Since the mid 1990s much media attention is drawn to “identity theft” and what consumers can do to prevent victimization. It is rare that a clear distinction is drawn between theft (the supply) and unlawful use (the demand) for personal information. A lack of clarity at times creates confusion and underachieving counter strategies. Although the problems intersect, the prevention strategies for each are not the same and, generally, the responsibilities for reducing the threats of each fall to different people.
What we do know: As long as the effort is worth the potential gain, and the malfeasors don’t feel vigilance or certainty of getting caught in the act each and every time the attack, this problem is unlikely to go away.
Police learn the folly of perfunctory acceptance of identification at face value early in their career. They experience firsthand the difficulty of detecting the new generation of counterfeit documents. They frequently encounter fraudulently obtained government identification. They routinely seize stolen and false documents during money laundering, drug trafficking, human trafficking, stock market manipulation, mortgage fraud and transnational organized crime investigations. They discover those avoiding detection or arrest don’t reside at the address on their driver’s license. Try arresting someone from a photograph and it doesn’t take long to realize how difficult it can be to make a positive association – much less a small image on an identification card. People routinely doing photo to bearer comparisons intuitively get this. Maybe this is why you don’t feel vigilance at the ticket agent counter or security when boarding an aircraft.
Finally, experienced police don’t focus on the ID. They focus on the presenter. They begin every interview with total belief in what they are being told. They know that their person of interest’s reality – whether to be truthful or deceptive – is found in the context of the language they speak in response to questions. Police will also watch for changes in nonverbal behavior. They trust their training, experience and instincts when something doesn’t make sense, or doesn’t feel quite right. Then they drill down to verify or refute concerns they might have.
This article for critical infrastructure risk managers, prevention and security specialists offers some key threats to think about in the design of identification harms prevention, with some suggestions for upping your identification security game.
Rule # 1: Don’t get trapped by security hyperbole
Be mindful that:
- Secure document manufacturers routinely upgrade security features in identification blanks. These blanks are enhanced with tamper-proof features added when they are validated with personal identifiers and registration numbers. Yet, even document examiners struggle to detect a new generation of counterfeits at first blush. They often have to use advanced technical aids
- Thanks to the internet, unlawfully acquired legitimate personal identifiers and social security numbers are hacked, purchased and resold on an international scale. They are added to the counterfeit blanks. The result, know data verification checks don’t “authenticate” the document as some posit. What they do is affirm the issuer has a record, based on the information provided. Nothing more.
- Some identification issuers are either unaware or misspeak about the residual threats posed by the security trade-offs they make. Therefore, good security from dependency on identification must be layered to avoid a single point of failure
- Proof of address documentation doesn’t affirm someone resides at an address. Nobody physically checks. At best you know where the presenter receives some mail
- People swearing under oath to something being true doesn’t make it true, only that they are swearing it to be true
- Scientific studies show people aren’t much better than pure chance at positively associating a photo ID with the document bearer than they seen physically in the past, and even worse if the person is from a different race
- Outlier attacks on privileges (i.e. driver’s license), benefits (i.e. medical care) and services (i.e. mortgages) are insidious. They can go on for months and even years without being detected
Rule # 2: Know what each type of identification is telling you and, more importantly, what it isn’t telling you.
In deciding which forms of identification to request, consider three characteristics which form a human identity (attributed, biographical, bio-metrical). Know what each tells you:
Identification documents (ID) point you to a record of personal identifiers retained by government as proof of status in the country of issue. This is the bed rock of any identification management system.
There are two categories of attributed identity.
Status by “right of birth”: Records retained regionally on persons born inside the country, or federally retained records of children born to citizens outside the country. In most jurisdictions these birth records include a long form containing additional legislated information for registering a birth. These records are not linked inter-provincially (Cda) or inter-state (US).
Status by “law or privilege”: Immigration and citizenship records retained by the federal government in Canada and the U.S. Today’s immigration and citizenship records include a biometric (i.e. photograph, fingerprints).
You should be able to trace every other legitimate government form of identification back to a record of status. These include travel documents issued by national governments and some United Nations designated agencies, and identification tokens (i.e. driver’s license, medical health card, social security number).
Accepting travel documents and identification tokens as proof someone is who they say they means accepting the security trade-offs made by the issuer. This may be an appropriate risk to accept in some case such as consumer fraud, but more risky when a security compromise might have catastrophic consequences (i.e. terrorist/anarchist access to transportation, water treatment plants, nuclear facilities etc).
A biographical identity is a transaction-based record accumulating over time. It is the details of someone’s interaction with the record holder. Examples include tax files, credit ratings records and a driver’s license abstract. These records are powerful aids in the hands of skilled interviewers.
Biometric verification is any means by which a person can be uniquely, physically identified by with a biological trait. Unique identifiers include fingerprints, hand geometry, retina and iris patterns, voice waves, DNA, and signatures. The most common form of proof of status, birth certificates, aren’t linked to a biometric.
There are prevention strategies from the security trade-offs made by identification issuers which help mitigate threats posed by fraudulently acquired, counterfeit/forged and stolen/loaned identification:
- Increase the feeling of risk at the point-of-service with a message of vigilance
- Apply behavioral insights to the application process
- Improve detection with education and training on non verbal “red flag” patterns of human behavior
- Hire people who are emotionally intelligent, improve frontline judgment and decision making
- Work from a well thought out information gathering plan
- Implement policy and guidelines for escalating front-line concerns for more in-depth review
- Encourage a continuous learning environment with timely feedback to front-line judgments and decisions on escalated events