A great deal of attention is being paid to the driver license in countries around the world. In India, a project is underway that could eventually result in more than 100 million contact chip-enabled drivers licenses throughout the country. In South Africa, a 2-D barcode-equipped license is being issued to the 6.5 million drivers. And in the United States, legislation has been or is being considered in nearly every state and even at the federal level to strengthen the driver license.
Because of the worldwide redoubled efforts with regard to security, it would be logical to assume that all these efforts are geared toward curbing terrorism by making it more difficult for individuals to establish false driving credentials in a foreign nation. In reality, however, this goal is the major driver some, but not all, countries. Other factors-such as curbing government assistance fraud, maximizing fee collections, and monitoring the movement of individuals-are often the true goal.
Whatever the goal, a key component in nearly every attempt to strengthen the license is in the credential itself. Technologies, including advanced printing processes, biometrics, 2-dimensional (2D) barcodes, integrated circuit chips, optical storage, and more are being evaluated and used in countries around the globe.
If technology is one of the keys to strengthening the license, the other key is certainly the process. The process can be broken down into three areas: the manner in which license is obtained, produced, and authenticated.
How is the license obtained?
When an individual makes a request to obtain a drivers license, the most important part of the process is initiated. It is at this point that the ultimate security or vulnerability of the system is determined. Regardless of the strength of the credential’s technology or the vigilance of the later components of the process, fraud at this stage renders the rest meaningless. If an individual can fraudulently obtain a strong credential, the opportunity to do harm or to exist without being detected is enormous.
Key elements to strong processes at this stage include the acceptance of breeder documents, biometric authentication or enrollment of the individual, and staffing processes and controls.
Breeder documents as defined in a report from the U.S. Citizenship and Immigration Service are “documents used to obtain other documents. For example, a birth parentage certificate is a breeder document for a driver’s license.” The decision as to what breeder documents will be acceptable proof of identity in the process to obtain a drivers license is key to fraud prevention. If the security of the acceptable breeder documents is not solid, the security of the driver license too will not be solid. To use the old adage, the chain is only as strong as it’s weakest link.
The biometric authentication and enrollment of the individual is recognized more and more as a key to complement, and eventually underlie the process. Biometric authentication begins with the basic process of comparing the individual’s physical appearance to photographs and physical characteristics on breeder documents and external systems. It can extend from this basic visual check on through the electronic comparison of fingerprints, hand geometry, or iris scans from the individual to templates stored in peripheral systems at earlier points in time. Biometric enrollment describes the collection of a biometric from the individual for storage and association with the license record. While biometric enrollment may do little to stop a fraudulent issuance, it can serve as a deterrent and enable the identification of fraudulent license holders at a future point.
Staffing processes and controls are arguably the most critical points in the chain. In poorly staffed and controlled environments, the bribing of a person responsible for making issuance decisions can be the simplest means to obtain a credential fraudulently. Staff must be selected carefully, scrutinized closely, and dealt with swiftly and harshly if rules are broken. Control procedures similar to those employed by money handling organizations should be followed (e.g. separation of duties, multiple staff involved in the process, strict human and electronic oversight, constant inventory accounting).
How is the license produced?
The license must be produced in a secure manner that reduces, to the extent possible, the opportunity for fraudulent production and alteration of the credential. At the most basic component, digital printing on plastic can be a first step. Though it may seem shocking, the majority of the world’s driving credentials issued today are simply text on paper. In the U.S., the majority of states have been issuing modern ID cards for more than a decade. There are a handful of states, however, that only recently have moved away from paper-based licenses. Alaska is the last state that is still using paper-based licenses though they are expected to begin issuing digital driver licenses later this year. In many other countries, migration from paper credentials is still not occurring.
The inclusion of secure overlays, holograms, and other secure printing techniques can improve the process, though they cannot ensure authenticity alone. Equally critical are the more fundamental elements such as the secure storage of unprinted card stock and adherence to a well-defined process of internal controls (e.g. separation of job responsibilities across multiple individuals, accurate accounting of materials, strict human and electronic oversight).
One of the most significant factors that effects the security of the license issuance process in the U.S. is whether the license is printed centrally and mailed to the customer, or if it printed on-site at the various DMV field offices (via a process known as “Instant Issuance”). In a recent survey of 37 U.S. states and Canadian provinces, Root Resource found that roughly one-half of all jurisdictions use the instant issuance process. Between 20 and 25% of jurisdictions use the central issuance model, while the remainder use some combination of central and instant issuance. The report indicates that many jurisdictions using the instant issuance model are now looking at hybrid issuance systems to provide greater security for the issuance of documents to new applicants, while allowing existing motorists to continue receiving their documents on the time of application. ( 2003 North American DL/ID Report , General Document Issuance Practices , February 2004. Root Resource.)
How is the license authenticated?
This part of the equation is more difficult to control as the authentication of a credential is frequently a decentralized occurrence. In many countries, driver licenses are used as identification in all geographic corners of the country and by many different entities. In fact, the drivers credential itself frequently serves as a breeder document for other credentials. Thus the vigilance with which the license is authenticated often varies greatly.
Techniques to aid in this authentication include the visual information printed on the card, electronic data contained within the ID technologies used on the credential, as well as off-the-card system checks.
Visual information can include biometric indicators such as the individual’s photograph, fingerprint, signature, and physical descriptors (e.g. height, weight, hair color, eye color, age). Electronic data can include digital representation of biometrics including those described above as well as digital signatures or keys. Off-the-card checks can include verification of the data contained on the card or current check of the cardholder’s legal status. This can occur via a radio or telephone call or via a direct network connection to an external system.