Agents operating undercover in seven states and the District of Columbia, ultimately obtained drivers licenses at every agency where they applied during the investigation, which began in July 2002.

Fake drivers licenses could enable terrorists to board airplanes or open bank accounts without detection, the report suggests.

“As far as drivers license issuing is concerned we’re no more safe from terrorists than we were before September the 11th,” said Sen. Charles Grassley, R-Iowa, chairman of the Senate Finance Committee, which is holding Tuesday’s hearings.

“The findings showed me that there isn’t a state in the nation geared up to being concerned about fake IDs before giving a drivers license.”

Investigators used obviously fake documents which should have been easily identified, Grassley said.

“It’s very, very easy to get fake documents,” Grassley said. “The documents that were used in the investigation were meant to be clearly fake ... and yet every one of them got a license.”

The report comes on the heels of a study released last week by the Federal Trade Commission indicating incidence of identity theft is much higher than government officials had previously believed. An FTC survey estimated that 3.3 million people were victims of full-blown identity theft last year. Another 6.7 million people were hit by credit card fraud and other account takeovers.

Tuesday’s hearing could renew debate about a national identity cards, says privacy expert Rob Douglas, who is scheduled to testify at the hearing, and has seen a draft of the report.

“It’s horrific how easily they did some of this,” he said.

DOCUMENTS NOT CONFISCATED

In many of the eight locations, investigators were initially turned away by motor vehicle employees who initially spotted problems with the applicants’ documents. But the fake paperwork was never confiscated and law enforcement officials were never notified. So the agents merely left the motor vehicle office, addressed the problems, and re-applied — often on the same day — with success.

In Virginia, the first state tested, an undercover agent was at first turned away because the birth date on the fake birth certificate didn’t match the birthday associated with the fraudulent social security number. The clerk handed the paperwork back to the agent and “apologized for being unable to assist him,” according to the report.

Six days later, the same agent went to another motor vehicle office with a new set of paperwork, making sure the birthdays matched. He got the license.

Getting a Maryland license proved a bit trickier, but agents were able to beat the system there on their third DMV visit. On first attempt, the DMV clerk noticed the fake birth certificate did not include a state or county seal, and the texture of the paper was suspicious. But again, the fake documents were returned to the agent — in direct violation of a Maryland DMV policy which tells workers there to confiscate such documents and send a Teletype within 15 minutes alerting all state offices of the suspicious transaction, the GAO report says.

A week later, agents were turned down again by a Maryland DMV because employees there said the agent didn’t have the required documents to establish Maryland residency. On third visit, armed with a utility bill, the agent got a license.

Given heightened security concerns since the Sept. 11, 2001, terrorist attacks, Sen. Max Baucus, D-Montana, said he was surprised by the lack of vigilance by motor vehicle agencies.

“I think most surprising, is that ... people are pretty casual at department of motor vehicles,” Baucus, the committee’s top Democrat, said. “I expected after 9-11 that people would be a little more vigilant and understand that drivers licenses are pretty important.”

THREE LICENSES IN TWO DAYS

The most serious vulnerabilities appeared in California, where agents managed to complete the process to receive three temporary state drivers licenses within two days using the same fake information.

On one occasion, after one agent failed the standard eye test, a second agent stepped in for him, passed the eye test, then handed the successful results to the first agent, who had his photo taken for the license.

Simultaneously, a third investigator was using the same data on another line in the same office; he also was issued a temporary license.

“No one at the DMV noticed that two individuals were simultaneously using the same fictitious name and same fraudulent supporting paperwork,” the report says.

And perhaps more troubling, that undercover agent had already received a temporary license a day earlier from a different location, using the same name. On Aug. 20 of last year, the agent supplied a fake out-of-state West Virginia license as verification of identity and managed to get the California license. On Aug. 21, using the same name but a fake Texas license, he got a California license again, even after the clerk noticed the agent had received a temporary license the day before. The agent simply said he’d lost the first license, and the DMV clerk issued a second California license “without questioning the story further.”

Other locations that ultimately failed the GAO test: Washington D.C., South Carolina, Arizona, Michigan, and New York.

TRY, TRY AGAIN

While agents did have initial trouble getting their fake licenses on their first try, Douglas said that’s even more cause for concern.

“The shocking thing is most states picked up they were forged documents but never did anything about it,” he said. “That means there is no risk to the person trying to obtain the false drivers license.”

The test was very realistic, said Douglas, whose American Privacy Consultants firm advises banks and other financial institutions on identity theft. Criminals often probe security controls several times until they find the right formula for success.

“That’s the way the real bad guys work. They keep pinging away, looking for the soft underbelly of the security procedure.”

In the weeks after Sept. 11, state-issued identifications cards — principally drivers licenses — drew much attention from security experts as a systematic weakness. With each state issuing its own forms of identification, there are hundreds of acceptable forms of state-issued photo ID.

“If one can get a counterfeit drivers license so easily today, we’ve got to do something about that,” Baucus said.

For some, national ID cards would go a long way toward solving the problem. Oracle CEO Larry Ellison offered to donate the software needed to create national ID cards soon after the Sept. 11 terrorist attack. Opponents say such a card would endanger civil liberties and give the federal government too much data about individual citizens and there whereabouts.

But Douglas said the current situation — he thinks there are about 400 state ID formats currently — is untenable.

“Behind the scenes we need to have standardization so an ID card from Virginia can be verified using the same software as an ID card from California. To me that’s common sense,” Douglas said. “Otherwise, there are forms of identification that most people in their own state can’t recognize, much less neighboring states.”