I always tell my clients that I have four letters stenciled across my forehead: “R I S K”.
When someone applies for a job in your enterprise, appears at a counter wanting to be served, or wants to deal with you electronically, verifying their identity should be based on risk. Let’s use Jane Doe as an example.
Jane wants to apply for a job. You ask her for some identity documents. Usually this includes birth certificates, driver’s licenses, etc. Let’s assume it’s a low risk position. What might be more important is knowing the contact information for Jane.
Now let’s assume the risk is higher. There might be a need to do a background check on Jane to see if she has a criminal record or a bankruptcy. The documents now become more important. Her name and, say, driver’s license are submitted to see if she passes.
In some jurisdictions, Jane’s fingerprints may be obtained. These are then checked against police databases.
Is Jane really Jane, or is there some way it might be Molly Smith masquerading as Jane Doe?
30 to 40 years ago, there might have been a high degree of assurance that Jane IS Jane if she was in possession of her birth certificate and driver’s license. Today, that’s not necessarily the case, as technology is easily available to successfully produce real-looking fake documents.
Criminals know this. They also know that in many jurisdictions around the world birth certificates are not checked electronically if they are issued in another jurisdiction. I’ll give you an example.
I was the identity architect for a government. Their security auditors said they were one of the first jurisdictions in North America to use facial recognition on driver’s licenses (now used for many, many years by almost all jurisdictions around the world). They then stated it was no longer working as well. Why? Fake birth certificates. Criminals were moving across the country using fake birth certificates from other jurisdictions.
There isn’t one solution BUT there are incremental steps governments can take to address this:
In Australia, they have a combined national/state identity document verification service available to businesses and enterprises wanting to validate an identity’s documents. This checks the numbers of birth, marriage and change of name, replying with a “yes” or “no”. In Canada, this service is not available. Does this solve the problem?
No. It only confirms if the identity document is valid. However, it does prevent what I call “identity fraud by dummies.” So, if Molly Smith is using a fake birth certificate for Jane Doe with the wrong numbers on it, or if Jane Doe has died, this system will catch it. However, it doesn’t catch Molly using Jane’s birth certificate with the right number on it.
Long ago, police and border control agencies figured out that identity fraud is now relatively easy to do. Their answer was to obtain biometrics from the identity and attach it to the identity documents. Thus, when the documents are presented to government officials, they can be verified not only electronically but also by the biometrics of the person presenting them. Does this solve the problem?
No. Biometrics can be spoofed. If you look at this video from 2017, you’ll see a variety of different ways to spoof biometric readers. Also read this forecast by Experian predicting an increase in biometric hacking. So, depending on the biometric reader used and the skill of the criminal, the biometric may or may not be accurate, i.e. Molly might be able to successfully masquerade as Jane.
As a result of weak identity assurance, there is a booming industry in products to assist enterprises in verifying identities, i.e. “Know Your Customer” (KYC). These are tools that your enterprise should likely be integrating with, as people use them to apply for jobs, AND using to reduce your own identity verification risk. Examples include but are not limited to Trulioo and Securefact. Does this solve the problem?
No. If the underlying identity document, like a fake birth certificate, was successfully used to obtain other identity documents, then these systems won’t catch it. HOWEVER, they will catch many identity frauds where existing metadata can quickly prove that it’s Molly trying to masquerade as Jane.
In a previous blog I discussed my vision for rethinking civil registration systems by obtaining biometrics from the infant when born and attaching these to the birth registration. This requires new laws, application of technologies like Blockchain/Sovrin, EMP proofing data centers and new types of biometric readers/data entry/telecommunication devices. One can easily see this will take years to implement. So, if you’re a local government, what can you do in the meantime?
Identity fraud is now rampant. Modern technology and communication are now rendering old identity verification systems less reliable. It’s time to reduce your enterprise risk by knowing who you’re dealing with much better, rather than relying on what used to work.