Showing posts with label stopfakecerts. Show all posts

October 13, 2015

Secure University Certificate and Transcript Solution

This is Part 3 of a series of blog posts investigating university certificate fraud and potential solutions. This part provides an overview of our secure certificate generation solution and how it addresses the issues raised earlier. Part 1 explains the problem and Part 2 investigates typical solutions deployed by universities to address it.

At Qryptal, we have been working in this space for years and feel that an ideal solution to address this problem should have the following characteristics:
  • Should work on physical printed paper:
    Often documents are required to be submitted in physical paper format or copies are generated for printing - making electronic digital signing solutions great in theory but not too viable in practice. This may seem counterintuitive with nearly everyone carrying a smartphone, but when is the last time you submitted or verified an electronic signature?
    With smartphones, instead of scanning paper, users often simply take a photo of the document and share it instantly. Electronic digital signatures get lost in this process of printing or taking “photos”. This is the practical reason why electronic signing solutions, hailed by everyone as a panacea for a decade, never delivered.

  • Easy to validate on an ad-hoc basis:
    If a solution requires many steps/equipment - it will simply not get used!
    Just because you make a system available for document validation, it does not mean that it will get used.
    We technologists are guilty of this sin all the time. Often a big budget grand project is created with a lot of fanfare to solve a problem. After it finally gets deployed - we wait and wait for usage and then finally blame the user for not “getting it”.
    It is not the fault of the user - complexity inundates us everywhere and the solutions which are easy and feel intuitive are the ones which end up getting traction.
    So if your mission is to make your documents trustworthy, then you have to make it super easy for anyone to validate them without compromising on the security aspect. No messing around with visiting websites, creating accounts, etc.

  • Avoid Central Database or network access to validate:
    As recent hacking news has made clear, network-based solutions can introduce their own vulnerabilities (DNS, SSL, Privacy) and attack surfaces.
    Educational Certificates are especially vulnerable because if someone sneaks in a new record for a student who apparently graduated ten years back, how will that be detected?
    Perpetrators could be outside hackers or even some future disgruntled employee who thinks that this is a victimless and undetectable crime.

The Qryptal Secure Document System (QSDS) has been designed from the ground-up to provide the most elegant solution for securing university degrees and certificates.

This is what a secured certificate looks like:
The system adds the secure Qryptal code to the certificate. Since this is a visual bar code (QR Code), it appears not only on the original but also on copies, whether scanned or simple photos of the document.

Now anyone coming across this certificate can simply scan the code with the validation App and instantly verify. You can also try this right now by visiting
on your smartphone, installing the App and scanning the code above.

The major features of the Qryptal Secure Document System technology are:
  • Server-less:
    No servers, cloud or central database is required - just need the App to validate.
    Apart from security and privacy benefits, this feature also implies that once a certificate is generated and issued, that certificate stays valid and can continue to be verified without the need to maintain any infrastructure!
  • Tamper proof code:
    Digitally signed code uses levels of security much higher than those commonly used for internet banking (equivalent to a 3072-bit key).
  • Small Code Size:
    Unique compression technology keeps the code small while maintaining high levels of security
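
The server-less, digitally signed code described in the list above can be illustrated with an added example (not Qryptal's code or format). It assumes Ed25519 signatures, whose roughly 128-bit strength is the level usually equated with a 3072-bit RSA key, plus a hypothetical field list and `payload.signature` layout; the verifier needs only the scanned text and a pinned issuer public key.

```javascript
// Added illustration; the payload layout and field names are assumptions.
const crypto = require('node:crypto');

// Issuer key pair, constructed here so the example runs offline.
// In practice the public key would ship inside the validation app.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Fixed field order so issuer and verifier handle identical bytes.
const FIELDS = ['issuer', 'name', 'degree', 'year', 'grade'];

// Issuer: sign the certificate fields and return the text to render as a QR code.
function issueCode(cert, signingKey) {
  const payload = Buffer.from(JSON.stringify(FIELDS.map((f) => String(cert[f]))));
  const sig = crypto.sign(null, payload, signingKey); // Ed25519, 64 bytes
  return payload.toString('base64') + '.' + sig.toString('base64');
}

// Verifier: no network or database, only the scanned text and the pinned key.
function verifyCode(code, pinnedKey) {
  const parts = String(code).split('.');
  if (parts.length !== 2) return { valid: false, reason: 'malformed code' };
  const payload = Buffer.from(parts[0], 'base64');
  const sig = Buffer.from(parts[1], 'base64');
  if (sig.length !== 64 || !crypto.verify(null, payload, pinnedKey, sig)) {
    return { valid: false, reason: 'signature check failed' };
  }
  // Only parse fields after the signature has been accepted.
  const values = JSON.parse(payload.toString('utf8'));
  return { valid: true, cert: Object.fromEntries(FIELDS.map((f, i) => [f, values[i]])) };
}

// Simulates an edited copy: the grade is changed but the old signature is kept.
function withEditedGrade(code, grade) {
  const [p, s] = code.split('.');
  const values = JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
  values[FIELDS.indexOf('grade')] = grade;
  return Buffer.from(JSON.stringify(values)).toString('base64') + '.' + s;
}

// Constructed sample certificate.
const sample = { issuer: 'Example University', name: 'A. Student', degree: 'BSc', year: 2015, grade: 'B' };
const code = issueCode(sample, privateKey);
console.log(verifyCode(code, publicKey));                       // valid, fields recovered
console.log(verifyCode(withEditedGrade(code, 'A'), publicKey)); // rejected
```

A code signed with any key other than the pinned one fails the same check, which is why a record inserted into a database later cannot produce a certificate that validates.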

Deploying the Qryptal Secure Document System is also easy and we currently offer the following options:
  • Web Service API:
    This is a RESTful API where your existing document generation system can make secure API calls to our system and get the secure code or the fully generated certificate PDF based on your template.
  • On-premise software:
    We provide you with the Qryptal Generator software that you run in-house to generate these secure codes/certificates.
  • MS Excel Add-in:
    If you use MS Excel as a database, we have an Add-in which makes it easy for your operators to just click and generate secure codes/certificates.

For more information or trial, please contact us at:

July 28, 2015

How do Universities provide certificate verification services

This is Part 2 of a series of blog posts investigating university certificate fraud and potential solutions.  Part 1 gives an overview of the problem.


University degree certificate fraud has been occurring for a long time. Unfortunately the pain of fraud is felt primarily not by the university issuing the certificate but by institutions accepting those degrees and persons (students) to whom the certificate was issued.


Institutions are now generally more careful in accepting certificates and follow various processes to vet the certificates:
  • Request to inspect original:
    Not really used today because it is now easy to source “original” looking fake certificates.
  • Ask for the copy of the degree to be attested by the Embassy of the country where the University is domiciled:
    Also out of favour because the embassy staff can also be fooled, or even worse - facilitate the tampering.
  • Check with the University itself:
    Not too difficult if the University is local but not really practical unless the university offers a streamlined process to do so. More on this below.
  • Engage third party investigation agencies:
    These agencies would check with the issuing university in their respective home countries. This often costs a lot in terms of both money and time.


As one can sense from above, the actual price of fraud is paid daily by persons to whom the certificate was issued in the first place and by institutions accepting those documents.


The time delays lead to missed opportunities, unfilled positions and generally add an unwanted tax to the simple task of ascertaining the authenticity of a document.


Nearly every university has an authorised person (“Registrar”) who verifies certificate validation requests. If it is a manual process, then this becomes a bottleneck and sometimes another weak link in the validation chain.


Universities typically provide these validation services to third parties in one of the following forms:
  • No stated process:
    Unfortunately this is the state of affairs in most developing countries.
  • Paper Application (Manual):
    Yes - it is as tedious as it sounds: fill a paper form, get a bank draft made, snail mail and wait. Example: Indian Institute of Technology.
  • E-mail (Manual):
    A validation request is sent via e-mail and response provided by e-mail - typically manually by a human. Example: Harvard Business School.
  • Web Service (Manual or automated):
    Agents wishing to validate need to create an account on the web portal, provide details and pay some fees. These web services are provisioned in a couple of ways:
    • University run web service:  University run and managed service. Example: National University of Singapore.
    • Third Party Web Services: Here the university ties up with a third party and provides them with their student records database. Agents wishing to validate log on to these third party websites, provide details and get the result after paying some fees. Example: Massachusetts Institute of Technology.


Features and drawbacks of manual processes:
  • One advantage of the manual process is that it does not require connecting the entire student database to some internet connected server. Every day we come across hacking incidents and the manual process does not increase bulk data hacking risk.
  • Manual processes are slow. On the flip side, since the process is manual - it is easier to maintain a balance between student privacy and third party verifier interests.
  • Time-Person risk: Degrees may need to be verified after years and if the process is manual, at some point in future a compromised person may be part of the office processing such requests. Since many perpetrators consider this a victimless crime, any discrepancies can be next to impossible to detect (no interested party to raise issue).


This case of an MIT Dean needing to resign due to fake degrees is a reminder that individuals with compromised integrity may become part of university administration at certain points of time.


Features and drawbacks of web services offering online verification:
  • Instant verification: This is the major obvious benefit and much more in sync with current expectations.
  • Student privacy: This gets tricky in such services and many institutions have resorted to asking students to give consent for such information sharing. Often the consent is global and not for a specific case - again a compromise for efficiency but less than ideal in today’s world. Example: Carnegie Mellon University explaining the need for consent.
  • Database risk: The risk emanates from the fact that for such a service to work, the entire current student and alumni database needs to be exposed somehow to the internet. This brings its own set of risks:
    • Data leakage:
      Identity theft is common and such a database is a great target for such thieves.
    • Data tampering:
      This can compromise the integrity of such a service. This is not so far-fetched and cases have actually been reported:

      For $6500, this forgery business claims to be able to input the fraudulent student details into database for many Australian Universities!

      After recent revelations of data hacks of the most sophisticated government departments, reducing database risk should be a prime criterion.
  • Third party web-service risks: Though tempting to off-load validation services to third parties, it is important to realize that all the risks multiply in such cases. From a hacker's perspective, a third party aggregating databases of multiple universities is a much juicier target than a single university.

We have been studying the certificate validation problem for years and feel that the ideal solution should have the following features:
  • Should work for Paper and electronic copies: often documents get presented as physical copies or submitted as scanned copies making electronic only solutions unviable.
  • Offer instant validation: instant validation is a hard requirement for the solution to be adopted and be useful.
  • Avoid Central Database: database risks have to be reduced. It is difficult to secure information today, but securing infrequently accessed information for decades is close to impossible.
  • Maintain Privacy: An ideal solution should maintain the privacy of both the student and the organisation validating the certificate; the university or third parties should not be in the middle with attendant responsibilities.

We have been working on a solution that addresses the shortcomings of existing solutions mentioned above. The next post in this series will explain it in more detail.



June 16, 2015

The Fake University Degree Scourge

Fake or tampered degrees or certificates have always been a problem but recent scams show that they are becoming more pervasive. This is Part 1 of a series of blog posts attempting to investigate the issue and suggest potential solutions. 

Degree scams are not limited to your average Joe but are now being uncovered in high places as well:


We have been aware of this problem for years and are now alarmed at the increasing frequency of such incidents. Surprisingly, this problem is not just limited to developing countries and such incidents occur literally in every country.

There are three main drivers for this phenomenon:

  • Motivation: Academic credentials are highly valued and considered a passport for leading a good and respectable life - by hook or crook, everyone wants one!
  • Access to technology: Sophisticated scanners, printers and image manipulation software are now easily available to everyone.
  • Globalisation: With increased workforce mobility, it is now very common for people growing up and studying in one part of the world and working in another.

Every day, society pays a very heavy price for this malarkey. Trustworthy credentials lay the foundation of a merit-based society and such incidents shake our faith in the system.

The worrying aspect is that the scope of the damage is extending beyond sullied reputations or economic costs: fake degrees have literally caused deaths due to fake doctors:


A couple of ways unscrupulous people fake degrees are:
  • Outright fake: Never graduated from the college and either forged a certificate by modifying one from a friend or by using an online degree selling service. The fake certificates can be such a good imitation that even a trained eye could be deceived.
  • Embellishment: Actually graduated from the claimed college but courses are faked or marks enhanced in transcripts. These are even more difficult to detect because a high level check will validate that the person did attend that college.
Another factor making this an intractable problem is that it is not just individuals faking degrees but organised commercial operators.


The above story about an operator in China providing degrees from Australian Universities is remarkably brazen even by the standards of these shady operators:
  • The degrees, which the business claims are sourced from the same parchment providers used by the universities, range from $3500 for “copy” quality to $5700 for an “original”
  • For $6500, it claims to be able to input the fraudulent student details into university databases!

Such incidents should raise the hackles of any university administrator. 

In the next post we will discuss some of the options being used to mitigate this epidemic of fake degrees.