id reader authenticators k 09iscwest_di02.pdf · 2018. 4. 30. · march 31-april 2, 2009 id reader...

March 31-April 2, 2009

ID Reader – AuthenticatorsA Survey of New Technologies to

Read and Validate IDs

Theodore Kuklinski, Ph.D.Director of Research

AssureTec Systems, Inc.

200 Perimeter Road, Manchester, NH USA

603-641-8443

www.assuretec.com

[email protected]

Topics to be Covered


• The Importance of Identity

• Types and Variety of IDs

• The Problem of Fake IDs

• Manual ID Checking

• Automatic ID Checking

• Reader Authenticator Devices

• Steps in Reading and Authenticating IDs

• Application Areas

Identity is Key!

Who am I?

How do you know who I am?

How do I prove it’s really me?

What can I provide?


Building Blocks of Identity

• What a person knows …

– password, PIN, fact (mother’s maiden name)

• What a person is or does …

– Biometrics: face, signature, fingerprint, iris, DNA, hand geometry

– Characteristics: gait, speech

• What a person has in their possession

– Social security card, birth Certificate, tax return, credit card,

diploma

– ID such as passport, drivers license, green card, military ID



• Terrorism

– 9/11 brought home the message

• Identity Theft

– Huge number of cases, $$$$ to correct

– Bank fraud, bad checks, credit card

• Underage Drinking

– Drunken driver deaths

• Employment / Hiring Fraud

– Job Qualifications, legal to hire

• … and more

IDs are important!

Where do you use an ID?

• Board a plane

• Open a bank account

• Cash a check

• Check into a hotel

• Rent a car

• Get a job

• cross a border

• Enter a secure building

• Purchase liquor

• Buy firearms

• Get some Sudafed at the drugstore

• Take a professional test

• … March 31-April 2, 2009

• Government

• Military

• Banking

• Transportation

• Hospitality

• Employment

• Casino

• Underage products

• Motor Vehicle Dept

What are Some Types of IDs?

• Passports

• Visas

• Driver’s Licenses

• ID

• Military

• Government (PIV)

• Voter ID

• Employment Authorization

• Alien Registration

• Border Crossing Cards


ID Standards

• ICAO

– ID-3 Passports Visas

– ID-2 IDs

– ID-1 Green Cards, Border Crossing, Employment Authorization,

Passport Cards, EDL

• AAMVA

– US / Canada Licenses and IDs

– Layout

– Barcode, Magnetic Stripe

• FIPS-201

– Government Programs


MRTDs - Machine Readable Travel Documents

ICAO (International Civil Aviation Organization)Document 9303

Standard has been around since mid 1980’s

….. but still not used universally!

Non-ICAO Passports

perhaps 60 countries

w/ICAO + non-ICAO

perhaps 20 countries

w non/ICAO

TypesID-1 DL sizedID-2 IntermediateID-3 Passport / Visa sized

e-Documents

Some MRTDs


• Photo

• Human Readable Information

• Machine Readable Zone (MRZ)

• Security Features

• RFID

Anatomy of a Passport


MRTD Features

Non-MRZ Zone Specifications for layout

Human readable – crosschecking possible

Security features UV, microprint, laminate, OVDs,

check digit, and others

Non compliant ICAO -standards not always followed check digit scheme

MRZ location

font variation, spacing, ink

MRZ – Machine Readable Zone

• OCR-B font human & and machine readable

• B-900 ink (IR)

• 2 line or 3 line

• Structured formatting of

• Country, name, DOB, sex

• Security –

• check digits (7-3-1)

U.S. / Canada Driver’s Licenses / IDs

AAMVA (American Association of Motor Vehicle Administrators)RMVs and DMVs, industry

Design States like to show design - sometime at odds functionality

Layout – e.g. Under 21 – vertical format

Security Features Used – state choices – cost factor per license

Data Format - Name, ID, DOB, Expiration, Face, Address, hair, etc.

Standardization? 2000, 2003, 2005 (best practice)

2009 (required compliance)

Formatting issues Standardized format but non uniform use of the format

Name format variations – JOHN SMITH vs. SMITH, JOHN

Address format variations, zip, etc

Real ID Act Some controversy re National ID, state resistance, who can get DL

Funding to Implement?

