• Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Posts Tagged :

ID

Fake ID Fabrication: The race to anti-fraud measures

960 640 Stuart O'Brien

By Rob Cook, Senior Analyst at Flashpoint

United States government-issued identification cards are replete with anti-fraud measures such as ultraviolet ink markings and holographics intent on stemming the reproduction of phony IDs. That, however, has not stymied a growing underground economy of sites servicing criminals wishing to obtain and use fraudulent U.S. ID cards.

While only relatively few of these sites can deliver quality fraudulent reproductions, there are some sites with high ratings and positive reviews within illicit communities that can deliver cards that will bypass the security measures protecting legitimate government-issued cards.

This poses a threat to facilities that scan IDs to allow entry, for example, or to businesses such as banks and other financial institutions that rely on Know Your Customer requirements to verify the identity of customers and put up barriers to synthetic identity fraud, for example.

Vendors Advertise Bypasses of Security Features

Legitimate identification cards in the United States not only contain sometimes complex fraud-protection measures including the stars on REAL ID-compliant driver’s licenses or properly formatted scannable barcodes, but they’re also made of specific materials that are durable and transmit light in order to support these measures.

Vendors running some of the highest-rated illicit shops will advertise their capabilities around replicating these security features on identification cards, such as the correctly formatted barcode, certain micro-printing, or laser perforations. A proper barcode, for example, is often enough to allow entrance into access-controlled facilities. This is a significant risk not only to government buildings, but anywhere—such as a school or corporate office—where entry is controlled by some sort of access mechanism attached to an ID card.

The availability of high-end printers is one factor facilitating these fraudulent reproductions by threat actors. A typical office photo printer has the capability to reproduce quality products, while laminating machines and plastic card printers can also facilitate these reproductions. Supplies such as ultraviolet ink are available on the open market as well. It’s unknown whether some fake ID producers are obtaining the actual blanks used by agencies, this likely includes the laminate that contains the holograms.

Some of supplies used by high-end ID manufacturers to create advanced security features are also sold in bulk by vendors within illicit communities. Some forums and markets advertise “holos,” “perf sheets,” “cardstock,” “OVI sheets” and more for relatively low prices; OVI stands for optical variance ink. Transactions are generally carried out via cryptocurrency to maintain a measure of privacy throughout the transaction, and deliveries also relatively quick—anywhere from five days to three weeks. Flashpoint analysts have also seen some advertisements where payment methods such as prepaid credit cards or wire transfers are accepted.

Although even the highest quality fake IDs will likely be detected once checked against law enforcement and-or Division of Motor Vehicle databases, many of these IDs will reportedly pass the inspection of untrained security personnel and numerous off-the-shelf (OTS) barcode readers/verifiers. It would therefore be difficult to identify a professionally crafted fake for commercial retailers such as liquor stores, or office or school building access control systems that aren’t able to verify government IDs against a database. As a result, the threat to physical safety or the risk of fraud is enhanced.

Retailers that sell alcohol and tobacco, for example, may be especially vulnerable to employees accepting fake IDs based on the multiple states and forms of ID they may be presented with during transactions, particularly in locations near college campuses. Fraudsters may also use fake identification to gain entry into student events or take advantage of student discounts.

Those vendors who deliver higher quality products are rated upon not only their product quality (look, feel, durability, and acceptance rate of the ID card), but also upon their trustworthiness, and the security features included in the cards. Customers rank vendors on several advertised security features, including the quality of their templates (similarity between legitimate and phony templates), quality of the hologram and use of optical variance ink, ultraviolet ink, and their ability to incorporate microprint into ID templates. Vendors are also rated on price, discretion of shipping packages, and shipping turnaround times.

Assessment and Mitigations

Entities likely to be impacted by threat actors selling or using fraudulent identification can take some steps to protect themselves.

Organisations operating in sensitive industries, for example, could mandate background checks through a law enforcement agency for new employees, or for employees with access to sensitive materials or data.

Employee training can also help retailers or public-sector organisations spot phony IDs. Various government agencies, for example, offer training that explains security features employed by the different states and how they work off of one another.

On a more granular level, retailers—in particular those selling alcohol and tobacco—could institute a policy where a second form of identification is required, even a credit card or school identification, for example.

In the meantime, threat actors will continue a frustrating cat-and-mouse game with defenders, attempting to bypass new security features as they’re implemented in order to service a growing underground economy built around phony identification documents.

