High-Security ID Cards

Our Consideration Forumla for High-Security ID Cards

For anyone involved in the production of high-security identification cards, driver’s licenses, national ID cards, passports, etc, the risks of an ID card program are constant concerns. Will the document look good and hold up long-term? Can it be made affordable? Can the document be easily verified, yet resist deliberate criminal attacks? There’s a qualifying method that can help with the consideration and evaluation when designing a secure ID card system: The QDSC formula.

Quality, Security, Durability, and Cost (QSDC) are the cornerstones of any successful ID card program. These criteria have different pros and cons, and the relative value of each must be considered. This article defines critical elements of ID card programs, identifies challenges, and provides the knowledge needed to overcome obstacles with proven best practices to minimize the risk to any ID card program.

Quality

A high-quality ID card should look and feel like one; it’s consistent in appearance and closely matches all other cards issued in the same program. Security features like chips, optically readable characters (OCR), and barcodes, should be easy to authenticate, and the laminate will be clear.

Security

The security of an ID card measures how resistant it is to attacks. An attack is an attempt to produce a counterfeit or attempt to tamper with or alter the card data. Security depends upon how difficult it is to attack successfully and the levels of verification involved.

Durability

The durability of an ID card is determined by its resistance to wear and tear. A card will be exposed to a variety of hazards: overuse, temperature, humidity, potential attacks, or deliberate misuse. A durable ID card should survive the required validity period without major visual change or performance compromisation.

Cost

The cost of an ID document refers to the cost of making it. This includes fixed and variable costs associated with registration, manufacturing, personalization, printing, distribution, shipping, and the many administrative functions required to manage and secure these functions.

The Challenges

A functioning ID must be able to resist threats to survive in the real world. This can be achieved by careful design with QSDC in mind. Materials, components, features, hardware, photo ID software, processes, procedures, and training, all play a part in delivering an ID card that successfully meets the performance requirements. It is important to appreciate that QSDC is not simply just linked together, they are entwined; any change of one criterion will affect the others. 

Quality – Assurance in Consistency

A high-security ID card is usually a national or even international document. Its quality reflects the quality of the issuing authority, however, the quality of an ID card is also linked to its performance, security, and durability.

1. Poor quality creates differences between documents, making simulation easier and verification harder.

The essence of security ID card printing is the mass production of identical documents. Quality, or more specifically in this case consistency, must persist throughout the entire process of ID card production. Be they banknotes, passports, ID cards, or tickets to a major football game, the genuine articles must all look the same so that counterfeits, with their minor imperfections, can be identified. A person who inspects an ID card document is, in effect, attempting to spot the difference.

2. Unreadable features such as magnetic stripes, chips, or OCR, make documents vulnerable.

While adding new layers of security, some features can be expensive and there is often pressure to deliver an ID card printing solution at the lowest possible cost, or cut features out completely. If elements like biometrics fail, they can jeopardize security without enough physical security features to back them up. Criminals have purposefully damaged chips so the biometrics become unreadable. If the chip is the only security feature associated with the ID card, it causes the examiner to make a judgment call rather than a more informed decision based on authenticity.

3. Low-quality components or equipment could reduce durability performance.

Lower quality may very well be a consequence of cost-cutting; not all vendors offer the same quality of substrates, inks, overlays, holograms, etc. The result may be an ID badge that looks fresh and new but quickly starts to fail expectations. Achieving the necessary quality requires several factors, including design, QC processes, calibration, and maintenance. Material components and system hardware should not be selected independently of each other. When the materials and ID card system has been tested together, the quality of the issued ID badge is at the highest optimized output.

If non-machine-readable defenses like overlays are hazy, polycarbonate does not engrave cleanly, or if Optically Variable Devices (OVDs) such as ID card holograms are blurred and ill-defined, then there will be verification doubts.

Security – Layered Defenses

Layered security and the use of multiple security features (overt, covert, and forensic) is a fundamental principle that needs to be carefully considered when designing an ID card program.

1. Levels of Security Features

Criminals attack high-security ID cards in many ways, usually simulation, replication, or alteration. The role of security features is to alert an examiner upon inspection that an attack might have taken place, and then provide sufficient evidence to confirm the suspicion.

Because attacks are many and various, no single security feature is capable of defending against them all. Instead, a combined network of security features should be incorporated into every ID card.

There are three categories of security features. Most inspectors ask for at least two strong Level 1 features in ID card documents to deter counterfeiting.

Level 1 Overt – The easiest to identify without a device

• A visible “public recognition feature”
• Little or no training and no device required
• Hologram, OVI, MLI/CLI, paper watermark, etc.

Level 2 Covert – Harder to identify, may need a device

• Hidden features
• Requires some training and a simple device to validate
• UV-fluorescent, micro-text, etc.

Level 3 Forensic – Requires knowledge and a device to verify

• Deeply hidden features
• Requires specialist knowledge and equipment to validate
• Various proprietary taggants, etc.

The Strongest Security Features Succeed in:

• Encouraging inspection using something interesting to look at and look for
• Allow quick, confident decisions on authenticity
• Are unambiguous and intuitive
• Utilizing the variable biodata
• Effectively deterring simulation using commercial materials/equipment
• Being tamper-evident

It is important to remember that criminals will use low-tech methods and materials to copy features or effects made using complex, high-tech, and expensive processes. For example, the counterfeiting of a security hologram might be lifted from a different card instead, as long as the colors and effects are similar. Or, using black digital printing instead of properly laser engraving a card. 

