Passport PIN tech could have SAVED MH370 ID fraudsters

Integrated keypad security? They'd never have made it onboard


A man who developed PIN code protection for credit cards is looking to extend the technology to passports as a way of making stolen credentials more difficult to use.

Kenneth Cecil of International Security, who came up with PIN code protection (US patent 6,340,116), will present a white paper on extending the technology to passports at the upcoming International Security Conference trade show in Las Vegas on 2 to 5 April.

In the paper, RFID/Proximity Card with PIN Code Protection, Cecil argues that his technology also protects against risks such as skimming.

The issue of stolen passports was raised in the context of Malaysia Airlines flight 370 because two of its passengers travelled using passports stolen in Thailand.

This raised fears about terrorism in the early stages of the investigation into the missing aircraft. Two individuals (later determined to be Iranian nationals seeking asylum in Europe) were travelling using the snaffled identities of an Austrian and an Italian who reported their passports stolen in 2012 and 2013, respectively.

INTERPOL later confirmed the two stolen passports used by passengers on missing Malaysian Airlines flight MH370 were both registered in its database.

But the issue of stolen passports goes much further than that. Cecil argues PIN code protection technology offers an effective means to mitigate the problem.

Cards used in either access control security or financial transactions can be used by whoever happens to be in possession of them. Lost or stolen cards cost the industry billions. The PIN code protection patent requires the user to input a PIN code and/or finger swipe into a numeric keypad on the card's surface.

The PIN code and/or finger swipe is compared to the reference within the card chip and, if correct, enables the logic system within the card. After a time period the PIN code expires and the card is disabled. A duress feature allows for a remote alarm to be activated if the user is forced to activate the card, such as at an ATM.

The PIN code protection technology can also be applied to visas and passport credentials as 40 million passports are lost or stolen each year. Protected cards cannot be cloned or skimmed.
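The card logic described above, modelled as a small state machine. This is an added example, not code from the patent or the article; the separate duress code, the 30-second unlock window and all names and sample values are assumptions, and only the PIN path (not the finger swipe) is modelled.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PinGatedCard:
    card_id: str
    reference_pin: str            # reference value held inside the card chip
    duress_pin: str               # assumption: a second code signals duress
    unlock_seconds: float = 30.0  # assumption: how long the chip stays enabled
    _enabled_until: float = field(default=0.0, init=False, repr=False)
    _duress: bool = field(default=False, init=False, repr=False)

    @staticmethod
    def _same(a: str, b: str) -> bool:
        # Constant-time comparison so timing does not leak matching digits.
        return hmac.compare_digest(a.encode(), b.encode())

    def enter_pin(self, pin: str, now: float) -> bool:
        """Keypad entry. Both comparisons run before any branching."""
        normal = self._same(pin, self.reference_pin)
        duress = self._same(pin, self.duress_pin)
        if normal or duress:
            self._enabled_until = now + self.unlock_seconds
            self._duress = duress  # passed to the reader so a remote alarm can fire
            return True            # the card behaves the same for the holder either way
        self._enabled_until = 0.0  # a wrong entry also re-locks the chip
        self._duress = False
        return False

    def respond_to_reader(self, now: float) -> Optional[dict]:
        """What a reader receives; None means the chip stays silent."""
        if now >= self._enabled_until:
            return None  # never unlocked, or the unlock window has expired
        return {"card_id": self.card_id, "duress": self._duress}


def demo() -> list:
    card = PinGatedCard("CONSTRUCTED-0001", reference_pin="4921", duress_pin="4929")  # constructed values
    steps = [card.respond_to_reader(now=0)]       # locked: reader gets nothing
    card.enter_pin("0000", now=1)                 # wrong PIN
    steps.append(card.respond_to_reader(now=2))
    card.enter_pin("4921", now=10)                # correct PIN
    steps.append(card.respond_to_reader(now=20))
    steps.append(card.respond_to_reader(now=40))  # window expired
    card.enter_pin("4929", now=50)                # duress code
    steps.append(card.respond_to_reader(now=55))
    return steps
```

A reader that queries the card before a correct entry, or after the window closes, gets no response at all, which is the property the skimming argument rests on.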

Keypads built into your credit card

PIN code protection technology for credit or debit cards requires the user to input a series of digits known only to them into a numeric keypad on the card surface. Credit card technology with built-in keypads has existed for some years without gaining acceptance across the payment card industry. This, and other reasons, make electronic ID experts cautious about the potential offered by putting keypads into passports.

"I’ve watched the technology on the payment card side since at least 2006 and it’s been really slow to develop," Ray Wizbowski, VP for financial vertical marketing at Datacard Group and an expert in electronic ID technology, told El Reg. "Given the requirements for international cooperation and everything that’s gone into the current generation of passport specs, I think this would have quite a tough time getting attention."

ePassports with built-in biometrics are supposed to stop the sort of problem that allowed someone to impersonate the holder of a stolen passport and get on the missing Malaysian Airways flight.

"There are technologies already covered by the ICAO [International Civil Aviation Organization] standards that would have prevented the use of stolen documents," Wizbowski explained. "However, it’s not just about whether a document is ePassport or not, but more about the adoption of the infrastructure within, and importantly, amongst countries."

Airlines are, in any case, supposed to check passport numbers against a list of stolen documents reported to Interpol. Passport technology only changes really slowly with a 10 year turnover cycle, as individuals are obliged to renew their travel documents. If ePassports, once the verification infrastructure is rolled out, can already do the job then why the need to add PIN code protection to travel documents?

Everything's borked

Cecil told El Reg that the present passport system is hopelessly broken and needs to be changed.

"The present passport is easily counterfeited and hard to provide with an RFID chip," Cecil said. "The book configuration for passports is for visa display and recording the date of entering and leaving a country. It should not be used for verifying the identity of the user. Biometric scanners at the point of entry can make the lines challenging."

He rejected the argument that passport systems are difficult to replace as justification for proceeding with current technology roll-out plans. "Thirty years ago we developed a card to replace metal keys and were told that the mechanical lock infrastructure would not allow change," he said.

Moving to RFID equipped passport cards with PIN entry is capable of addressing a myriad of problems, according to Cecil, who argued that similar technology would also help in combating credit card fraud.

"RFID readers could be used to interrogate RFID equipped passport cards as lines of passengers are walking within a defined space," Cecil explained. "Cameras could record and verify through facial recognition and identify those needing further assessment."

"My patent links the RFID card to the user by requiring a PIN code and/or finger swipe to initiate the logic in the chip and then it times out so that lost or stolen cards cannot be used. Also it includes a duress feature for further protection in the event a user is threatened at an ATM. Unprotected RFID credit cards, as used in the EU, can be 'skimmed' and 'cloned' since the RFID chip is unprotected and is always available to an RFID reader," he added. ®


ePassports come in two flavours. In a Basic Access Control ePassport, the content that is physically printed on the holder page (facial image, text, etc) is also stored on the chip. The data that goes onto the chip is digitally signed by the issuing country so it can't be changed. This allows an inspector to verify that the data hasn’t changed and was actually issued by the government. "Imposter" fraud, where stolen passports are sold to someone who looks similar to the legitimate holder, is still possible in this scenario.

For countries wishing to include fingerprints in an ePassport, ICAO mandates the use of Extended Access Control. Security is strong but relies on the use of inspection systems that compare a capture of the passenger's fingerprints against the data stored on the chip. "It really comes down to adoption of the verification infrastructure," Wizbowski said. "While many ePassports have been issued, it is still early days on utilising the technology for inspection."
