printer friendly version

Forged credentials and security

Verifying credentials is a difficult task. Here is a real story about that very problem: (see full story at http://www.suntimes.com/output/news/cst-nws-fake08.html)

When Frank Coco pulled over a 24-year-old carpenter for driving erratically on Interstate 55, Coco was furious. Coco was driving his white Chevy Caprice with flashing lights and had to race in front of the young man and slam on his brakes to force him to stop.

Coco flashed his badge and shouted at the driver, Joe Lilja: "I am a cop and when I tell you to pull over, you pull over, you -----!"

Coco punched Lilja in the face and tried to drag him out of his car.

But Lilja was not resisting arrest. He was not even sure what he had done wrong.

It was only after Lilja sped off to escape - leading Coco on a tyre-squealing, 90-mph chase through the southwest suburbs - that Lilja learned the truth.

Coco was not a cop at all, he was a criminal.

There is no obvious way to solve this. This is some of what I wrote in Beyond Fear:

Authentication systems suffer when they are rarely used and when people are not trained to use them.

Imagine you are on an aeroplane, and Man A starts attacking a flight attendant. Man B jumps out of his seat, announces that he is a sky marshal, and that he is taking control of the flight and the attacker. (Presumably, the rest of the plane has subdued Man A by now.) Man C then stands up and says: "Do not believe Man B. He is not a sky marshal. He is one of Man A's cohorts. I am really the sky marshal."

What do you do? You could ask Man B for his sky marshal identification card, but how do you know what an authentic one looks like? If sky marshals travel completely incognito, perhaps neither the pilots nor the flight attendants know what a sky marshal identification card looks like. It does not matter if the identification card is hard to forge if the person authenticating the credential does not have any idea what a real card looks like.

Many authentication systems are even more informal. When someone knocks on your door wearing an electric company uniform, you assume she is there to read the meter. Similarly with deliverymen, service workers, and parking lot attendants. When I return my rental car, I do not think twice about giving the keys to someone wearing the correct colour uniform. And how often do people inspect a police officer's badge? The potential for intimidation makes this security system even less effective.

Share this article:

Further reading: