Are there unphotographable, but scannable ID cards?

Question

We have a client who hosts an event, with a tight budget, that uses lanyarded Photo-ID cards with barcodes on them. The barcodes are used to gain access to various areas at the event.

We were thinking of proposing a hashed code (currently the IDs are sequential), but then it occured that it's pretty easy to 'swipe' a card with high resolution photography, and then overlay one's existing barcode with a printout of the swipe.

Bearing in mind that we are using ean13 scanners, and there really is a tight budget (so NFC is out for the time being) - would an overlay, such as red cellophane, serve any purpose in mitigating this specific kind of attack?

---

What actually happened

This being the most popular post I have ever written on SE, I thought I may provide you with some follow-up.

First of all, thank you all so much for your thoughts. It helped by providing us with a list of things not to do just as much as what to do, which was of great value.

What we did

Security was given access to cheap laptops with their EAN 13 scanners using a USB port. The laptops were signed in (under unique IDs) to our security app.

The IDs used were generated using a well-designed RNG (not by me, so details are missing here - but it met a bunch of tests) which bore no relation to identities. There were just over 2,500 attendees over several days.

We did not use anything to obscure the EAN 13: It was easy enough to duplicate them. However, that wasn't enough to gain entrance.

On presentation and scan, the software (linked to our own monitoring service) checked the existence of the ID (fail #1), as to whether or not the ID had already been used (fail #2), and then returned the identity details (photo, name, etc) of the individual for whom that identity was attached. This last depended upon human check, (fail #3).

We also had people attending who did not have a lanyard ("I lost it" / "I don't need one" / etc...) and they were deferred to a separate security building where they were issued their missing lanyard, after having provided an ID document (passport/license,etc.). As everyone needed an ID card - even VVIPs, there were no exceptions.

Social hacking attempts were made - but they failed.

Several VVIPs wanted their partners (unregistered) to attend and that was escalated to senior management where the decision was made) - about 50% of them were given new registrations and corresponding printed lanyards/IDs. About 50% were turned down.

Duplicates did happen - which surprised us. Where it did occur, it was easy enough to identify whether or not they were the person that the card had been issued to.

We also had cards from previous events. They looked different, and also their IDs were different. Some attendees had actually just brought the wrong lanyard - they were given a replacement at security. Others were turned away.

I have to say that the security staff were incredibly professional - and they were treated very well by the event hosts, with meals laid on, and a free drinks bar for security at the end of the event.

Access to the event was highly controlled. All entrances and exits, even if locked, where monitored.

What we didn't do

The security personnel were 100% trusted. There could have been an 'inside man/team' among them, but it would have been quite hard to orchestrate and we doubt that there would be sufficient motive. The security company had already performed vetting - and really wanted to win this work again for following years (as it had for previous years), so maybe there was much less risk there than I imagine.

What I learned

Defense in depth and real-life MFA were the two things I learned. Expecting a single part of the security system to be enough for the entire security system would have been an unnecessary mistake.

Low tech is good, as long as it's used correctly, and without any ridiculous over-expectations.

OMG look after the security staff well. Since they are our eyes and ears, we have every reason to keep them happy and loyal.

TL;DR

There is nothing wrong at all with unprotected barcodes as long as you don't expect them to do much. They were used for both security and comms, and (if we ever get back to non-lockdown events) we will probably introduce restriction zones also (which, apparently, was poorly done using an alternative system - not designed by our team).

Everyone was safe, nobody was hassled, and it was a very successful event.

Answer 1

Simple answer: No

If you can see it, you can photograph it.

There have been countless attempts over the years to solve this part of DRM and all have failed.

Instead of focusing on the barcode, have you considered making it difficult to copy the id card itself? So that security for each area can quickly check it isn't an overlay? For example a hologram over the barcode that the scanner ignores but a human can check, or a high quality plastic card with the barcode in the coloured coating - a guard can spot a fake overlay.

