Rotating picture is not the magic wand to prevent fake IDs
As government agencies consider the deployment of mobile driver licenses (a.k.a. digital driver licenses or DDLs), much attention is being placed on the use of facial recognition technology for the acquisition and verification of a digital driver license. According to the American Association of Motor Vehicle Administrators (AAMVA), there is a broad list of functional requirements associated with a mobile driver’s license (mDL) solution and facial recognition technology is merely one possible solution component.
As described in this CNET News Video, some vendors and government agencies are embracing the notion that digital drivers licenses should contain photographs that move like images from The Daily Profit in the world of Harry Potter.
The CNET News Video implies that vendors are using facial recognition technology for these mDL scenarios:
- Validating a selfie against the photo in a DMV system of record to authenticate an individual during acquisition of a mDL
- Contributing a selfie for an updated portrait to an individual’s DMV system of record
- A rotating photo that signifies a live connection between the DMV and the device hosting a mDL
- A rotating photo that depicts the validity of a mDL
Scenarios 1 and 2 make sense and can be well positioned within a mDL solution that is compliant with the AAMVA Specification. Scenario 3 is vague and implies an online solution when the AAMVA Specification clearly states the need for disconnected (off-line) support.
Scenario 4 raises concern as this approach does not inject an obstacle to prevent false IDs because the creation of a fraudulent DDL , like the one used in the CNET New Video, is easy.
Fraudulent Identity Cards
Today, fake identity cards are pervasive and the business of forged identity cards is lucrative. Recent studies of American university students found that 17% of freshmen and 32% of seniors owned a false ID. These numbers increase annually as laws change and technology and online services make it easier to create fake identity cards.
According to the Bureau of Justice Statistics, 17.6 million US residents experienced identity theft in 2014. In one notorious identity theft case, the US Department of Justice noted that the criminal, a convicted felon was able to perform the following transaction all using false identity instruments:
- spent more than USD 100K of credit card debt
- obtained a federal home loan and bought homes
- bought motorcycles and handguns
- filed for bankruptcy
Digital Identity Upgrade
AAMVA describes a mDL, as a driver’s license that is stored on or accessed via a device such as a smartphone or tablet. Industry expectations for a mobile driver’s license should be based on a vision of a solution that is an improvement over the current physical paper/plastic model. To this end, AAMVA has established a minimal set of feature requirements for a mDL. Pertinent to this discussion, AAMVA’s requirement 2.3 – Trust Establishment outlines why it should be possible to establish a level of trust in the authenticity of a mDL. For example, how can a verifier (a mDL consumer) trust a mDL if one or more identity traits contained within the mDL can be generated by stakeholders other than the Issuing Association (DMV)? Clearly, if it is easy to hack a DDL the desired level of trust will be an issue.
Current Industry Approach
Don’t be fooled by a moving photograph!
Today, very few vendors are offering mDL solutions that meet the requirements of the AAMVA Specification. As a result, DMV agencies across the USA are settling on solutions that offer the same level of security as the current physical IDs without a clear understanding of the ease at which these non-compliant solutions can be hacked.
For example, some vendors and DMV agencies believe that:
- A rotating three-quarter view of both sides of your face makes it a lot easier to identify you, and a lot harder to forge a license.
- The process to create animated “live portraits”, as seen in the Harry Potter movies, is not common knowledge.
- The addition of identity structures such as a moving picture are considered security features when in fact they are simply nothing more than obstacles to fraud.
Some vendors and government agencies are advocating for the use of technology which allows for mDLs to be easily hacked. With minimal web development skills, ten lines of HTML and a web site, anyone can create a mDL that can be created on a smartphone.
Here is a step by step hackers example:
Using the sample mDL that was generated for the State of Louisiana in the CNET News Video, we can take a snapshot of the image from a real mDL on a device that does not belong to you.
Create a few selfies of yourself and stitch them together as an animated .gif file or use services like GifMaker.
Use these ten lines of HTML to generate a new image for your mDL using your animated .gif picture and the original mDL snapshot.
Host the HTML on an accessible web server.
Open the web browser on your smartphone to add a bookmark for your new fraudulent mDL.
Optionally, create a service to allow others to create fraudulent mDLs.
The current industry infatuation with one specific identity trait, namely the portrait image, is distracting government agencies away from the broader use cases and requirements pertinent to the mDL vision outlined by AAMVA.
Issuing Associations should consider these points:
- The goal of a mDL should be to have a lower risk of fraud than the physical card model.
- Verifiers need to be able to trust that the credentials in the field can only be issued by Issuing Associations. A Verifier can not establish trust in a mDL if aspects of the mDL can be hacked. While it is true that facial recognition services can be used to match a selfie against a system of record at the Issuer, the Verifier has no way of knowing at time of an identity challenge that the mDL in question has been verified by the Issuing Association and not fraudulently altered.
The industry needs to aspire to provide a solution beyond what is considered status quo. Vendors promoting solutions that claim to carry the same level of trust and security as our current driver’s licenses and ID cards is not good enough. Issuing Associations and standards organizations need to demand and expect more from vendors. Minimally, mDL solutions should address:
- Protection against fraud, tampering and counterfeiting
- Prevention of fake IDs
- Reductions in human errors during validation and governance tasks
- Prevention of privacy threats and theft
- Face-to-face identity validation
IBM Mobile Identity addresses the broader AAMVA Specification requirements. It is based on the concept of a digital identity document which is a collection of identity traits defined by an Issuing Association that can be used by a Verifier to determine if the holder of the document is authorized to receive services provided by the Issuing Association. These identity traits, when taken together, uniquely identify the user. By way of example, an assortment of personal traits such as height, weight, eye color and license number are defined by a state’s Department of Motor Vehicles and exist on a driver’s license to uniquely identify a driver to a highway patrolman. A digital identity document is procured from an Issuing Association by an identity owner. This document, once acquired, can be stored on the identity owner’s device.
In IBM Mobile Identity, a digital identity document, such as a mDL, contains identity traits that are cryptographically secure. As a result, Verifiers can trust the authenticity of all identity traits, like the portrait image, within a mDL.