In Brazil it is possible to interact with virtually any e-gov system through the use of digital certificates issued by a government controlled Public-Key Infrastructure (ICP-Brasil). Holding an ICP-Brasil digital certificate, lawyers are able to access the court system in Brazil to send injunctions electronically; doctors can electronically sign prescriptions and validate complex exams through tele-medicine systems; companies are able to issue invoices that are digitally signed by the revenue system, allowing for citizens to check on spot if taxes were duly collected, as well as export goods, transport good between state borders and do all the required bookkeeping electronically; ordinary citizens can over the Internet start a company, open bank accounts, fill their taxes forms, book medical appointments, check their social care status and apply for social welfare among other things.
ICP-Brasil is composed by more than 20 certification authorities that are in charge of correctly identify people and to issue a digital id token. Digital signatures produced with digital certificates are treated the same as regular paper ones by the Brazilian legal system. Due to heavy use in governmental, digital certificates are the perfect tool for crooks to impersonate people online, being the target for identity theft. Attacks have been in the news lately, being important to cite the impersonation of a judge for changing the reachability of a sentence, the impersonation of environmental clerks for authorising illegal logging and the impersonation of revenue and custom officials to avoid paying import duty. Although official figures from ICP-Brasil claim a 0,0002\% fraud in the over 3.5 million certificates issued a year, frauds are growing at exponential pace, and their detection is based only on procedural security. The main objective of this project is to mechanise the process of detecting fraud through the use of unsupervised anomaly detection techniques on the data used to issue digital certificates. We plan to use the data collected by ICP-Brasil for auditing and regulatory reasons to assess the likeability of a certificate being issued to the wrong person. By avoiding online impersonation we can assure safer service for people.
The process of issuing digital certificates for people is very different form the process of issuing digital certificates to websites or machinery. In the process of issuing a digital certificate toady in Brazil, the person is required to present in person to a representative office of the Certification Authority and show a series of documents that need to be properly checked so that their data is embedded in the digital certificate for use online later. These documents are valid Brazilian ID cards for citizens and resident foreigners, passports for non-residents, proof of residence, social security numbers, fingerprints and facial photo taken on spot. In Brazil there are more than 40 different types of valid id cards, being issued by states or by professional associations in some cases.
As fraud is a big concern due to the myriad of accepted documents and the reachability it can have in terms the diverse use crooks can have for the digital id token. Some precautions are taken by the market regulator and are imposed to clerks from the certification authority. The presented documents are manually checked for visual cues that would identify that as a possible fraud. These cues are mostly related to the sloppy adulteration of documents or inconsistencies between the different documents. Coupled to that there is a blacklist of known fraudsters that already attempted to get hold of a fraudulent digital certificate. The fraudsters are identified by their personal characteristics, such as apparent age, hair and eyes colour and other apparent features. If the clerk believes he could be facing a fraud attempt, he will inform the market regulator that will conduct a forensic analysis on the documents to assess whether the digital certificate should be issued or not.
The cost a digital certificate today is around 400 BRL per 3 years period and most of this cost is related to the data collection for issuance and its fraud validation. This price is high for Brazilian standards and represents 40% of a monthly minimum wage, what creates a social divide on who can have access the e-gov services available. The process of validating a person can take around 30 minutes and is what determines the actual cost of the digital certificate for the end user. In cases where fraud is detected it can take up to two days for the certificate to be issued and the cost must be absorbed by the certification authority and the individual that may have to show in person several times.
The aim of this project is to equip the applicants’ group with expertise in anomaly detection techniques so that an automated fraud detection system could be developed. This fraud detection system would make the ICP-Brasil system safer, quicker and cheaper. Thus, enabling lower income individuals to have access to digital certificates and respective e-gov systems. On more specific terms, we aim at training local researchers in data science techniques to apply them in computer security related problems.We also want to provide the co-applicant’s group with very accurate data collected from the PKI market regulator, which could be used to develop specific anomaly detection techniques. On broader terms the project aims at strengthening the Brazilian PKI’s security and agility, which will allow for a price drop in the cost of digital certificates and more access to people to secure e-gov systems.