The media abounds with stories about the theft and unlawful use of personal identifiers. The question from a security perspective is why this is such a problem? The answer is simple enough. Committing crimes with someone else’s personal identifiers is are easy to do, the rewards are high in relation to the risks, and the certainty of getting caught in the act is low.
Digging deeper, governments implement policy and guidelines believing they are making the system more secure from personation and identity fraud. The question is rarely asked if protocols actually work in high reward for the risk situations. It is always easy to catch the low hanging fruit and too easy to assume that this activity is proof the system is keeping out really bad actors.
What screening processes successfully do is put people to more effort in obtaining government identification. This may reduce some threats where the potential reward is not worth the effort, or the potential attacker doesn’t have the understanding or resources. This is not the case with terrorist cells and organized criminal predators. There are other high stakes environments, such as someone in desperate need of medical treatment.
Every government issuer of identification makes security trade-offs. They balance a tension between increasing diligence, the costs and the delivery of customer-centered services. No voter wants to go to extraordinary effort or personal inconvenience to obtain a government identification.
The root of most government identification is a proof of status record. By far and away the the largest number of proof-of-status records are registrations of birth – inside the country and registrations of births of the offspring of citizens born outside the country. There is no biometrics physically captured at birth, linking the individual to the birth record. Birth certificates falling into the wrong hands are the keys to the insidious identification kingdom.
Government issuers of passports and a wide variety of other identification tokens, such as driver’s licences and social insurance numbers, request the applicant present a “proof of status” document. Some government agencies conduct data exchanges with the record holder. This process does not “authenticate” or “verify” a proof of status document. The data exchange affirms that there is a record retained by the issuer with similar personal identifiers and registration numbers provided. The identification handler doesn’t know if they are dealing with a fraudulent acquired or forged document. They would no know if it is a stolen/loaned document in the wrong hands. Because births and deaths are not registered nationally, the system is the most vulnerable to false personaton where there is a birth in one jurisdiction and a death in another.
Immigration proof of status identification these days, for the most part, incorporate a secured photo image. The challenge here from tests; humans don’t do much better than pure chance at making a positive association, and no-more-so than when there are changes of appearance (glasses, beards, hair styles etc.). There is even less success when the presenter is from a different race.
When asking for proof the residency, know what you are getting. These documents do not affirm residency. At best they affirm where mail is delivered. No one has physically checked to see if people live where they say they live. There are lots of examples when people maintain an address in one place and live somewhere else to qualify for something they are not entitled to.
Finally, sworn affidavits have their place. They don’t mean the information sworn by affidavit is true, only the that information is sworn to be true. It may have a preventative quality when the person swearing the affidavit is aware of the criminal implications from perjury.