2. Security at Time Of Personalization.

Ideally, security features should be designed to occur throughout the various layers of high-security ID cards. Materials like watermarked paper or custom holographic laminates are difficult to counterfeit but can be stolen. Arranging security features throughout the document makes it that much harder for criminals to recreate an entire card if they were only to get one component. This is particularly true for features created during ID card printing personalization.

Personalization data, restricted materials, unique engineering, and process secrets can all combine to make counterfeiting significantly more difficult and help defend against data alteration. Certain ID card printing technologies enhance tamper-resistance by penetrating the ID card substrate: inkjet permeating into passport paper and laser engraving of suitable polymers are examples of personalized data being held beyond the surface.

3. Beware the “Silver Bullet”.

Although there are many reported cases of hacking electronic ID chips, the majority of these stories turn out to be media hype. The reality is that chips are highly resistant to duplication or data alteration when the necessary layers of defense have been implemented. 

There’s been excellent work done by ICAO, Smart Card Alliance Association, and others to ensure that the development of electronic security remains steps ahead of the criminal. However, the chip should not be treated as a “silver bullet”. Chips and card readers sometimes break, are unavailable, or are deliberately disabled.

In the case of a malfunctioning chip, it is the traditional physical security features of high-security ID cards that will be scrutinized. If the budget for these features is cut in exchange for the smart chip, an opportunity is opened up for criminals; this is why no single security feature can provide a total defense. The dangers of relying on a single feature are clearly illustrated when considering the strengths and weaknesses of the smart card chip. 

4. Design and Training.

A security feature being incorporated in one of the various layers of a blank ID card (substrate, ID card printing, personalization, laminate, chip, etc.) needs to be designed with full consideration of the likely threats and other defenses.

A feature designed in isolation may be incompatible with other features; its effect can be compromised or be a duplicate form of defense. The optical effects from laminates may be reduced by underlying print design, or optically variable ink may duplicate the anti-scanner properties of a holographic device. Ultimately, this creates a less-than-ideal return on investment.

Consider a successful sports team, playing as a team rather than a group of individuals: creating cohesiveness and more thorough overall effectiveness. It may be a challenge, but coordinating several different ID card designers, (potentially from multiple vendors’ studios), helps ensure that team approach. A training and awareness program is also essential. The best security features in the world are worthless if the examiner can’t verify them.

Durability  – In the Real World

What is the normal use of high-security ID cards? A passport may be used to travel across borders or open a bank account, this is expected, but it may also travel through a washing machine, or fall in a puddle. There is no single type of ‘normal use’ for an ID card. Carried in a pocket with keys and coins, inserted daily into a swipe ID card reader, worn in bright sunshine every field day, or kept in a drawer at home and rarely taken out, are all viable realities. 

1. Lab Insight and Real World Experience.

High-security ID cards must be designed to resist all reasonably potential environments they may encounter.  Laboratory testing of particular materials, construction methods, and personalization technologies and specific performances such as flex, bend, delamination, abrasion, solvent attack, lightfastness, humidity, etc. Doing so ensures meeting durability standards, which continue to evolve. 

The real world is more complicated than a lab test, so it is important to remember that the results of lab tests may provide critical insights, but it is ultimately up to each issuer to set pass/fail criteria for these tests.

The release of the ISO 24789- Card Service Life standards enables governments to specify an application profile that fits their unique situation. Developing these unique profiles guarantees tests will meet customer durability requirements; something past test standards have been inflexible about.

2. The Value of Built-in Weaknesses.

Part of the durability challenge is needing to reveal if attack attempts have been made to alter the document. This means needing built-in weaknesses, like ID card overlaminates must be tough to survive long-term, yet delicate enough to break if separated.

Passports, for example, have low-peel strength and micro-perforations within the laminate or visa sticker, creating a challenge to remove without damaging what’s beneath. Chemical detectors of tiny dye particles within the paper are designed to bleed when introduced to solvents. These features must remain dormant during the rigors of “normal use,” and only activate when attacked.

Cost – Maximizing the Budget

1. The Long-term Cost.

In an ideal world, quality, security, and durability would be maximized and implemented without consideration for cost: in reality, budgets are limited. Yet, using poorly thought-out ID card systems, or low-quality components such as substrates, inks, and chips, may cause mass fraud that requires expensive re-design, shorten the overall card life, or need a whole new ID card printing issuance program.

It may cost even more money in the end than if things were done right in the first place.

2. Cost-effecting from Experience.

The most important factor for working in-budget is to learn from other people’s mistakes. Tried and tested best practices will help minimize the chance of unexpected overspending and ensures compliance with local, regional, and international standards and practices.

While all projects are unique, frameworks and tools exist to add confidence to the decision-making process and ease the implementation process. Careful consideration allows you to handle key topics like issuance organization structure, project management, end-user concerns, supply chain optimization, and even specific technology recommendations much earlier.

In Summary,

QSDC is a formula to keep in mind when crafting a successful ID card printing program; each part is clearly affected by one another. When selecting a solution for high-security ID cards, it is essential to understand the trade-offs presented in the QSDC framework to help reduce the risks associated with issuing secure identity card documents. The most successful ID card programs utilize best practices and a broad portfolio of integrated, cohesive solutions (hardware, software, supplies, and service) that enable organizations to balance their unique secure ID card program.

Contact us to learn more about our consultative approach to working with government entities or SDVOSB contractors who have prime contracts for security solutions that match our areas of expertise.