Feeds

Irish passports go RFID, and naked

Mug me, my house is currently worth a fortune

Next gen security for virtualised datacentres

Analysis The Irish government has begun issuing RFID passports with biometric data that can be read at a distance to comply with US regulations for its visa waiver programme.

But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.

The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not. A local lobbying outfit called Digital Rights Ireland (DRI) has complained that the new passports are ripe for remote privacy invasion. As of course they are.

Unfortunately, DRI has taken that a step further, fretting in a recent interview with the Sunday Times that the unprotected passports could leave Irish travelers "open to targeting by terrorists".

We find that to be quite a stretch, since Ireland remains neutral in the GWOT. While we wouldn't expect a terrorist attack to be called off because Irish citizens might become casualties, we're fairly confident they would be among the last people actively targeted.

But forgetting terrorists for a moment (not easy, we know, with everyone and his brother playing that card), there are significant privacy issues attached to carrying a document that broadcasts your name, nationality, date of birth, digital photo, fingerprint(s), tax number, and sundry other tidbits either in the system now, or scheduled to be added in the future.

Meanwhile, identity thieves have exhibited miraculous powers of imagination and Herculean initiative in exploiting the simplest holes in data security. This passport, while not an open book today, will likely become one long before its many holes are patched.

A simple layer of foil in the cover would help, although it's hardly a privacy panacea. Recent tests have shown that the RFID chips can be cloned. It's also been found possible to read an unprotected chip from as far away as 30 feet. And it has been demonstrated that RFID systems are vulnerable to viruses.

This is merely the start of a string of vulnerabilities we can expect to hear about, and the system is only now getting underway. Some of the best ones might not be discovered by researchers, but might instead be exploited by criminals for quite some time, until they're finally discovered and a fix is found.

Furthermore, passports are often used as ID cards, not merely as travel documents. The potential for skimming in that situation is virtually unlimited.

The whole scheme is meant to prevent people flying on fraudulent passports. And indeed, if it weren't for the cloning potential, this would be a help, although not a comprehensive fix. It is still quite easy to get an authentic passport with phony documents. I got one with nothing more than a birth certificate, a picture ID, and an application on which my signature had been witnessed by a notary public.

I was asked to swear that the information on the application was accurate, which I did. Perhaps I might have flinched if I'd been lying, but I doubt many criminals would.

With that, I received the passport in less than 24 hours. I think it unlikely that the authenticity of the birth certificate, the picture ID, and the notary public's stamp could have been verified in that time, unless I'd been the passport office's only customer. Most likely, if any verification is done, it's done on a fraction of the applications.

The RFID/biometric component has been grossly oversold as an authenticity panacea. It's hi-tech, scientific and all that, so it impresses the man in the street, who now feels that international criminals, illegal aliens, and terrorists will have a harder time operating. But this scheme might actually make life easier for them, since the overall perception of the biometric passport is one of enhanced security and sophistication. Which means that a bogus one will be even more convincing than it should be, and less likely to be challenged.

Besides not addressing the issue of authenticity terribly well, from a privacy point of view, RFID is the worst possible technology. But it seemed so next-generation to State Department bureaucrats, it was irresistible. A less fancy chip that can be read only through contact, such as those deployed on some credit cards, would be far more secure in terms of privacy. Of course, a layer of foil in the cover, which the US passports have and the Irish ones lack, will at least be helpful in this regard.

This scheme may yet prove to be a terribly expensive blunder. While no one has yet demonstrated a technique for tampering with the data on an RFID chip, we can certainly expect one to surface. Probably long before the first generation of super passports will have expired, prompting - well, what? A mass, international passport recall? Who will pay for that? And how will passport offices manage to replace millions of defective passports while still issuing new ones in a reasonable period of time? Or will we just live with the fact that many millions of passports are unreliable?

RFID isn't going to fix the problem that it's intended to fix, that is, the proliferation of bogus travel documents, yet it will become a boon to identity thieves. Basically, it's a bit worse than what we had. But it is hi-tech, scientific, and all that. Which, for the US State Department, is enough. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?