How fake ID with monkey photo pass the SIM registration process

Automated systems from Globe, Smart, and DITO were shown to be easily fooled in a revealing experiment by the NBI Cybercrime Division, raising questions about the efficacy of SIM registration law


At a glance

  • The National Bureau of Investigation (NBI) Cybercrime Division successfully registered new SIM cards using fake IDs featuring a smiling monkey's face, exposing vulnerabilities in automated verification systems used by telecom companies Globe, Smart, and DITO.

  • The current automated systems check for compliance based on specific criteria like file size, image format, and OCR-readable text but do not apply a layer of "common sense" in the verification process, making them susceptible to fraud.

  • Theoretically, a fake ID that meets all the automated system's guidelines—including having a matching "selfie" with the same monkey photo—can pass as valid, highlighting a crucial weakness in solely relying on algorithms for verification.

  • While automated systems are efficient in processing large volumes of data quickly, they lack human judgment, which can spot inconsistencies or suspicious details that an algorithm might not be capable of identifying.

  • Telecom companies had an extremely short timeframe of just about ten days to set up their SIM card registration systems, potentially contributing to the oversight in building a robust, multi-layered verification process.


The National Bureau of Investigation (NBI) revealed that fake IDs, even those with animal photos, can easily fool the SIM registration system. The NBI Cybercrime Division chief, Jeremy Lotoc, showed how they registered new SIM cards from different telcos using IDs with a smiling monkey's face. The system accepted the IDs without any verification.

When registering a SIM card, you are asked to provide identification for verification. These are screened by automated registration systems, relying on algorithms to perform initial checks. Globe, Smart and DITO have specific criteria for uploading an ID for verification.

 

373482192_333473385698518_7532879149119809658_n (1).jpg
SIM registration ID requirements.

ID Upload Specifications:

- Maximum file size is 5MB.
- Photos must be in PNG, JPG, JPEG, HEIC, or PDF.
- Make sure your chosen ID is not blurred or cropped.
- The ID must not be expired.
- Your ID photo and selfie must match.
- Make sure all information is correct and accurate.

These guidelines seem fairly comprehensive at first glance. They dictate the format and quality of the ID image and ensure that the uploaded ID is genuine, readable, and current. However, it is precisely the mechanical nature of these guidelines that presents loopholes.

Automated systems that screen these IDs generally confirm compliance with the points outlined above. They look for the file size, check the image format, and may use OCR (Optical Character Recognition) to ensure the text is readable and matches different data points. But, these systems are not typically designed to apply a layer of "common sense" to the verification process.

Here's where the absurdity enters: theoretically, a fake ID with a photo of a monkey could pass this automated system as long as it complies with all the listed specifications.

1. File Size and Format: If the fake ID image is under 5MB and in one of the accepted formats, it ticks these boxes.
 
2. Clarity: The system checks off these requirements as long as the image is clear and the text is readable. The automated system likely won't assess whether the ID's content (like the photo) makes logical sense.
 
3. Expiration: If the expiration date on the fake ID is set to a future date, the system will validate it as a non-expired ID.
 
4. Matching Photos: If you also upload a clear, matching "selfie" with the same monkey photo, technically, the photos "match," thus meeting this criterion.

5. Correct and Accurate Information: As long as the text fields contain data that is logically consistent (even if fraudulent), such as a name matching across both the ID and system entry, the algorithm is satisfied.


While this scenario might sound amusing, it highlights a critical weakness in relying solely on automated systems for important verification processes. While they are excellent for quickly handling large volumes of data, they are not a substitute for human judgment, which can spot inconsistencies that no algorithm could flag as suspicious—like a monkey appearing where a human face should be.

simreg_monkey.jpg

 

While automated systems have their place in streamlining large-scale operations, their limitations, as amusingly highlighted by our monkey photo example, suggest that they should be one part of a multi-layered verification process, ideally backed up by human oversight.

It's essential to recognize that telecom companies were given just about ten days to set up their systems for SIM registration. This is an incredibly short timeframe to establish such a critical system.