Verification Hub coming – AAMVA!

Real-ID

Section 202(b) of the Act directs that REAL ID-compliant licenses and identification cards must include the following information:

(1) The person's full legal name, date of birth, and gender;

(2) The person's driver's license or identification card number;

(3) A digital photograph of the person;

(4) The person's address of principal residence;

(5) The person's signature;

(6) Physical security features designed to prevent tampering,

counterfeiting, or duplication of the driver's licenses and

identification cards for fraudulent purposes; and

7) A common machine-readable technology, with defined minimum elements.

Driver’s License / State ID

• State Information

• License Class

• Name

• Address

• DOB

• Expiration

• Biometrics

– Photo

– Signature

– Height / Weight

– Hair / Eye Color


Possible Data Sources on ID

• Human Readable

– Text – OCR

– Image

• Machine Readable

– Magnetic Stripe

– 1 D Barcode

– 2 D barcode

– RFID

– Contact Chip

– Watermark


2D Barcode

• Machine Readable

• PDF-417 is standard for DLs

• AAMVA standard 2000-2003-2005-2009

• Data tags

• Required / Optional / State defined

• Standards not always followed

• Redundancy


Magnetic Stripe

• AAMVA standard

• 3 tracks

• Format defined

• Phasing out

• Can be demagnetized


Biometrics

• Tie the document to the person

• Picture –facial match to person or stored image

• Signature

• Height, Weight, Hair Color, Eye Color

• Fingerprint

• IRIS


Security Features

• UV Patterns

• IR Patterns

• Laminate – Coaxial lighting

• Ghost Images

• Check Digits

• OVD / Kinegram

• Microprint

• Watermark

• ….. Many more!


22

Lighting Types

UV (Ultraviolet)

Security feature

IR (Infrared) Printing

B900 Ink

IR Printing

UV Security

Laminate

Passports/Visas

Driver’s Licenses &

ID Cards

Color Image

Color Image

Coaxial Light

Security

Laminates

RFID / Contact Chip

• New generation of document with Smart Card technology tied to

biometrics.

– PIV card (HSPD-12 / FIPS-201)

– TWIC – Transportation Workers Identity Credential

– e-Passport / Passport cards

– FRAC (first responders)

– ACIS (Aviation Credential Interoperable Solution)

– … and others

• Need for Improved Credentialing

– Closer checking of breeder documents

– Capture of Biometrics

• Privacy Concerns

– How close to be able to read?

• Reader Availability

RFID+ICAO Alone is Inadequate

What About Non-Standard Documents?

Only embracing RFID/Contactless Smartcard

doesn't solve the document

authentication problem:

• 214 countries, each with unique ID

documents, most non-RFID – over 8000

in all

• Most will continue to be used for the

next 20 years

• In the U.S., over 500 drivers license

documents that will continue to be in use

for many more years

• It takes 3.5 years to train a forensic

document inspector

• Inspectors don't have enough time at

inspection points to catch good fakes

ID Variety


26

The Problem

• Significant Transaction Volume

– Over a Billion (B) U.S. Exit / Entries

– 3.2B WW Airline Passengers

– Thousands of Entry Points

• High Number of Issuing Locations

– 8.9K+ U.S. locations issuing Documents

– 20,000+ international locations issuing Documents

• Thousands of Document Types

– Passports, Visa’s, Driver Licenses, Other ID Cards


ID Variety

• New Issues from Jurisdictions – all the time

• Different Classes

– DL, CDL, Under 21, Boat, Motorcycle, ID only

• Different wording, layout, color

• Information in different locations

• Different information provided by different jurisdictions

• Difficult for human inspectors to know all the variants

• Worn and dirty documents


28

Some Varieties of Maryland ID’s

Difficulties

“There are more than 240 different types of valid driver’s

licenses issued within the United States”

“It would not be easy for CBP inspectors to have a

passing familiarity with, let alone a working knowledge

of, each of these documents.”

