Security Vulnerabilities Remain as REAL ID Act Deadline Nears
Not a Member?  Become One Today!

Security Vulnerabilities Remain as REAL ID Act Deadline Nears

By Roy Maurer  10/15/2012
Copyright Image Permissions

As the January 2013 deadline for states’ compliance with the REAL ID Act nears, the U.S. Government Accountability Office (GAO) demonstrated that counterfeit documents with fictitious identities can still be used easily to obtain driver’s licenses and state-issued identification cards.

The GAO found that all 50 states have made positive gains in identifying counterfeit documents since the terrorist attacks of Sept. 11, 2001. It also found that federal actions have helped by enhancing verification systems or by giving money to help states develop new systems. In an investigative report, however, released in September 2012 and titled Driver’s License Security: Federal Leadership Needed to Address Remaining Vulnerabilities, the government watchdog agency demonstrated that it is still possible to exploit loopholes in states’ identity verification procedures to fraudulently obtain genuine driver’s licenses. These findings fly in the face of the upcoming implementation date of the REAL ID Act, which, among other provisions, sets minimum national standards for driver’s license security, including procedures for states to follow when verifying the identity of license applicants. 

Additionally, the GAO cited the lack of proactive guidance from the top levels of the Department of Homeland Security (DHS) to help states address driver’s license and identification fraud.

The GAO laid out how driver’s license fraud affects everyone by facilitating identity fraud, which they estimate cost victims in the U.S. $37 billion in 2010, said Brian Zimmer, president of the Coalition for a Secure Driver’s License, to SHRM Online.

An increasing percentage of that identity fraud pertains to employment, Zimmer said.

“The report provides a particularly lucid and succinct explanation of the minimum standards for states’ issuance for identity verification: documentation, verification, image capture, renewals, one driver to one license, and training staff to recognize fraudulent identity documents. Human resource professionals would be wise to be cognizant that the same principles apply to confirming identity of employment applicants,” Zimmer said.

Brief Background on REAL ID

In 2005, after the National Commission on Terrorist Attacks Upon the United States recommended enhanced security for licenses, Congress passed the REAL ID Act, which sets minimum national standards for driver’s license security, including procedures for states to follow when verifying the identity of license applicants.

States have until January 2013 to comply with the act’s requirements. States are not required to comply, but if they decline, their licenses will not be accepted for official purposes as defined in the act, such as boarding commercial aircraft and entering federal buildings.

Under the REAL ID Act, DHS has primary responsibility for establishing how and when states may certify their compliance and determining whether states are compliant. DHS issued regulations in 2008 that provided details on how it would determine whether states were REAL ID-compliant.

As of July 2012, 17 states had enacted laws expressly opposing implementation or prohibiting the relevant state agencies from complying with the REAL ID Act.

States’ Vulnerabilities Highlighted

GAO investigators exploited states’ vulnerabilities to fraudulently obtain drivers’ licenses in the three states where attempts were made, according to the report. In each state, investigators obtained genuine licenses under fictitious identities: combinations of names, dates of birth and Social Security numbers (SSNs) that do not correspond to any real individuals. In two states, an investigator obtained two licenses under different identities. In each attempt, investigators visited local license issuance branches and submitted various counterfeit documents to establish their identities, depending on state requirements. In all cases, they submitted a counterfeit driver’s license and a counterfeit birth certificate, both purportedly from other states. In some cases, investigators also submitted other documents, including fake Social Security cards and pay stubs. In most of these five attempts across the three states, investigators were issued permanent or temporary licenses. In only one case did a front-counter clerk appear to question the validity of one of the counterfeit documents, but this clerk did not stop the issuance process, the GAO reported. “All three states check the validity of applicants’ personal data, including SSNs, through the [Social Security Online Verification] system, but assuming the checks were performed, they were not sufficient to detect these fraud attempts because the SSNs were valid,” GAO said. “We used SSNs that are valid, in the sense that they exist in the Social Security Administration’s database, but that do not correspond to any real individual,” the agency reported. 

