
How to build a fake identity


The hope of the sixties has just ended, and you've decided to go underground to stick it to the man. You and your LSD-fried buddies are on a mission to bring down the government, which means that you are going to need to hide out from the authorities while you build up your revolutionary movement.

You'll need a safe house, bell-bottom jeans, a lot of beads, and new identities. The new identities will allow you to resurface in other cities and live semi-normal lives while the revolution gathers steam. Without them, you'd be in trouble if you got pulled over for so much as a traffic ticket. You'd either have to say you don't have ID, which could result in a lot of dangerous questions, or you'd have to give yourself up and reveal your true identity.

With a new identity, you can just accept the traffic ticket and be on your way. All it takes is three simple steps:

Step 1: Take a stroll through a graveyard

It's a little morbid, but the process starts with a visit to the graveyard. You're looking for gravestones of people who were born in roughly the same year as you, but who died tragically young. Once you find a grave of someone in the appropriate age range, write down their name. Let's say it's John Doe.

Step 2: Head down to the local records office

With the name in hand, head on down to the local records office and ask the clerk for your—John Doe's—birth certificate. It's the seventies, so the odds are that no one will ask any questions.

In a worst case scenario where the clerk gets suspicious, all you have to do is make up some excuse about having left something in your car. You could easily be out of the building and back to the safe house before the clerk manages to rustle up the authorities.

Assuming everything goes smoothly, you'll be issued the birth certificate and you can skip out of the building with the first piece of your new identity.

Step 3: Build your identity

A birth certificate is a good start, but you need more than just a birth certificate to participate in society. You might want a driver's license, a passport, credit cards, a social security number, and other kinds of IDs.

With your birth certificate in hand, you can now go to the relevant offices and use it as a foundation to acquire these other documents. With just a few weeks and a bunch of waiting in government offices, you'll have a brand new identity.

Now that you have a brand new identity, if the cops pull you over for speeding, they'll check your ID, issue you a ticket, and send you on your way.

Congratulations, you've managed to build a cover identity. Now you can focus all of your energy on bringing about the revolution.

Breaking the registration system

Why are we telling you all of this? No, we haven't gone insane, nor have we succumbed to the same excesses that doomed the sixties.

If you zoom out a little, what we're really talking about is an identity and access management (IAM) system, and how it could be circumvented. The three aspects of IAM that get the most attention are identification, authentication and authorization.

However, we're discussing the often-overlooked first step, registration, which is also known as enrollment or onboarding. You can't identify, authenticate or authorize a user until they have been registered into your system, so the first aspect of an IAM that can be circumvented is registration.

Why do we need birth certificates and other identification?

Think of birth certificate issuance and obtaining other IDs as the registration process for participating in civilized life. We have all of these identifying documents and procedures surrounding them in an attempt to hamper bad actors. Issuing and verifying IDs gives us at least some protection from fraud and other crimes.

As an example, requiring ID helps to protect banks when they hand out loans. A person can't just walk in, give a fake name and then walk out with $100,000. They need to hand over ID, which puts at least some barrier in front of bad actors and helps to limit the prevalence of these types of crimes.

Are our registration systems secure?

Since the hippies were able to create new identities and circumvent the registration system with relative ease, it clearly wasn't perfect. This security lapse allowed them to live underground and evade the authorities for years.

Most countries have presumably tightened up security around birth certificate issuance, so the tactics outlined above probably don't work anymore. But no system is foolproof. Could you figure out a way to circumvent your jurisdiction's registration process?

Now, let's bring the question back to our professional lives. Take a look at your organization. Are there any holes in your company's onboarding process?

With your inside knowledge, can you figure out a way that it could be circumvented to enroll someone who shouldn't be enrolled?

Is HR reviewing the government ID of employees thoroughly? Are they calling references? Are they running background checks? If biometrics are taken, are the procedures followed properly?

Is the new hire's personal data being stored securely? Do your systems force new hires to establish secure passwords? Are new hires only being given the privileges and authorizations they need to complete their role, and nothing more?

There are a lot of different ways that registration can go wrong, so we need to make sure that our systems are planned carefully.