Asa Hutchinson,

Under Secretary for Border and Transportation Security

Testimony before U.S Senate Finance Committee

September 9, 2003


ID Fraud


Types of ID Fraud

• Counterfeit

– Examine Built in Security Features

• Altered - removal and/or addition

– Look for Age or Date Modifications

– Look for Photo Substitution

• Theft of legitimate materials

– Test for all security features

• False issuance of legitimate documents

– Corrupted officials (test for ID number)

• Use of Valid Document by Different Person

– Biometric: Facial Matching, Signature

– Database matching


Fake ID’s - Availability

e.g. PhonyID.com

Manual ID Checking


Tools for Manual Checking


ID Manuals

36

Inspector Training

Human Examination Severely Limited

Too many documents, not enough time…

• Security documents have become significantly more important in today’s world, but there are too many identity documents and only seconds to make an evaluation and approval decision.

• There are currently more than 1,500 different types of domestic and international drivers licenses and identity documents in circulation.

• 40% of passports and visas do not comply to ICAO international guidelines for travel documents and these will be in circulation for many years.

• Document inspectors and security personnel cannot be expected to memorize the features of the thousands of different identity document types

• Humans are susceptible to fatigue, distraction, intimidation, bribery, blackmail…

• Inspectors spend too much time entering data and too little time evaluating the human behavior of the document presenters.

Reader - Authenticators


Reader / Authenticators

– Remove problems of human vulnerability to:• Memory

• Fatigue

• Distraction

• Boredom

• Bribery /Blackmail

– Allow more focus on:• Human behavior

• Facial Matching

Reader/Authenticators Allow:

• Reading and identifying document type

• Collecting information from document

• Confirming presence of known features

• Reference-checking information

• Presenting biometric for comparison

• Scoring risk against established entitlement

paradigm

Evaluating ID Reader Systems

• Human Factors – Automaticity

• Types of IDs that can be evaluated

• Image Quality

• Data Extraction Capability

• Authentication

• External Database connectivity


Human Factors

• Footprint on desk / height of imaging platform

• Operational Steps

• Accommodate ID-1, ID-2, ID-3 or other documents

• Autodetect upon Insertion

• Rotate/Deskew – upside down

• Duplex (read both sides of a document

• Automatic Classification from Image?

• Auxiliary reading from BC, MS, RFID

• Cover Hood (UV Safety – external light rejection)

• One Handed operation

• Glass platen quality – scratch resistance


ID Document Library

• New types of IDs are being issued frequently

• Older issued IDs are still valid for future years

• ID Coverage

– Passports (ICAO / non ICAO)

– Visas

– Driver’s Licenses, IDs

– Non US coverage of licenses, voter cards, consular cards, etc.

– Military cards

• How to Update

• Frequency of Updates

• Trainable for new document types

• Customizable to a subset of IDs for speed


Functional Requirements

• Authenticate Accurately• Mistakes are not good

• Authentication– Wrongly accuse someone

– Let a person with fraudulent ID through

• Reading– Field accuracy needed for data input (Name, etc.)

– Accuracy for database lookup (e.g. Passport or DL Number)

• Easily Trainable for new document types• Secure Library

• Provide a Risk Analysis• Forensic Examiner in a box

• Adjunct to human inspector» Inspector can touch and feel document

• Graduated scale: 0 (low risk) to 10 (high risk)

• Can be used to refer presenter for secondary inspection

• Document Detection

• Document Sizes handled – ID-1, ID-2, ID-3 and others?

• Cropping, Deskew, Rotation (also finger rejection)

• Light Sources – Visible, UV, IR, Coaxial - how many?

• Directional lighting for OVD detect or reject

• Ambient light rejection (cover is important for ID-1 documents)

• Duplex Capture – capture both sides of a document

• Image Resolution – 200 to 600 dpi

• Image Lighting Uniformity – needed for OCR binarization

• Image Linearity – pincushion, lens quality / distortion

• Focus, depth of field

• Image Export Formats – save images to compressed files

• Image Pre-processing / Enhancement – contrast, filtering, erosion, etc

• Image Field Extraction – pull out facial, signature, etc.

