Introduction
The MRZ (Machine Readable Zone) is a central element in the security of modern identity documents. Present on passports, identity cards, and certain residence permits, it enables automatic reading of document information and verification of its integrity.
Defined by the international ICAO 9303 standard, the MRZ contains structured data as well as several security mechanisms, including check digits designed to detect errors and falsifications.
Due to its essential role in automated verification processes, the MRZ is a preferred target for fraudsters. Understanding the different types of MRZ fraud and knowing how to detect them is now essential for businesses, government agencies, and any organization implementing identity verification procedures.
This article explains the main MRZ fraud techniques, the methods used to detect them, and the limitations of these controls.
What is the MRZ and why is it used to verify document authenticity
The MRZ (Machine Readable Zone) is a standardized area usually located at the bottom of an identity document. It consists of two or three lines of characters containing essential information such as the document type, issuing country, holder’s name, document number, nationality, date of birth, sex, and expiration date.
The MRZ structure is strictly defined by the ICAO 9303 standard, used worldwide. This standardization allows computer systems to automatically read and verify document information without human intervention.
The MRZ also includes check digits calculated from the document data. These check digits allow detection of any accidental or fraudulent modification of the information.
Due to these characteristics, the MRZ is an essential element in automated identity verification processes, including border controls, KYC (Know Your Customer) procedures, bank account opening, and online services.
Why the MRZ is a preferred target for fraudsters
The MRZ plays a central role in automated document verification systems. Many platforms rely exclusively on the MRZ to extract and validate identity information without analyzing the entire document in detail.
This reliance on MRZ data creates opportunities for fraudsters. By modifying certain information in the MRZ, they can attempt to deceive automated systems and make a falsified document appear authentic.
For example, a fraudster may attempt to modify the date of birth to bypass an age restriction, change the document number to conceal a flagged document, or alter the expiration date to make an expired document appear valid.
Although the MRZ includes security mechanisms, it remains vulnerable when verification processes are incomplete or poorly implemented.
Main types of MRZ fraud
Modification of one or more characters
The simplest type of fraud consists of modifying one or more characters in the MRZ. This may involve the date of birth, expiration date, document number, or holder’s name.
These modifications can be performed using image editing software or by altering the physical document itself.
However, any modification normally changes the associated check digits. If these check digits are not recalculated correctly, the fraud can be detected.
MRZ inconsistent with visible information
Another common fraud involves modifying visible document information without updating the MRZ, or vice versa.
For example, the visible name on the document may differ from the name encoded in the MRZ, or the printed date of birth may not match the one in the MRZ.
This type of fraud may deceive a quick visual inspection but can be detected through automated comparison between visible data and MRZ data.
Incorrect check digits
Check digits are designed to detect any modification of MRZ data. When a fraudster modifies information without correctly recalculating the corresponding check digit, the MRZ becomes invalid.
Verifying check digits allows immediate detection of this type of falsification.
However, experienced fraudsters may correctly recalculate check digits, making the fraud more difficult to detect.
Completely falsified MRZ
In some cases, the entire MRZ is replaced with an artificially generated one. This technique is used when the document itself is falsified or completely fabricated.
The MRZ may then contain coherent information and valid check digits while being associated with a fraudulent document.
This type of fraud requires additional checks to be detected.
Artificially generated MRZ
There are tools capable of automatically generating valid MRZs from arbitrary information. These tools calculate correct check digits automatically.
An MRZ generated this way may be technically valid while being associated with a falsified or nonexistent document.
The mathematical validity of an MRZ therefore does not guarantee document authenticity.
MRZ copied from another document
A fraudster may also copy the MRZ from a genuine document and apply it to another falsified document.
In this case, the MRZ is valid and check digits are correct, but the document does not match the MRZ.
Only a full document verification can detect this type of fraud.
Individuals, do you occasionally need to verify one or more identity documents ?
Professionals, do you need to integrate proof of identity validation into one of your business processes, including all European identity cards and global passports ?
How to detect MRZ fraud
Check digit verification
The first step is to verify the MRZ check digits. This verification allows detection of any incorrect modification of the data.
This is one of the most effective methods for detecting simple fraud.
Internal consistency verification
It is also necessary to verify the consistency between the different MRZ fields. For example, the overall check digit must correspond to all the data.
Structural inconsistencies may reveal fraud.
Verification of consistency with visible information
The information contained in the MRZ must match the visible information on the document.
Any discrepancy between this information is a potential indicator of fraud.
Format and structure verification
The MRZ must comply with the structure defined by the ICAO 9303 standard. Line length, allowed characters, and field positions must conform to the standard.
Any structural anomaly may indicate falsification.
Automated verification
Automated verification tools allow rapid MRZ analysis and detection of inconsistencies and anomalies.
These tools verify check digits, structure, consistency, and overall MRZ validity.
They automate fraud detection and reduce human error.
Limitations of MRZ verification
MRZ verification is effective but has limitations.
An MRZ can be mathematically valid while associated with a falsified document. Experienced fraudsters can generate perfectly valid MRZs with correct check digits.
MRZ verification must therefore be combined with additional checks, including visual inspection, security feature verification, and image integrity analysis.
MRZ verification alone does not guarantee document authenticity.
Why automated MRZ verification is essential today
With the growth of online services, automated document verification has become essential. Organizations must verify identities remotely, often using only an image of the document.
Automated MRZ verification allows rapid anomaly detection and reduces fraud risk.
It represents a critical first step in a complete document verification process.
How to automatically verify an MRZ
Automated MRZ verification involves extracting data, verifying structure, recalculating check digits, and analyzing consistency.
This can be performed using specialized tools capable of analyzing images or documents automatically.
These tools enable fast, reliable fraud detection and automate verification processes.
Best practices to detect MRZ fraud
To effectively detect MRZ fraud, it is recommended to verify check digits, compare MRZ data with visible information, verify structure and format, and use automated verification tools.
These checks should be complemented by a full document analysis.
Conclusion
The MRZ is a critical component of identity document security and a powerful tool for automated verification. However, it can be targeted by various fraud techniques, from simple character modifications to fully generated falsified MRZs.
MRZ verification enables detection of many fraud types thanks to check digits and the standardized ICAO 9303 structure.
However, MRZ validity alone does not guarantee document authenticity. A complete verification process must combine MRZ analysis with additional checks.
As document fraud continues to increase, automated MRZ verification is an essential step in securing identity verification processes.
Individuals, do you occasionally need to verify one or more identity documents ?
Professionals, do you need to integrate proof of identity validation into one of your business processes, including all European identity cards and global passports ?



