God... "CBP said most of the fake IDs were for college-age students. Many had the same photo but different names. But one alarming discovery was that the barcode on the fake Michigan licenses actually worked, CBP said."
Yes, I've been telling everyone who'll hear this. The PDF417 bar code at the back is just plain text without any kind of digital signature. Anyone could generate a new one. There are apps that do it for you. Since there's no digital signature, there's no way of verifying that it is authentic. There's nothing ALARMING about this. The bar code is an open standard and anyone can generate a new one. It would be alarming if they faked the digital signature.
You can't have digital signatures without all of the attendant PKI baggage. And if you're going to implement all of the PKI baggage, might as well go all the way and start issuing people smart cards.
It doesn't need to be full PKI. Just link to some internal website run by the State that spits out DB info about how "Joe's license, numbered 01010101, is valid". Georgia already does this for temporary license plates (Pardon the TLS 1.1): https://www.gada.com/index.php?module=FileShare&func=downloa...
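The lookup approach suggested in the comment above, as an added example (not code from the thread or from any state system): a scanner treats the barcode text as an unauthenticated claim and compares it with the issuer's record. The in-memory `ISSUER_RECORDS` table, the simplified one-field-per-line payload and all sample values are constructed assumptions; the three-letter element IDs follow the AAMVA card standard.

```python
from datetime import date, datetime

# Constructed stand-in for the issuing state's database (hypothetical; a real
# scanner would query the issuer's service over an authenticated channel).
ISSUER_RECORDS = {
    ("MI", "S000000000001"): {"DCS": "SAMPLE", "DAC": "JOE",
                              "DBB": "01011990", "DBA": "01012030"},
}
# DCS family name, DAC first name, DBB birth date, DBA expiry (MMDDCCYY)
CHECKED_FIELDS = ("DCS", "DAC", "DBB", "DBA")

def parse_payload(text):
    """Split the simplified payload into {element_id: value}."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 3 and line[:3].isalpha() and line[:3].isupper():
            fields[line[:3]] = line[3:]
    return fields

def verify_against_issuer(text, today=None, records=ISSUER_RECORDS):
    """Return (ok, reason). A well-formed payload alone proves nothing."""
    today = today or date.today()
    f = parse_payload(text)
    # DAJ = issuing jurisdiction, DAQ = license number: the lookup key
    missing = [k for k in ("DAJ", "DAQ", *CHECKED_FIELDS) if k not in f]
    if missing:
        return False, "malformed: missing " + ",".join(missing)
    record = records.get((f["DAJ"], f["DAQ"]))
    if record is None:
        return False, "unknown license number"
    for k in CHECKED_FIELDS:
        if f[k] != record[k]:
            return False, "mismatch on " + k
    # Trust the issuer's expiry date, never the one printed in the barcode.
    if today > datetime.strptime(record["DBA"], "%m%d%Y").date():
        return False, "record expired"
    return True, "matches issuer record"

# Constructed sample payloads: all three decode cleanly as barcode text.
GENUINE = "DAJMI\nDAQS000000000001\nDCSSAMPLE\nDACJOE\nDBB01011990\nDBA01012030\n"
ALTERED = GENUINE.replace("DACJOE", "DACJIM")                 # name changed
INVENTED = GENUINE.replace("S000000000001", "S000000000999")  # number not issued

if __name__ == "__main__":
    for name, payload in (("genuine", GENUINE), ("altered", ALTERED), ("invented", INVENTED)):
        print(name, verify_against_issuer(payload, today=date(2025, 1, 1)))
```

All three payloads scan equally well; only the comparison with the issuer's record separates them.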