• Color Depth (24 bit color) vs Gray Scale

• Color Fidelity

Reader Imaging Specifications

Data Extraction

• MRZ Reading, classification

– From ICAO documents

– From non-ICAO compliant documents

– Font support – non compliant OCR-B

• OCR from fields

– Accuracy, Speed

– Engines

– Field pre-processing

– Custom Fonts

• 1D / 2D Barcode Reading

– PDF-417

– Cross match to OCR

• RFID “SmartCard” automated read

• Magnetic Stripe supportMarch 31-April 2, 2009

Document Authentication

• Authentication Tests

– Number and types of tests

– Ability to tune tests

• Text Based Tests

– MRZ Tests – check digits, field format

– Cross Matching

– OCR, Barcode, Magnetic Stripe, RFID

– Date Checking – Birthdate, Expiration, Issue Date

• Image Based Tests

– Color / Grayscale Response – color tests

– Physical Relationship between card elements

– Pattern Matching

– Presence/Absence (for all light sources)

– Security Feature Verification (holograms patterns)


Software

• Recognition Engine

• SDK (Software Development Kit)

• Languages/Environments supported

• Application Development

• Data Structures and Interface

– XML, SQL, Image formats

• Security


Reader Authenticator

Devices


Some Types of ID Reading Devices

• Barcode / Magnetic Stripe Readers

• Contact or RFID readers

• Flatbed scanners

• Camera Units

• Card Scanners

• Intelligent Card Scanners

• Reader Authenticators (multi light source)

• Mobile Devices


Place of Usage

• Desktop

– Camera Based Reader Authenticator

– Card Scanners

• Kiosk

– Platen

– Card Reader (like ATM)

• Mobile

– Battery powered, wireless


Scanners / Mag / Barcode


Desktop Reader Hardware


54

Desktop Reader Inside

IEEE 1394

Lightin

gCCD Camera

Glass Platen

CoverHinged Do or

IndicatorLights

Controlle r

Reader / Authenticator

Desktop Reader Authenticators


CIS vs Camera

• Camera

– Lighting uniformity important

– Less resolution

– Instant capture

– Multiple light sources

• CIS (Contact Image Sensor)

– Lighting is uniform

– Better effective resolution

– Mechanical operation

– ID across CIS or CIS across ID

– Longer scanning time

– Duplex OperationMarch 31-April 2, 2009

Under the hood


Duplex CIS Readers

Kiosk Systems

Kiosk Systems (with Desktop Units)


Mobile Devices


System Components

• Hardware Components

– Scanner / Reader

– Processing Unit

– Network

• Software Components

– Engine (SDK)

– Library

– Application Software


Detect Document Insertion

Capture InitialDocument

Image

Classify the Document(Determine its type)

Extract Alphanumeric &Biometric Data

Authenticate DocumentUsing Forensic Tests

Typically 2-8 seconds elapsed time

Customer-Specific Application

Operator

Capture Additional

Document Images

Query

external alpha

numeric &biometric

databases

Processing Steps

Capture Steps

• Insert Document

• Detect Document Insertion

• AutoSense until document is stable

• Take IR Picture

• Edge Detect / Deskew

• Crop to Document only

• Take Visible Picture and Crop

Document Detection, Deskew, Rotate

STATE

STATE STATE

STATE

InsertDocument

InsertDocument

Picture LoopDetect Document

Stabilized

Take PictureEdge Detect

Deskew

CroppedImage

Classify Document

• Extract Document Signature

• Compare with Document Database Members of Same Size

• Work through list of Similar Documents and Validate

• Match Found or Classify as Unknown

67

Field Extraction

• Extract Fields

– Data

– MRZ

– Barcode

– ID Number

– Name

– Date of Birth

– Image

– Photo

– Patterns

• Using …

– Image Processing

• Light Sources

• Crop

• Spatial Filter

• Color Filter

• Contrast

• Erode/Dilate

– Engines

• OCR (multiple)

• Barcode (1D, 2D)

• Matching (Pattern, Color,

Text)

Sample Field Extractions

2D Barcode

1D Barcode

MRZ

Microtext

Perforations

Guilloche

OCR

Photo

The Process – Capture & Check Data

• All types of machine printed data

– ICAO Machine /Visual Readable Zones

– Typed or printed anywhere

– Barcodes 1-D, 2-D

– Special characters/fonts

– Regardless of background

– Any light source – white, infrared, ultraviolet

• Field validations – format, check digits, range

• Cross-field comparisons – zones, light sources

• Country/issuer specific information

70

Expiration Date

Data Crosschecking

UV Patterns

Drivers' Licenses

Passports

OVD (Optical Variable Device)

