I always tell my clients that I have four letters stenciled across my forehead “R I S K”.
When someone applies for a job in your enterprise or, appears at a counter wanting to be served or, is wanting to deal with you electronically, verifying their identity should be based on risk. Let’s use Jane Doe as an example.
Verifying Identities for Government Employees, Contractors and Citizens
Jane wants to apply for a job. You ask her for some identity documents. Usually this includes birth certificates, driver’s licenses, etc. Let’s assume it’s a low risk position. What might be more important is knowing the contact information for Jane.
Now let’s assume the risk is higher. There might be a need to do a background check on Jane to see if she has a criminal record or a bankruptcy. The documents now become more important. Her name and say driver’s license are submitted to see if she passes.
In some jurisdictions, Jane’s fingerprints may be obtained. These are then checked against police databases.
How Secure is the System?
Is Jane really Jane or, is there some way it might be Molly Smith masquerading as Jane Doe?
30 to 40 years ago, might have been a high degree of assurance that Jane IS Jane if she’s in possession of her birth certificate and driver’s license. Today, it’s not necessarily the case as technology is easily available to successfully produce real looking fake documents.
Criminals know this. They also know that in many jurisdictions around the world birth certificates are not checked electronically if they are issued in another jurisdiction. I’ll give you an example.
I was the identity architect for a government. Their security auditors said they were one of the first jurisdictions in North America to use facial recognition on driver’s licenses (now used for many, many years by almost all jurisdictions around the world). They then stated it was no longer working as well. Why? Fake birth certificates. Criminals were moving across the country using fake birth certificates from other jurisdictions.
What’s the Solution?
There isn’t one solution BUT there are incremental steps governments can take to address this:
Identity Document Verification Services
In Australia, they have a combined national/state identity document verification service available to business and enterprises wanting to validate an identity’s documents. This checks the numbers of birth, marriage and change of name, replying with a “yes” or “no”. In Canada, this service is not available. Does this solve the problem?
No. It only confirms if the identity document is valid. However, it does prevent what I call “identity fraud by dummies.” So, if Molly Smith is using a fake birth certificate for Jane Doe with the wrong numbers on it or, if Jane Doe has died, this system will catch it. However, it doesn’t catch Molly using Jane’s birth certificate with the right number on it.
Using Biometrics Attached to the Identity Documents
Long ago, police and border control agencies figured out that identity fraud is now relatively easy to do. Their answer was to obtain biometrics from the identity and attach it to the identity documents. Thus, when the documents are presented to government officials, they can be verified not only electronically but also by the biometrics of the person presenting them. Does this solve the problem?
No. Biometrics can be spoofed. If you look at this video from 2017, you’ll see a variety of different ways to spoof biometric readers. Also read this forecast by Experian predicting an increase in biometric hacking. So, depending on the biometric reader used and the skill of the criminal, the biometric may or may not be accurate, i.e. Molly might be able to successfully masquerade as Jane.
Know Your Customer (KYC)
As a result of weak identity assurance, there is a booming industry in products to assist enterprises in verifying identities, i.e. “Know Your Customer” (KYC). These are tools that your enterprise should likely be integrating with as people use them to apply for jobs AND using them to reduce your own identity verification risk. Examples include but are not limited to Trulioo, and Securefact,. Does this solve the problem?
No. If the underlying identity document, like a fake birth certificate was successfully used to obtain other identity documents, then these systems won’t catch it. HOWEVER, they will catch many identity frauds where existing metadata can quickly prove that it’s Molly trying to masquerade as Jane.
Rethinking Civil Registration Systems
In a previous blog I discussed my vision for rethinking civil registration systems by obtaining biometrics from the infant when born and attaching these to the birth registration. This requires new laws, application of technologies like Blockchain/Sovrin, EMP proofing data centers and new types of biometric readers/data entry/telecommunication devices. One can easily see this will take years to implement. So, if you’re a local government what can you do in the meantime?
Suggested Action Steps
- Lobby the state/provincial and national governments to quickly implement an identity document verification system similar to what Australia has implemented. This service applies not only to governments but also to businesses. It can begin to mitigate the risk of identity fraud.
- Establish a set of identity assurance levels within your enterprise. Too many enterprises are like marshmallows inside. Once someone’s gone through the initial identity verification hoop they’re all the way into the enterprise. Establish stronger levels of identity verification as the risk rises within your enterprise.
- Create a cybersecurity team that’s up to date on biometric fraud. Too many enterprises rely upon either the existing technology that they have or the biometric salespeople calling on them. Yesterday’s readers might be susceptible to modern day attacks. Build some expertise inside your enterprise to be aware of this.
- Get up to speed on KYC products. Your enterprise should likely be using them as well as integrating with many of them to facilitate ease of use when people apply for jobs or citizens show up claiming to be someone.
- Keep an eye on human cloning. Yes, what was once thought of as science fiction is now literally upon our doorsteps. In a later blog, I’ll take a deeper dive into this.
Identity fraud is now rampant. Modern technology and communication are now rendering old identity verification systems less reliable. It’s time to reduce your enterprise risk by knowing who you’re dealing with much better than relying on what used to work.
Posted by Guy Huntington
Guy Huntington is an expert identity architect and has worked on a large number of high profile identity fraud and identity management programs including Government of Alberta’s Digital Citizen Identity and Authentication Program.