Answer 2

Simple answer is yes. Unfortunately I think you might be struggling to do so on a tight budget, barcodes can be printed using inks that are only visible under UV/IR light, so they aren't visible to the naked eye and can't be replicated without specialist equipment and inks.

Unfortunately the scanners that can read these codes aren't cheap and neither is the ink so unless you're going to be having more than a couple of thousand attendees the NFC route is going to be cheaper. And as the question indicates this isn't something you think they will pay for so that probably puts the "unphotographable" barcode solutions out of your price range.

Answer 3

While a simple red cellophane does little to hide the barcode, you could apply multiple colors to hide the barcode from human eye. If the barcode scanner only uses a single wavelength (such as red), it will see the colors differently than a human or a color camera.

This would be more difficult to photograph and print successfully, because cameras and printers will blur the colors more easily than they would blur a black and white image. Further, you could experiment with making the foreground and background some kind of random pattern, so that it is not obvious that it is a barcode at all.

For example, you replace black with blue and green, and white with red and orange:

To a red-light barcode scanner, this should appear like a normal black and white barcode. But I expect it would be more difficult to copy successfully.

---

Theoretical background: The human eye is most sensitive to brightness variations, and less sensitive to color variations. Most of our equipment, such as cameras, printers and image formats reflect this, and methods such as Chroma subsampling and Bayer filter are in common use. But a scanner at a single wavelength is completely insensitive to brightness variations in other colors, and very sensitive to color variations that affect the amount of red in the color.

Thus the pattern should be designed so that it has a lot of brightness variation to make copying difficult, while keeping the brightness seen by scanner the same. One way to do this in image editors is to separate red/green/blue channels and only edit the green and blue channels.

Answer 4

The cheapest solution for your situation in this case is utilising the human security guard to do photo check. Use the barcode tag to quickly lookup the user's record from the participant database, the database should store participant's photo and the guard should check that the participant that presented themselves match the photo on the database.

The barcode in this case should not really be considered part of the security, it's just a quick way to lookup database records, so it doesn't matter if it gets copied. The real security comes from the photo matching. Obviously, you can't really enforce security on self scan spots in this case, which is the main weakness.

Answer 5

You can’t, because as long as both a human and a barcode scanner needs to be able to see the whole thing, so can a camera and copier.

A barcode is no different than printing a string of text, except a machine can read it faster. Security-wise it adds no protection.

This issue might not be part of the threat model — have you checked that?

Answer 6

Is NFC really too expensive? I found a 50-pack of MiFARE NFC stickers for $13.20, making them < $0.27 per attendee; if you plan on 500 attendees, that's $132 which really isn't that much in the scheme of a catered event of that scale. If you can manage to swing $0.89 per attendee, you can actually get inkjet-printable MiFARE cards, saving the step of printing and separately applying a sticker (though you'd have to have a flat-paper-path printer that the cards could be fed through).

Since NFC can't be photographed, it can't be easily duplicated, but tags are easily read by any smartphone and a variety of other devices, and are often less finicky. For example, if the badge is in a plastic holder, a barcode scanner might pick up too much reflected ambient light to be able to read the barcode, and the person would have to tilt it this way and that (pausing a bit each time to give the scanner time to focus), hoping to reduce the glare enough for the scanner to read the code; with NFC, just pressing the card against the reader and maybe wiggling it around a bit until you hit the sweet spot. By the 10th or 15th scan, the security person should have a pretty good clue where the sweet spot is and be able to scan almost instantaneously from there on out.

EDIT1: Even basic, cheap non-cryptographic NFC tags programmed with simple ID numbers are more difficult to duplicate -- you need to either have close proximity access to a tag (generally less than a foot). This makes them significantly more difficult to clone than a barcode that can be captured by a decent camera from several feet away or across the room or further with a good DSLR and zoom lens. Optimum read range on NFC chips is based on the loop antenna radius of the chip: the radius divided by ~1.414. On a 2"x3.5" NFC card the radius can't be more than 1 inch (2.54cm) since the loop's antenna can't be more than 2 inches in diameter, giving us an "optimum" read range of just under 2cm (less than an inch). Even with a powerful reader, I seriously doubt you're going to be able to read the tags at distances greater than a foot.

