Schneier on Security
A blog covering security and security technology.
January 25, 2011
According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud.
States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer satisfaction, resulting in that state receiving AAMVA’s “customer satisfaction” award of the year. This is not just a win-win for national and economic security, but a win (less expensive) -win (doable) -win (fraud reduction) -win (improved customer satisfaction) for federal and state governments as well as individuals.
Moreover, 11 states are already in full compliance, well ahead of the May 2011 deadline for the 18 benchmarks. Another eight are close behind. Some states, like Delaware and Maryland, have achieved REAL ID compliance within a year. Washington State refuses REAL ID compliance, but has already implemented the most difficult benchmarks.
Perhaps most astonishing is that from the cost numbers currently available, it looks like implementation of the 18 REAL ID benchmarks in all the states may end up costing somewhere between $350 million and $750 million, significantly less than the $1 billion projected by those still seeking to change the law.
Legal presence is being checked in all but two states, up 28 states from 2006. Only Washington and New Mexico still do not require legal presence to obtain a license, but Washington so significantly upgraded its license issuance in 2010 that the fraudulent attempts to garner licenses in that state are now significantly reduced. Every state is now checking Social Security numbers.
This might be the first government IT project ever that came in under initial cost estimates. Perhaps the reason is that the states did not want to implement REAL-ID in 2005, so they overstated the costs.
As to fraud reduction -- I'm not so sure. As the difficulty of getting a fraudulent ID increases, so does its value. I think we'll have to wait a while longer and see how criminals adapt.
EDITED TO ADD (2/11): CATO's Jim Harper argues that this report does not show that implementing the national ID program envisioned in the national ID law is a cost-effective success. It only assesses compliance with certain DHS-invented "benchmarks" related to REAL ID, and does so in a way that skews the results.
Posted on January 25, 2011 at 6:16 AM
"Show me your papers!"
Same old, same old.
Makes it easier for law enforcement to nail people. Whose benefit is this for exactly? No wonder they got it in quickly. As an (the?) outlying government project one has to ask why this one is so special. What motivated such a change in performance? And if it can be done with this, why not everything?
How do most people obtain fake IDs these days? Back in my younger days (long past the statute of limitations by now), we used to make them by hand. Laminator, some UV-reactive ink, stencils, Photoshop v2 or v3, 24-pin dot matrix printers, etc. Granted, we were only using ours to buy beer, but at the time ours often looked better than the official gov't-issued ones.
$1bn to implement Real ID...that's $1bn that I think would be better spent on REAL security, say intelligence, instead of pretty-looking pieces of plastic that can probably still be created by a bunch of beer-hungry high school/college students.
Don't be fooled. The study assesses compliance with certain DHS-invented "benchmarks" related to REAL ID. It does not show that implementing the national ID program envisioned in the national ID law is a cost-effective success.
What the study does show is that the national ID builders are still hard at work, trying to corral us into a system that tracks law-abiding people very well while, at best, mildly inconveniencing law-breakers.
It will be interesting to see how the fraud will evolve with the real ID system, besides insiders who might want to supplement their low paying government income.
Maybe the same folks who gave the alleged Mossad agents the Irish passports for the Dubai job will be making Real ID Drivers Licenses?
@Sean - I went to college in this millennium rather than the last one. People (not me) who wanted to fake their IDs would use two techniques in parallel:
1) colored pencils to mark over the "date of birth" field.
2) maintaining a straight face when presenting this ID to a bouncer
That was it. The bars had a vested interest in believing the ID, after all.
"Every state is now checking Social Security numbers." For what? Collecting income tax or distributing social security?
That's all they have a need or right to use it for. TX doesn't do income tax, so they have no right to know anyone's SSN, period.
Serious criminals will still find ways around this, usually with a variation of a "man-in-the-middle" attack, by compromising/bribing state employees to bypass the checks and issue valid IDs. Once that is done, all bets are off. So, yes, "bogus" IDs will get more expensive, but they will be effectively undetectable, because they will be REAL IDs registered with the state.
Of course I've been thinking of a "movie plot" revolving around the murder of homeless people for their SSNs.
1.) Go to day labor sites and hire homeless people with clean criminal records, have 'em sweep a warehouse or something.
2.) Kill them and make sure the bodies are never found.
3.) Acquire ID in their name with their SSNs.
Unless the ID is somehow biologic in nature, there is no way to guarantee that the holder of the ID is the person originally designated to hold that ID. Twins, people that look passingly alike, forgeries, IDs issued to the wrong person, government malfeasance, and more will allow ID checkers more of a pass while undermining real security.
After Real-ID is recognized as a failure, a government implanted chip will be the next step in the evolution of big brother in our Nazi occupied France.
When people get used to the idea that Real ID somehow prevents fraud, it will become next to impossible to get anyone to take you seriously when you do claim fraud. After all, the system is so secure!
So it is only costing $350 - 750 million instead of a billion? I live in Illinois, and even if Illinois suddenly became efficient and it only cost $350 M, that is still $350 M that the near bankrupt state can't afford.
The state of Texas has given itself the right to know your SSN. You would have a hard time arguing that the 10th amendment doesn't allow that. If you apply for a DL, it is (almost) required, under the guise of hunting those who aren't current on their child support. (Think of the children!)
http://www.txdps.state.tx.us/DriverLicense/...
Pretty much of a no-brainer in this part of the world. We all have eID smartcards with a government-issued X.509 certificate. See http://homes.esat.kuleuven.be/~decockd/site/... for a presentation in English. Apart from being rather difficult to forge, we've started to use it for most interactive and on-line dealings with government administration, law enforcement and other authorities. Many people even use it for on-line filing of tax returns. Fraud has been minimal to non-existent, and criminals are having a real hard time with it. The middleware for it can be obtained for free and for different platforms. M/S was going to integrate it with Messenger, there's an add-on for Firefox for it, Linux RPMs etc.
We are not a police state. For all practical purposes, we haven't even had a real government for over 220 days now, which is rapidly approaching the Iraq world record. Most people over here - even lefties - consider the ongoing debates in the US and the UK nothing more than a religious discussion like the ones between Windows and Mac users.
Notice the publisher: CIS is a noted opponent of immigration (legal and illegal)
It falls to the state governments to implement this, and half of them have voted at some point, at least symbolically, against doing so.
But if the elected officials won't vote to allocate the funds, that does not stop the executive from doing as much as they can with what resources they can muster.
And were I a bureaucrat involved with state-issued ID documents, you can be sure that any system upgrades or policy changes that would have been happening anyway would be done in such a way as to be congruent with the expected future requirements.
So the cost under-run (really lower-than-predicted requests for Federal reimbursement) doesn't surprise me given the lack of popularity of REAL-ID with elected officials vs. the popularity of it with unelected ones.
A few years back I attended a talk where a major national bank (I'm not allowed to say) reported that they lost more money from transactions at tellers than from online fraud. The problematic transactions at tellers were people using state-issued identification based on false data. That is, the documents were not fabricated, but instead the information presented to the government was fraudulent. (I've not been able to independently verify that assertion, but if true, it is relevant to this discussion.)
@Rich - the difference is that banks carefully track how much they lose over the counter and are required to report it.
Online most is lost by their customers - so the banks don't know or care - and they don't report it.
REAL-ID compatible licenses have a standard bar code on the back with almost all of the human-readable info from the front on it.
Bars, cigarette sellers, etc will deploy readers that (1) display go/no-go if the presenter is or is-not above the required age and (2) save the info for use by anyone willing to buy the mailing list.
One of the major lobbying groups in favor of Real-ID was the direct mail marketing association.
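The go/no-go reader described in the comment above can be built two ways: one that discloses only the age verdict, and one that also keeps every identifying field for later resale. The following is an added example, not code from the post or its commenters; it assumes an AAMVA-style barcode text layout (three-letter element codes such as DBB for date of birth, DAQ for licence number) and uses constructed sample values.

```python
import re
from datetime import date

# Constructed sample payload in the AAMVA-style "element code + value" layout
# assumed for driver's-licence barcodes. Every value here is made up.
SAMPLE_BARCODE = (
    "DCSDOE\n"          # family name
    "DACJANE\n"         # first name
    "DBB07041990\n"     # date of birth, MMDDYYYY
    "DAQD1234567\n"     # licence number
    "DAG123 MAIN ST\n"  # street address
    "DAISPRINGFIELD\n"  # city
    "DAJIL\n"           # state
    "DAK627010000\n"    # postal code
)

# Fields a data-hoarding reader would keep; none of them are needed for an age check.
IDENTIFYING_FIELDS = ("DCS", "DAC", "DAQ", "DAG", "DAI", "DAJ", "DAK")


def parse_elements(payload):
    """Split the barcode text into a dict of three-letter element codes -> values."""
    elements = {}
    for line in payload.splitlines():
        if len(line) >= 3 and re.fullmatch(r"[A-Z]{3}", line[:3]):
            elements[line[:3]] = line[3:].strip()
    return elements


def parse_dob(value):
    """Parse the MMDDYYYY date-of-birth element."""
    return date(int(value[4:8]), int(value[0:2]), int(value[2:4]))


def age_on(dob, today):
    """Whole years between dob and today, not counting a birthday that hasn't happened yet."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_gate(payload, min_age, today):
    """Minimal-disclosure reader: decodes only DBB and returns the go/no-go verdict.
    Nothing from the card is retained after the call."""
    dob = parse_dob(parse_elements(payload)["DBB"])
    return age_on(dob, today) >= min_age


def harvesting_reader(payload, min_age, today, store):
    """Same verdict, but this reader also appends every identifying field to `store`,
    which is exactly the mailing-list behaviour the comment warns about."""
    elements = parse_elements(payload)
    verdict = age_on(parse_dob(elements["DBB"]), today) >= min_age
    store.append({k: elements[k] for k in IDENTIFYING_FIELDS if k in elements})
    return verdict
```

Both readers give the bouncer the same answer; only the second one leaves a record of who was scanned.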
It's great to live in a system that allows entities to grant rights to themselves...
I think that's how the SCOTUS got their start...
nobody: #grant root to nobody
@Dirk You can mock the attention we pay to civil liberties in the U.S. and U.K. The history in Europe is too gruesome to mock in return.
Since young looking people are more likely to be "carded" when entering bars, they are the ones who will end up on those marketing lists.
Luckily, us older looking folks aren't carded anymore, and will be free of this tracking method.
@ Dirk Praet
I like how they've done their rollout. My main technical objections are that the user's certificates and crypto use 1024-bit RSA, which is considered risky. The system needs 2048-bit at a minimum. The other primitives were SHA-1 and DES. Didn't say TripleDES, so I hope that's a typo. All this weak crypto bothers me.
I also saw a mention of "soft" certificates. Do those signing functions run on the user's PC? This would put the certs at great risk of compromise. I'd prefer an external device with an LCD screen that definitively shows what I'm signing. Putting a private key on a desktop OS is just asking for impersonation. This is worth considering because current malware is capable of impersonation and defeating 2-factor auth in real time for certain banks. I'd expect similar attacks on soft certs.
@ tip them at home,
"Luckily, us older looking folks aren't carded anymore, and will be free of this tracking method"
Sorry, if marketing data is being collected then "us older looking folks", being the ultra wealthy "baby boomers" with mega-buck pension pots, will get "carded at every available opportunity"...
Youngsters don't have very much spare money so they are not worth marketing to; the "grey hairs" can afford top of the range Mercs/BMWs etc.
Oh, and you will be told about all life's other "little luxuries" you really don't want to know about, such as "Teflon coated underwear for maximum stain resistance, with built-in activated charcoal odor absorber, and absorbent pad pockets to stop embarrassing patches, just a snip at 200 bucks a pair"...
Was that really necessary? We could just point out that our government has a long history of abusing any power it gets to the detriment of individuals here and overseas. The people of a neutral country would have to look back to WW2 to understand what will happen to Americans if they lose all their civil liberties. Our country would look a lot like the one that occupied Belgium during that time. Hence, we must tread more carefully.
@ clive robinson
Actually, in the US it's kind of backwards. The older folks in retirement have less cash and higher bills than ever. They are careful on spending. The young crowd have more opportunities and desire to buy luxuries, yet have few to no bills. Hence, teens are a reliable market for apparel, tech and entertainment. I know many kids who can afford more stuff than me in certain months.
Why not just use those yellow ear tags they staple to cows?
My VA license had a visible barcode on it until I used a sharpie to black it out. This hasn't stopped me from getting on US Army bases. The non-Army police at the gates scan all licenses upon entry and just let me through when it fails to scan.
@ Nick P.
I agree with the weak crypto elements. They were deemed good enough at system creation time, but will get upgrades in due time. Typically, an eID has a maximum validity of 5 years, but most people will lose it once or more during that time. As carrying the eID is mandatory, it's in a person's best interest to report loss asap, especially if the PIN code is written down somewhere too.
In Firefox for example, it's implemented as an additional security device called Belgian Identity Card #PKCS11 (Preferences, Advanced, Encryption, Security Devices) next to the Builtin Roots and NSS Internal #PKCS11 modules. Importing the key to your desktop is a really stupid idea indeed, but is not required for anything.
Reminds me of the discussions I used to have on this topic with my late uncle Louis, who moved to Philadelphia in the late 1930s. I honestly believe we have much less reason to worry about our civil liberties than most people in the US. Anyone even suggesting AITs and pat-downs at airports would have no political career left the next morning. We also have good healthcare, unemployment benefits, retirement programs, minority protection etc., all of which uncle Louis found very communist stuff 8-) .
Clive: "Youngsters don't have very much spare money so they are not worth marketing to, the "grey hairs" can afford top of the range Mercs/BMWs etc."
Nope, wrong. TV advertisers market almost exclusively to the 18-49 demographic - which is why if your favorite TV show does not do well in the demo, it gets canceled.
Old people are usually set in their purchasing ways and usually cannot be sold anything they don't already buy. Young people can still be conditioned, and they have more disposable income than old people because they have no or smaller families.
This is once again control masquerading as security. One of my 401ks was just looted by a former employer (despite being administered by a major insurance company). Identifying who it was didn't help prevent this fraud.
It reminds me of the movie "Demolition Man". 99% of the populace are under control, so pretend we don't notice the 1% who are not, and ignore the damage they do to the 99%.
In this case, estimating final cost by the states who have already implemented (part of) the Real ID requirements is particularly specious. Many of the states that refused implementation did so because they expected their costs to be too high, while the states that pushed implementation were generally the ones that expected lower costs. All we get here is that the implementing states' expectations were OK, within a factor of two or so.
"Luckily, us older looking folks aren't carded anymore, and will be free of this tracking method"
What happens is that EVERYBODY gets carded. They even have signs in some stores about being required to check ID of everyone and that you should consider it a compliment.
I ran into this here in the states nearly a decade ago where a liquor store refused to sell to me without swiping my ID. It didn't matter that I was obviously well over 21 years old, or that the clerk could easily read my birthdate on the ID. They flat out refused to complete the transaction without swiping the card through some sort of reader. I ended up refusing them my business, drove to the next liquor store down the road which didn't have that policy.
@ Jenny Juno
I experienced the same thing traveling through Tennessee a while back. Their state has a law that says everyone must be carded for any transaction involving alcohol. The employee was concerned about the undercover county and ATF agents that had gotten stores during crackdowns. There were sixty or seventy year old people who bought beer every day and had to be carded every day.
They were also carding people in that area for medicines that had a key ingredient of meth... just to make sure they were 18. So, if you are 18 and want to make meth, you're good to go. If you're 16 and sick, your parents better be with you. I said, "How is this supposed to stop meth production again, by collecting their birthdays?" I still haven't heard an answer to that, which is why I didn't buy anything like that from them. I also dodge like the plague the stores that physically scan IDs.
I don't get this part: "REAL ID has significantly improved customer satisfaction" I can't see how one is connected to the other. My "customer satisfaction" with the DMV depends entirely on how much hassle it is to deal with them -- how would this stupid change improve that?
Those who have strong feelings one way or another about REAL-ID would do well to familiarize themselves with the SICAM proposal/draft coming out of the states' CIO organization NASCIO.
A couple of high-level references:
Latest draft of the SICAM Roadmap at this time:
The sometimes-controversial federal NSTIC proposal would likely be linked to state identity providers and IdP services developed along the SICAM framework.
Personally, I think SICAM could benefit from more eyeballs, especially from a privacy perspective.
"As to fraud reduction -- I'm not so sure. [...] I think we'll have to wait a while longer and see how criminals adapt."
And how. Seems terribly fallacious to start measuring its effectiveness in such a primordial stage, let alone tout its success.
@bob roberts: good one, Bob. How about one on the hand or the forehead? Makes for easier scanning.
Even a cursory look at the Real ID law would show that none of the states in the article have implemented what was legislated as "Real-ID," with its unachievable system and performance objectives.
Most of them had started on license modernization before the "Real-ID" law was passed. The study author has made a career as a Real-ID champion, ignoring all the facts and issues. Harper at Cato has it ALL right.
@Jenny Juno: "They flat out refused to complete the transaction without swiping the card through some sort of reader."
I experienced something similar to this when I bought a single can of "compressed air" (for removing dust/dirt) from a Target department store. The clerk, who was half my age, needed to scan my ID through his register so it would complete the transaction. At least I paid cash for it, so my ID and Credit Card weren't linked.
A few weeks later I noticed that Staples was having a sale on the stuff, so I bought 4 cans from them, and they didn't bat an eye.
It wouldn't surprise me if there were unanticipated savings from the economies of scale of so many states adding these new ID card features at once.
Fraud reduction in this context is mostly meaningless. It's more economically efficient not to even look at signatures for credit cards, and an ID only authenticates you when physically present, so I don't see much commercial benefit. In THEORY the bank could more closely scrutinize cards when opening accounts, but it would piss off the valid customers and cost more than paying for ID theft.
That leaves government 'fraud.' The situation with purely financial interactions like social security is as above, and the government is wasting money if it tries to over-police fraud. But it's useless for terrorism or high security.
Its benefit will likely be efficiencies from easier scanning of info by businesses.
Thanks to the 2005 Federal Real ID act, I no longer have a mother! She was born Elizabeth Jean Casper. At some time during her adult life, she started using the name Betty instead of Elizabeth. She files her taxes under Betty. Her cars are registered under Betty. Her social security number says Betty and her Social Security is issued under Betty. Her apartment is owned by Betty. But, unless she gets a court-ordered document stating that her name was changed from Elizabeth to Betty, I can no longer establish that she is my mother... so says the Maryland Department of Motor Vehicles. If any of you out there have found out you are orphans as a result of the Real ID act, please help me find out how I can get my mother back.