These successful fraud attempts demonstrate several vulnerabilities in states’ defenses against license fraud. First, the fact that investigators were able to use counterfeit out-of-state licenses in each attempt confirms states’ inability to consistently check if applicants’ identities are already associated with licenses in other states. The second vulnerability relates to birth certificates. The GAO was likely able to use counterfeit birth certificates containing fictitious information, because no state licensing agencies are verifying birth certificate data through the Electronic Verification of Vital Events (EVVE) system, designed to verify the accuracy of data on birth certificates including name, date of birth, and either the date the certificate was filed or the file number, the report stated. Finally, according to the GAO, the fact that some states are still not using facial recognition or other biometric techniques to detect identity theft is another vulnerability that needs to be addressed. “The fact that the states where our staff applied for multiple licenses are among the nine states that do not use facial recognition technology or other biometric techniques most likely made it easier in these states for our staff to obtain two licenses under two different identities.”

Challenges Include Cross-State Fraud, Phony Birth Certificates

State officials acknowledged they lack the ability to consistently determine if the identity presented by a license applicant is associated with a license-holder in another state already. Some existing verification systems may accomplish this goal in limited circumstances, but do not fully address the gap, GAO said.

If the state-to-state verification system proposed under REAL ID was in place, then the states where investigators applied might have discovered that the out-of-state licenses submitted were fakes and did not actually exist, the report noted. “This system would verify the validity of licenses submitted from other states as well as check if applicants have licenses from other states that they have not divulged.”

States are trying to develop additional mechanisms for addressing cross-state license fraud, but none is fully operational yet. Officials in a number of states said there would be challenges to implementing such a system, primarily related to cost and ensuring the security of personal data, according to GAO’s findings.

Cross-state facial recognition, in which states run checks against neighboring states’ photo databases, could be a helpful tool. State officials cited obstacles, however, including the much larger number of potential matches that staff would have to examine, the technological incompatibility of different states’ facial recognition programs, and privacy concerns.

Even with the progress reported in preventing the use of certain types of counterfeit documents, the use of forged or improperly obtained birth certificates remains a challenge that leaves states vulnerable to license fraud, the report found. Officials in about half the states the GAO interviewed said it can be challenging to detect counterfeit birth certificates. Officials in several states said that the wide variety of formats in which birth certificates are issued across the country makes detecting counterfeits difficult. According to the National Association for Public Health Statistics and Information Systems (NAPHSIS), the agency in charge of the country’s vital records, there are thousands of different versions of birth certificates because formats have varied over time and among issuing agencies.

Besides forging birth certificates, criminals may obtain someone else’s genuine birth certificate improperly. For example, criminals may steal or purchase the documents and use them as part of packages of identity documents to obtain licenses fraudulently, according to the report. In other cases, criminals may be able to obtain another person’s birth certificate from a vital records agency directly. According to NAPHSIS, 15 states have virtually no restrictions on who may obtain a birth certificate from a vital records agency.

DHS Lacking in Leadership on REAL ID

The GAO specifically faulted DHS, which it said has failed to tell states how to carry out key parts of REAL ID. Despite the approaching January 2013 deadline for compliance, “DHS has not provided timely, comprehensive or proactive guidance on how states seeking REAL ID compliance could meet the identity verification requirements,” GAO stated.

For example, DHS did not issue written guidance on how to meet specific REAL ID Act identity verification requirements for over four years after it issued its final regulations in 2008. Officials in most of the states interviewed expressed a need for additional guidance on how they could meet the identity verification requirements of the REAL ID Act and DHS regulations, according to the report. This lack of guidance makes some state officials uncertain about their compliance and reticent to invest resources in particular steps lest they discover later that their state was found noncompliant.

In its official response, DHS rejected the report’s recommendations, stating that interim strategies for addressing cross-state identification and birth certificate fraud are not needed. The agency said it has informed states that existing systems and procedures may address these issues and meet regulatory requirements, and has provided grant funds to help states develop their own new solutions.

Former President George W. Bush’s homeland security department championed the REAL ID program, but under President Barack Obama’s administration, the department has been less supportive of the law, and DHS Secretary Janet Napolitano has talked about repealing the law. As governor of Arizona, she signed a law forbidding the state from complying with REAL ID.

Roy Maurer is an online editor/manager for SHRM.

Quick Links:

SHRM Online Safety & Security page


Keep up with the latest Safety & Security HR news.

Copyright Image Permissions