ID Proofing Threats: A Complete Map of the Known Pitfalls

There’s not much that can go wrong during the initiation stage, when a user applies for services—unless they do it on a platform that’s only pretending to be legitimate. This is where phishing attacks come into play.

Phishing, a common cybercrime tactic, involves attackers adopting deceptive methods to masquerade as trusted entities like banks or retailers. Their goal is to trick users into revealing personal information. The tactics often include creating websites imitating well-known brands, or sending emails that appear to be from reputable sources.

The problem arises when a user provides their ID data to a phishing website. In such cases, the organization being impersonated by fraudsters is usually unaware of this activity, making it difficult to take immediate action.

What you can do as an organization is educate your clients, prospects, and employees about phishing attacks. Teaching users how to spot phishing scams involves clear communication of your company's guidelines. For instance, it's essential to emphasize that you will never require them to send a copy of their ID via email.

The attribute and evidence collection and verification stages represent the heart of ID proofing processes, but they also harbor the greatest potential for security vulnerabilities. Let’s explore what they are and discuss potential solutions.

Challenge. Identity proofing hinges on the reliability and accuracy of the identity documents used for verification. However, two challenges may arise in this domain: 

• The use of insufficiently secured identity documents. Strictly speaking, any non-electronic ID document can be considered not secure enough for remote identity verification.

• The use of identity documents that lack precision. These are mostly old types of IDs that might still be considered valid but don’t contain enough data to reliably verify a person.

Solution. Both of the above threats are relatively easy to prevent by accepting only electronic Machine Readable Travel Documents (eMRTD), such as passports and ID cards, equipped with an embedded RFID chip.

We say “relatively” because the fact is, a lot of non-chip documents are still in circulation. Moreover, some countries still don’t issue eMRTDs. At the moment of writing, citizens of India, one of the most populous countries in the world, still cannot obtain electronic passports (although Indian authorities announced such plans for the near future).

Accepting ID documents that can’t be verified with a digital signature is always a trade-off and a serious matter for risk management. Identity verification vendors are aware of this challenge and are working to find additional ways to address the issue, although it's important to note that none of these alternatives can match the effectiveness of chip verification.

One of the workarounds in terms of the process is requesting additional evidence to provide additional attributes and support verification results.

Challenge. If an attacker gets their hands on a genuine identity document that may have been stolen or revoked, it sets the perfect stage for identity theft. This is a common tactic, which is often combined with a presentation attack during the verification stage. The goal is to deceive either the verification software or the human inspector.

Solution. The approach to tackling this threat depends on what exactly the case is.

If it’s a genuine document stolen from someone else being presented by an imposter, it must be detected at the binding stage by running a biometric check that compares the portrait in the document and the appearance of its presenter.

The key here is what exactly is used as a source of reference data for this comparison: the data from the visual inspection zone (VIZ), or from the RFID chip. Ideally, you need to use the data from the chip, as fraudsters are likely to modify the VIZ: for example, they might replace or alter the photo. 

Furthermore, it’s necessary not only to read the chip data, but also to re-verify it on the server side to avoid the risk of the data being manipulated (more details in the Manipulations with captured data section below).

As for already revoked documents, the standards recommend using special document status services when possible, and—if it’s an eID—checking its signing certificates for validity against certificate revocation lists (CRLs). These are good recommendations; however, they aren’t always feasible. 

First, few countries have such online services. Second, if these services exist, they mostly cover only passports. This brings us back to the previous recommendation: always verify the chip data. If a document has a broken chip, it’s best to treat it as chipless, and, ideally, not accept such documents for remote identity verification.

Challenge. The approach to countering this threat varies depending on whether verification occurs in person or remotely.

Having a physical document at hand is an ideal verification scenario, where an inspector can scrutinize the security features embedded within the document, including holograms, watermarks, microprinting, UV patterns, and more. Plus, you can tell if something is wrong judging by the applicant’s behavior. This advantage is also lost with a remote process.

When verification occurs remotely, any imperfections that might raise red flags in physical documents can be overlooked. This may happen because of the limitations of static images, which often serve as the basis for remote document verification. 

If your solution allows you to only accept images, this risk is critical. Alterations can be applied to a scan of an authentic document in a photo editor. Also, static images may lack the necessary depth to effectively examine dynamic security features, such as holograms.

Solution. To mitigate this challenge, remote ID proofing requires video capture during document presentation. Unlike static images, video enables a more thorough examination of the document’s security features. This dynamic approach enhances the ability to detect even subtle irregularities, and provides a higher level of confidence in the verification process.

