Currently, the number of processes that have been digitalized has increased exponentially thanks to technological improvements and the ease of access to the internet, smartphones, tablets, and computers. Numerous processes can be carried out virtually: opening bank accounts, applying for aid or government procedures, signing new insurance policies, telemedicine, etc.
As a result of this digital shift, the need to generate the same degree of certainty around identity in the virtual world as in the physical world has arisen. For this reason, we have seen the proliferation of solutions on the market that offer remote identity verification processes. Solutions in which validating the authenticity of an identity document and verifying that the person who carries it is the same person who appears on the ID document is critical to ensure that the person we interact with digitally is whom they claim to be.
But this increasing openness to the digital world has also increased the risks associated with fraud. Fraud whose origin (voluntary or involuntary) and object (identity documents or physical traits) can be diverse and for which not all solutions are equally robust when it comes to detecting and preventing it. In fact, the European eIDAS regulation on electronic identification and trust services stipulates in Article 24.1 that biometric methods must “provide security equivalent in terms of reliability to physical presence.” And how can a remote process based on the capture of evidence with a mobile device achieve the same level of robustness as a physical process?
This article will delve into what is considered one of the most critical moments of a Digital Onboarding process: the verification of identity documents, passports, or driving licenses.
Capturing and validating identity documents: a decisive moment
At a time when the media focus is being placed on the impact of advanced technologies such as deepfakes, when speaking about fraud, it is essential to remember that most fraud cases that we encounter in Digital Onboarding processes take place in the identity document verification phase. Therefore, we must demand technology manufacturers to be very effective in detecting and preventing document forgery in any of its forms and methods. There will be no adequate biometric verification without robust document validation.
It is worth remembering that any validation of identity documents will depend mainly on three fundamental aspects: the technology used to capture it, the device’s characteristics that capture it, and the level of security of the document presented.
- The technology used to capture: the technology to capture an ID Document can be performed in a web or native (iOS & Android) environment, the latter offering a higher level of security. This gain is due to the restrictions imposed by web technology regarding the use of flash (Veridas proprietary technology), capture resolution, camera focus control, etc.
- The device’s characteristics: there are many devices on the market, from high-end devices, with higher camera performance, to mid-range and low-end devices. The lowest level is a laptop camera, which generally offers feeble image resolutions (VGA or HD). Finally, it is essential to consider whether the mobile device provides NFC (Near Field Communication) reading, allowing the data included in the chip to be compared with the data printed on the identity documents.
- The document itself: there are documents with a higher level of security than others, from very advanced documents (e.g., DNI in Spain or Cédula de Identidad in Uruguay) to documents with hardly any security measures and in paper format (e.g., Identity Card in Italy). Therefore, the more security measures an ID Document implements, the more reliable its digital verification can be.
Assuming these necessary conditions when assessing the robustness of a Digital Onboarding process, the most common attacks when we talk about identity document verification can be separated into three main categories. We have ordered them from the easiest to the least easy to carry out:
- Presentation of documents on invalid media: photocopies, scans or photographs, printed or in digital format, of authentic documents.
- Presentation of manipulated documents: original documents whose data have been modified, physically or digitally.
- Presentation of false documents: documents that have not been produced or manufactured by the government entity associated with the issuing country or region.
First category: documents on invalid media
A physical manipulation of an ID document requires the fraudster to have a physical document, either his own to modify or one of the individuals he is impersonating. In most cases, this poses a challenge, as obtaining someone else’s document makes impersonation difficult.
In contrast, the most accessible form of impersonation is by presenting original documents on an invalid medium, i.e., by showing a photograph, photocopy, or scan of the person’s ID Document to be impersonated. This typology is categorized into two different methods for which Veridas has developed specific algorithms for their detection: Replay Attack or Print Attack.
- Replay Attack consists of displaying an identity document on a screen based on a photograph or scan of the original document.
- Print attack consists of displaying a printout of the original identity document after it has been photographed, scanned, or photocopied. These prints can be made through a generic printer, on paper, or high-quality polycarbonate prints.
Although these attacks in a physical environment (branch office, office, etc.) are relatively easy to detect by the person in charge of supervising the process, in a digital environment, it is not. This determining factor makes it the most common type of attack among all those mentioned, mainly because it is easy to perform.
It is important to emphasize that this type of attack cannot always be associated with fraud attempts: if a user does not have his physical ID Document but does have a photograph or scan of it, he could try to perform the remote onboarding process with this digitized sample and, although it is not an identity theft or fraudulent process, it is still a situation that must be detected and rejected.
Second category: manipulated documents
Manipulation of documents consists of changing the data of the physical ID Document to falsify vital or limiting information in a Digital Onboarding process. Any type of information can be modified, from dates, names, and identification numbers, to barcodes, photos, or MRZ (Machine Readable Zone).
