Outside the Stade de France in Paris Friday night, amid the chaos of a series of attacks that claimed the lives of 129 people, police found a Syrian passport. The identity on the document was that of 25-year-old Ahmad Almohammad, and it was laying near the remains of a man who had detonated a suicide vest. Authorities subsequently identified the attacker as Almohammad.
But French Justice Minister Christiane Taubira said the document was a "fake" — and others agreed.
"Such fake Syrian passports are widely available in Turkey, and are often bought by non-Syrians trying to get to EU because Syrians get preferential treatment on the journey," wrote Human Rights Watch emergencies director Peter Bouckaert.
A French police source reportedly said the document was "definitely" a forgery. However, Public Order Ministry officials in Greece, where Almohammad apparently entered Europe with the passport in early October as a refugee before making his way across Europe and ultimately to Paris, reportedly said it definitely was not a fake.
Then on Monday, a man holding a nearly identical passport was detained in Serbia. The only difference was the photo.
* * *
Fraudulent passports fall into four general categories, says Russ Middleton, a forensic document examiner and former detective with the anti-terrorist branch at New Scotland Yard.
Counterfeits — completely phony documents created from scratch — are the easiest to buy on the black market, but are generally also the easiest to detect, according to Middleton. A forgery involves the alteration of a typically genuine and oftentimes stolen document to suit the identity of the new holder, and these can also be detected fairly easily. An impostor document is used by someone who resembles the rightful owner of the passport; lookalikes can be caught by border agents armed with iris scanners and facial recognition technology. Genuine passports obtained via identity theft — in other words, passports issued through official channels to people using other fraudulent documents — are the most difficult to suss out.
It is not yet clear into which category Almohammad's fell.
The myriad security features now built into passports, coupled with extensive cross-referencing between law enforcement databases, has actually made it easier to acquire a legitimate passport using a fictitious identity — the kind of passport that is hardest to spot as a fraud — than to pass off any kind of fake, according to the International Civil Aviation Organization (ICAO).
"By all accounts, the current generation of ICAO-compliant chip-based travel documents are the best and most secure the world has ever known," says Simon Deignan, a counterterrorism officer in the Travel Document Security Programme of the Organization for Security and Cooperation in Europe (OSCE). "However, travel document security is about more than the document itself. The trend, therefore, has been for fraudsters to increasingly turn to civil registry documents and systems to adopt a fake identity which is then used to apply for a genuine travel document."
In 2007, ICAO reported 54 percent of bogus travel documents discovered at international borders were forgeries and counterfeits, while real travel documents acquired through identity fraud accounted for just 31 percent of all interceptions. Just two years later, the numbers had more than flipped; forged and counterfeit travel documents detected at international borders dropped to 29 percent, while the number of illegally procured genuine documents had shot up to 71 percent of the total. (Those are the most current figures ICAO made available.)
In 2013, Frontex, the European Union's border management agency, intercepted double the number of fraudulently obtained passports than it did in 2012. And, as the 2015 Frontex Annual Risk Analysis warns, the trend is expected to "steadily rise."
* * *
Using a stolen identity to get a genuine passport involves the use of relatively easy-to-obtain "breeder documents" — also called "foundational documents" — which are then used to get other pieces of identification.
The breakdown of internal controls and infrastructure in war-torn or developing nations makes this process relatively simple there, says former UK Border Agency officer Simon Horswell. But it's still far simpler to get a so-called real fake US passport, which allows for visa-free travel to 147 countries, making it the most powerful passport in the world, than most people probably realize.
In the US, a birth certificate is the most common breeder document. It establishes proof of identity and is a conduit to obtaining, among other pieces of identification, a Social Security card, a driver's license — which can be used to board any domestic flight — and a US passport.
Across the country, birth certificates are issued by thousands of individual state and local vital records offices in addition to a variety of private entities, including churches and midwives. With no national standard, birth certificates come in thousands of versions and incorporate varying levels of security. Some are reasonably secure, while others "could be replicated by a 12 year old on their computer," legendary forger and imposter Frank Abagnale tells VICE News.
In many places, the security measures taken to protect the physical documents far exceed the steps taken to vet and monitor the people issuing the documents. Abagnale, whose criminal career was the basis for the 2002 movie Catch Me If You Can, and who now works as a security consultant in Washington, DC, says these employees can generally be paid off with relative ease, which has resulted, not surprisingly, in fairly regular cases of fraud aided and abetted by corrupt government officials, both in the US and abroad.
