ID proofing systems that read electronic Machine Readable Travel Documents (eMRTDs) such as ePassports, electronic identity cards (eIDs) and electronic residence permits are systems that banks depend on to correctly identify the customers making transactions. The eMRTD inspection applications are built and configured so that verification runs smoothly. However, criminals can use manipulated documents to falsify identification information and pose as someone else. How are these inspection systems verified to determine whether they actually work correctly?
Who needs an eID proofing application?
Several parties depend on eID proofing applications working properly for every individual in an identification session. Banks and other organizations must be able to ensure that every system in use correctly reads and verifies the eID. Banks rely on proper identity verification to ensure that a customer is who they claim to be when making a transaction.
The primary security concern is that an eID proofing application must not allow anyone holding a forged or defective identity document to commit identity fraud. Allowing this to happen can create liability as well as a brand protection issue. With concern over this type of fraud growing recently, there is heightened awareness that eMRTD inspection systems (eMRTD-IS) are not always properly tested and do not always function correctly.
Recently it was made public* that Automated Border Control kiosks in the US, which also use eMRTD inspection systems, have not properly verified passports in over a decade. They do not authenticate the cryptographic signature on the data stored in the ePassport chip (the check known as passive authentication), and as a result cannot detect whether the information on the chip is fraudulent or has been tampered with. The same issue is likely to be found in other verification systems, such as those used in banks or government facilities. Proper testing of the kiosks would have brought this to light much earlier, and periodic retesting (e.g. after a software or firmware update) helps ensure that documents are inspected correctly over the lifetime of the system.
A Frontex (European Border and Coast Guard Agency) technical report from the end of 2014 states: “The performance of technical equipment shows a degree of variability, indecision, and inconsistency, with errors happening when optical authentication is performed, as well as problems with electronic authentication resulting in a number of false documents being incorrectly accepted as genuine (and ceteris paribus, genuine documents being rejected as false).”
Our experience with eID proofing applications that inspect eMRTDs such as ePassports, eIDs, eResidence Permits and eDriving Licenses is that implementing the application, including the (automated) interpretation of the inspection verdict, is more complex and error-prone than expected.
Testing is the answer
To ensure that eID proofing systems perform trustworthy inspections, our advice is first to obtain a clear picture of the eID solution as deployed. Responsibilities for system configuration and maintenance should be clearly defined, including who executes these activities and how often. Control over configuration, software updates, firmware updates and patches should be in place.
We commonly see that only basic tests are executed against these systems, with a handful of real documents. Real documents cannot be modified, so they cannot challenge the system with the more complex cases it will encounter in a fraud attempt, such as chip data that has been altered or that carries an invalid signature.
Our testing procedure uses tooling that supports a customized approach capable of locating eID proofing application faults that cannot be found when testing with real documents. Because our test team can see the traces of the communication between the document and the inspection system, issues can be found and reported quickly. Testing these applications has improved the quality and dependability of inspections and helped establish trustworthy identity verification procedures.
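To make concrete both what the kiosks above were missing and what a test tool with manipulated documents can exercise, the following is an added example (not code from this page's authors or from any product) of the passive authentication check an eMRTD inspection system must perform, run against constructed test documents. It assumes a deliberately simplified model: the Document Security Object (SOD) is reduced to a list of data group hashes plus an ECDSA P-256 signature rather than the real CMS SignedData structure, the document signer key is taken as already validated against the issuing state's CSCA (the certificate chain check is omitted), and the data group contents, the MRZ strings and all function names (IssueSOD, PassiveAuthentication, InspectWithoutPA, RunScenarios) are invented for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DataGroups holds chip data groups keyed by DG number (DG1 = MRZ, DG2 = face); samples below are constructed.
type DataGroups map[int][]byte

// SOD stands in for the Document Security Object: a hash per data group plus the document signer's signature over the hash list (a real SOD is a CMS SignedData structure carrying the DS certificate).
type SOD struct {
	Hashes map[int][32]byte
	Sig    []byte // DER-encoded ECDSA signature
}

// hashListDigest encodes the hash list in fixed DG order and digests it, so signer and verifier agree on the bytes.
func hashListDigest(h map[int][32]byte) [32]byte {
	var buf bytes.Buffer
	for n := 1; n <= 16; n++ {
		if v, ok := h[n]; ok {
			buf.WriteByte(byte(n))
			buf.Write(v[:])
		}
	}
	return sha256.Sum256(buf.Bytes())
}

// IssueSOD is what the issuing state's document signer does at personalisation.
func IssueSOD(dgs DataGroups, signer *ecdsa.PrivateKey) (*SOD, error) {
	sod := &SOD{Hashes: map[int][32]byte{}}
	for n, content := range dgs {
		sod.Hashes[n] = sha256.Sum256(content)
	}
	digest := hashListDigest(sod.Hashes)
	var err error
	sod.Sig, err = ecdsa.SignASN1(rand.Reader, signer, digest[:])
	return sod, err
}

// InspectWithoutPA is the failure mode: the MRZ is read and used, nothing is authenticated (nil = accepted).
func InspectWithoutPA(dgs DataGroups) error {
	if _, ok := dgs[1]; !ok {
		return fmt.Errorf("DG1 (MRZ) missing")
	}
	return nil
}

// PassiveAuthentication is the missing check (nil = genuine). trustedDS stands in for the document signer
// certificate after validation against the issuing state's CSCA from the trust store; that chain check is omitted.
func PassiveAuthentication(dgs DataGroups, sod *SOD, trustedDS *ecdsa.PublicKey) error {
	digest := hashListDigest(sod.Hashes) // 1. the SOD signature must verify under the trusted DS key
	if !ecdsa.VerifyASN1(trustedDS, digest[:], sod.Sig) {
		return fmt.Errorf("SOD signature does not verify under trusted document signer")
	}
	for n, content := range dgs { // 2. every data group read must be covered by the SOD and hash to its entry
		if want, ok := sod.Hashes[n]; !ok || sha256.Sum256(content) != want {
			return fmt.Errorf("DG%d not authenticated by SOD (missing or hash mismatch)", n)
		}
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err) // acceptable in a test harness, never in inspection code
	}
}

// RunScenarios builds a genuine test document plus two manipulated variants and records each routine's verdict (nil = accepted).
func RunScenarios() map[string]error {
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	forger, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	genuine := DataGroups{1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"), 2: []byte("<face image>")}
	altered := DataGroups{1: []byte("P<UTOSMITH<<JOHN<<<<<<<<<<<<<<<<<<<<<<<<<<<<"), 2: genuine[2]} // MRZ edited
	sod, err := IssueSOD(genuine, issuer) // the real SOD, still present on the altered document
	check(err)
	resigned, err := IssueSOD(altered, forger) // consistent SOD, but signed with the forger's own key
	check(err)
	return map[string]error{
		"genuine/PA":   PassiveAuthentication(genuine, sod, &issuer.PublicKey),
		"altered/noPA": InspectWithoutPA(altered),
		"altered/PA":   PassiveAuthentication(altered, sod, &issuer.PublicKey),
		"resigned/PA":  PassiveAuthentication(altered, resigned, &issuer.PublicKey),
	}
}

func main() {
	for name, v := range RunScenarios() {
		fmt.Printf("%-12s accepted=%-5t %v\n", name, v == nil, v)
	}
}
```

The two manipulated documents are exactly the cases a test with real documents cannot produce: an MRZ edited after issuance with the original SOD left in place (caught by the hash comparison), and a clone whose SOD is internally consistent but signed with a key the inspection system does not trust (caught by the signature check). An inspection routine that only reads DG1, as the kiosks effectively did, accepts both.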
After an initial review of the system to obtain a clear picture of the deployed eID proofing solution, including its maintenance and the responsibilities for system configuration, testing can start.
The eID proofing solution should be tested against the applicable inspection standard (for eMRTDs, ICAO Doc 9303) or, where needed, against local extensions to it. Retests should be executed whenever the system changes. Proper training of the employees who perform the authentication procedure for customers helps ensure that they follow the correct protocols and do not overlook fraudulent clients.
Note that this testing is also very effective at acceptance of an eID proofing solution, since it shows whether the solution's responses match the security requirements for proper identification.