EDIT2: As @Falco pointed out in the comments below, if you print a barcode on the badge too, a potential ne'er-do-well might not even realize there's an NFC tag and attempt to just clone the barcode... but of course their counterfeit badge wouldn't scan with NFC, exposing it as a fake.

Answer 7

Not sure how you are planning to carry the id cards, whether hung directly from the lanyard with a simple hole punched through the card or if in a carrier or plastic wallet hung from the lanyard.

If you use the clear wallet style of carrier you could have something printed, or a sticker applied, on the outside that covers the area of the barcode but leaving the photo and other identifying information visible to human readers, make sure this is on both sides if there in case the card is placed in the carrier reversed. This would mean a 'drive by' photo of someone would not reveal the barcode at all. The card would have to be removed, or moved within the carrier, for scanning the barcode however.

If using a more substantial plastic carrier print the barcode on the reverse of the card ensuring it is obscured from view while in the carrier.

Answer 8

One thing you could do that's been a staple of anti-counterfeiting for millenia is to introduce a deliberate flaw into your barcode that causes it to read, for example, the last two characters "incorrectly." Make it look like an accidental misprint of the card.

You then instruct your scanner/software to ignore the error and pass you the data anyway, leaving out the invalid bits.

Someone forging cards will likely assume that their photograph was imperfect or that they got a smudged card and manually correct the "error".

Your software can then notice that it's being sent the "this card is a forgery" code and alert security.

This is not the best security mechanism as it depends on an attacker both not knowing what you're doing and not just blindly copying the card without checking that it printed correctly.

Pair this with some kind of watermarking. Either a literal watermark if you're using a paper card, or say stamping all the cards with an additional code that only shows up under UV light.

If you stamp on a QR code, building a scanner that consists of a box with a slot in the front containing a camera and a UV lamp would be the work of an afternoon. Pipe it to the QR reader program of your choice. As long as you manage to keep the presence of the watermark a secret it should be nearly impossible for anyone to forge a card.

Answer 9

Yes, there is a way to do it*

Use fluorescent materials for the barcode itself, making it so that duplication cannot be done by photograph without ruining the duplicate's "invisibility", which distinguishes fakes. Modern ID cards use this.

*This only works for polycarbonate cards, not PVC. Unfortunately, this may not fit your client's budget.

Answer 10

How about if the first time they're scanned in at the door by a human, the security person (i.e. scanner) checks the photo to make sure it matches the person with the badge. If it matches, the security person puts on one of those inexpensive tyvek wristbands of a specific color. These are often used at amusement parks, ball games, etc. to indicate specific access levels, age qualifications, etc. This would at least prevent unauthorized people from getting into your venue in the first place.

These wristbands are one-time use, and are very difficult to take off and put on someone else without noticing that they've been removed. If you keep secret the "wristband color of the day", or get some specially made with a specific color or colors, then they should be fairly secure from copying. I also believe that these are typically rather inexpensive in bulk.

Though in general, if security is this critically important at this event, then security should have been allocated enough funds up front to support its importance and value.

Answer 11

I know I'm late to the game, but here are two suggestions from me:

1) Make the barcode really small, just big enough to be picked up by the a barcode scanner. This makes it difficult (but not impossible) to take useable copies with a camera without making it obvious that you're trying to do it.

2) Split the barcode in two pairs (for instance, just every other bar) and print one half on the ID card, and one half on a transparent overlay -- you would then have to manually align the two halves to make a useful barcode. This makes it more tedious to actually use, but makes it unlikely that the parts will line up while dangling on the lanyard (especially if you make the transparent part with a different balance).

