Opinion
Computing Applications Digital village

Fungible Credentials and Next-Generation Fraud

Digital technology is easing access and lowering barriers for a new generation of criminal.
Posted
  1. Introduction
  2. Fungibility
  3. The Science of Securing Credentials
  4. Next-Generation Fungibility and Credential Amplification
  5. Credential Amplification
  6. Conclusion
  7. Author
  8. Footnotes
  9. Figures
  10. Sidebar: URL PEARLS

One of the most dramatic effects of global digitization is the transformation of white collar crime. Computer and network technology makes it possible for the white collar criminal to operate more efficiently with less risk and near total geographical independence. It has long been suspected that the economic impact of white collar crime surpasses its blue collar counterpart. The consensus seems to be that white collar crime venues such as embezzlement, theft of negotiable instruments, misappropriation of funds, insider trading, income tax fraud, theft of trade secrets, violation of intellectual property laws (patents, copyrights, trademarks, and so forth) have produced more economic damage by far than more mundane counterparts like burglary, auto theft, forgery, robbery, and vice for a very long time (think Enron and Worldcom). The difficulty in quantifying the losses due to these crimes is primarily due to low frequency of reporting.

The digital twist is the increased accessibility of electronic white collar crime. The criminals seem to have the same socioeconomic advantage as white collar criminals of yesteryear, but the entry-level barriers are much lower. The Nigerian Scam (aka, “advance fee fraud,” “419 fraud”) is indicative of the ease with which neophyte computer users may cause billions of dollars of worldwide economic damage with only a primitive telecommunications and networking infrastructure at their disposal.

One of the most troublesome applications of computing technology to white collar crime for law enforcement is fungible credentials.

Back to Top

Fungibility

The operative meaning of `fungible’ in this context is “interchangeable.” As I use the term here, fungible documents include counterfeits (for example, currency), forgeries (contracts, negotiable instruments, signatures), as well as a third category that I call “quasi-verifiable” or “legitimized.” Most fungible documents are created for criminal purposes, usually with the intent to defraud. “Legitimized” documents are those produced by legitimate issuing authorities based upon false information. One example is a driver’s license that has been issued to an individual under a fictitious name. That’s where the quasi-verifiable characteristic comes in. The driver’s license corresponds to a Department of Motor Vehicles (DMV) database record—in that sense it’s legitimate. However, the data fields do not correspond to the holder—both the credential and the credentialed are real, they just don’t correspond to each other.

The driver’s license is an important member of the set of core credentials in the U.S. (along with birth certificate, passport, and Social Security number). It is particularly valuable because it is the most widely circulated of the credentials that have an image or likeness of the holder. In all 50 states, if you’re going to operate a motor vehicle on a public road, you must have one. For this reason, it is a tempting target for counterfeiters. Figure 1 shows two counterfeit driver’s licenses manufactured for the same person to establish dual identities (both of which were fictitious, incidentally).

Counterfeiting driver’s licenses has become a cottage industry in the U.S. Law enforcement sees the entire spectrum from simple laminates of dot matrix printings to sophisticated replicas—typically those that have the authentic 45-degree hologram laminates superimposed on legitimate, stolen card stock printed with the same equipment that DMV uses. Figure 1 falls somewhere on the lower end of the quality spectrum: better than one produced in a college dorm room, but unable to withstand the scrutiny of law enforcement.

There are several features of these counterfeits that betray poor quality. For one, the 45-degree laser hologram laminate is missing. This is the easiest to spot even with minimal illumination. Second, the state seals along the bottom are blurred and suggestive of a low-resolution background image. Third, the two microprinted visible watermarks that appear on authentic Nevada driver’s licenses of the period are missing.

Back to Top

The Science of Securing Credentials

The act of counterfeiting core credentials is so widespread at this point that an entire industry has arisen to reduce exposure. The taxonomy of anti-counterfeiting technology shown in Figure 2 is derived from Michael Gips’s white paper, “The Spurious and the Injurious” (see www.securitymanagement.com/library/001540.html).The features that apply to the analysis of the counterfeit driver’s licenses in Figure 1 appear in boldface type in Figure 2. The taxonomy illustrates the considerable lengths that various government agencies and manufacturers have gone to discourage counterfeiting. Rigorous authentication technology also motivates criminals to seek means to obtain legitimized credentials.

There is also a fourth deficiency that is more subtle and doesn’t apply to the taxonomy: the addresses are both bogus. The reader may be amused to see the satellite photo of the area in which the Topweed Avenue address would fall in Figure 3. Not only is the address number bogus, but there are no apartment building within sight—certainly none with 844 units.