As easy as it is to obtain a birth certificate with fraudulent documents — in California, people need just a notarized statement saying they are who they say they are — some places don't even have those barriers, even if you're not physically in the United States.
"Vermont is one of the last states that allows any person, anywhere in the world, to request and receive a certified copy of a birth or death certificate with no questions asked and no tracking," says a highly critical January 2015 report to the Vermont legislature by the state's public health statistics chief.
'We're talking about a relatively inexpensive step that would close an obvious loophole. It's certainly cheaper than hardening cockpit doors.'
Under current statutes, Vermont's state vital records office "lacks the authority to deny any request for a copy of a birth or death certificate or request proof of their need for the certificate." No red flags are raised if someone requests the birth certificate of a missing or kidnapped child, and no pre-employment background screening is conducted on any potential vital records employees. Vermont has no system in place to identify unusual patterns of requests for birth certificates, nor is there any way to determine if a particular person's certificate is getting an unusually high number of requests.
Vermont is not alone. In Ohio, if someone can provide a person's name and date of birth, state employees are legally required to hand over the person's birth certificate. In one case, officials were forced to set aside their suspicions and fulfill an order for 4,577 copies of different people's birth certificates from a single requester. New Mexico, another open-records state, has faced similar problems with identity thieves using their birth certificates as breeder docs. According to state official Demesia Padilla, ID fraud there has been linked to international crime syndicates in "Mexico, Bolivia, China, the Middle East, you name it."
"If there was no solution to any of this, I'd say, 'Hey, don't waste your time, there's nothing anyone can do,'" Abagnale says. "But there's plenty we can do. We're just not doing it."
* * *
The threat posed by corrupt employees extends throughout the system, says Scott Stewart, vice president for tactical analysis at Stratfor and a former special agent with the US Bureau of Diplomatic Security, the main government agency tasked with investigating passport and visa fraud.
Over the past 15 years, 31 employees at US embassies and consulates all over the world — 24 Americans and seven foreign nationals — have been found guilty of official corruption including visa and passport fraud. Valid US passports and visas have been sold in exchange for both cash and sex.
This past August, Michael Sestak, a Foreign Service officer and former Albany, New York police officer assigned to the US Consulate in Ho Chi Minh City, Vietnam was sentenced to 64 months in federal prison for processing roughly 500 fraudulent visa applications in exchange for more than $3 million. Many of the people he approved had previously been denied entry into the US. Just days before Sestak's punishment was handed down, US investigators descended on the US Embassy's Consular Section in the Dominican Republic's capital of Santo Domingo amid allegations that 68 fake visas had been sold for $4,000 apiece.
There have also been nine US Customs and Border Protection (CBP) officers arrested, indicted, or prosecuted for corruption-related charges so far in 2015. A June advisory council report to Homeland Security Secretary Jeh Johnson noted that busts of CBP officers "far exceed, on a per capita basis, such arrests at other law enforcement agencies."
"Criminals are very aware; they look for human frailties and prey on them," Stewart says. "It's almost like they're recruiting people for espionage [operations], and we need to fight against it in the same way. We need to be looking for similar things, almost take a counterintelligence approach to corruption."
* * *
According to Interpol, there are more than 45 million passports and visas from 169 countries registered in its Stolen and Lost Travel Documents (SLTD) database. However, in 2013, Interpol's own data showed fewer than 20 of 190 member countries systematically cross-checked the passports of international travelers against the SLTD database. Last year, that number had fallen to less than 10.
It wasn't until after Malaysia Airlines flight MH370 went missing in March 2014 that a database check was run on the flight's passengers, notes Robert Pape, director of the Project on Security and Terrorism at the University of Chicago. Only then was it discovered that two Iranians were on the flight traveling on stolen passports. (They have not been linked to the disappearance of the plane.) Pape said checking the SLTD database before planes take off needs to be a mandatory practice, and that airlines should be required to publicly post their compliance rates the same way they report on-time statistics.
"It's all basically done through the Internet, so we're talking about a relatively inexpensive step that would close an obvious loophole," Pape says. "It's certainly cheaper than hardening cockpit doors."
In the meantime, the abundance of physical security features that make passports so hard to duplicate aren't necessarily keeping us safer. They do make passports extremely difficult to forge, but they also prompted the OSCE to issue a report calling upon countries to "de-clutter" their passports.
"There is simply no time for first-line officers to check all security features of each and every national passport in circulation," it said. "Consequently, there is a probability that high-quality forgeries are more likely to get through border inspection."
Follow Justin Rohrlich on Twitter: @JustinRohrlich