You may be surprised to learn some Canadian issuers of driver’s licenses, health cards and other tokens opt not to adhere to the proof of immigration status standards specified in the Canada Immigration Act and companion Regulations. It serves no purpose to speculate on why provinces to varying degrees fail to comply with the federal standard. About all that can be said is provinces are unnecessarily exposed to avoidable identity fraud risk and consequently your company is exposed to avoidable identity fraud risk if you accept these tokens as proof of identity.    

Some business sectors may choose to live with the inherent risks posed by drivers licenses and other tokens. This is hopefully not the case with critical infrastructures where a security compromise could lead to a catestrophic event. This post updates Canadian risk managers and security on what immigration officials consider as ”proof of status”. It hopefully positions risk managers and security to make the right identity fraud risk evaluation for their circumstance.

Gaining Entry to Canada

They are two immigration categories: permanent resident status and temporary resident status.

With regulated exceptions for visitors from a handful of countries, asylum seekers and temporary residents already in Canada, all other foreign nationals wanting to enter Canada must apply from outside the country. Personnel at Canadian embassies and consulates abroad screen the applicants and issue a visa once entry is approved by Immigration Canada.

Since June 2002 an adhesive backed, highly secure visa counterfoil is affixed to the applicant’s foreign travel document. This affirms to an immigration officer at a port-of-enter that the bearer is appropriately vetted. The visa counterfoil is replete with highly sophisticated, machine readable security features.

Documentation Requirements at a Port-of-Entry

The Immigration Officer at the port-of entry requires the following:

     For Permanent Residents:

Since June 2002 an immigration officer requires a foreign travel document and visa counterfoil, accompanied by a Confirmation of Permanent Residence (IMM5292) form, which provides additional administrative details. Prior to June 2002, the immigration officer required a foreign travel document and a Record of Landing (IMM1000). The Record of Landing doubled as the visa and included the essential administrative details not found on the current visa counterfoil.

The Confirmation of Permanent Residence (IMM5292) was never intended for use as stand-alone affirmation of permanent resident status. Its purpose is to provide the essential administrative details to an immigration officer at a port-of-entry. A copy is forwarded to the Immigration Department as part of the process for issuing a Permanent Resident Card. It is without security features and is easily duplicated by a high end photocopier or any number of desk top publishing software.

     For Temporary Residents:

Since June 2002, an immigration officer requires a foreign travel document and visa counterfoil, accompanied by Temporary Resident Permit (IMM1442). The IMM1442 has some security features, not at the level of the visa counterfoil. It identifies the type of temporary status (visitor, worker, student) and legal duration of the stay.

     A Minister’s Permit:  

A port-of-enter immigration officer may issue an Minister’s Permit to someone failing to have their paperwork in order, as long as the immigration officer is satisfied the person otherwise meets the requirements. The applicant must report to a specified place within a specified time frame to present the missing documentation. 

     Permanent Resident Card:

Beginning in June 2002, newly arriving permanent residents receive a Permanent Resident Card (PRC) within weeks of arrival. It is similar to the Green Card in the United States. More importantly for risk managers and security, the foreign travel document with the visa counterfoil and the Confirmation of  Permanent Residency (IMM5292) are not turned in to immigration officials when the Permanent Resident Card is delivered.  

The Confirmation of Permanent Residency is far too commonly accepted in some circles as proof of status. It is a valuable commodity in the wrong hands. Immigration officers know when the PRC has been mailed. They have enough training and experience to judge when the combination travel document/visa counterfoil and Confirmation of Permanent Residency form presents an unacceptable risk. They are aware its redundancy once the PRC is received.

The Final Word to Risk Managers and Security

Risk managers and security assessing the risks from relying on provincial tokens for identification should be aware of which provinces meet federal immigration proof of status standards and those which deviate from it. Additionally, until roughly twelve years ago permanent residents were not required to surrender the Record of Landing when issued a citizenship certificate: making the Record of Landing another valuable commondity in the wrong hands. 

The folly of less vigilant jurisdictions undermines the efforts of those striving to become more effective at countering identity fraud. Once a drivers licence is obtained from a less vigilant jurisdiction, it can be easily exchanged for a drivers license in a jurisdiction with higher standards of diligence. Organized criminals know this. Terrorists know this.

Finally, the security theater communicated from political and senior management levels in government about their security in issuing tokens doesn’t reconcile with the actual security effort. This further exacerbates the threats posed by identity fraud as unwitting identification handlers hold out higher security expectations than what the token actually delivers.  

Despite increased awareness to the threat of terror. Despite increased awareness to other transnational organized crime activity inside Canada. Despite government communication services pounding out consumer awareness communication on identity theft and identity fraud, more than one token issuer has actually increased risk exposure since June 2002 by accepting the even less secure Confirmation of Permanent Residence (IMM5292) without the companion travel document/visa counterfoil. From a risk managers perspective this is hard to rationalize, not to mention more than one province also accepts the Termporary Permit without the companion passport and visa counterfoil.

