Up to now, document inspection systems were primarily designed as tools to support experienced users when examining documents. Nowadays, such devices are being used in a quasi-non‑supervised manner in automated border control (ABC) systems. A European research project, FastPass, is now investigating consequences of these actions and recommends a simulation system for testing and new protection measures for improved document security.

Automation is a key feature to answering the challenges of border control nowadays, namely the steadily increasing number of travellers crossing international borders and at the same time the decreasing availability of public administration personnel and police forces performing the task in this new setting. As a result to that, ABC gates are currently rolled out in many airports across Europe as well as worldwide. FastPass is a research project funded by the EU Seventh Framework Programme with the aim to establish and demonstrate a harmonised, modular approach for ABC gates.
   ABC systems are generally expected to be able to check the traveller’s identity with the same or higher accuracy and performance as a human border guard. An inevitable step in such systems is a reliable authentication of the identity document provided by the traveller. Important in this context are both the document itself and the device incorporated in the ABC system to perform the document inspection, the document scanner. These document scanners, which have been developed to assist experienced users, are nowadays being used with little or no modifications in ABC scenarios. Obviously, this introduces interesting open challenges, having potential impact on usability factors as well as on the overall system security.

Problem definition: Usage of document scanners for automation
Up to now, document readers were designed to support border guards in determining the authenticity of a passport. Passports typically contain a multitude of covert security features that are not visible to the naked eye. Examples include features only visible in the near‑infrared spectrum (IR) or fluorescent effects in ultraviolet light (UV). A de facto standard for passports – ICAO Doc 9303 – states that document readers should be able to take three different images of the scanned document, in IR and visible light, and a visible response to UV light.[1] These images aid a border guard in determining whether an inspected passport is considered genuine or not.
   Naturally, most state‑of‑the‑art document readers offer a lot more features than that. Documents conforming to the ICAO recommendations contain a machine readable zone (MRZ) complemented by an electronic part, that can be easily processed by any document reader. A few select readers can even recognise information from the visible data page (VIZ). Performing consistency checks between all the information contained in the MRZ, the electronic part as well as the VIZ is a rather easy task for machines, however not quite so for humans. Thus it only makes sense to support a border guard with a machine document reader.

What happens when we consider document security in the ABC scenario?
In that case,the ABC system comprising a document reader has to check the validity of a document in a completely autonomous manner, essentially without any human intervention. Currently, ABC solutions take full advantage of the electronic part of a passport, which is considered to be the most secure feature of modern passports. Unfortunately, several attack scenarios are known even for the electronic part, which puts sole usage of this part in question.[2],[3] Therefore the verification of optical security features is still of great importance.
   Most optical security features incorporated in modern passports, such as holograms, are not designed with machine verification in mind. Checking their authenticity is already a very difficult task for a human expert, and even harder for an automated document reader. Note that document readers are still expected to perform similar or better than humans. 
Making things even more complicated, each country has its own passport design with a unique set of security features. While the overall passport layout and some minimum security requirements are specified in ICAO Doc 9303, the actual design and implementa-tion of the security features is left to each country. That means a document reader might perform well with passports from one country, but fail with passports from another.

How can we make sure that a document reader of an ABC system is capable of its task?
In order to verify the marketing claims of different vendors, document readers must be rigorously tested in a black‑box manner, which assumes nothing about the document reader’s hardware/software architecture. In practice, that would require access to a large collection of genuine as well as counterfeited passports from as many countries as possible, which would need to be manually acquired by all tested document readers (one at a time) in order to verify the whole ABC system. 
   One example of such an independent test on a large scale is the Document Challenge II, organised by Frontex in 2013.[4] A large number of genuine and counterfeited documents were used to test the performance of seven document inspection systems
in comparison with a group of experienced human experts. While the results of this test alone were very valuable for better understanding of strengths and weaknesses of the tested systems compared with the human performance, it also showed how complicated it is to organise such a test. Imagining such a test in an ABC context, we would need to reassess the results whenever any setting of the document inspection system changes (for example, a firmware update), which would of course be infeasible with physical documents. As an attempt to overcome this principal restriction, we developed a device capable of performing such tests in a semi‑autonomous manner within the FastPass project.

figure 1.
Principle of the document simulator proposed in [5]. An image produced by the reflection of the light generated by the reader is suppressed by an anti‑reflex coating of the display. This allows for presenting the document reader with a simulated image generated by the display.
Introduction of a test tool: The passport simulator
In [5], we introduced a passport simulator as a device for black‑box testing of ABC systems. Essentially, it can be any device equipped with an active display that is big enough to reproduce the document to be simulated, that has a resolution high enough to get over the camera employed in the document reader, and finally is strong enough to override the illumination emitted by the reader. Furthermore, the simulator needs a means to detect illumination changes in order to recognise the acquisition sequence.

