Can we cope with fake diplomas?
Last September I had a comment from Jean-Christophe Pazzaglia (SAP France) regarding my blog post on Integrating a QR code in printed transcripts . His initial concern was about student’s info privacy and the integration with SLcM. The answer to the second question is “yes”, SLcM is our academic info platform, we either manage processes in it, or have it as a platform and build on it. A couple of comments exchanged on SCN was followed by a deeper exchange by email regarding the first question.
This exchange led to deeper ideas exchange where Jean-Christophe’s expertise in security were key. Briefly, the discussed elements and solutions were:
- offline vs online validation: offline would require an app -mobile or desktop- with cryptographic features
- using already existing “add certificates” services offered by LinkedIn for example; we ruled out this idea because not everybody uses LinkedIn
- offer an OCR solution, where the user witl scan the diploma and we would develop a solution with OCR technology to read the diploma and compare it to our database.
- including a URL in a QR code is easily forgeable: getting a credible url and developing a simple web app to simulate successful validations is quite easy to manage ( DiplomaVerifier.com would be an excellent URL to start with)
- have the QR code represent/embed a key, and get the user to access the organization’s webpage and use a verifier service (added for this purpose). The user will insert the extracted key and some relevant information included in the diploma itself (name of the diplomee + year issued) and get a true/false answer
The idea of the QR code with the embedded key would affect any diplomas printed previous to developing this new solution. Only diplomas with a QR code would be verifiable. Although we are a young university we have thousands of graduates.
Not offering the embedded key may lead to people trying to guess names and programs, we would be on the one hand requesting the data to be input exactly as it appears on the diploma, and limiting the amount of validations per day (5 or 10 for example)
With these ideas, we developed a PoC (intended for a HERUG2016 track) that we’d like you to try and give some feedback. This idea could be used for diplomas, for transcripts or even for documents provided by any type of organization.
Link (that will be eventualy added somewhere on our homepage): www.um.edu.uy/DocVerifier
Student’s name and program name will have to be written exactly as they appear either on the diploma or transcript, and the date of birth (not included in either document) will have to be written exactly as explained (dd/mm/yyyy).
After clicking on the “Validate” button, the control sequence is:
- Name is compared to names in student master data
- If there is a match, date of birth is compared
- If there is a match, programs of study are compared to the one written (if the status is “Abandoned” it will be considered as no match)
- If there is a match, a successful message is shown
In case of no match at any point, the error message will not detail which of the 3 elements is the incorrect and a second message appears below offering alternative ways to communicate with us (email or phone) with instructions.
Test data (valid sample; altering any of the three items will get an invalid answer)
Student name: Ronnie Wood
Date of birth: 16/02/1946
Program of study: Carrera de Humanidades
Hope you found the article interesting and even better if you can share experiences/thoughts on this issues.
Thank you Jean-Christophe for the time dedicated!