Forged Credentials and Security

In Beyond Fear, I wrote about the difficulty of verifying credentials. Here’s a real story about that very problem:

When Frank Coco pulled over a 24-year-old carpenter for driving erratically on Interstate 55, Coco was furious. Coco was driving his white Chevy Caprice with flashing lights and had to race in front of the young man and slam on his brakes to force him to stop. Coco flashed his badge and shouted at the driver, Joe Lilja: “I’m a cop and when I tell you to pull over, you pull over, you motherf—–!” Coco punched Lilja in the face and tried to drag him out of his car. But Lilja wasn’t resisting arrest. He wasn’t even sure what he’d done wrong. “I thought, ‘Oh my God, I can’t believe he’s hitting me,’ ” Lilja recalled. It was only after Lilja sped off to escape — leading Coco on a tire-squealing, 90-mph chase through the southwest suburbs — that Lilja learned the truth. Coco wasn’t a cop at all. He was a criminal.

There’s no obvious way to solve this. This is some of what I wrote in Beyond Fear:

Authentication systems suffer when they are rarely used and when people aren’t trained to use them. […] Imagine you’re on an airplane, and Man A starts attacking a flight attendant. Man B jumps out of his seat, announces that he’s a sky marshal, and that he’s taking control of the flight and the attacker. (Presumably, the rest of the plane has subdued Man A by now.) Man C then stands up and says: “Don’t believe Man B. He’s not a sky marshal. He’s one of Man A’s cohorts. I’m really the sky marshal.” What do you do? You could ask Man B for his sky marshal identification card, but how do you know what an authentic one looks like? If sky marshals travel completely incognito, perhaps neither the pilots nor the flight attendants know what a sky marshal identification card looks like. It doesn’t matter if the identification card is hard to forge if person authenticating the credential doesn’t have any idea what a real card looks like. […] Many authentication systems are even more informal. When someone knocks on your door wearing an electric company uniform, you assume she’s there to read the meter. Similarly with deliverymen, service workers, and parking lot attendants. When I return my rental car, I don’t think twice about giving the keys to someone wearing the correct color uniform. And how often do people inspect a police officer’s badge? The potential for intimidation makes this security system even less effective.

Posted on January 13, 2006 at 7:00 AM • 73 Comments