The Pakistani province of Punjab is trying to clamp down on fraud within its new biometrically-secured vehicle exchange system. The Department of Excise and Taxation implemented the new regulations in January to require biometric identity verification for both the buyer and the seller whenever a vehicle changes hands.
Unfortunately, the province has already been hit with a wave of biometric forgeries from people looking to use fake fingerprint data to complete fraudulent vehicle sales. The problem does not appear to stem from the fingerprint technology itself so much as from a security gap on the backend that makes the system vulnerable to human interference.
More specifically, it appears that government officials in the Excise Department are charging anywhere from 10,000 to 20,000 rupees to either change or verify the fingerprint data ahead of a sale. The officials who are changing the data are taking advantage of the ‘correction’ utility in the Department’s biometric software, which is ostensibly there to make sure that the department can fix genuine mistakes. However, the officials involved in the scheme are instead using it to temporarily replace the identity data for a real sale with false data submitted by a fraudster.
The officials who are verifying false data, on the other hand, are simply sending out fake authority letters that explain why a seller’s biometric information is missing from the system. For the most part, that means that the Department is telling victims that the seller is overseas.
In both cases, the goal seems to be to provide cover for people performing fake vehicle sales. When the buyer checks to see whether or not the person selling a vehicle is legitimate, the system will show that the fingerprint data is real (if the corrupt official has changed the data), or a government official will sign off on any data that is missing (if they are sending a fake letter). Either way, the action creates enough trust to convince a buyer to move forward with the sale, and pay cash up front for a vehicle that they will never receive.
The officials who change seller data are switching the record back to the original to cover their tracks once the fake sale is complete. The Department is now auditing 314 irregular cases in which forgery may have been used to carry out a sale, and taking other precautions to prevent fraud in the interim. Most notably, the Department is trying to ban cash vehicle sales, and wants to issue unique ID numbers for each sale that buyers will need to submit to complete a transaction online or at a bank. The government also plans to restrict authority letters and card corrections to people in the capital city of Lahore. People who want to complete a sale while overseas will need to be verified through a video chat.
The new policy would cover an initial two-month period, though it is still waiting for approval from the Chief Minister. A more robust backend would presumably help the Department address its problem, since it would allow auditors to figure out who had access to the system when data was being changed. Even so, the scheme will further diminish trust in Pakistan’s biometric capabilities after a 2021 report that suggested that fraudsters were creating fake prints to obtain illegal SIM cards.
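The kind of audit described above can be illustrated with a short detection routine. This is an added example, not code from the Department or the original article: it scans a hypothetical append-only log of correction and sale events for records whose biometric data was changed, used to verify a sale, and then switched back. The event layout, record IDs, official names, hash labels and the seven-day window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed layout, not a real export):
# (timestamp, vehicle record, official, action, old template hash, new template hash)
EVENTS = [
    ("2022-03-01T10:00", "VEH-001", "clerk_17", "correction", "h_owner", "h_other"),
    ("2022-03-01T15:00", "VEH-001", "clerk_04", "sale_verified", None, None),
    ("2022-03-02T09:00", "VEH-001", "clerk_17", "correction", "h_other", "h_owner"),
    ("2022-03-03T11:00", "VEH-002", "clerk_09", "correction", "h_typo", "h_fixed"),
    ("2022-03-05T12:00", "VEH-002", "clerk_04", "sale_verified", None, None),
    ("2022-03-06T10:00", "VEH-003", "clerk_09", "correction", "h_a", "h_b"),
    ("2022-03-06T10:20", "VEH-003", "clerk_09", "correction", "h_b", "h_a"),
]

def find_swap_and_revert(events, window=timedelta(days=7)):
    """Flag records whose biometric data was changed, used in a sale, then restored."""
    by_record = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev[0]):  # ISO timestamps sort chronologically
        by_record[ev[1]].append(ev)
    findings = []
    for record, evs in by_record.items():
        pending = None  # most recent correction that has not been reverted yet
        for ts, _, actor, action, old, new in evs:
            when = datetime.fromisoformat(ts)
            if action == "sale_verified" and pending:
                pending["sales"] += 1  # a sale relied on the altered data
            elif action == "correction":
                reverted = (pending and new == pending["old"] and old == pending["new"]
                            and when - pending["when"] <= window)
                if reverted and pending["sales"]:
                    findings.append({"record": record, "changed_by": pending["actor"],
                                     "reverted_by": actor, "sales_in_gap": pending["sales"],
                                     "gap": when - pending["when"]})
                    pending = None
                else:
                    # Genuine fix, or an undo with no sale in between: track it, do not flag
                    pending = {"when": when, "actor": actor, "old": old, "new": new, "sales": 0}
    return findings

if __name__ == "__main__":
    for finding in find_swap_and_revert(EVENTS):
        print(finding)
```

Only the first constructed record is flagged; a correction that is never reverted and an undo with no sale in between are left alone.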
Source: The Express Tribune
April 25, 2022 – by Eric Weiss