Feeds

Irish passports go RFID, and naked

Mug me, my house is currently worth a fortune

The Essential Guide to IT Transformation

Analysis The Irish government has begun issuing RFID passports with biometric data that can be read at a distance to comply with US regulations for its visa waiver programme.

But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.

The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not. A local lobbying outfit called Digital Rights Ireland (DRI) has complained that the new passports are ripe for remote privacy invasion. As of course they are.

Unfortunately, DRI has taken that a step further, fretting in a recent interview with the Sunday Times that the unprotected passports could leave Irish travelers "open to targeting by terrorists".

We find that to be quite a stretch, since Ireland remains neutral in the GWOT. While we wouldn't expect a terrorist attack to be called off because Irish citizens might become casualties, we're fairly confident they would be among the last people actively targeted.

But forgetting terrorists for a moment (not easy, we know, with everyone and his brother playing that card), there are significant privacy issues attached to carrying a document that broadcasts your name, nationality, date of birth, digital photo, fingerprint(s), tax number, and sundry other tidbits either in the system now, or scheduled to be added in the future.

Meanwhile, identity thieves have exhibited miraculous powers of imagination and Herculean initiative in exploiting the simplest holes in data security. This passport, while not an open book today, will likely become one long before its many holes are patched.

A simple layer of foil in the cover would help, although it's hardly a privacy panacea. Recent tests have shown that the RFID chips can be cloned. It's also been found possible to read an unprotected chip from as far away as 30 feet. And it has been demonstrated that RFID systems are vulnerable to viruses.

This is merely the start of a string of vulnerabilities we can expect to hear about, and the system is only now getting underway. Some of the best ones might not be discovered by researchers, but might instead be exploited by criminals for quite some time, until they're finally discovered and a fix is found.

Furthermore, passports are often used as ID cards, not merely as travel documents. The potential for skimming in that situation is virtually unlimited.

The whole scheme is meant to prevent people flying on fraudulent passports. And indeed, if it weren't for the cloning potential, this would be a help, although not a comprehensive fix. It is still quite easy to get an authentic passport with phony documents. I got one with nothing more than a birth certificate, a picture ID, and an application on which my signature had been witnessed by a notary public.

I was asked to swear that the information on the application was accurate, which I did. Perhaps I might have flinched if I'd been lying, but I doubt many criminals would.

With that, I received the passport in less than 24 hours. I think it unlikely that the authenticity of the birth certificate, the picture ID, and the notary public's stamp could have been verified in that time, unless I'd been the passport office's only customer. Most likely, if any verification is done, it's done on a fraction of the applications.

The RFID/biometric component has been grossly oversold as an authenticity panacea. It's hi-tech, scientific and all that, so it impresses the man in the street, who now feels that international criminals, illegal aliens, and terrorists will have a harder time operating. But this scheme might actually make life easier for them, since the overall perception of the biometric passport is one of enhanced security and sophistication. Which means that a bogus one will be even more convincing than it should be, and less likely to be challenged.

Besides not addressing the issue of authenticity terribly well, from a privacy point of view, RFID is the worst possible technology. But it seemed so next-generation to State Department bureaucrats, it was irresistible. A less fancy chip that can be read only through contact, such as those deployed on some credit cards, would be far more secure in terms of privacy. Of course, a layer of foil in the cover, which the US passports have and the Irish ones lack, will at least be helpful in this regard.

This scheme may yet prove to be a terribly expensive blunder. While no one has yet demonstrated a technique for tampering with the data on an RFID chip, we can certainly expect one to surface. Probably long before the first generation of super passports will have expired, prompting - well, what? A mass, international passport recall? Who will pay for that? And how will passport offices manage to replace millions of defective passports while still issuing new ones in a reasonable period of time? Or will we just live with the fact that many millions of passports are unreliable?

RFID isn't going to fix the problem that it's intended to fix, that is, the proliferation of bogus travel documents, yet it will become a boon to identity thieves. Basically, it's a bit worse than what we had. But it is hi-tech, scientific, and all that. Which, for the US State Department, is enough. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.