You can of course combine the two approaches.

Answer 12

Easy solution: Print the barcode on the lanyard and not on the badge.

Everybody can print out a Photo-ID made out of paper with a barcode. It is rather complicated to print a barcode on a lanyard with your home printing equipment.

If your PhotoID looks something like this:

It is very hard for a guard to tell if this barcode is the real deal or just a printed and glued on version of the barcode. If your event is attended by 300+ people, it gets very tedious to check these things. The bigger the barcode the better. If you are planning to use PhotoID that are made out of paper then it becomes impossible to tell if a printout is real or fake.
If the barcode is on the lanyard it is extremely easy for the guards to tell if this is fake or real. But keep in mind this is by no means a failsafe method. It is really a "we have no more money left" control, and not something you should rely on.

Answer 13

While not a complete solution to the problem, you can make life slightly more difficult by including the EURion Constellation on your cards. This may be used in conjunction with other approaches.

EURion constellation is a pattern of symbols incorporated into a number of banknote designs worldwide since about 1996. ... [It] consists of a pattern of five small yellow, green or orange circles, which is repeated across areas of the banknote at different orientations. The mere presence of five of these circles on a page is sufficient for some colour photocopiers to refuse processing.

Answer 14

While it might be simple to take a photo of one side, it's much harder to capture both sides in a casual attack. You can do various things to build on that idea, depending on the event.

• Unique barcodes on each side, attendee puts card between two readers
• Barcode on one side, human-verifiable information on the other. Manually compared against account.

---

Or you could add a second factor. Send the participant a registration SMS when they first scan in, that captures their beacon with the local wifi and then you can do approximation checks every time they scan in the future. If their phone isn't where it should be, block access and send another SMS-link. You could two-factor all the way, but you'd probably want an app to provide a quicker notification.

---

Or you could just obscure the barcode entirely. Your idea was red cellophane... Why not just a blackout cover? This could be as dirty as a postit or some high-tack tape, or as pretty as a sleeve that only obscures the barcode.

Answer 15

As stated in other comments, it is unclear what the threats you are facing are. If you are purely worried about people photographing the identification, just do something so that the natural physical state of the pass obscures the barcode. For example, you can distribute the passes folded in half (the lanyard can help keep it in half) and the bar code can be on the inside. When people go to scan them, you can have security 'unfold' the pass to reveal the barcode. Or you can have people wear ID's but carry a bar-coded card in their pockets for entry.

Answer 16

Theoretically you can print in something polarised. Then view it with polarised light or through a polarised filter. Not necessarily cheap though.

Presumably you can choose linear or circularly polarised in order to avoid any filter that might typically be in a common camera.

Answer 17

Strictly speaking, there isn't. If the scanner can read it, it can be recorded and reproduced. But that doesn't tell the whole story.

Although cameras and screens/printers these days are pretty universal, they can't capture and reproduce every single color. There are actually colors that the human eye can see, but which are difficult to capture on camera, display on screen or print on paper:

Some simple examples include fluorescent colors, actual fluorescence triggered by a certain color light emitted by the scanner (for instance, green plants glow orange under UV light), non-visible colors like UV or infrared. You could also go the reverse way and include features that are visible normally but invisible to your scanner, for instance perhaps part of the barcode is sandwiched between sheets of paper and which becomes properly transparent only under your scanner. Many banknotes incorporate such security measure based on transparency, special dyes and paper, glowing/hologrammed elements and so on.

This doesn't mean your card is unphotographable, since obviously your scanner can detect it - an adversary could build a similar device and record your card. But it does mean that readily available consumer cameras won't be able to, so the adversary will have to obtain specialized equipment (which may not even be legal to purchase) or even build their own device. Similarly, reproducing will also be a challenge. If you use a color outside the CMYK space they can't print it, and if outside RGB their phone screen won't show it. Again, they can obtain or make specialized screens/papers that can do it (after all, whoever made your legitimate ID cards was able to) but it will be harder. Not to mention it will be easier for law enforcement to find them, because not many people would have such specialized equipment with no good reason.