Manipulations of documents can come in many different forms, from chemical and more effortful modifications to more obvious and detectable ones. Most of the manipulated documents presented in Digital Onboarding processes do not have the necessary recurrences in the data present (e.g., logical sums of the MRZ) or sufficient security measures, which allows them to be detected directly by an automatic system, based on artificial intelligence, such as Veridas.
In this sense, the best tools to detect this type of attack are the use of recurrent information in the documents, the application of specific security measures for this attack, and the analysis by Artificial Intelligence algorithms that can identify the security measures present in the ID Document.
One of the most critical security aspects is the MRZ code, which is an area in which machine-readable information appears and is more reliable than the visual information present in the document. This area follows a standard defined by the International Civil Aviation Organization (ICAO) and usually consists of two lines of information, in the case of passports, or three lines, in the case of identity documents. In addition, the MRZ code includes several checksums of the numeric fields present, such as dates or identification numbers, to verify that the data present are authentic. Some of the manipulation attacks usually do not consider these checksums, so it is possible to detect them by identifying these inconsistencies in the data.
Another of the most common cases is photo impersonation. This case occurs when a user has the physical identity document of the individual to be impersonated, which may be an old document, an invalid document, or, in some other cases, a damaged document. To successfully “fool” the system, the user must make the biometric process identify him as the same individual, so the fraudster usually tries to superimpose a photograph of himself over the authentic document, as seen in the following example. This is why it is critical to detect this type of manipulation before moving on to the next steps of Onboarding.
Finally, the most robust method to prevent this type of fraud is by reading the NFC chips that are increasingly present in more and more identity documents worldwide. These chips, whose scanning is done through NFC reading technology, contain the information present in the document (biometric content and main data of the document) encrypted and digitally signed by the issuing state, which makes it completely impossible to be modified by the person trying to manipulate the document. A correct comparison between the data stored on the NFC chip and the data on the document makes it possible to detect this type of fraud effectively. It is worth remembering that this technology is only available in native environments (iOS and Android), as the web environment does not yet allow it to be read.
Third category: false documents
As described above, a document is considered fake when it has not been produced or manufactured by the government entity associated with the issuing country or region. This supposed document will attempt to imitate, with more or less success, the properties of an authentic document: security measures, colors, backgrounds, typographies, or emblems, among others.
Although this type of attack is usually more challenging to identify in physical processes, due to the high precision of some of these imitations, counterfeit documents typically fail to recreate NFC chips because, as mentioned above, these are encrypted and digitally signed by the issuing state. Therefore, a correct reading of the NFC is a very effective measure for its prevention.
Another appropriate way to prevent the impact of the appearance of false documents is using solutions to detect duplicate identities. These solutions are based on the application of 1:N facial biometrics algorithms, capable of comparing, in the case of Veridas, one face against a million faces in less than a second. By applying these solutions within a Digital Onboarding process, we could detect whether the person trying to sign up is already in the customer database or a database of “forbidden identities,” preventing fraud before it occurs. Also, we could apply this solution to the existing customer base, detecting duplicate identities that have been previously registered. This is possible because Veridas can perform identification or clustering on databases of more than 13 million identities with his state-of-the-art deduplication software.
In addition, this measure is incredibly convenient if we consider that NFC reading is only available in native environments and, therefore, we would not be perfectly covered in web environments.
Veridas, a safe bet against fraud
At Veridas we have bet, and continue to bet, on the development of leading technology, based on artificial intelligence and deep neural networks, capable of verifying identity documents, accurately declaring whether the evidence presented in an onboarding process corresponds to an authentic document or not. In fact, Veridas deploys more than 30 proprietary artificial intelligence algorithms for each ID Document it verifies, extracting, and analyzing all data contained in the visual inspection zone (VIZ), machine-readable zone (MRZ), barcodes or QR codes, and NFC chips.
In addition, as already mentioned, we have state-of-the-art security measures capable of detecting photocopies (print attack), screen attacks (replay attack), and manipulated or forged documents. All this is under a controlled and guided capture process, which includes a self-classification of identity documents, favoring funnel conversion—one of our obsessions, along with security.
Finally, our Digital Onboarding process, capable of verifying more than 400 identity documents in 190 countries, is connected to PEPs (Politically Exposed Person) and AML (Anti-Money Laundering) databases based on the information extracted from the document. This information can also be contrasted with government databases from countries such as Spain (Secretaría de Estado de Digitalización e Inteligencia Artificial), United States (AAMVA), Peru (RENIEC), Mexico (INE and RENAPO) or Colombia (REGISTRADURÍA) among others.
Every step of a Digital Onboarding process is critical to be genuinely reliable. That is why employing the best technology is vital. Document verification is not a commodity, nor are all onboarding providers capable of doing it excellently. Trust only the best. Trust Veridas.