Scanning IDs — Making Fakes Easier

This is a post from an earlier version of my site, moved to the current version for maximum enjoyment. Originally posted 2018-03-08

-Bob

Not long before I procured my wonderful license, they were printed pieces of paper with a photograph attached, then laminated.

For both security and durability reasons, all states have moved away from this technique of identification. It was trivial to make fake IDs, and people knew it.

I used to smoke, up until November of 2016, and as part of being a smoker, I would have to engage with store clerks. My receding hairline was usually enough evidence that I was old enough to buy them, but the occasional pedant would request proof anyways. Being a cashier at a gas station years ago, I understand the request and the problems with not doing so, therefore I obliged the request. They view the license, DOB, expiration date and make sure it matches me. Transaction success.

A strange new behavior has developed where companies are forcing cashiers to scan in the driver’s licenses for adult purchases (alcohol, tobacco, spray paint, cough medicine, etc). I’m not sure if companies simply don’t trust the people they have run their business, alone, all day long, to do their jobs of checking IDs?

A Policy Introduces an Exploit

This is where it becomes interesting. Driver’s licenses have a plethora of features, holograms and colored stripes that cross over both the date of birth, as well as expiration dates. More modern licenses even have underage kids with a vertical orientation and different colored banners.

The holograms and stripes are to prevent bleaching, a technique where a legitimate, government-issued identification is otherwise modified to indicate a different date.

There are a few barcodes on the back of an Illinois license (where I sadly once lived), one of them looks similar to the barcode on a can of tomatoes (this is your license number). The more complex one that looks like a long QR code — this one is what they usually scan.

The Problem with Scanning Identification Cards

Bar codes look secure, high tech, and modern to people who are none of the above. Barcodes are as easy to read and write as basic English given the “write tools” (punny). They aren’t hard to find. As a matter of fact, I used to host a driver’s license number generator on this site, and it turned out a few bank actually used it to validate that people were presenting real IDs!! The License number in IL is really easy to figure out. From the last 5 digits, for example, I can tell your date of birth and gender. The first four are encoded with Soundex, and the middle three are from a lookup table from your first name.

Generate a License Number

The entire number is generated from just a few facts about you:

A123-4567-8900
  • A123 – Your last name, encoded with Soundex. Try me!
  • 456 – Your first name and middle initial, compared against a lookup table
  • 7-8 – The year of your birth (1978)
  • 900 – This is your month of birth, minus one, times 31. Then you add the days. So for somebody born on January 25th, 1978, you would get: ((1-1)*31)+25 or 025. If you are a female, you add 600 (and get 625).

Make it a Bar Code

So you now know how the number is decided, and lucky for you the American Association of Motor Vehicle Administrators (AAMVA) is a standards organization that specifies exactly how to format the barcode on your license (how to structure the data), and how you should use the PDF417 styled barcodes. Really though.

So if you don’t think you can trust that person reading a driver’s license, remember you’re now trusting the bearer to present it honestly, and it is much easier to trick a computer than a person. We call this “client-side security.” You’re letting them forge variables with impunity.

What about the consumer?

I stopped by a BP station in my neck of the woods a few years ago to buy some of my Marlboros. I wanted to feel like a real rancher that day. They insisted that they scan my ID, which I politely declined, explaining that my address is not pertinent to my purchase of cigarettes. The clerk told me “well you paid with your credit card, and they have your information.”

I was surprised he didn’t see the distinction. A company that I have made a financial partner would, obviously, have my information to contact me about payments and debts. A gas station does not require an ongoing level of trust. I pay, they provide, and I leave.

The large barcode contains everything from your address to your eye color. It is trivial to log more information than simply checking your DOB and expiry.
Nobody benefits

In the end, retailers are put at increased risk while causing consumers more privacy invasion issues. Nobody is the winner here. I’m not cool enough on the internet to drive enough interest to my blog to see change happen, however you can. Throw tape over the barcode. If you get pulled over, either pull it off or make the officer type it in manually. If you buy smokes and they’re willing to hire people they don’t trust, why are you trusting them not to swipe your card in a square reader of their own?


Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.