Analysis of the development of document and identity verification infrastructure in the digital age …
Original material by Akshay Sharma
What is meant by the term 'personality'? The name that friends and family are called, or the appearance that certifies the document? If we choose the second option, then, naturally, a great emphasis will be on checking the legitimacy and correctness of the so-called identity card, proof of its existence.
Paper and plastic
Ask anyone, 'What's your name?' And the honest majority will answer truthfully. Slightly more cunning ones may not give their name. The reasons can be different, be it the need for increased privacy and anonymity or criminal intent.
And then, there are exceptions, for example, nicknames and names altered in a foreign manner. As an example, here are the spelling options for the simple Slavic name Igor. Depending on the spelling and language, it can take the following variations: Igor, Igor ', Ihor, Ihor, Igar, Ihar, Igor.
What is date of birth? The date known to you and your next of kin or indicated in documents (although there are mistakes in them)?
To avoid the chaos that occurs in such scenarios, we came up with documents: a simple sheet of paper that acts as an identity card, without much attention to the possibility of counterfeiting. A photograph is glued to the top of it, the name, date and place of birth are written, all this is supported by the seal and signature of the representative of the authority that issued the document. This was enough before.
We soon realized that the infrastructure was imperfect and prone to counterfeiting. We got smarter and started using UV signs, security tags, holograms, special inks. But what about sister Eliza, who looks a lot like her and pretends to be her on the day of her driving test? Similar violations still occur today in some jurisdictions.
Then there were NFC chips with encrypted biometric information – a photograph and fingerprints of the owner make it almost impossible to fake. If you have an electronic passport (ePassport), Biometric Residence Permit (BRP) or similar plastic document, then it is signed with an electronic signature and can be digitally verified to see if it was actually issued by the designated authority , and also whether there was a fact of forgery. All of this is available thanks to the public key certification infrastructure.
These measures make it almost impossible to forge an e-passport or BRP and evade responsibility. The scammers' calculation will be wrong. When trying to pass off a fake biometric document as an original, the fraudster will be caught, but only if the verifying document has access to the technology of reading and verifying the chip. And do you know what is most interesting? The information is not contained in the chip itself (and is decentralized), so there is no need for constant access to an online database of information that can be hacked or 'put'. You are responsible for the safety and security of your ID card.
But if you are even smarter, then you will never, ever get yourself a biometric ID. You are more likely to use fake documents and data to obtain paper documents. For example, by submitting a utility bill with a specified fictitious address and stating it as the real address. Or you can use the real birth certificate of the person whose identity you are trying to steal.
The ID paradox: This problem is similar to the egg and chicken situation. To get an ID, you need to have an ID. Sounds so-so, right?
Paper documents in the digital age
Even in the digital era, we trust paper too much. And the cloud passport is still in the testing process. But paper documents pay off as databases get hacked and servers crash.
Imagine that you are caught in a long queue at the border due to the failure of control systems. At least plastic and paper documents can save you. In the event of a system failure, border control officers can temporarily revert to the old document verification process, which includes UV or hardware read data (MRZ) checks. If they had to rely entirely on technology, then in the case of identity verification, they could only wish good luck.
And then, many are worried about the aspect of privacy. An international database using matching based on DNA, face recognition and fingerprints is likely to obviate the need to carry any documents or memorize information, but this approach, while sophisticated, can fit too much into our privacy.
Online identity check
But what happens when you want to prove your identity online? In this case, everything is not easy. Many business-critical applications today use one of the following methods for the verification procedure:
- Request a scan of your document to be sent over the network
- Performs dynamic authentication based on artificial intelligence, which in practice is a set of random questions about your credit history, if you have one
- They ask you to point your smartphone camera at a document for advanced authentication by features, they may additionally request a 'video selfie' to determine that you are not a robot, calculate the similarity of a face in a video and in a photo from documents, and so on.
But here's the problem with all of these approaches. You cannot check the authenticity of an identity card online in the same way as live. It will not be possible to illuminate the document with ultraviolet light, and the protection measures are reduced to zero, and they cannot be distinguished from a fake: in three-dimensional space it will not be possible to tilt the digital image and see the change in the hologram colors, and the MRZ code, which is a pretty good verification mechanism, can calculate and emulate skilful master of counterfeiting.
Reading embedded biometric and NFC chips requires dedicated infrastructure. Even if the user has an NFC-enabled smartphone to read and send information through apps, this process will not be as secure as holding a plastic ID in his hands and checking it with his own chip reader.
The Thin Folder Problem: Artificial Intelligence Authentication won't work for people with no credit history. There is simply not enough information to generate security questions. It is very likely that for this reason, the GOV.UK Verify verification system gives only a 47% chance of a successful verification, and after all, £ 130 million was invested in it, a big disappointment.
Basically, as long as there is an online database that can verify the information on your document, you will have to believe that digital images can be trusted. There is no global database of passports. As for driving licenses, immigration documents and biometric residence permits, everything is subjective and depends on the authority that issued the document, which restricts the use of such databases for special purposes.
Social networks, cryptocurrency, blockchain
Speaking of 'online databases': what about social media? Will my LinkedIn profile and Facebook be reliable proof of identity? Or only if the user has a lot of connections there? What about fake profiles? What about an impostor using a fake social media profile to add a person's real friends to his online acquaintances? These questions only complicate the problem.
Blockchain is the technology behind Bitcoin, and P2P systems, of course, can decentralize document information. But by themselves, they will not be able to verify the reliability of information, for example, to authenticate a profile on a social network as proof of reliability.
A solution to a very real problem is needed.
Dating apps, housing services (Airbnb), adult sites (which are now required by law to verify the age of users), fintech and online platforms selling age-restricted goods (drugs, firearms, fireworks, mariahuana, tobacco) – For all these services, the problem of online identity verification is very acute, and so far there is no reliable way to solve it. And while companies like Yoti, Jumio and ID.me are trying to overcome this barrier, you cannot rely on their thesis that it is worth stopping at checking the originals of documents provided by the user, not scans.
Just because a scanned copy of a document 'looks like the real thing' cannot be said to be true, no matter how advanced and 'smart' your AI / ML algorithms are. These systems will be able to 'hint' the fact of a fake if they notice it. However, they will not be able to determine the apparent absence of forgeries until the information has been verified in the official database.
There is a need to find a digital solution to the document problem that is reliable, less brazen, privacy-friendly, accessible and secure. Until this is done, all the data points we have present some degree of risk: how can I trust that the scanned image or 'video selfie' is real? Or how to determine that the person entering the credit card number online is in fact the rightful owner of it? Our comfort zone in relation to the risks we are willing to take determines the decisions today and the ones that remain in the future.
Original material by Akshay Sharma
Against the background of recent news about how a person almost lost an apartment in Moscow due to fraudsters faking his electronic signature, we can conclude that at this stage digital confirmation of identity is still lame or requires two- or even three-factor authorization. However, the news that we are about to switch to electronic documents does not cease, in the same China a system for paying for goods by looking at the camera of the terminal at the checkout is already working. And, of course, all this is a treasure for various criminal elements.
Do you think the digital personality and its online identification is an apocalyptic utopia or a necessary step into the future?