All said and done, it is up to individual businesses and organizations to know their identity fraud risks in today’s environment and to evaluate if the risk in accepting government issued tokens over proof of status documents is an acceptable risk for their circumstance.

The level of diligence required to counter identity fraud is not the same for all organizations. For some types of critical infrastructure any security breach has the potential to quickly escalate politically. Boards of Directors at nuclear power and water treatment plants to mention a couple are keen to maintain positive public perception about the effectiveness of their site security. Any one breach may result in an insignificant event, but on sites where the results of a successful identity fraud could have catastrophic consequences, the breach is serious.

Tight access control includes assuring identification is genuine, unaltered, in the right hands and the topic of this post: Not assuming all types of identification mean the same thing.

If you rely on identification to reduce your risks to terror, sabotage or other crime threats it is important to know what different categories of identification mean and how they play off  each other. Identification is issued in one of three categories:

1. government issued identification documents (ID) that affirm status
2. government issued travel documents affirming citizenship or other designation by the country of issue, and
3. tokens issued by government and the private sector affirming a privilege, or access to some benefit or service

Identification Documents (ID)

The ATRiM Group recommends reserving the use of Identification Document (ID) to a term describing identification affirming the issuer retains a record of someone’s status.

ID comes in three types:

• proof of citizenship status
• proof of permanent resident status
• proof of temporary resident status

Status by Right of Birth: Every baby born in the United States or Canada has the right to citizenship, whether or not the parents are citizens. Certified Certificates of Birth are issued at the state level (US) and in Canada by the provinces, where they are simply called Certificates of Birth. State/provincial records are generally based upon documentation submitted from county and municipal clerks who have reconciled forms prepared by parents with live records of birth prepared by an attending physician or nurse, as the case might be.  The State Department (US) and the Citizenship Department in Canada issue citizenship ID to children of citizens born outside the country.

Status by Privilege: Newly arriving permanent residents are issued a “green card” in the U.S. by the Department of Immigration. They may remain permanently in the United States subject to meeting the residency requirements. Since June of 2002 Canada issues a “Permanent Resident Card”. Prior to 2002, proof of permanent resident status in Canada includes a combination of paper Record of Landing (IMM1000) supported by a foreign passport or other authorized travel document containing a visa stamp.

Temporary Resident Permits: There are several classes of temporary permits. The most common are workers, students and visitor permits. Proof of temporary status includes the temporary permits and the accompanying foreign travel document with a visa counterfoil secured inside affirming the bearer as been appropriately vetted prior to enter. Governments issue documentation to refugees and asylum seekers. Most refugees apply from outside the destination country. Some show up at at ports-of-entry with little or no documentation. If satisfied the asylum seeker will meet the criteria, an Immigration Officer may allow entry on the condition the applicant reports for a hearing at a time/date/place specified.

Important: Most other categories of government issued identification are rooted in a proof of status ID.

Travel Documents

Travel documents, the most well known of which are passports, are issued by federal governments affirming that bearer’s citizenship in the country of issue. Stolen and quality forged passports are in high demand internationally. There are many documented cases of successful attempts to obtain a passport under a fabricated identity or through identity fraud.

There are other travel documents issued by federal governments and in some cases by agencies such as the United Nations and the Red Cross under exceptional circumstances; usually involving political refugees and internationally displaced persons without a homeland.

Tokens Affirming Access to Privileges Benefits or Services

A variety of other government issued tokens are issued on the strength of a proof of status ID.

• driver’s licenses, social security cards, medicaid cards, Registered Indian Status Cards, military identification to mention a few

Although tokens such as driver’s licenses are not proof of status ID, they are valuable to seasoned identification handlers with information gathering skills. A driver’s license points to a biographical record retained by the issuer that has been built up over time. Someone presenting a driver’s license should be able to recount details about the driver’s license history verifiable against the history retained by the issuer.

We will never know how many lives Diana Dean saved from correctly judging the problems in Ahmed Ressam’s story for entering the United States. The same might be said of U.S. Customs Inspector Jose Melendez-Perez, who was sensed something in Saudi Natiional Mohammed al Qahtani’s bearing and attitude when refusing entry to the U.S. at Orlando in August 2001. The 911 Commission later states Qahtani might be part of the hijack team recruited for the September 2001 terrorist attacks.

Over the last twenty years science explodes with new discoveries on human judgment and decision making. Educators of police, regulatory enforcement personnel, issuers of identification and others relying on identification are well advised to heed these discoveries.

