5

Given that it's possible to fake ID cards and fake social security numbers are created, I need to ensure that all users of my site are US or UK based citizens, and don't have more than one account.

A few examples where one human may have more than one identity would be

  • Getting married (name changes, SSN stays the same)

  • Dual citizenship (how do I normalize accounts where a user is active in both countries)

  • Hackers (the bad ones) that exploit flaws in creating fake IDs and assume the identity of a fictional, or dead persona, or even steal the ID of another user.

  • Previously hacked identities, not yet discovered to be stolen

Question

  1. Is it possible to outsource the verification of these tasks with a high level of certainty?

  2. What level of theft/duplication must I accept?

makerofthings7
  • 1
    What level of assurance are you looking for? "High" is a relative term. For example, WITSEC is by design difficult to correlate new identity with old identity, so a high level of assurance here is *much* greater than say a high assurance by correlating identity based on name and street address. – Steve May 18 '13 at 23:35
  • @SteveS The cost of a duplicate account per human would cost my company 10,000 to 100,000 per incident over the span of 10 years. I need to extrapolate this cost by possible transgressions. How much duplication (fraud) is possible with each assurance qualification? – makerofthings7 May 18 '13 at 23:38
  • Fingerprints? DNA? – David Houde May 19 '13 at 05:02
  • 2
    I don't see any reason for a down vote.+1 from my side. It is a good question – Shurmajee May 19 '13 at 10:27
  • @MayankSharma You have read and answered this question more than 1 hour ago, yet you only realized it's a good question and upvoted it _after_ you saw a downvote. So do you really think it's a good question or is just to take revenge on the downvoter? "Yeah, I'll upvote that question. That'll show that downvoter". (NB: I don't think the question is bad. Also, I'm genuinely interested in your response) – Adi May 19 '13 at 10:37
  • @Adnan yes you are right but it is not a revenge. I did not feel like giving it an up vote initially but after seeing the down vote I thought it is unfair because the question talks about a real world problem in identity management. So I up voted the question. I am sorry but I do not see anything wrong with that. – Shurmajee May 19 '13 at 10:46
  • @MayankSharma Oh no, not at all. I'm not even remotely in a position to judge what you did or didn't do. I'm just interested. – Adi May 19 '13 at 11:08
  • Makerofthings - you can assume that government-created IDs would be indistinguishable from real IDs. What is the likelihood of someone living under witness protection using your site? – Deer Hunter May 19 '13 at 11:27
  • @DeerHunter Someone under Witness Protection is something I'm less concerned about, but am more interested in understanding how much duplication could be seen in the worst case scenario. – makerofthings7 May 19 '13 at 15:52
  • In the worst-case scenario (your account creation routine being hacked) you'll be inundated with fake accounts through one or two fraudster groups, if a substantial part of the benefit (of 10k to 100k) can be converted to cash quickly. – Deer Hunter May 19 '13 at 16:02
  • CIA- and MI6-agents always have at least one 2nd identity. Double agents even have a 3rd. And all of their IDs are a legal fake. – ott-- Dec 24 '15 at 18:16
  • This is a classic problem where you need to think of the threat model. You say that it'll cost your company 10 to 100 Gs over 10 years. But what's the incentive to the attacker? Are you trying to do this over the internet, in person, what? You're trying to make this into a generalized question, but it's anything but. The way you perform your authentication can't be separated from the why. You're losing a huge amount of answers by making this into a generic rather than specific question. – Steve Sether Dec 24 '15 at 20:06

4 Answers

6

An interesting question and I don't think there's one good answer to it. I'd say you could address this by a combination of measures. Essentially no one measure can stop the fraud but using a combination you should be able to reduce the incidence of fraud to a potentially acceptable level.

  • Request proof of identity and address. The standard for this in the UK is scanned recent physical documents. Of course these are forgeable but that's a first step
  • Verification of the address. Send a physical letter with a one-time code to the address and require that that is entered into the application. This provides some level of proof that the identity claimed is resident at that address.
  • Credit check the identity at the claimed address, and reject low or no scoring results. This check provides some proof that the person at the address, has been resident there for a period of time. Also will provide indicators of fraud. Also if someone hasn't used an identity for a while (e.g. name change on marriage) this would show on the credit check.
  • That leaves you with scenarios like family members at the same address. I'd say that checking that either needs an in-person check or perhaps using a phone call to catch out the person (i.e. if you phone and ask for the putative customer, when they know nothing about the application that's a fair indication there's a problem :) )
  • If you really want high level assurance and the profile of your customers is such that they would accept this kind of checking (I'm thinking something like high-end private banking), you could have an in-person meeting and as @david-houde mentions above gather a biometric identifier that can be compared against future registrations.
Rory McCune
  • +1 For the credit check. Great way to verify the residence address. – Adi May 19 '13 at 10:42
  • @Adnan Credit check only works if the person is still "on the grid." For instance if you lose your job and are self employed and move somewhere (in with family), but do not start new service that requires a credit check (activation of utility), your credit will likely not be updated to reflect the new address. – AbsoluteƵERØ May 19 '13 at 15:17
  • 1
    @AbsoluteƵERØ yeah that's why for this question I recommended rejecting people who no-score on the Credit check. Loses you customers but helps avoid fraud :) (although you don't just lose "off the grid" people, in the UK they're really slow at adding new estates, so people in new houses get it too) – Rory McCune May 19 '13 at 15:23
  • In the US if they're still paying their existing bills (credit cards and car payments) they may still have a good credit score. The only thing that changes residence is filing for new credit with a new address. Even changing a mailing address can be considered temporary here, so it may not show up on a credit report. Credit changes in the US can be triggered by New Credit cards, auto insurance new service, new utilities such as electric or phone, new car purchase, mortgage signing, major lending, and new job history. – AbsoluteƵERØ May 19 '13 at 15:32
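
The mailed one-time code from the address-verification step in the answer above, as an added example that is not part of the original answer. The class name, code alphabet, 30-day lifetime and five-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values (assumptions, not taken from the answer).
CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no 0/O/1/I/L: read off paper
CODE_LENGTH = 10
CODE_TTL_SECONDS = 30 * 24 * 3600  # letter is valid for 30 days
MAX_ATTEMPTS = 5                   # after that a new letter must be sent


class PostalVerifier:
    """Issues and checks address-verification codes sent by physical mail."""

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}  # application_id -> [digest, expires_at, attempts_left]

    def _digest(self, application_id, code):
        # Bind the code to one application so it cannot confirm a different one.
        msg = f"{application_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, application_id, now=None):
        """Return the code to print in the letter; only its HMAC is stored."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[application_id] = [
            self._digest(application_id, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, application_id, entered, now=None):
        """True only for the right code, in time, within the attempt limit, once."""
        now = time.time() if now is None else now
        record = self._pending.get(application_id)
        if record is None:
            return False
        digest, expires_at, _ = record
        if now > expires_at or record[2] <= 0:
            del self._pending[application_id]  # expired or locked: re-issue needed
            return False
        record[2] -= 1                         # count the attempt before comparing
        normalized = entered.strip().upper().replace("-", "").replace(" ", "")
        if hmac.compare_digest(digest, self._digest(application_id, normalized)):
            del self._pending[application_id]  # single use
            return True
        return False
```

A successful check shows only that someone with access to mail at that address applied, which is why the answer pairs it with the credit check and the phone call.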
3

The problem is with the phrase identity itself.

Technically Possible with History

There is no way to do this without using some sort of biometric verification. Retina scans would in theory be the only way (since you would not be able to replace an eye [2010]). If you were to do something like blood tests, even then in the case of twins they would carry the same DNA. Also blood transfusion recipients can also carry the DNA of their donors. More on DNA and transfusions. This is all provided that some other form of identification was used when the DNA was taken. The only way for this to be fool-proof is at the time of birth when someone in the room is verified taking DNA, a retina scan, and fingerprints at the moment of birth. At the point it's logged, then it can be tracked as verifiable.

This is only the case provided the persons in the room have been tracked and verified in the same way.

If you were to use fingerprint scans they would have to be done in person with another verifiable biometric test because fingerprint scans can be faked with modeling clay. If a follow-up comparison matched the same samples then you could prove that you had the same person, however you could not technically prove their true identity without performing DNA analysis and comparing it to samples from their parents (who would also need to be verified).

Realistically

In-person, 3rd party verification is the only way to do something like this. Every other transaction can be faked. This is the reason that probation officers show up unannounced at residences and job sites to verify that the person they're supervising actually is holding up their end of the bargain. This happens when the person is at the location and when they are not. They will take a photo ID of the person they're looking for and if the person they meet does not match or if the people at the location say "never saw them," it immediately violates the terms of the probation. Even this however can be faked with planning and there are false positives.

By "site" I'm guessing you mean website? Likely you would not want something this invasive to happen to your web visitors, that being said you can look for private investigators and research firms that can visually verify a client and research with the 3rd parties. They will typically perform credit checks at random intervals and visually verify the target. They can follow the clients to other locations and determine if in fact they are residing where they say they are. In government this is handled by foreign intelligence agencies.

For employers

For jobs, most potential employees must provide "verifiable" references. This can also be faked. Without double-checking contact information and doing research to try and verify the information on an application, employers can potentially hire anyone seeking to exploit the company unknowingly.

An example might be someone from Company "A" wants inside information from Company "B". They list Fake Company "C" on their resume with a lengthy employment. They purchase 4 throw-away phones (or IP phones) and list the contacts as fake names. 3 of the phones are used for references. The 4th number is used as the main line for Fake Company "C". After initial interviews the person is hired. Without a follow-up some months after the check there is no way to know whether a one-time verification procedure was legitimate or not. In highly sensitive industries a post-hire verification follow-up should be standard procedure.

Online accounts

With more and more online accounts cell phone authentication is being used since:

  1. most people do not carry more than one cell phone
  2. most people do not share cell phones
  3. it will use a different service than their internet connection

This allows companies to call and talk to the person for verification, you can track their location and login when they're required to have a new temporary password for a new device.

The online account companies are not concerned with singularity though. That being said, even this is spoofable because:

  1. someone can carry multiple cell phones
  2. they can swap out sim cards
  3. prepaid cell phones are cheap now as well

Business verification

We recently updated contact info for several of my clients on Google maps. Google maps calls (outsourced overseas) the contact number of the business on file for verification of the new business address and contact information. This is often a one-time verbal check. If they were to show up in-person to a temporary office for verification, then the business might look legitimate.

After several months if they were to return to update their listing and found the business did not exist then they could remove the listing. This is not their practice though. Because of this there are several businesses listed on Google maps that are either inaccurate or a duplication of the same company because the company has either closed, moved their location, been purchased by another company, or updated their contact information. Some businesses also use DBAs so there may be more than one company at a location.

AbsoluteƵERØ
1

Fraud prevention has always been a problem for Identity Management systems. Of course there is no silver bullet for this problem but I would like to suggest a few ideas.

  1. The registrations to your service may involve some kind of physical verification of the user before he can really use the service. The idea is not to depend entirely on technology for user registrations. The accounts will be created by an official only after the physical verification of the applying party's identity documents. This will be feasible only if you are targeting a relatively smaller user base (assuming that your service will be used only by a specific group of people from US/UK and not the entire population) but as you mentioned in one of your comments that there are large amounts of money involved you might want to think about this.
  2. Assuming that your application is going to provide n number of different services you may want to create trust levels for your end users. Each of the services can demand a certain trust level and only the users fulfilling the criteria will be allowed to use the service. The trust levels will depend upon what kind of verification the user has gone through. The users who have undergone physical verification will possess a higher trust level than those who have only registered online. In this way only the users who need to use a high criticality service need to go for a higher level of verification.
  3. You may define multiple trust levels depending on the identity documents used by the citizens of these countries (about which my knowledge is limited) and of course you need to categorize your services based on their sensitivity
  4. For dealing with stolen identities and passwords you can use mobile based One Time Passwords along with the credentials (Two Factor Authentication). Again this will depend on the criticality of service being used.

p.s. I do not recommend biometric authentication unless you are the government. Here is a relevant discussion that you might find interesting.

Shurmajee
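
The trust-level scheme from points 2 to 4 of the answer above, sketched as an added example that is not the answerer's code. The level names, check names and services are hypothetical; the logic shows levels derived from completed verification, per-service minimum levels, OTP required only for critical services, and a step-up list of what is still missing.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Trust(IntEnum):
    ONLINE_ONLY = 1  # registered online, nothing checked
    DOCUMENTS = 2    # identity documents reviewed
    IN_PERSON = 3    # physically verified by an official


# Checks that must ALL be complete to hold a level (hypothetical names).
REQUIRED_CHECKS = {
    Trust.ONLINE_ONLY: set(),
    Trust.DOCUMENTS: {"id_document"},
    Trust.IN_PERSON: {"id_document", "in_person_meeting"},
}

# Hypothetical services: (minimum trust level, OTP second factor required).
SERVICES = {
    "view_profile": (Trust.ONLINE_ONLY, False),
    "update_payout_details": (Trust.DOCUMENTS, True),
    "claim_benefit": (Trust.IN_PERSON, True),
}


@dataclass
class User:
    name: str
    completed_checks: set = field(default_factory=set)

    def trust_level(self):
        # Highest level whose required checks are all satisfied; a later
        # check does not count if an earlier one is missing.
        return max(level for level, need in REQUIRED_CHECKS.items()
                   if need <= self.completed_checks)


def authorize(user, service, otp_verified):
    """Decide access and report what the user must still do (step-up)."""
    if service not in SERVICES:  # fail closed on anything unclassified
        return {"allowed": False, "missing_checks": [], "needs_otp": False}
    min_level, otp_required = SERVICES[service]
    missing = sorted(REQUIRED_CHECKS[min_level] - user.completed_checks)
    needs_otp = otp_required and not otp_verified
    allowed = user.trust_level() >= min_level and not needs_otp
    return {"allowed": allowed, "missing_checks": missing, "needs_otp": needs_otp}
```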
0

I need to ensure that all users of my site are US or UK based citizens,

There is no method which will work for both UK and US citizens.

Unless you are part of the UK government, there is no method by which you can achieve this online. You will need a face to face meeting and physical evidence of identity (I expect the same will apply to US citizens).

If this is not cost effective, then you need to change your business model.

symcbean