Image by Simeworks from Pixabay

INDUSTRY SPOTLIGHT: One ID for all access – Secure, convenient & manageable

960 640 Stuart O'Brien

Hybrid smartcards are the most secure and cost-effective solution for providing staff with just one credential for all identity and access applications – making life easier for employees and strengthening security by enforcing desired behaviours. 

Organisations typically have many different  systems that require user identity verification in addition to building access control, such as secure logon to the IT network, the release of documents from printers and cashless canteen vending.

Making it possible for each staff member to use just one ID for all these identity and access applications not only makes life easier for them, which aids their productivity, but also strengthens security across the organisation by enforcing behaviours that ensure protective measures are not circumvented (such as by the loan of door access cards to colleagues, or by leaving logged-on computers unattended).

Furthermore, having just one user identity database for all applications, enterprise-wide, avoids wasteful resource duplication and significantly reduces overall costs.

Why smartcards

Hybrid smartcards can combine a separate contactless RFID interface chip with a contact chip in the same card body. This enables the best choice of standards-based contact and contactless technologies to be selected for an organisation’s specific requirements.

Contactless applications, including building access, can make use of up-to-date technologies, including DESFire, iCLASS and SEOS, which support mutual authentication with card readers before transferring encrypted identification information. It’s also possible for multiple RFID chips to be incorporated, in order to support migration from insecure legacy technologies, or to accommodate completely separate physical access control systems.

Contact smartcard chips are ideally suited to PKI-based 2-factor authentication (2FA) security applications, such as network logon, disk encryption, email encryption and digital signatures. They provide the ‘gold-standard’ in security by utilising private keys that are generated and stored securely in the chip, protected against external access, and never shared. The chip hardware from established manufacturers includes design features that prevent keys from being extracted, even if probed by an electron microscope, and so achieve certification to the highest international standards, such as EAL 5+ and FIPS 140-2.

The actual security of any digital credential ultimately depends on how well its encryption keys are protected. As mentioned already, contact smartcard chips have been certified to the highest security standards. Mobile devices support 2FA by hosting various app and cloud-based implementations of cryptographic algorithms; software-based solutions are at greater risk from malware attack and the security of encryption keys depends very much on the particular mobile device and OS in question.

Mobile device based credentials appear to offer a convenient alternative to having to issue each staff member with smartcards, they do however introduce the burden of managing and maintaining multiple apps and device platforms, a task that becomes even more complex as these proliferate over time.

Issuing employees with smartcards commonly supports wider site security requirements, as they can be printed on for use as an easily recognisable company ID, bearing a photo of the user and worn on a lanyard.

While mobile credentials solutions for an ever widening range of identity and access applications have become increasingly available, their adoption is currently limited by their much greater cost in comparison to well-established smartcard solutions.

Security benefits of converged credentials

Process

Combining the forms of identification required for both logical access and physical access, into a single ‘converged credential’, facilitates streamlined management and administration for critical process like staff on-boarding and off-boarding.

Card Management Systems (CMS’s) help organisations deploy and manage smartcards quickly, efficiently and securely. Hybrid cards can be managed easily with CMS tools that connect to enterprise directories, card printers, certificate authorities, and more.

People

Staff always tend to find the most expedient ways of getting their work done, even if short-cuts may result in security vulnerabilities. Issuing each staff member with a single card for door access as well as IT-access (amongst other uses) naturally compels them to always carry their ID-cards with them at all times, strengthening overall security by:

  • Ensuring credentials with photo-ID are consistently worn by staff moving around a site.
  • Quashing the practise of lending door access cards to colleagues.
  • Automatically logging-off or locking computers whenever left unattended by users, who have to remove their ID card to pick-up a coffee or collect a document from a printer for example.

Technology

Hybrid smartcards allow organisation to mix-&-match established standard contactless and contact technologies to fit their precise needs; providing the flexibility to integrate with an extensive range of identity and access applications using just one ID card.

In addition, fully-online and integrated door access control systems can be used to ensure that users can only log on to their PC, or access other IT resources, if they have badged through a door, thus eliminating most ‘pass-back’ and ‘tailgating’ issues with building access cards.

For more information on converged identity and access management solutions contact Dot Origin:

www.dotorigin.com/smart-card-based-solutions/converged-access/

+44 (0)1428 685 861