Why a "genuine" passport is now a security risk

If a passport is issued by the government, has a valid hologram, and passes a UV light test, we naturally assume it is safe to trust.
For years, a "genuine" document was the ultimate proof of identity. But in our recent webinar, Compliance Leaders vs Fraudster, we learned why relying on the physical document is now a dangerous blind spot.
We were joined by Alex Wood, a man with a unique CV. For 25 years, Alex was a career criminal, committing everything from identity fraud to multi-million pound bank scams. Today, he has turned his life around. As a "poacher turned gamekeeper," he now works with the Home Office and police forces to help stop the very crimes he used to commit.
During the session, Alex introduced us to a concept that turns traditional verification on its head: the FOG document.
What is a FOG document?
FOG stands for Fraudulently Obtained Genuine.
Unlike a fake passport, which is a counterfeit document created by a criminal, a FOG passport is a real document issued by His Majesty's Passport Office. It has the correct watermarks, the correct paper quality, and it exists in the government database.
The problem is that the details belong to a vulnerable person, but the photo belongs to the fraudster.
In the webinar, Alex explained exactly how they obtain them.
"The easiest thing to obtain a passport is to go and speak to what we would call a ‘vulnerable person’ ... give them some cash and get them to take out a passport. It's a legitimate passport, it's in their name... but it's our photo."
Alex Wood
By exploiting vulnerable individuals (often addicts or the homeless), criminals can procure high-quality, government-issued ID that allows them to travel, open bank accounts, or instruct law firms under a stolen identity.
Why manual identity checks fail
The existence of these documents breaks the standard "checklist" approach to compliance.
If you are checking a FOG passport manually, or even using a basic digital scan, it will pass. The document isn't a forgery. If you check the name and address against the electoral roll, it will match.
As Alex noted, this method is "frighteningly easy" and creates a document that works at borders and banks alike. Because the fraudster has inserted their photo into the application process before the document was issued, the physical photo on the page looks like the person standing in front of you.
To the naked eye, everything looks perfect. To catch it, you need to look where the fraudster can't reach: the chip.
The solution is in the chip
While a fraudster can manipulate the application process to get a photo printed on the page, manipulating the encrypted data inside the passport chip is significantly harder.
This is where NFC (Near Field Communication) verification becomes essential.
When a passport is issued, the biometric data (including the true facial image) is cryptographically signed and stored on the RFID chip. By reading this chip directly using a smartphone, you can access the source data.
If the data on the chip has been tampered with, or if the "genuine" document was obtained using a method that doesn't align with the biometric signature, an NFC check will flag it. It provides a layer of cryptographic security that a visual check - whether in person, or over a video call - simply cannot match.
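The tamper check described above, as an added example that is not Thirdfort's code: under ICAO Doc 9303 the chip carries an issuer-signed list of hashes over its data groups, and the reader recomputes the hashes and verifies the signature. The toy RSA key, the hash-list encoding and all function names are assumptions made for illustration; real chips use a CMS-signed security object validated against the issuing state's certificate chain.

```python
import hashlib

# Constructed toy issuer key: textbook RSA over two Mersenne primes. It stands in
# for the issuing state's signing certificate and is not secure (assumption).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the issuer


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def encode_hashes(hashes: dict) -> bytes:
    # Hypothetical canonical encoding of the hash list that gets signed.
    return b"".join(f"DG{n}:".encode() + hashes[n] for n in sorted(hashes))


def issue_chip(data_groups: dict) -> dict:
    """Issuer side: hash every data group, then sign the list of hashes."""
    hashes = {n: hashlib.sha256(v).digest() for n, v in data_groups.items()}
    sig = pow(digest_int(encode_hashes(hashes)), D, N)
    return {"dgs": dict(data_groups), "sod": {"hashes": hashes, "sig": sig}}


def verify_chip(chip: dict) -> list:
    """Reader side: return the checks that failed (empty list = chip data intact)."""
    sod, failed = chip["sod"], []
    if pow(sod["sig"], E, N) != digest_int(encode_hashes(sod["hashes"])):
        failed.append("signature")
    for n, value in chip["dgs"].items():
        if sod["hashes"].get(n) != hashlib.sha256(value).digest():
            failed.append(f"DG{n}")
    return failed


def demo() -> dict:
    # Constructed sample data: DG1 = machine-readable zone, DG2 = face image bytes.
    dgs = {1: b"P<GBRSAMPLE<<HOLDER", 2: b"face-image-as-issued"}
    intact, swapped, rehashed = issue_chip(dgs), issue_chip(dgs), issue_chip(dgs)
    swapped["dgs"][2] = b"face-image-replaced"    # image altered after issuance
    rehashed["dgs"][2] = b"face-image-replaced"   # image altered and hash list patched
    rehashed["sod"]["hashes"][2] = hashlib.sha256(b"face-image-replaced").digest()
    return {"intact": verify_chip(intact), "swapped": verify_chip(swapped),
            "rehashed": verify_chip(rehashed)}


if __name__ == "__main__":
    print(demo())
```

Altering the stored image fails the hash comparison, and patching the hash list to match fails the signature check, because only the issuer holds the private exponent.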
Trust the data, not the paper
As fraud tactics evolve, our defences have to evolve with them. The FOG passport proves that a "real" document doesn't always mean a real client.
At Thirdfort, we use Enhanced NFC ID verification to read the encrypted chip data directly from the passport. It allows you to verify the document to border-control standards, ensuring that the person you are onboarding is exactly who they say they are. Don't just check the paper. Check the data.


