More and more organisations are requiring ‘proof of real identity’ by asking their users, members or customers for a scanned image of their passport or a similar official document. At first sight this may seem a reasonable thing – why should your doctor, or your bank, or Google not know who you really are?
The problem is that an electronic scan of a document is a digital piece of information, which can be copied, bought and sold and re-used.
A lot of effort goes into making real passports hard to copy, but a digital image is essentially just a very long password.
The problems of re-using passwords across accounts are well known. There have been many cases of large organisations suffering known security breaches: Experian, Zoom, Disney+, Capita, Gmail and many more.
There is a financial risk to organisations which fail to adequately secure the information they hold in trust, particularly if this information is then used to steal money or resources. There is also a risk to staff in those organisations who have access to this data and could be bribed or threatened into disclosing it.
Discouraging re-use of images of official documents
Turning an image into a single-use password reduces the risk to both ends of the transaction. I modify images with an appropriate watermark, allowing that organisation to verify my identity.
There are better ways to do this, but I wanted something quick and easy, although my method is Linux orientated.
Suppose I bank with the well-known bank.example.com. I could create a watermark image with convert from the ImageMagick suite:
convert -size 693x471 -font Helvetica caption:bank.example.com bank.example.com.jpg
and then use ksnip (although I could probably have used ImageMagick for this too) to apply bank.example.com.jpg as a watermark to the scan, producing the watermarked image.
The image can be used to verify identity, but someone trying to re-use it to verify identity at health.example.net should have it rejected.
Recipient/Verifying organisations
The watermarking process is fairly technical and is unlikely to be widely adopted at the user/consumer end, but if the verifying organisation does retain the data it should watermark it before storage, or possibly even on upload before it is verified, to reduce the risk of the information being leaked in a usable form.
Other thoughts
Steganography
It should be possible to use steganography to add a message to the image which would make it identifiable by a computer but would not be visible to a person examining it. This would be useful if there were a widely deployed system and it was desirable to mass-screen identity documents to check that they were intended for the right organisation.
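As an added example (not code from the original post), the following pure-Python sketch embeds the recipient organisation in an image as a hidden tag, and shows the screening check a verifying organisation could run on upload to reject scans intended for someone else. It assumes raw 8-bit grayscale pixel bytes (such as the body of a binary PGM file) and an assumed marker string ID:; the image is a constructed gradient, not a real scan.

```python
# Added example: least-significant-bit tag naming the intended recipient,
# plus an upload-time screening check. Assumes raw 8-bit grayscale pixels.

MAGIC = b"ID:"  # assumed marker so an untagged image is distinguishable

def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_tag(pixels: bytes, organisation: str) -> bytearray:
    """Write MAGIC + 2-byte length + organisation into successive pixel LSBs."""
    payload = organisation.encode("utf-8")
    message = MAGIC + len(payload).to_bytes(2, "big") + payload
    if len(message) * 8 > len(pixels):
        raise ValueError("image too small to carry the tag")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit  # each pixel changes by at most 1 level
    return out

def _read_bytes(pixels: bytes, offset: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of pixels starting at offset."""
    chunk = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + k] & 1)
        chunk.append(value)
    return bytes(chunk)

def extract_tag(pixels: bytes):
    """Return the embedded organisation, or None if no tag is present."""
    if len(pixels) < (len(MAGIC) + 2) * 8:
        return None
    if _read_bytes(pixels, 0, len(MAGIC)) != MAGIC:
        return None
    length = int.from_bytes(_read_bytes(pixels, len(MAGIC) * 8, 2), "big")
    if (len(MAGIC) + 2 + length) * 8 > len(pixels):
        return None  # truncated or corrupted tag
    return _read_bytes(pixels, (len(MAGIC) + 2) * 8, length).decode("utf-8", "replace")

def screen(pixels: bytes, expected: str) -> str:
    """Mass-screening check the verifying organisation runs on upload."""
    tag = extract_tag(pixels)
    if tag is None:
        return "untagged"  # no recipient recorded: treat with suspicion
    return "accept" if tag == expected else "reject"

# Constructed 64x32 gradient standing in for a passport scan.
SCAN = bytes((x * 4) % 256 for y in range(32) for x in range(64))
TAGGED = embed_tag(SCAN, "bank.example.com")
```

A tag in the pixel LSBs survives lossless formats only; saving as JPEG would destroy it, so a deployed system would need a more robust embedding.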
Cryptography and Webs of Trust
Standards for using cryptography, and for building a web of trust, have existed for a very long time, but usage is low and we are suffering the consequences. If my bank had my PGP public key as part of my profile, and I had theirs, they could send me encrypted important emails, and would not have to “prove” that a message came from them by showing that they know my postcode. With a proper rollout of that type of infrastructure (and while there are still real bank branches left) I could take my passport into a bank, and they could sign my digital key with theirs, and this could then be used to demonstrate identity. The functionality could be built into smartphones, preferably with the source code inspected and verified by a trusted agency, so that end users would not need to understand the underlying mechanisms.
Detecting large scale security breaches
Large organisations, and government agencies should be ‘seeding’ large identity databases with special false identities, each one specific to a database, so that if these identities are used ‘in the wild’ they can detect that a security breach has occurred, and where.
Hi, thanks. I don’t understand, I’m sorry, why should a second organisation know to reject a watermarked image?
Suppose someone (say Mallory), employed at Bank.example.com wanted access to Angela Zoe’s medical records, for example suspecting Angela was having an affair or some such. If they had access to the unwatermarked passport scan they could use this to set up an online patient record access account, using mallory@mail.example.net as the email address, but Angela Zoe’s passport scan as the proof of identity.
The person verifying the account at the doctor’s surgery would have no reason not to trust the document and would set up the account.
Mallory would be taking quite a big risk anyway in presenting an image watermarked ‘bank.example.com’ to try to access medical records, as not only should the administrator at the doctor’s be suspicious of it, but investigating the identity fraud would start with ‘who at bank.example.com has access to this record?’