Before describing the main principle of the passport simulator, let us first recapitulate how the state‑of‑ the‑art document readers work. Typically, document readers record responses (i.e., reflections or luminescent responses) of the scanned document to three illumination sources operating in different spectral ranges – visible, infrared (IR) and ultraviolet (UV). During the acquisition, the illuminations come as a short train of flashes while the camera is synchronously recording images. As the same camera is used for recording each spectral response, it must be sensitive in both visible as well as IR spectra.
   The passport simulator we developed within the FastPass project builds upon the fact that most document readers nowadays require only one spectral image to be presented to the reader at one time moment. The simulator uses a high‑resolution light‑emitting active display in order to suppress an image produced by the reflected light generated by the reader and override it by an image generated by the display instead (see Figure 1). Due to the temporal separation of individual spectral recordings in the acquisition sequence, it is theoretically but also practically possible to present the correct image (i.e., visible, IR or UV) in a reaction to the train of incoming flashes. This technique allows for simulating essentially any optical security feature used in modern security documents to the extent given by the resolving power of the display‑vs.‑camera tandem.
   Regarding the actual hardware implementation of the simulator, smaller documents can be successfully reproduced by means of a smartphone‑based solution. One example of such an all‑in‑one solution was described in [6], where an Android smartphone was used in the active display attack experiments. It is crucial that the brightness sensor of the employed smartphone is able to detect changes in the near‑infrared spectrum as well. Alternatively, one may think of a dedicated hardware solution offering more flexibility with a choice of hardware components for simulating security documents as large as standard passports. This kind of solution was presented in [5], which consists of a 7’’ full HD (315 DPI) display controlled by Raspberry Pi extended by Arduino operating a photo diode (see Figure 2). For convenience in the field, the device can be controlled remotely via a Wi‑Fi access point.   
 

figure 2.The document simulation proposed in [5] running on dedicated hardware.
   An example of results obtained by the described passport simulator is shown in Figure 3. Images of a genuine Austrian e‑Passport are compared side‑by‑side with a simulated version of the same document. It can be seen that, apart from slightly brighter rendering of the simulated document, all security features visible in the images of the genuine document were successfully reproduced in the simulation. In order to correct for mentioned brightness/colour inaccuracies of the simulation, we would need to consider appropriate calibration steps.
   Regarding intended applications of the passport simulator in the testing of ABC systems, we may think of two basic options: (I) presentation of a pre‑acquired database of documents for calibration of the system or testing its throughput, robustness, et cetera and (II) generation of synthetic passports from unpersonalized document templates for more thorough testing of the system robustness against certain special or rare effects. In the first case, the document simulator can be either preloaded with a document database in order to work autonomously, or alternatively, it can be controlled from a remote computer. On the other hand, in the second case, the simulator takes the document template as well as models of the effects to be simulated (for example, material aging, crease, graffiti and production errors) and generates an arbitrary number of passports subjected to those effects. This mode has already been successfully used to simulate different passports of the same type with a variable MRZ using the OCR‑B font defined by ICAO.1

figure 3.

Conclusions and outlook
Testing of document readers is an inevitable step in order to meet the expected level of security delivered by ABC systems. Using our passport simulator, we can simulate an arbitrary number of passports with a range of document readers, and are therefore one step closer to the goal of achieving consistent quality control in the ABC scenario. 
   Although the availability of such a testing device is a huge methodological improvement, there are still open issues and questions. Currently, in terms of guidelines, there is very little information available about actual performance requirements for the optical document readers. There exists no ground truth as to how much the document must depart from a model to be considered fraudulent and what the admissible error rates should be. Even the variations among genuine documents are not well‑known, likewise variations in the printing process, document aging, dirt, wear and tear, et cetera. These variations make separating genuine documents from counterfeits even harder.
   Nevertheless, the optical document security is just one important aspect among many others that have to be addressed by a fully functional ABC system. Several aspects, such as security assessment, harmonisation and privacy matters need to be carefully taken into account. Additionally, considerable technological progress is necessary to be able to handle the ever increasing requirements on speed and comfort for legitimate travellers as well as security against illegal immigration and other threats. This includes tech-nologies for improved traveller identification, such as new biometric modules providing better security and minimising risk of spoofing.
   FastPass will further work on the development of a harmonised ABC gate with continuous end‑user involvement. Our work will include the analysis and comparison of different steps in the automated security document inspection: the quality and robustness of document readers, the security implications of document aging effects, and the influence of human interaction on the reading process. This work shall foster the improvement of document inspection tools to their full potential within the ABC systems of the future.
   Acknowledgements
The authors would like to thank Michael Gschwandtner for his essential contributions to the results presented in this paper. This work has been supported by the FastPass project and received funding from the European Union Seventh Framework Programme (FP7/2007‑2013) under grant agreement n° 312583.

References
1 International Civil Aviation Organization – ICAO (2006). Doc 9303: Machine Readable Travel Documents, Part 1: Machine readable passports. Current version: sixth edition 2006. http://www.icao.int/publications/Documents/9303_p1_v1_cons_en.pdf
2 Liu, Y., Kasper, T., Lemke-Rust, K. and Paar, C. (2007). E-passport: Cracking basic access control keys with COPACOBANA. Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS), Vienna (AT).
3 Francis, L., Hancke, G.P., Mayes, K. and Markantonakis, K. (2011). Practical relay attack on contactless transactions by using NFC mobile phones. IACR Cryptology ePrint Archive, 2011, 618.
4 Gariup, M. and Soederlind, G. (2013). Document fraud detection at the border: preliminary observations on human and machine performance. Europ. Conf. on Intelligence and Security Informatics (EISIC), Uppsala (SE): IEEE.
5 Gschwandtner, M., Štolc, S. and Daubner, F. (2014). Optical security document simulator for black‑box testing of ABC systems. IEEE Joint Intelligence & Security Informatics Conference (JISIC), The Hague (NL): IEEE.
6 Gschwandtner, M., Štolc, S. and Vrabl, A. (2014). Active display attack on automated security document readers. Optical Document Security 2014, Conference San Francisco (CA): Reconnaissance International.