How Enterprises are Detecting Expert Fake IDs

Do you have $200 and a computer? You could have an expert-proof fake ID in your mailbox within a few weeks.

New fake licenses and IDs are a burgeoning business in China and other overseas forgery operations, and the level of sophistication and detail in the mail-order cards has Homeland Security officials and State Motor Vehicles Agencies worried that digital security systems might not be able to catch them.

Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink that appears only under ultraviolet light is stamped onto the cards, according to news source USA Today. Buyers’ new cards come personalized with their state, address, name and photo of choice. After filling out the form, someone from the website will send a money-order request.

The cost of ID documents differs from website to website, and also depends on the level of complexity. For a driver’s license, $75 to $200 will get a fraudster a new identity. Five hundred dollars will produce a very authentic-looking passport.

Officials are especially disturbed by the ease of receiving such a document, which could open the door for incomprehensible havoc in the hands of terrorists.

In response, the Transportation Security Administration is testing machines at the head of security lines to scan any of the 1,300 types of U.S. government-issued IDs.

A pilot program is being used at three U.S. airports, including the George Bush Intercontinental Airport in Houston. Thirty machines will enhance the TSA’s current method of identification verification – a hassled officer equipped with no more than a hand-held black light or magnifying glass.

While the machines will not replace the officer, they will scan the ID for visible and invisible elements, such as barcodes or chips. The TSA agent will then visually verify that the traveler’s ID matches the boarding pass and his or her appearance.

The problem is – will this new generation of fake IDs fool the trained eye and the machine?

Aside from the TSA, the Federal Aviation Administration is also working to secure the skies. Government regulations continue to step up security demands at federal agencies, requiring ID cards to support multiple identity assurance factors and to be validated at various points of entry into a location. Unfortunately, because of the cost and infrastructure that typically accompanies security upgrades, these federal agencies must wait months if not years to implement new programs. The FAA is no different, but FAA HSPD-12 Program Manager Craig Auguston had other ideas.

As part of its security requirements, the FAA must validate Personal Identification Verification cards at checkpoints within its facilities. But when 5,000 people come into the Washington D.C. FAA headquarters every day, the old standard of visual verification by security personnel was neither efficient nor effective. The guards had no way of telling if the card was authentic, revoked or if the employee had access rights to a particular part of the building, according to a report. With the possibility of such easily-procured fake IDs, would a visually-verified badge be any more difficult to reproduce?

“The project needed to provide guards the ability to validate PIV cards at FAA facilities where the gates did not have PIV card readers,” Auguston says. “We also wanted a mobile solution for backup and for roaming guards to be able to validate secure areas, such as parking garages.”

A need to integrate with the current P2000 security management database from integrator Johnson Controls led Auguston to choose software from Codebench, which together enables roaming security guards to use mobile handheld devices in FAA parking garages and entry points that needed to be secured but lacked the stationary PIV readers.

In addition to mobility, the readers can verify an employee’s access rights on the spot. Security personnel are using them to verify digital certificates, revocation status and access rights, all while keeping an audit trail of every card checked into the system, resulting in additional accountability and cost-savings over installation and infrastructure.

But sometimes, visual authentication is all you need for a single, specific task.

At Sheridan High School in Sheridan, Wyo., hard-working students can earn the privilege to eat lunch off-campus, but Ryan Schasteen, the Technology Integrations Manager for the school district, needed an easy, hands-off way to make sure that only the worthy students got fast food.

“I needed a user-friendly system, because I’m not the one administering it,” he says. “One of our secretaries had to be able to pull information out of our student database and print a card on the spot, and I wanted to get an all-in-one solution. We got ID Flow software, card printers, everything, and after setting up the templates and protocols, I don’t have to mess with it.”

The program, provided by Jolly Technology, keeps track of the 900 high school students’ information and auto-fills it into a pre-set template that changes every semester.

“Students have to earn the right for an open lunch, and the students who have earned that privilege have the ID card as their pass in and out of the building,” Schasteen says. “We reprint all of the cards on a new template when the semester changes to prevent students from reusing the previous semester’s privileges.”

And while open lunch isn’t necessarily the same societal problem as underage drinking, identity theft or terrorism, the next generation of fake ID makers in the U.S. isn’t quite as sophisticated.

“Of course the students all want to leave for lunch, so the first semester this year, our monitors who check the badges as students leave and come back noticed a few IDs that were a bit off,” Schasteen says. “We found out that there was a student who made around five or six fake cards that were pretty easy to detect once we knew what we were looking for.

“Second semester, we found that another person had done a much better job of creating cards to the point where it was very difficult to tell that they were fake,” he says. “In making the card creation and dismissal process as easy as possible – we don’t want to bottleneck kids getting out for lunch with scanners – it isn’t a very difficult system to bypass with some student creativity. So we’re going to invest in some holographic cardstock to help deter the ability of students to easily produce fake IDs.”

While holographic image printers are available, Schasteen notes, it doesn’t make sense to spend so much money on a problem that currently affects 12 to 15 enterprising students.

“The biggest concern is what price point makes sense for the violations we’re seeing,” he says.

But getting off-campus privileges revoked isn’t the only threat facing people who order fake IDs. To add insult to injury, some of the fraudsters have reported identity theft and hundreds of thousands of dollars of debt in their names after buying from the Chinese forgers.

Using Badging Programs to Improve Efficiency and Legibility in Healthcare

At Tampa General Hospital, RF IDeas HID Prox Readers are everywhere and are used for just about everything – accessing electronic medical records, medication dispersal, attendance tracking and automatic badge deactivation on a predetermined date, which comes in handy for rotating med students.

In a hospital of more than 7,000 employees, access control and authentication is the key to keeping an accurate audit of who worked with whom and which nurse doled out the medication. In the last five years, the number of specific access groups, each with unique requirements within the organization, has grown from 24 to 118 groups, leading to tighter facility security and faster investigative capabilities.

“The biggest thing is our ability to disable someone’s access,” says Chris Hendrickx, Security Analyst at TGH. “Access needs are determined based on a job code, so nurses have access to the medication cabinets while, say, janitors don’t. But some jobs have an expiration date, like our single-semester students.”

Tampa General gets 60 to 100 new students every six months, and all of the badges are set to expire at the end of the teaching period. Within an hour of a card expiring or being disabled after a termination, that employee’s system access is revoked as well.

With the electronic medical records (EMR), nurses and other practitioners can keep track of patients’ records and treatment without the need for a handwriting translator after the doctor scrawls down a prescription.

"We wanted to leverage our existing fleet of multifunction devices throughout the organization to complement the existing EMR program,” says Barry Pope, IT Manager, Health Information Management Applications, at Tampa General. “We scan outside documents into the system, such as personal records, living wills, state regulatory forms, to keep them associated with the record.

“There’s a general lack of electronic exchange in healthcare, but that’s the normal state right now that they’re working to change. We add those external documents to our internal records because they’re part of our patient’s care.”

By using their access badge, the physicians in the hospital can go through a patient’s ongoing record by scanning a barcode.

“It’s a strategic advantage to our hospital,” Pope says. “There’s a regulatory impetus behind using electronic records systems; it’s better for patient care; it’s better auditing; legibility improves; and with the RFID cards accessing it, it’s just very convenient.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Many of the security screening standards in use today were put in place decades ago. They addressed the threats at the time and employed the security screening equipment that was available.