← Blog · Fraud Prevention

Detecting Forged ID Documents: MRZ, Security Features, Tamper Signs

PrivateKYCBot Team · July 18, 2026 · 3 min read

Detecting Forged ID Documents: MRZ, Security Features, Tamper Signs

Most KYC fraud does not start with a stolen face — it starts with a manipulated document. Attackers edit a date of birth, swap a photo, or generate a plausible-looking passport page and submit it through whatever channel you accept. Detecting these forgeries reliably requires more than a visual glance. It requires checking the structured data, the printed security features, and the pixels themselves.

Start With the Machine-Readable Zone

The MRZ — the two or three lines of monospaced characters at the bottom of a passport or ID card — is the fastest integrity check available. It follows the ICAO 9303 standard, encoding the document number, date of birth, expiry date, nationality, and name in a fixed format. Critically, each field carries a check digit computed with a 7-3-1 weighting, plus a composite check digit over the combined data.

When a fraudster edits the visual date of birth but forgets to recalculate the MRZ, the check digit fails. When they edit the MRZ but not the printed field, the two disagree. A basic cross-validation catches a surprising share of amateur tampering:

  • Recompute all check digits and reject on mismatch.
  • Compare MRZ fields against the OCR-read visual zone; flag divergence.
  • Validate the document number format against the issuing country's known pattern.
  • Confirm the expiry date is in the future and the issue date is plausible.

Inspect Security Features, Not Just Text

Genuine documents embed features that are hard to reproduce with a home printer. Depending on the country and document generation, these include holograms, optically variable ink, microprint, guilloché background patterns, and UV-reactive elements. A photo captured in normal light will not reveal UV features, so automated checks lean on what is visible: pattern continuity, font consistency, and the placement of overlays.

Tamper detection focuses on the anomalies editing leaves behind. Photo substitution often disturbs the guilloché lines that should run continuously beneath the portrait. Font substitution shows up as inconsistent character spacing or a hairline difference in stroke weight. Copy-move manipulation leaves duplicated texture regions. Error Level Analysis and metadata inspection can surface re-compression artifacts, though EXIF data alone is weak evidence — it is trivial to strip or spoof.

Where Automation Reaches Its Limit

Automated document checks are good at rejecting the obvious and confirming the clean. The gray zone in between is where risk lives. A high-quality forgery with a correctly recomputed MRZ and a convincing background will pass structural checks. Conversely, a genuine document photographed at a steep angle, under glare, or on a cracked screen can fail legitimate features and frustrate a real customer.

Two practices reduce both error types. First, pair document authentication with a liveness-checked selfie and face match, so a stolen-but-genuine document does not clear on its own. Second, route ambiguous cases to human review rather than auto-approving or auto-declining — and log the specific signals that triggered escalation, so your decisions are defensible under examination.

Capture Quality and Data Handling

Detection accuracy depends heavily on the input. A chat-based flow can guide the applicant frame by frame — asking them to hold the document flat, avoid glare, and capture all four corners — which raises first-attempt pass rates and cuts the re-submission loop. Clear instructions do more for accuracy than any single algorithm.

Document images are among the most sensitive data you will ever hold. Treat capture and retention deliberately: extract only the fields you need for the verification decision, avoid storing raw images longer than your policy and regulator require, and apply configurable retention so records expire automatically once obligations lapse. A forged-document check that itself becomes a breach liability is a poor trade. For general framing on retention windows, consult your applicable regulator and counsel, then encode those rules into your workflow rather than leaving them to manual discipline.

General information, not legal advice. Talk to your compliance counsel for guidance on your specific obligations.