e-Passports — still not immune to identity theft or cloning

E-Passports, or biometric passports, have been available in select countries since 2006. These passports were touted to be foolproof — each passport contains a microchip that holds a digital photograph of the bearer, the same data as on the photo page (such as date of issue and birthdate), an identification number and a digital signature. The German biometric passport was also developed to include two fingerprints, one from each hand.

However, tests done by The London Times revealed that the chips can be easily cloned and accepted by the computer software in use at airports.

In one of the tests, Jeroen van Beek, a computer researcher from Amsterdam, took two passports, cloned the chips, and implanted a digital picture of Osama Bin Laden in one and a suicide bomber’s picture in the other. It took less than an hour. When scanned against the passport reader, they were accepted as genuine.

The Home Office, the UK’s version of the Department of Homeland Security in the US, argued that “faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international database.” These security key codes are swapped manually among the countries that use them to add another level of security.

However, only 10 of the 45 countries that use e-passports have signed up to the Public Key Directory (PKD), and only five are using it. Criminals can still use electronic security keys from those countries currently not sharing key codes.

The ability of criminals to clone chips leaves travelers more prone to identity theft. For example, when passports are left as an ID at hotels or car rental companies, criminals can take that passport, under the guise of verifying some information, read the information and clone it. The original ID information will be left intact on the cloned chip, but other information, such as the criminal’s fingerprint and digital photograph, can be added.

A spokesman for the Home Office said that “No one has yet been able to demonstrate that they are able to modify, change or alter data within the chip. If any data were to be changed, modified or altered it would be immediately obvious to the electronic reader.”

Despite this assurance from the Home Office, Dominic Grieve, the Shadow Home Secretary, urged the ministers to take action to remedy the situation in light of the Times report. He said that “It is of deep concern that the technology underpinning that is a key part of the UK’s security can be compromised so easily.”

The International Civil Aviation Organization for its part intoned that “The PKD ensures that e-passports used at border control points … are genuine and unaltered. In effect it renders the passport foolproof. However, all states issuing e-passports must join the PKD, otherwise that assurance cannot be given.”
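The check that the Home Office and ICAO statements describe can be sketched as reader-side logic. This is an added example, not code from the article, the researcher, or any passport software. It shows why a signature check only helps when the reader already holds the issuing country's key. Textbook RSA over constructed small primes stands in for the real signature scheme, and the country codes `AAA`/`BBB`, the chip layout, the function names and the `accept_unknown_signer` switch are all assumptions made for illustration.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (constructed, far too small for real use)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_chip(country, data, key):
    """Issuer side: sign the chip data and ship the public key alongside it."""
    sig = pow(digest(data, key["n"]), key["d"], key["n"])
    return {"country": country, "data": data, "sig": sig,
            "pub": (key["n"], key["e"])}

def verify_chip(chip, trust_store, accept_unknown_signer=False):
    """Reader side. trust_store maps country -> (n, e) obtained out of band
    (the role the PKD plays). Returns (accepted, reason)."""
    pub = trust_store.get(chip["country"])
    if pub is None:
        if not accept_unknown_signer:
            return False, "no trusted key for issuing country"
        pub = chip["pub"]  # self-asserted key: proves nothing about the issuer
    n, e = pub
    if pow(chip["sig"], e, n) != digest(chip["data"], n):
        return False, "signature does not match chip data"
    return True, "signature valid"

# Constructed sample data: country codes AAA/BBB and the payloads are made up.
KEY_A = make_key(2**61 - 1, 2**89 - 1)     # issuer whose key the reader holds
KEY_X = make_key(2**107 - 1, 2**127 - 1)   # key that belongs to no issuer
TRUST = {"AAA": (KEY_A["n"], KEY_A["e"])}  # BBB's key was never shared

genuine = sign_chip("AAA", b"name=DOE JOHN;photo=original", KEY_A)
altered = dict(genuine, data=b"name=DOE JOHN;photo=replaced")
resigned = sign_chip("BBB", b"name=DOE JOHN;photo=replaced", KEY_X)

def demo():
    return {
        "genuine": verify_chip(genuine, TRUST),
        "altered": verify_chip(altered, TRUST),
        "resigned_strict": verify_chip(resigned, TRUST),
        "resigned_lenient": verify_chip(resigned, TRUST, accept_unknown_signer=True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Changed data under a trusted key is caught in both modes. Only the reader that refuses chips from issuers whose keys it does not hold rejects the re-signed chip.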

Here in the US, the focus has been on the actual security of the chip data. The data on the chip can be read by anyone standing nearby if it is not protected by some sort of metal film. This new cloning threat seems even more ominous.

According to one security expert who studied the security of RFID chip passports as they were being developed for use here in the US, “Get your paper copy right now before they go electronic.” Passports are valid for a long time, he notes. “You can have five to ten years for [the State Department] to see the error of their way and do it right later,” he says.

Comments

3 Responses to “e-Passports — still not immune to identity theft or cloning”

  1. On August 7th, 2008 at 3:39 pm Idenity Theft said

    It seems that nothing and no one is safe from identity theft and hacking. That is one of the truly scary things about today’s technology.

  2. On August 7th, 2008 at 4:46 pm Jonathan Barden said

    Biopassports cloned? It was bound to happen, the foolproof being fooled. Did no-one see this happening? Seriously?

    It was staring everyone in the face; the smarter and more creative we become, the dumber the ideas and solutions get. I say if it ain’t broken, don’t fix it.

    Yes, I agree that new security measures are needed, but putting your details on a microchip and carrying them around with you across the world? So not a good plan… Every nutjob terrorist and self imposed looney is going to be cloning themselves silly.

    God bless technology it will kill us all.

  3. On August 7th, 2008 at 5:03 pm Jupper said

    The problem is poor implementation of the standard. Mind you though, that the USA requires foreigners wishing to peruse the Visa Waiver Program, to have e-passports if they’ve been issued in the last few years!

    Officially, the word is that if the chip is broken, the rest of the document is still to be treated as valid etc. …

    More info from the actual researcher at: https://www.os3.nl/2008-2009/epassport_eng