Intuition

Intuition is a hot topic after the release of Malcolm Gladwell’s book, “Blink”. Gladwell’s gift; his ability to expose the average person to some heavy duty science on the relatively new science of unconscious information processing (rapid cognition) and in language understandable by most.

Gladwell scans the surface of science delving deeply into how the human brain perceives things. This study into intuition is at least as old as psychology itself, dating back to Gestalt psychology in the earlier 20th Century. Intuition is recently discussed in the same breath as chaos and complexity. It doesn’t replace conscious, rational thinking. Science determines both ways of processing are underway at the same time and are interconnected.

It is likely dead wrong, as some articles and consults say, to completely trust intuition: that “gut instinct”, that “6th sense”. Daniel Khaneman emphases this in, “Thinking, Fast and Slow”. Maybe Ronald Regan put it best in the middle of the arms reduction negotiations with the Soviet Union when he said, “Trust, but Verify”. In the context of this post: Have intuition, think about it!

Humans take in more information through the five senses than can be consciously processed. Science reveals information received from the eyes, ears and other sensory organs is first received by the thalamus: an organ positioned between the cerebral cortex and the midbrain. It relays sensory and motor signals in two directions.

One pathway is to the cerbral cortex: The image of of the brain we all picture and common to all mammals. This post is about a second pathway to a more primitive structure.

The Role of the Limbic System in Judgment

The second pathway is to the amygdala, two organs in the limbic system at the base of the brain. The amygdala determine what events are stored in long-term memory.

All animal brains have a limbic system, from reptiles on up the evolutionary chain to humans. It is referred to as the  “lizard brain” by some. The limbic system houses brain structures for emotions and motivation, especially those linked to survival. These emotions include fear, anger and feelings of pleasure such as eating and sex. The research into Emotional Intelligence (EI or SQ) strongly supports the role emotions play in shaping  judgments.

The hippocampus is another important organ in the limbic system and closely linked to the role of the amygdala. The hippocampus sends memories out to the appropriate parts of the cerebral hemispheres for long-term storage and retrieves them when necessary. It helps place visual information in context. It is important to know if the lion is in the cage at the zoo, or in your back yard.

It is important to survival that dangerous situations are recognized in less than a heartbeat, that is if we want to pass down our genes. Processing information from the senses occurs at far greater speed in the limbic system than we are aware of in the more rational part of the brain discussed in a later post.

Emotions-Laden Memory

Emotions-laden memories accumulate over time. Some are positive, others are negative. The intensity of emotions-laden experience varies: some experiences are more vivid than others because they are more fearful than others, more pleasing than others, more uncomfortable than others. In other words, these accumulated experiences are weighted, filed and are drawn upon in complex decision making. It might be said emotional memories assist in placing raw information in context.

We have lot of learning to do on what type of education and training strategies can apply this new science to improve human capacity to detect deception at the moment of transference, when a would-be offender is face to face with an identification handler presenting identification.

The news is filled with stories of corporate executives motivated by avaraice. At the least, some display a profound sense of entitlement. At the other end of the scale, employees find themselves working harder for less. Emotions run high as dreams get crushed and life styles diminish. Do these factors contribute to occupational fraud?  

In an article, “What the Bagel Man Saw” Stephen J. Dunbar and Steven D. Levitt offer new insight into human nature. From psychology and economics, Nobel Laureate Daniel Khaneman offers Prospect Theory as an alternative to rational choice and bounded rationality. Behaviour economist Dan Ariely introduces new insight on cheating.  Behavioral economists John Helliwell and Huang Hiafung publish and study on the striking large value of trust in the workplace.  Should this new science cause reflection on fraud deterrence theory?

Fraud Deterrence Theory

American penologist, sociologist and criminologist Donald R. Cressey applied rationalization, opportunity and pressure (motive) to a “fraud triangle”. Its roots are in rational choice theory with roots in classical economics. The fraud triangle is appplied by certified fraud examiners in the prevention and deterrence of occupational fraud. Fraud triangles are useful when applied properly. A Safe Growth blogger, Criminologist Greg Saville shares his views on crime triangles and where they fall short. Crime triangles aren’t designed to dig deeply into the causes of crime.

A Psychologists View of Rationalization

Swiss economist Bruno Frey wrote an article on the psychological assumptions behind classical economic theory. To this day, Daniel Khaneman recalls the first sentence of this article, which he read in the early 1970′s: “The agent of economic theory is rational, selfish, and his tastes do not change.” In micro economic modeling rationality, “wanting more rather than less of a good” is a widely held assumption on how humans behave as individuals. It appears in most economics textbooks on human decision-making.

Khaneman spent years with colleague Amos Tversky studying human judgment and decision making. He knows people are neither fully rational, nor completely selfish. He knows tastes are anything but stable. He knows people often have little idea about what they will like in the future.  Khaneman and Tversky modeled real-life choices rather than optimal decisions.

