Why Identity Fraud Remains Undetectable

As of 2025, digitalization has become commonplace in companies and organizations. Paper documents have been replaced by electronic files, seals by digital signatures, and operational efficiency has improved dramatically. However, behind this convenience lurks a serious security risk that did not exist in the analog era: the problem of “identity fraud” or “impersonation.”

The “Personal Character” of Analog Records

Handwriting as Compelling Evidence

In the paper era, “handwriting” was a powerful means of verifying the authenticity of documents. Human handwriting contains individual-specific characteristics that are not easy to replicate completely.

Imagine, for example, signing an important contract. The signed document records characteristics unique to that person, such as the strength and weakness of pen pressure, the tilt of the characters, and the way the pen is handled. If an expert performs handwriting analysis, they can determine with a certain degree of accuracy whether it is the person’s signature or a forgery by a third party.

However, handwriting analysis also has its limitations. A Supreme Court precedent from February 21, 1965 pointed out that “traditional handwriting analysis methods rely heavily on the examiner’s experience and intuition, and their probative value is limited.” Research has also revealed that identification accuracy significantly decreases, particularly with sophisticated imitations using tracing paper.

Nevertheless, compared to digital records, handwriting provides far more information as a physical trace reflecting the creator’s individuality.

The Truth Told by Physical Traces

Beyond handwriting, analog records retain many physical traces:

Paper texture and aging deterioration, ink type and absorption patterns, traces of correction fluid or eraser use, and usage history such as folds and stains. These traces become evidence that tells us when and in what environment a document was created, serving as clues to discover tampering or forgery.

Fundamental Challenges of Digital Records

The Characteristic of “Perfect Replication”

The greatest feature of digital data is that “perfect replication is possible.” While this characteristic is a great advantage in improving operational efficiency, it becomes a fatal weakness from a security perspective.

Consider a document created with word processing software. A document file created by Person A and a document file with the same content entered by Person B are technically identical data. If the font, character size, and paragraph settings are the same, there is no way in principle to distinguish between them.

Serious Problems Caused by the Absence of Handwriting

Digital records fundamentally lack the “personal character” that analog records possessed.

Uniformity of keyboard input: No matter how idiosyncratic one’s typing may be, the digital text ultimately generated is completely uniform. No elements reflecting the input person’s individuality remain.

Vulnerability of creator information: File properties record information such as “creator” and “last modifier.” However, this metadata can be easily rewritten. For example, by logging in with someone else’s account and creating a document, it is possible to make it appear as if that person created it.

Limits to the reliability of time information: File timestamps (creation date/time, modification date/time) can also be tampered with by changing the system clock settings. In other words, even the record that “this document was created yesterday” is not absolute proof.

Real Examples: Cases Where Identity Fraud Was Not Discovered

Case 1: Replacement of Approved Documents

At a certain company, an incident occurred where the content of a proposal approved by a supervisor was rewritten after approval. The perpetrator temporarily accessed the supervisor’s computer, opened the approved file, changed the amount, and saved it.

The file’s creator information remained the supervisor’s, and the last modified date/time was the same as the approval date (the system clock had been adjusted). If it had been a paper proposal, the tampering could have been discovered from traces of correction fluid or differences in handwriting, but the digital record left no traces whatsoever.

Case 2: Email Sender Spoofing

Exploiting vulnerabilities in the internal system, an email impersonating an executive was sent to the finance department. The email’s sender address was legitimate, and the text skillfully imitated the person’s writing style.

The recipient had no means of determining whether this email was genuinely sent by the executive or was a third-party impersonation. While a paper document could have been identified by handwriting, the true identity of the sender cannot be discerned from digital text.

Fundamental Reasons Why Identity Fraud Detection Is Difficult

The “Characterlessness” of Digital Data

Digital records completely lack physical or biological traces that indicate the creator’s individuality. If the same content is entered, the same data results regardless of who inputs it. This “perfect uniformity” is the greatest factor making identity fraud detection difficult.

Separation of “Input Action” and “Data”

In analog records, the act of writing and the record are inseparable. The trace of the action is inscribed in the record in the form of handwriting.

However, in digital records, the input action and the generated data are completely separated. No matter how the keyboard is struck, it has no effect on the final data. In other words, information about “who input it” is not included in the data in principle.

Limitations of Authentication Systems

Current authentication systems are designed on the premise that “account = actual person.” Those who possess authentication information such as passwords or IC cards are considered the “actual person.”

However, this authentication information can be stolen or lent. Since the system treats “those possessing authentication information” as the actual person, it has no means of determining whether the person actually operating is the genuine user.

Current State and Future Outlook: Required Countermeasures

The Importance of Multi-Factor Authentication

By combining not only passwords but also biometric authentication (fingerprint, facial recognition) and physical tokens, the risk of identity fraud can be reduced. However, this is not a complete solution either, and the trade-off with convenience remains a challenge.

According to NIST Special Publication 800-63B (Digital Identity Guidelines), multi-factor authentication is recommended for applications requiring high assurance levels. As of 2025, many organizations have adopted multi-factor authentication (MFA), but implementation rates and operational maturity vary widely.

Development of Behavioral Analysis Technology

Technologies that analyze individual behavioral characteristics such as keyboard typing patterns and mouse movement are being researched. These are also called “digital handwriting” and may potentially be used for identity fraud detection in the future.

Behavioral biometrics technology has advanced significantly in recent years, with continuous authentication systems being piloted in financial institutions and high-security facilities. These systems analyze typing rhythm (keystroke dynamics), mouse movement patterns, touchscreen pressure, and gait patterns to continuously verify user identity.

However, challenges remain regarding accuracy and practicality at present, and widespread adoption is expected to take time. According to research by institutions such as the National Institute of Standards and Technology (NIST), the Equal Error Rate (EER) for keystroke dynamics ranges from 5% to 10%, which still requires improvement for practical use.
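To make the EER figure concrete, the following added example (not part of the original article) scores typing attempts against an enrolled keystroke template and finds the threshold where false accepts and false rejects are equal. The timing values, feature layout and function names are constructed for illustration, and the sample is too small to be representative.

```python
# Constructed timings in milliseconds for one fixed passphrase:
# [hold key1, flight 1->2, hold key2, flight 2->3]. Not real measurements.
ENROLL = [[100, 140, 90, 160], [104, 136, 94, 156], [96, 144, 86, 164]]
GENUINE = [[102, 138, 92, 158], [98, 146, 88, 166], [106, 134, 96, 154],
           [110, 150, 80, 170], [90, 120, 110, 180]]    # last: an off day
IMPOSTOR = [[108, 132, 98, 152], [120, 120, 110, 140], [80, 170, 70, 190],
            [130, 100, 120, 120], [115, 155, 75, 175]]  # first: close imitation

def build_template(samples):
    """Per-feature mean of the enrollment samples."""
    return [sum(col) / len(col) for col in zip(*samples)]

def distance(template, attempt):
    """Mean absolute deviation from the template; lower means more similar."""
    return sum(abs(a - t) for a, t in zip(attempt, template)) / len(template)

def error_rates(genuine, impostor, threshold):
    """An attempt is accepted when its distance is <= threshold."""
    frr = sum(s > threshold for s in genuine) / len(genuine)    # false rejects
    far = sum(s <= threshold for s in impostor) / len(impostor)  # false accepts
    return far, frr

def equal_error_rate(genuine, impostor):
    """Sweep observed scores as thresholds; return (EER, threshold) where
    FAR and FRR are closest, estimating the EER as their midpoint."""
    best = None
    for thr in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, thr)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), (far + frr) / 2, thr)
    return best[1], best[2]

def evaluate():
    tmpl = build_template(ENROLL)
    g = [distance(tmpl, a) for a in GENUINE]
    i = [distance(tmpl, a) for a in IMPOSTOR]
    return g, i, equal_error_rate(g, i)

if __name__ == "__main__":
    g, i, (eer, thr) = evaluate()
    print("genuine distances: ", g)
    print("impostor distances:", i)
    print(f"EER = {eer:.0%} at threshold {thr}")
```

At the equal-error threshold the close imitation is accepted and the genuine user's off-day attempt is rejected, which is why such scores are used as a supplementary signal rather than as the sole authentication factor.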

Adoption of Zero Trust Security

An approach based on the principle of “never trust, always verify,” continuously monitoring and verifying all access, is attracting attention. Rather than relying on a single authentication, this approach mitigates identity fraud risk by confirming identity through multiple factors at each access.

The Zero Trust Architecture defined by NIST Special Publication 800-207 has become an international standard, with adoption accelerating particularly in government agencies and critical infrastructure sectors. Core principles include:

Continuous verification: Not just authenticating once at login, but verifying identity and device security status for each resource access.

Least privilege principle: Granting only the minimum necessary access rights, dynamically adjusting permissions based on context (location, device, time, etc.).

Microsegmentation: Dividing the network into small segments and strictly controlling access between segments.

Comprehensive logging and monitoring: Recording all access and detecting anomalies through real-time analysis.

Digital Signatures and Blockchain Technology

While digital signature technology based on public key infrastructure (PKI) has been widely deployed, its effectiveness depends on proper key management and certificate authority trust chains.

Recent developments include blockchain-based distributed ledger technology for document authenticity verification. By recording document hashes on the blockchain, tampering can be detected and the integrity of records at specific points in time can be cryptographically proven.

However, digital signatures only verify that a document was signed with a particular private key. If the private key itself is stolen or the signing device is compromised, they cannot prevent impersonation. Fundamentally, they address a different issue from “confirming that the actual person performed the action.”
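The hash-recording approach described above, applied to the approved-proposal scenario of Case 1, as an added example that is not part of the original article. The ledger is a simplified hash chain standing in for a distributed ledger; the function names, field names and sample document are assumptions made for illustration.

```python
import hashlib, json, tempfile
from pathlib import Path

GENESIS = "0" * 64  # "prev" value of the first entry

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def entry_hash(e):
    # Hash every field except the entry's own hash, in canonical JSON form.
    body = {k: e[k] for k in ("seq", "doc", "sha256", "approver", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_approval(ledger, path, approver):
    # "approver" is only the account the system saw, not proof of the person.
    entry = {"seq": len(ledger), "doc": Path(path).name,
             "sha256": sha256_file(path), "approver": approver,
             "prev": ledger[-1]["hash"] if ledger else GENESIS}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry["hash"]  # head hash: keep a copy where ledger editors cannot write

def ledger_intact(ledger, expected_head=None):
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(e):
            return False
        prev = e["hash"]
    return expected_head is None or prev == expected_head

def document_matches(ledger, path):
    # Compares content only; creator fields and timestamps are never consulted.
    hits = [e for e in ledger if e["doc"] == Path(path).name]
    return bool(hits) and hits[-1]["sha256"] == sha256_file(path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        doc = Path(d) / "proposal.txt"           # constructed sample document
        doc.write_text("Amount: 1,000,000\n")
        ledger = []
        head = append_approval(ledger, doc, "supervisor")
        before = document_matches(ledger, doc)
        doc.write_text("Amount: 9,000,000\n")    # post-approval change (Case 1)
        after = document_matches(ledger, doc)
        # An entry rewritten to match, with its hash recomputed, is internally
        # consistent; only the separately stored head hash exposes it.
        ledger[0]["sha256"] = sha256_file(doc)
        ledger[0]["hash"] = entry_hash(ledger[0])
        return before, after, ledger_intact(ledger), ledger_intact(ledger, head)
```

`demo()` returns `(True, False, True, False)`: the content check catches the changed amount regardless of file metadata, and a rewritten ledger is caught only when the head hash is held somewhere the person editing the ledger cannot reach.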

Regulatory Trends and Compliance Requirements

Identity fraud and impersonation issues are being addressed not only technically but also through legal and regulatory frameworks:

eIDAS 2.0 (European Union): The revised eIDAS (electronic IDentification, Authentication and trust Services) regulation, implemented in 2024, establishes a framework for digital identity wallets and requires high assurance level electronic signatures and seals for important transactions.

GDPR and personal data protection: The General Data Protection Regulation (GDPR) requires appropriate technical and organizational measures to ensure personal data security, including identity verification and access control.

U.S. Executive Order on Cybersecurity: Executive orders issued in 2021 and subsequent years mandate Zero Trust Architecture adoption in federal agencies, requiring multi-factor authentication and advanced identity verification mechanisms.

ISO/IEC 27001:2022: The international standard for information security management systems includes requirements for identity and access management, requiring organizations to implement appropriate authentication and authorization processes.

Financial sector regulations: Banking regulations such as PSD2 (Payment Services Directive 2) in the EU and similar regulations in other countries mandate Strong Customer Authentication (SCA), requiring at least two-factor authentication.

Comparison Table: Authentication Method Security Levels and Characteristics

| Authentication Method | Security Level | Advantages | Disadvantages | Typical Use Cases |
|---|---|---|---|---|
| Password only | Low | Simple, low cost | Vulnerable to theft, sharing | General web services, low-risk systems |
| Multi-factor authentication (MFA) | Medium-High | Significantly improved security | Slightly reduced convenience | Business systems, financial services |
| Biometric authentication | Medium-High | Difficult to forge, no memorization required | Privacy concerns, potential false rejections | Smartphone unlocking, physical access control |
| Hardware tokens | High | Resistant to phishing | Cost, risk of loss | VPN access, privileged account access |
| Behavioral biometrics | Medium | Continuous verification possible | Accuracy issues, adaptation required | Supplementary authentication, fraud detection |
| Zero Trust Architecture | Very High | Comprehensive security | Complex implementation, high cost | Critical infrastructure, government agencies |

Education and Organizational Measures

Technical solutions alone cannot solve the identity fraud problem. Security awareness training for employees is essential, including:

An understanding of social engineering attack methods (phishing, pretexting, tailgating), the importance of protecting authentication credentials (passwords, IC cards, biometric information), adherence to organizational security policies and procedures, and regular security drills and incident response training.

Organizations must also establish and enforce clear security policies, including access control policies, privileged account management, regular security audits and vulnerability assessments, and incident response plans.

Summary

The reason “identity fraud” in electronic records is difficult to detect stems from the fundamental characteristics of digital data. Because individual-specific traces such as handwriting do not exist, it is technically extremely difficult to identify the actual input person from a record once it has been created.

While countermeasure technologies such as digital signatures and log records exist, they too have limitations and create new challenges such as operational complexity and authentication information management.

What is important is not trying to solve this problem through technical measures alone, but a comprehensive approach combining organizational controls, education, and appropriate risk management. While enjoying the convenience of digitalization, what is required in the coming era is understanding the risks lurking behind it and building a system where humans and systems cooperate to ensure safety.

Current international regulations and standards such as Zero Trust Architecture, multi-factor authentication, and behavioral biometrics are evolving as complementary technical solutions. However, these technologies are not silver bullets, and appropriate selection and combination according to organizational risk profile and resource constraints are essential.

Furthermore, as digitalization progresses, the boundary between “genuine person” and “impersonator” becomes increasingly ambiguous. In future society, we may need to fundamentally reconsider the concept of identity itself and construct new trust models. This is not merely a technical challenge but a social challenge that will test how we humans build trust in the digital age.
