argument, as far as I know, TSA agents don't look at your ID, and don't care what it is.

Someone who works for the airline examines it, and then, when you get into the security line, someone else examines it. The second examining people always wear a different uniform from TSA.

max headroomMay 11, 2008 11:55 PM

all you need is a birth certificate after all that is all it takes for a baby to get registered.
with a birth certificate and going to the right government departments you can get any id/driver's licence etc... at certain levels these things become cummulative ie where you will need 2 or more pieces of id. But if you think about it if you lose everything say in a fire or theft to get your ID's remade you start with a birth certificate at the city you were born in. If you know what these documents or replacement documents look like they can be forged with any name. currently they do not take DNA/fingerprint samples of babies so they do not have that info. And if you were in a foreign country where you are no where on file and obtain a false birth certificate, you can get any ID made. They ask you questions along the way to collect information which they can use again for verification purposes but all of that can be made up. I think this is the main reason governments want to ban human cloning, because if you can make multiple copies of you more fraud can go on. One thing about cloning is that you can make(in some other country) a separate person with the same DNA but the fingerprint\retinal pattern will be different. In the future lasers can be made to duplicate(temporarily) even fingerprints for espionage etc... If we do not kill ourselves by then.

Comments on this entry have been closed.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..