Challenge. There are thousands of valid identity documents in use around the world. However, different providers may offer inconsistent support for recognizing each type of document.

Solution. It’s important to make sure the system can recognize and verify a broad range of document types, such as passports, ID cards, driver's licenses, and more. At the same time, the ideal solution should be flexible enough to update frequently and regularly as new types of documents and variations become available over time. 

Also, a piece of advice here would be not to just look for a provider with “the largest document template collection.” The right question to ask is how comprehensive the database is. For reference, Regula’s database includes over 13,000 templates scrutinized by forensic experts down to the tiniest attribute. This can ensure both global coverage and solid credibility of the results.

Challenge. When human operators are involved in the identity verification step, they may not possess the necessary expertise to perform this task in 100% of cases. This can be exploited by attackers: they can present a rare document, taking advantage of the operator’s lack of familiarity. Another challenge arises from the potential for human error.

Solution. It’s recommended to adopt automated processes where possible. Even if it’s an in-person process, it’ll be more reliable (as well as much faster and more accurate) if an operator is equipped with special document reader devices. 

In the case of remote workflow, there are purpose-built tools that are trained to do all the hard lifting in seconds. Regula Document Reader SDK allows you to fully automate the process, eliminate the potential for human error, and enhance the overall reliability of the identity proofing process.

Of course, you can also go for a hybrid approach. This method synergizes human expertise and automated machine-learning technology for document verification, thus adding an extra layer of protection.

Regardless of the case, it’s crucial to have an extensive reference database, as mentioned earlier.

Challenge. A significant ID proofing issue arises when identity documents are purposely captured in a way that makes them look worse. Fraudsters can mess with the quality of document images or videos that are sent electronically. For instance, they might deliberately constrain the bandwidth or tamper with the capture conditions, for example by reducing the ambient lighting. With such poor quality images, this makes it difficult, or even impossible, to spot a fake document or accurately identify the person submitting it. 

Solution. To combat this threat, proper ID proofing solutions establish requirements for the quality of submitted documents and reject the ones that fail to comply.

Challenge. Sometimes, attackers try to use images or videos instead of genuine ID documents for verification. In an attempt to fool automatic systems, they might use photos of fake documents. 

Other attackers go further and present videos of forged identity documents with simulated Optically Variable Devices (OVDs).

In both cases, fraudsters might put a screen in front of the camera instead of a genuine ID.

Solution. Identity proofing systems must employ rigorous video capture processes, enforce security feature checks, and avoid fully automated procedures for remote verification with non-electronic documents. Regula’s document liveness feature handles this procedure: it performs a screenshot check and verifies the presence of dynamic security features, such as holograms and moire effect.

Challenge. This kind of threat is quite sophisticated. Attackers can try to inject data directly in order to bypass validation, alter the data before it’s transmitted, or even intercept data collected when verifying the identity of a legitimate applicant, and resubmit the captured data. 

Solution. The golden rule here is never to trust verification performed on a user’s device. In the case of a remote process, there’s a risk that fraudsters can intercept and modify the verification results. The data needs to be re-verified on the server side to ensure it’s credible.

Importantly, the data must be securely encrypted during transmission from the client to the server for processing. The encryption must meet network security requirements (unique session keys, asymmetric encryption over TLS, etc.)

Also, it may be beneficial to securely store data on your server within a secured perimeter, so that you can always double-check the results in the future for any reason, whether in case of doubt or a security breach. To stay safe, an identity verification vendor ideally should offer on-premises options.

This phase involves linking the verified identity to the rightful applicant, and, as we will explore, it brings its own set of potential vulnerabilities.

Challenge. A significant challenge emerges when attackers attempt to deceive the system by presenting static images, such as photographs, instead of the actual live face of the legitimate applicant. Attackers can employ various methods, such as placing a screen or a printed photo in front of the camera, to mimic the presence of the applicant. 

Solution. To mitigate this threat effectively, a photo alone is deemed insufficient. Instead, you need a video recording of the applicant's live face. This dynamic approach ensures that the binding process involves a real-time, authentic representation of the applicant, making it significantly more resilient against static image deceptions.

Also, it’s important to pay attention to what kind of liveness checks vendors can offer. The most secure type is an active liveness check, during which systems ask a person not only to take a selfie but also to perform some random actions.