Really the ideal solution here is to just use RFID chips with encryption. Few people have the technical skills to reproduce those, and even if they do, they won't be able to easily find out the encryption key in the chip. As a lower cost option, magnetic cards should be cheaper, those can be easily cloned but it requires equipment. The time tested physical access control solution is of course a plain key (also not so simple to copy). Or you could just forget it all and go with memorized passwords.

If you really have to use the scanners, I would either look into fluorescent ink, or printing on some material that doesn't look right except for a specific wavelength (which the scanner would presumably provide. But it's hard to be more precise without knowing what your scanner is.

Answer 18

If you can ensure all barcodes are printed at the exact same spot, you could modify the slot of the barcode reader to position the ID exactly with something covering the borders. So if someone tries to print a photo but it is slightly off-center, the barcode wont be read.

However I would suggest that the reception do not have such thing, and just the ones with sensitive data. This way a "cheater" gets in thinking it worked, then he is stuck inside when trying to pass thru restricted areas. Depending on the person, it would be risky to go out and try to get it fixed and reveal their intention. If he gets blocked before entering the "common area", they might have a chance to fix that and try again with another person.

Answer 19

I think you are too much focussed on copying the barcode. The correct way to do this is to issue an unique ID to each and every visiting person and keeping track of that ID, checking it in to (and possibly out of) the different venues. If an ID already is inside a venue then entry would be prohibited. There still is the possibility that a visitor gains entry with a copied barcode before the rightful ID owner. But in such a case the rightful owner could prove that he is the rightful owner of the ID by means of some type of receipt. You could then invalidate that ID in the computer, thus locking out the copied ID form further attendances.
But is this worth the effort? What harm is done by a few unrightful visitors? The best security measure might be just to tell people there is a security measure to prevent fraud. "Please note that we will keep track of issued IDs and should we find that somebody has gained unrightful entry we will have our security guards take care of him until the police arrives" or similar might just do it... :-)

Answer 20

If protecting the guard-supervised access points is enough, how about two-factor authentication on the cheap? Along with the ID card, hand out a plastic token, casino chip, rubber ducky or other trinket that cannot be obtained quickly by would-be gatecrashers.

It should have a hole or other way to attach to the lanyard, otherwise you'll have people losing or "losing" it right and left.

Answer 21

It actually is not THAT easy to photograph without at least the wearer noticing it if the barcode is sufficiently small (think about the height of 8pt or 6pt lettering...)

Let's assume we are talking handheld mobile phone cameras here, no high-end (dual lens) phones, clip-on teleconverters, professional/enthusiast grade cameras, optical zooms, RAW processing, or tripods involved. Someone affording all that bother can probably afford to pay your tickets.

Let's assume a 12MP phone camera, yielding an effective resolution of 2000 pixels on the longest side of the photo. Not 4000, there will be either aliasing or antialising in your way once you try to faithfully reproduce structures smaller than 2 pixels.

In many cases, you can again halve the effective resolution available for exact reproduction due to the image being automatically postprocessed by the phone firmware to correct for lens defects, especially in off-center parts of the image. Pixels get bumped off their raster to do that....

Let's assume a standard phone camera lens, which will be a 24mm or 28mm equivalent wide angle with no optical zoom, so increasing magnification will not give you extra resolution.

If your barcode would need 100 pixels resolution to work, that would mean someone would have to photograph it in a way that it fills 1/20th of the frame, and would have to do so without introducing perspective distortion, shake, other errors...

A 1cm long tiny barcode would merely fill 1/100th of the frame width snapped with an 28mm equivalent lens from a distance of 1 meter.... or 1/50th if somebody came up to someone at half a meter distance, probably getting told off for encroaching.