Back to Top

Next-Generation Fungibility and Credential Amplification

The typical criminal would use fungible credentials as an instrument to defraud because it offers reduced risk, minimal effort, and increased effectiveness. Financial frauds, money laundering, and identity theft are three common exploits that typically rely on fungible credentials. Fungible credentials are useful precisely because they simultaneously obscure the criminal’s real identity and facilitate any authentication that may be required.

A very common illustration is the use of fungible IDs to authenticate credit or debit card transactions. Merchants routinely rely on the photo and name on driver’s licenses to authenticate the card holder. Thieves find fungible IDs to be ideal companions to stolen credit/debit cards in committing fraud. Counterfeit driver’s licenses have proven to be quite effective for small to medium-sized purchases.

However, the counterfeiters are becoming the bottom feeders in the credit card fraud food chain. In order to see why, we need to add another level of complexity to our analysis. Counterfeit IDs may be thought of as `limited use” vehicles of authentication: they have a fundamental defect: its issuance itself cannot be verified, and thus won’t withstand any level of official inspection—for example, a simple records check during a routine traffic stop. To overcome this defect, more sophisticated criminals are using legitimized credentials. This is where the upper echelon of “new millennium fraudsters” are headed, and it’s causing headaches for law enforcement agents.

Back to Top

Credential Amplification

The starting point of a legitimized credential remains the counterfeit document. However, the counterfeit is only the means to the end of obtaining a legitimized document. A typical scenario might be to begin by ordering a counterfeit passport from people who linger around the dark side of swap meets. It’s not uncommon for criminals to special order the passports by country, name, visas, and endorsements. The counterfeit passport is then used in the “credential amplification” phase to produce the tokens that will be actually used to defraud, for example, a driver’s license issued by DMV. The typical DMV has no means to validate passports, so the amplification is relatively straightforward. The driver’s license may in turn be used to obtain a Social Security number, county health card, and other documentation until the wallet is filled. It goes without saying that the variations on this theme seem endless.

What is unique to the credential amplification approach to fraud is that the legitimized token becomes `authenticatable’—that is, there is actually a DMV record for the name on the driver’s license. This is usually all it takes to establish a solid false identity (or steal someone else’s). As a reality check, contact your local bank and ask what identification is required to open an account, withdraw from an account, establish a credit line, or obtain a credit/debit card. In many if not most cases, only two forms of ID are required, only one of which must have a photo and neither of which are validated beyond visual inspection, a valid driver’s license (in precisely the sense that I mean “quasi-verifiable” or “legitimized”), a state-issued or military ID, or a U.S. Passport.

Back to Top

Conclusion

In the past few years, the use of fungible credentials has taken a turn for the worse from a social perspective. Since many criminals only use the counterfeit credentials to obtain quasi-verifiable credentials in the amplification phase, the original counterfeits are disposable. The operative token credentials are legitimately issued by agencies. This makes detection nearly impossible, for the token (if not the holder) is legitimate. Note how this circumvents the anti-counterfeiting technologies mentioned previously, unless all government agencies and law enforcement are postured to authenticate all documents, irrespective of source. This isn’t likely to happen any time soon.

While the problem of counterfeiting is not new, the ease and quality with which counterfeit credentials may be produced with modern computer and printing technologies is new. Arrests of identity thieves and credit/debit card fraud rings almost always yield a computer and a good-quality dot matrix printer. Today, one can enter the ranks of the successful fraud criminal for a few hundred dollars. With judicious use of credential amplification and some street smarts, one can quickly leverage this minimal investment into a move into the defrauding big leagues.

The point to bear in mind is that this new cottage industry within our global digital village has been made possible by high-quality, inexpensive computers, printers, and small office/home office software. Ironically, the production of large quantities of fungible credentials is a direct consequence of the same computing appliances and productivity applications that have made modern business so efficient. Perhaps the scariest application of fungible credentials to date is the counterfeiting of law enforcement IDs by posers for home/office invasion.

Look for the problem of fungible IDs to obey Moore’s Law in the years to come.

Back to Top

Back to Top

Back to Top

Figures

F1 Figure 1. Two counterfeit driver’s licenses for the same person. (Both identities are fictitious; pixilation added by author.) Source: Las Vegas Metropolitan Police Department.

F2 Figure 2. Taxonomy of anti-counterfeiting technology (derived from Michael Gips’s white paper, “The Spurious and the Injurious”; see www.securitymanagement. com/library/001540.html).

F3 Figure 3. A satellite image of the Topweed neighborhood (mid- to lower center). Note absence of apartment buildings. (Produced with Keyhole 2 PRO. © 2004 Keyhole Corporation.)

Back to Top

    This column is a byproduct of research conducted at the Identity Theft and Financial Fraud Research Center in conjunction with the Las Vegas Metropolitan Police Department. I appreciate the assistance of Michael Sthultz and my LVMPD colleagues Deputy Chief Dennis Cobb, and Detectives Kai Degner and D.C. Tony in developing material for this column.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More