Challenge. Attackers may employ edited videos instead of the genuine live face of the legitimate applicant. They create videos that mimic the requested action sequence required by the system to authenticate the applicant, such as smiling or rotating the head, and then demonstrate it on a screen in front of the camera to impersonate the applicant convincingly.

Solution. To counteract this threat effectively, liveness check capabilities must be implemented. Such functionality is pivotal in safeguarding the binding process by ensuring that only genuine live interactions are accepted.

Challenge. Attackers resort to using masks to impersonate other people, often through stolen identity documents. There’s a myriad of techniques to create convincing masks, ranging from cut-out photos to highly realistic latex or silicone masks.

Solution. To address this threat effectively, requirements pertaining to liveness detection and presentation attack detection are mandated.

Challenge. Attackers employ AI-based software to generate real-time videos of the legitimate applicant’s face, mimicking the behavior of the attacker. This video can be pre-recorded or generated in real time. Attackers may use screens in front of the camera, or manipulate the camera's video stream to seamlessly insert AI-generated content.

Solution. Again, liveness detection measures are essential for distinguishing genuine live individuals from AI-generated content, bolstering the security of the binding process.

Challenge. When a human operator is involved in the process, a significant issue arises if they lack the necessary competence to identify individuals accurately. For instance, they might not have prior experience of working with individuals from different ethnic groups or races.

Solution. This challenge is solved by training akin to what border control officers go through. Some businesses choose to outsource manual ID review; however, it’s difficult to guarantee the sustainability of such services.

At the same time, automated biometric verification solutions have made a huge leap forward in this direction. Such solutions can effectively compare and conclude whether the person in front of the camera is the same person whose photo is presented in their ID.

Challenge. Using biometrics for binding can be tricky when individuals closely resemble the legitimate applicant, especially in cases involving twins or close family members, and when reference identity documents are somewhat outdated. This resemblance creates a risk of impersonation.

The fact that some identity documents can remain valid for an extended period can also create issues when the appearance of the person has significantly changed compared to the photo on the document. In addition, the photo itself can be of poor quality.

All of the above can be exploited by attackers for “lookalike” attacks, where a resemblance to the legitimate applicant is used to deceive the system.

Solution. This is a tricky one. In biometric systems, there are more than just two values: “match” and “no match.” There’s also a fuzzy boundary that can raise some doubts. An automatic system always has a decision threshold, which is a balance between “everyone is welcome” and “no one shall pass.” 

Facial recognition systems operate with two metrics, which can be adjusted: 

• False Rejection Rate (FRR), meaning how many legitimate individuals were rejected 

• False Acceptance Rate (FAR), how many wrong people were let in

You can set up the system so that twins will never pass; however, it’ll lead to a large percentage of legitimate people not being able to pass as well (due to changes in appearance, age changes, etc.). In other words, raising the threshold creates issues with conversion. You can also set the threshold lower as a compromise for the sake of operational efficiency so that as many legitimate people as possible are verified correctly.

Companies have to find the right ratio for themselves depending on their business case. Naturally, services for sharing scooters and financial organizations will treat these metrics differently.

Challenge. In identity validation processes that rely on reference data, issues related to data inconsistency or inaccuracy can arise. This might include variations in transliteration, homonyms, or other inconsistencies. 

Solution. Using ID parsing solutions over conventional OCR or manual data entry can ensure that data inconsistencies and inaccuracies are effectively addressed. 

Algorithms are generally more effective at resolving conflicts arising from differences in name representation from various sources or evidence, encoding issues (e.g., lack of diacritics), variations in name representation (such as using initials vs. full names), typos, and other potential discrepancies.

But it’s more than just typos. Data parsing also performs lexical analysis, and can validate that every field in the document says exactly what it should say.

You need to be very careful when choosing ID proofing software. There are many providers on the market, but not all of them can authenticate and verify identity documents at the required level. 

When it comes to ID proofing, the emphasis is on the completeness of your solution. While we've underscored the significance of chip verification in this post, it's just one vital facet of a much broader process. To ensure credibility, the entire ID proofing process must be meticulously constructed.

Consider this: with every additional component integrated into the system, the probability of errors stemming from disjointed components compounds. It’s not only a matter of the ease of integration. When you bring together components from various vendors, you also introduce a multitude of individuals into the integration process, each with their own level of expertise.

Ideally, opting for an ID proofing solution from a single vendor that has honed their skills in identity verification can significantly mitigate all of the challenges above.