Feeds

Irish passports go RFID, and naked

Mug me, my house is currently worth a fortune

Intelligent flash storage arrays

Analysis The Irish government has begun issuing RFID passports with biometric data that can be read at a distance to comply with US regulations for its visa waiver programme.

But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.

The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not. A local lobbying outfit called Digital Rights Ireland (DRI) has complained that the new passports are ripe for remote privacy invasion. As of course they are.

Unfortunately, DRI has taken that a step further, fretting in a recent interview with the Sunday Times that the unprotected passports could leave Irish travelers "open to targeting by terrorists".

We find that to be quite a stretch, since Ireland remains neutral in the GWOT. While we wouldn't expect a terrorist attack to be called off because Irish citizens might become casualties, we're fairly confident they would be among the last people actively targeted.

But forgetting terrorists for a moment (not easy, we know, with everyone and his brother playing that card), there are significant privacy issues attached to carrying a document that broadcasts your name, nationality, date of birth, digital photo, fingerprint(s), tax number, and sundry other tidbits either in the system now, or scheduled to be added in the future.

Meanwhile, identity thieves have exhibited miraculous powers of imagination and Herculean initiative in exploiting the simplest holes in data security. This passport, while not an open book today, will likely become one long before its many holes are patched.

A simple layer of foil in the cover would help, although it's hardly a privacy panacea. Recent tests have shown that the RFID chips can be cloned. It's also been found possible to read an unprotected chip from as far away as 30 feet. And it has been demonstrated that RFID systems are vulnerable to viruses.

This is merely the start of a string of vulnerabilities we can expect to hear about, and the system is only now getting underway. Some of the best ones might not be discovered by researchers, but might instead be exploited by criminals for quite some time, until they're finally discovered and a fix is found.

Furthermore, passports are often used as ID cards, not merely as travel documents. The potential for skimming in that situation is virtually unlimited.

The whole scheme is meant to prevent people flying on fraudulent passports. And indeed, if it weren't for the cloning potential, this would be a help, although not a comprehensive fix. It is still quite easy to get an authentic passport with phony documents. I got one with nothing more than a birth certificate, a picture ID, and an application on which my signature had been witnessed by a notary public.

I was asked to swear that the information on the application was accurate, which I did. Perhaps I might have flinched if I'd been lying, but I doubt many criminals would.

With that, I received the passport in less than 24 hours. I think it unlikely that the authenticity of the birth certificate, the picture ID, and the notary public's stamp could have been verified in that time, unless I'd been the passport office's only customer. Most likely, if any verification is done, it's done on a fraction of the applications.

The RFID/biometric component has been grossly oversold as an authenticity panacea. It's hi-tech, scientific and all that, so it impresses the man in the street, who now feels that international criminals, illegal aliens, and terrorists will have a harder time operating. But this scheme might actually make life easier for them, since the overall perception of the biometric passport is one of enhanced security and sophistication. Which means that a bogus one will be even more convincing than it should be, and less likely to be challenged.

Besides not addressing the issue of authenticity terribly well, from a privacy point of view, RFID is the worst possible technology. But it seemed so next-generation to State Department bureaucrats, it was irresistible. A less fancy chip that can be read only through contact, such as those deployed on some credit cards, would be far more secure in terms of privacy. Of course, a layer of foil in the cover, which the US passports have and the Irish ones lack, will at least be helpful in this regard.

This scheme may yet prove to be a terribly expensive blunder. While no one has yet demonstrated a technique for tampering with the data on an RFID chip, we can certainly expect one to surface. Probably long before the first generation of super passports will have expired, prompting - well, what? A mass, international passport recall? Who will pay for that? And how will passport offices manage to replace millions of defective passports while still issuing new ones in a reasonable period of time? Or will we just live with the fact that many millions of passports are unreliable?

RFID isn't going to fix the problem that it's intended to fix, that is, the proliferation of bogus travel documents, yet it will become a boon to identity thieves. Basically, it's a bit worse than what we had. But it is hi-tech, scientific, and all that. Which, for the US State Department, is enough. ®

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.