In 2003, a few years after Tversky died, Khaneman was a co-recipient of the Noble Prize in Economics for their work on “Prospect Theory”. This theory is one of the building blocks of behavioral economics. It is move beyond rational choice in accounting for human behavior.

A Behavioral Economist on Cheating and Revenge

Take for example Dan Ariely’s ted.com talk, “Our buggy Moral Code“.  He discusses his research on cheating, making the following observations:

• Most people cheat. However, most people cheat just a little
• When people are reminded about their morality, they cheat less
• The more distant from direct access to cash, the more likely people are to cheat
• When people see examples of cheating around them, cheating goes up

In other studies new science determines employees’ decisions are often emotions laden. In Upside of Rationality,  Ariely points to new science providing evidence when people feel treated unfairly or unjustly, they plan revenge. The mere planning of revenge excites the same parts of the brain as addictions: the striatum. Some conclude that planning revenge is innate, the threat of which contributed to cooperation in the early stages of human development. At times the emotions are so strong that the more rational center of the brain is unable to hold in check primitive urges to strike back. Maybe its  emotions run amuck that contributes to workplace sabotage, workplace violence and perhaps the motive for some forms of occupational fraud?

A Small Step Forward

There is a subtle difference between ”people making rational choices” and stating, “people rationalize their choices”.  Dorminey, Fleming, Kranacher and Riley consider environmental factors in fraud deterrence theory (Fraud Magazine: Sept/Oct 2011).  Human behavior biologists have stated for quite some time that environment is the most important factor in the shaping human behavior.

Perhaps the Association of Certified Fraud Examiners is moving towards a better understanding of what motivates and prevents occupational fraud. This is encouraging given its prevalence. We may all be better off  for it.   

Business is painfully aware of the impact of identity theft; personal identifiers and identification falling into the wrong  hands. It creates all kinds of problems.

Much is said and written about identity theft. Less is said and written about identity fraud: the art of using another party’s personal identifiers to electronically access accounts, to apply these personal identifiers to forged documents or to use stolen ID to deceive an identification handler.

Technology does a good job of detecting forged identification. I don’t know if we will ever resolve electronic attacks. It certainly isn’t helpful if a genuine document is issued to the wrong person by a government ID issuer.

Knowing the frequency with which personal identifiers fall into the wrong hands and the number of ID’s erroneously issued, business should no longer be surprised that obtaining legitimate or forged ID is not the true art in identity fraud. The true art is not arousing suspicion while presenting stolen or forged ID. It is simply too easy to pull the wool over the eyes of those depending on ID’s to establish if someone is who they say they are. The risk in committing identify fraud is low and detecting identity fraud takes training, experience and a lot of cognitive effort.

Anyone relying on identification must consider three questions:

1. Is the identification document genuine and unaltered?
2. If it is genuine, is this the person it was issued to? and
3. The most difficult, did the issuing agency get it right in the first place?

It makes sense to bring resources to bear on the deception. Deception is most readily identifiable at the moment of transference, when the would-be offender is face to face with a knowledgeable, experienced identification handler. The ID handler needs skills for gathering information and reporting their concerns in an environment that keeps them safe. They must learn to trust their instincts when they sense something about a person or their story isn’t making sense.

If we don’t figure out how to do this, we should not expect any appreciable reduction in identity theft and identity fraud for the foreseeable future.

Optical Character Recognition (ORC) technology has been around for a long time. OCR technology is used to scan handwritten, typewritten and printed text into machine-encoded text. It has advanced to other uses including screening travel documents and other forms of identification.

The International Civil Aviation Organization (ICAO) explored different approaches for machine readable travel documents as far back as 1969. In 1980, ICAO published the first edition of Document 9303: A Passport with Machine Readable Capability. The technology has evolved. Not only passports, but driver’s licences and other government issued ID with machine readable security features can be programmed and read by these readers. It significantly reduces the threat posed by forged (fake) identification documents.

No mess, no fuss, the ultimate solution to countering identity fraud. Right? Well, not quite.

What if the identification is issued to the wrong person? What happens if stolen identification is now in the wrong hands? From science we know humans are pretty good at recognizing people they have met previously, even years later. However, humans are not very good at associating a person in front of them with two dimensional photograph. This is an even bigger problem when the bearer of the identification is from a different race; unless we have been exposed to this race from very early in life.

OCR technology resolves problems with altered or forged (fake) ID, as long as they are machine readable. But don’t limit thinking to countering forged ID. OCR technology saves data processing time by populating data bases with information directly from the reader. It improves quality assurance by eliminating data transposition errors. This provides business with savings and efficiencies to focus counter-fraud efforts on deception.