Online University Degree Certificate Verification using QR Codes
This is Part 2 of a series of blog posts investigating university certificate fraud and potential solutions. Part 1 gives an overview of the problem.
University degree certificate fraud has been occurring for a long time. Unfortunately the pain of fraud is felt primarily not by the university issuing the certificate but by institutions accepting those degrees and persons (students) to whom the certificate was issued to.
Institutions are now generally more careful in accepting certificates and follow various processes to vet the certificates:
* Request to inspect original:
Not really used today because it is now easy to source “original” looking fake certificates.
* Ask the copy of the degree to be attested by the Embassy of the country where the University is domiciled:
Also out of favour because the embassy staff can also be fooled, or even worse — facilitate the tampering.
* Check with the University itself:
Not too difficult if the University is local but not really practical unless the university offers a streamlined process to do same. More on this below.
* Engage third party investigation agencies:
These agencies would check with the issuing university in their respective home countries. This often costs a lot in terms of both money and time.
As one can sense from above, the actual price of fraud is paid daily by persons to whom the certificate was issued in the first place and by institutions accepting those documents.
The time delays lead to missed opportunities, unfilled positions and generally add an unwanted tax to the simple task of ascertaining the authenticity of a document.
Nearly every university has an authorised person (“Registrar”) who verifies certificate validation requests. If it is a manual process, then this becomes a bottleneck and sometimes another weak link in the validation chain.
Universities typically provide these validation services to third parties in one of the following forms:
* No stated process:
Unfortunately this is the state of affairs in most developing countries.
* Paper Application (Manual):
Yes — it is as tedious as it sounds: fill a paper form, get a bank draft made, snail mail and wait. Example: Indian Institute of Technology.
* E-mail (Manual):
A validation request is sent via e-mail and response provided by e-mail — typically manually by a human. Example: Harvard Business School.
* Web Service (Manual or automated):
Agents wishing to validate need to validate need to create an account on the web portal, provide details and pay some fees. These web services are provisioned in a couple of ways:
* University run web service:
University run and managed service. Example: National University of Singapore.
* Third Party Web Services:
Here the university ties up with a third party and provides them with their student records database. Agents wishing to validate log on to these third party websites, provide details and get the result after paying some fees. Example: Massachusetts Institute of Technology.
Features and drawbacks of manual processes:
One advantage of the manual process is that it does not require connecting the entire student database to some internet connected server. Everyday we come across hacking incidents and the manual process does not increase bulk data hacking risk.
Manual processes are slow. On the flip side, since the process is manual — it is easier to maintain a balance between student privacy and third party verifier interests.
Time-Person risk: Degrees may need to be verified after years and if the process is manual, at some point in future a compromised person may be part of the office processing such requests. Since many perpetrators consider this a victimless crime, any discrepancies can be next to impossible to detect (no interested party to raise issue).
This case of a MIT Dean needing to resign due to fake degrees is a reminder that individuals with compromised integrity may become part of university administration at certain points of time.
Features and drawbacks of web services offering online verification:
Instant verification: This is the major obvious benefit and much more in sync with current expectations.
Student privacy: This gets tricky in such services and many institutions have resorted to asking students to give consent for such information sharing. Often the consent is global and not for a specific case — again a compromise for efficiency but less than ideal in today’s world. Example: Carnegie Mellon University explaining the need for consent.
Database risk: The risk emanates from the fact that for such a service to work, the entire current student and alumni database needs to be exposed somehow to the internet. This brings it’s own set of risks:
Data leakage: Identity theft is common and such a database is a great target for such thieves.
Data tampering: This can compromise the integrity of such a service. This is not so far fetched and cases have actually been reported:
- For $6500, this forgery business claims to be able to input the fraudulent student details into database for many Australian Universities!
After recent revelations of data hacks of the most sophisticated government departments, reducing database risk should be a prime criteria.
- Third party web-service risks: Though tempting to off-load validation services to third parties, it is important to realize that all the risks multiply in such cases. From a hacker’s perspective, a third party aggregating databases of multiple universities is a much more juicier target than a single university.
We have been studying the certification validation problem for years and feel that the ideal solution should have the following features:
Should work for Paper and electronic copies: often documents get presented as physical copies or submitted as scanned copies making electronic only solutions unviable.
Offer instant validation: instant validation is a hard requirement for the solution to be adopted and be useful.
Avoid Central Database: database risks have to be reduced. It is difficult to secure information today, but securing infrequently accessed information for decades is close to impossible.
Maintain Privacy: An ideal solution should maintain the privacy of both the student as well the organisation validating the certificate and the university or third parties should not be in the middle with attendant responsibilities.
We have been working on a solution that addresses the shortcomings of existing solutions mentioned above. The next post in this series will explain it in more detail.