Feeds

Irish passports go RFID, and naked

Mug me, my house is currently worth a fortune

Choosing a cloud hosting partner with confidence

Analysis The Irish government has begun issuing RFID passports with biometric data that can be read at a distance to comply with US regulations for its visa waiver programme.

But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.

The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not. A local lobbying outfit called Digital Rights Ireland (DRI) has complained that the new passports are ripe for remote privacy invasion. As of course they are.

Unfortunately, DRI has taken that a step further, fretting in a recent interview with the Sunday Times that the unprotected passports could leave Irish travelers "open to targeting by terrorists".

We find that to be quite a stretch, since Ireland remains neutral in the GWOT. While we wouldn't expect a terrorist attack to be called off because Irish citizens might become casualties, we're fairly confident they would be among the last people actively targeted.

But forgetting terrorists for a moment (not easy, we know, with everyone and his brother playing that card), there are significant privacy issues attached to carrying a document that broadcasts your name, nationality, date of birth, digital photo, fingerprint(s), tax number, and sundry other tidbits either in the system now, or scheduled to be added in the future.

Meanwhile, identity thieves have exhibited miraculous powers of imagination and Herculean initiative in exploiting the simplest holes in data security. This passport, while not an open book today, will likely become one long before its many holes are patched.

A simple layer of foil in the cover would help, although it's hardly a privacy panacea. Recent tests have shown that the RFID chips can be cloned. It's also been found possible to read an unprotected chip from as far away as 30 feet. And it has been demonstrated that RFID systems are vulnerable to viruses.

This is merely the start of a string of vulnerabilities we can expect to hear about, and the system is only now getting underway. Some of the best ones might not be discovered by researchers, but might instead be exploited by criminals for quite some time, until they're finally discovered and a fix is found.

Furthermore, passports are often used as ID cards, not merely as travel documents. The potential for skimming in that situation is virtually unlimited.

The whole scheme is meant to prevent people flying on fraudulent passports. And indeed, if it weren't for the cloning potential, this would be a help, although not a comprehensive fix. It is still quite easy to get an authentic passport with phony documents. I got one with nothing more than a birth certificate, a picture ID, and an application on which my signature had been witnessed by a notary public.

I was asked to swear that the information on the application was accurate, which I did. Perhaps I might have flinched if I'd been lying, but I doubt many criminals would.

With that, I received the passport in less than 24 hours. I think it unlikely that the authenticity of the birth certificate, the picture ID, and the notary public's stamp could have been verified in that time, unless I'd been the passport office's only customer. Most likely, if any verification is done, it's done on a fraction of the applications.

The RFID/biometric component has been grossly oversold as an authenticity panacea. It's hi-tech, scientific and all that, so it impresses the man in the street, who now feels that international criminals, illegal aliens, and terrorists will have a harder time operating. But this scheme might actually make life easier for them, since the overall perception of the biometric passport is one of enhanced security and sophistication. Which means that a bogus one will be even more convincing than it should be, and less likely to be challenged.

Besides not addressing the issue of authenticity terribly well, from a privacy point of view, RFID is the worst possible technology. But it seemed so next-generation to State Department bureaucrats, it was irresistible. A less fancy chip that can be read only through contact, such as those deployed on some credit cards, would be far more secure in terms of privacy. Of course, a layer of foil in the cover, which the US passports have and the Irish ones lack, will at least be helpful in this regard.

This scheme may yet prove to be a terribly expensive blunder. While no one has yet demonstrated a technique for tampering with the data on an RFID chip, we can certainly expect one to surface. Probably long before the first generation of super passports will have expired, prompting - well, what? A mass, international passport recall? Who will pay for that? And how will passport offices manage to replace millions of defective passports while still issuing new ones in a reasonable period of time? Or will we just live with the fact that many millions of passports are unreliable?

RFID isn't going to fix the problem that it's intended to fix, that is, the proliferation of bogus travel documents, yet it will become a boon to identity thieves. Basically, it's a bit worse than what we had. But it is hi-tech, scientific, and all that. Which, for the US State Department, is enough. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.