OVD Detection OVD Suppression

“GENUINE”

Micro-Text Not Present

Microprint on Driver's License

Alerts and Risk Factors

Security Risk

Score

Security Alert

Authentication

Authentication Results

Authentication Resultsshows the tests that did not pass, with their level of risk indicated with the following symbols:

Validation against

• Databases

• Watchlist

• Facial MatchOne to One

One to Many


Example

Application Areas

Secure Document Issuance

• DMV/RMV/BMV (Motor Vehicle Administrators)

• Passports and Visas (State Department)

• Special Programs - FIPS-201 / PIV / HSPD-12 (see below)

Recent GAO Report on Passport Issuance


PIV Enrollment Process

The PIV Enrollment process shall provide the following minimum steps:

1. Applicant shall appear for enrollment with supporting documentation;

2. Enrollment shall inspect and confirm all supporting documents using automated

means if available;

3. Enrollment shall establish that the individual present matches the supporting

documents;

4. Enrollment shall confirm Employer/Sponsor approval for PIV; and

5. Enrollment shall scan all supporting documents.

The PIV Binding process shall provide the following minimum steps:

1. Enrollment shall take biometric samples and photograph of the Applicant;

2. Enrollment shall manage the quality assurance process of the biometric and

photographic capture. The biometric samples shall be verified to ensure proper

performance; and

3. Enrollment shall bind the completed electronic enrollment package with a digital

signature and forward the enrollment application to the IDMS for identity

verification and validation.

HSPD-12 – PIV Card

TWICTransportation Workers Identity Credential

Airports


Border Security

“In fiscal year 2002, there were about 279

million inspections of foreign nationals at U.S.

Points of Entry. In these circumstances,

preventing the entry of persons who pose a

threat to the United States cannot be

guaranteed, and the missed entry of just one

can have severe consequences.”

HOMELAND SECURITY

Risks Facing Key Border and Transportation

Security Program Need to Be Addressed

GAO Report GAO-04-569T, March 18, 2004

Transportation

Ensuring the right

traveler is on-board

a passenger aircraft,

cruise ship or

cross-border train

has always been a

concern for the

travel industry.

Car Rental

“This system

prevents fraud and embezzlement. Only this year we

managed to prevent six cars from getting

stolen by well-organized criminals.”

Chino Klaverweide-LorteijeManaging Director, OribiThe Netherlands

Banking / Money Laundering


• Account Opening

– Government

Requirements

• Identity Theft

• Fraudulent Check Cashing

I-9 Requirements

Employment

Restricted Products

• Restricted Sales

– Alcohol – Liquor Stores

– Tobacco – Convenience Stores

– Firearms Sales

• Bars, Clubs, Restaurants, Casinos

– ID Checkers – pay bounties

– Underage

• Large Potential Penalties for owners!

www.assuretec.com

Age Verification Application

Check Cashing at Casinos

• The Department of the Treasury, the Financial Crimes

Enforcement Network (FinCEN), and the seven federal

financial regulators have issued final rules that require

certain financial institutions to establish procedures to

verify the identity of new account holders.

• No amount of training on the detection of fake IDs can

prepare the average casino worker at the cage or your

hospitality suite for the formidable task of

authenticating a customer’s ID in a few seconds. Any

mistake he or she makes in detecting a fraudulent ID

can be costly in terms of compliance with AML

regulations.


Future for ID

• Cross-jurisdictional authentication of IDs

• Standards for Licenses enforced

• Phase in of e-Documents over years

• Biometric verification systems – e.g. fingerprint

• Upgrading Source Document Security / Verification

networks

• Issuing from secure facilities

• More rigorous standardization of document security


Reader Authenticator Benefits

• Lower Life-cycle Costs

(less training costs, support costs, fewer people)

• Improved Productivity

(better results, in less time, with fewer people, lower expertise required)

• Higher Throughput (overlaps other steps, less time for examination, less exception handling)

• Ease of Use

(intuitive operation, easy installation and updates, no documents to remember)

• Reduced Risk (better security and less susceptibility to human failings)

• Increased Security

(more thorough examination, repeatable results)

• Scalability (flexible for today’s needs, scales for the needs of tomorrow)