By Rob Cook
United States government-issued identification cards are replete with anti-fraud measures such as ultraviolet ink markings and holographics intent on stemming the reproduction of phony IDs. That, however, has not stymied a growing underground economy of sites servicing criminals wishing to obtain and use fraudulent U.S. ID cards.
While only relatively few of these sites can deliver quality fraudulent reproductions, there are some sites with high ratings and positive reviews within illicit communities that can deliver cards that will bypass the security measures protecting legitimate government-issued cards.
This poses a threat to facilities that scan IDs to allow entry, for example, or to businesses such as banks and other financial institutions that rely on Know Your Customer requirements to verify the identity of customers and put up barriers to synthetic identity fraud, for example.
Vendors Advertise Bypasses of Security Features
Legitimate identification cards in the United States not only contain sometimes complex fraud-protection measures including the stars on REAL ID-compliant driver’s licenses or properly formatted scannable barcodes, but they’re also made of specific materials that are durable and transmit light in order to support these measures.
Vendors running some of the highest-rated illicit shops will advertise their capabilities around replicating these security features on identification cards, such as the correctly formatted barcode, certain micro-printing, or laser perforations. A proper barcode, for example, is often enough to allow entrance into access-controlled facilities. This is a significant risk not only to government buildings, but anywhere—such as a school or corporate office—where entry is controlled by some sort of access mechanism attached to an ID card.
The availability of high-end printers is one factor facilitating these fraudulent reproductions by threat actors. A typical office photo printer has the capability to reproduce quality products, while laminating machines and plastic card printers can also facilitate these reproductions. Supplies such as ultraviolet ink are available on the open market as well. It’s unknown whether some fake ID producers are obtaining the actual blanks used by agencies, this likely includes the laminate that contains the holograms.
Some of supplies used by high-end ID manufacturers to create advanced security features are also sold in bulk by vendors within illicit communities. Some forums and markets advertise “holos,” “perf sheets,” “cardstock,” “OVI sheets” and more for relatively low prices; OVI stands for optical variance ink. Transactions are generally carried out via cryptocurrency to maintain a measure of privacy throughout the transaction, and deliveries also relatively quick—anywhere from five days to three weeks. Flashpoint analysts have also seen some advertisements where payment methods such as prepaid credit cards or wire transfers are accepted.
Although even the highest quality fake IDs will likely be detected once checked against law enforcement and-or Division of Motor Vehicle databases, many of these IDs will reportedly pass the inspection of untrained security personnel and numerous off-the-shelf (OTS) barcode readers/verifiers. It would therefore be difficult to identify a professionally crafted fake for commercial retailers such as liquor stores, or office or school building access control systems that aren’t able to verify government IDs against a database. As a result, the threat to physical safety or the risk of fraud is enhanced.
Retailers that sell alcohol and tobacco, for example, may be especially vulnerable to employees accepting fake IDs based on the multiple states and forms of ID they may be presented with during transactions, particularly in locations near college campuses. Fraudsters may also use fake identification to gain entry into student events or take advantage of student discounts.
Those vendors who deliver higher quality products are rated upon not only their product quality (look, feel, durability, and acceptance rate of the ID card), but also upon their trustworthiness, and the security features included in the cards. Customers rank vendors on several advertised security features, including the quality of their templates (similarity between legitimate and phony templates), quality of the hologram and use of optical variance ink, ultraviolet ink, and their ability to incorporate microprint into ID templates. Vendors are also rated on price, discretion of shipping packages, and shipping turnaround times.
Assessment and Mitigations
Entities likely to be impacted by threat actors selling or using fraudulent identification can take some steps to protect themselves.
Organizations operating in sensitive industries, for example, could mandate background checks through a law enforcement agency for new employees, or for employees with access to sensitive materials or data.
Employee training can also help retailers or public-sector organizations spot phony IDs. Various government agencies, for example, offer training that explains security features employed by the different states and how they work off of one another.
On a more granular level, retailers—in particular those selling alcohol and tobacco—could institute a policy where a second form of identification is required, even a credit card or school identification, for example.
In the meantime, threat actors will continue a frustrating cat-and-mouse game with defenders, attempting to bypass new security features as they’re implemented in order to service a growing underground economy built around phony identification documents.
Senior Analyst II, Physical Security & Counterterrorism
Rob is a dynamic and well-rounded All-Source Intelligence and Physical Security Analyst with 20 years of multi-discipline intelligence experience. His background includes managing and developing personnel security, physical security (certified DoD Physical Security Inspector), and operations security programs for the Department of Defense. Rob’s positions have entailed tactical-level intelligence collection and reporting, providing pattern-of-life analysis and biometric tracking of high-level personalities, as well as strategic-level positions requiring POTUS level assessments on foreign military operations and counterinsurgencies. His work in the private sector focuses on cyber threat actors, such as hacktivist and patriotic hacking collectives. Rob has held Vice President positions within two large financial institutions, where he served as a Senior Analyst on their respective cyber threat intelligence teams.