Thursday, November 16, 2006

RFID For RFID's Sake, It's Full Steam Ahead

United States State Department e-Passport - Image Credit: SecureIDNews eDigest

RFID Technology For RFID Technology's Sake, It's Full Steam Ahead At The State Department

Well, the right-to-privacy veil is about to be tested, and potentially ripped wide open, as the U.S. State Department puts the hammer down on the production and release of the new RFID-embedded e-Passports.

As noted here back in August, a German computer security consultant, in a demonstration of RFID-enabled passport information cloning, placed a new U.S. e-Passport on top of an RFID reader … and within four seconds the data on the RFID chip embedded in the new United States passport appeared on the screen in the Golden Reader Tool template. New e-passports come with a metallic jacket to prevent someone from surreptitiously "skimming," or reading the data on the chip from afar. But, as noted, to allow authorities to read the data on the RFID passport chip, the passport owner must remove the document from the shield before passing it over the RFID reader. It is at this point that any passport is vulnerable to a skimming scam from a distance.

Implementing technology for technology's sake, in order to make the process of identification faster and easier on government workers, may be the undoing of truly secure identification in our approach to the passport document. Truth is, there are also concerns that this new e-Passport may actually SLOW THINGS DOWN!

Excerpts from SecureIDNews -

ePassport issuance cranks up in U.S.
State Department rolls out citizen issuance though controversy still surrounds the project
By Marisa Torrieri, Contributing Editor, SecureIDNews - Tuesday, November 14 2006


In spite of a summer of criticism that included a prominent researcher's much-talked-about EU e-passport cloning demo, the U.S. State Department issued the first e-Passports and e-Passport readers.

Production began in late August at the Colorado Passport Agency and will expand to 17 other passport-issuing facilities throughout the United States in coming months.

And by the looks of things, most in the high-tech industry say it's a case of so-far, so-good. Pilot testing concluded in April 2006 and the bulk of this year was spent preparing for issuance. In 2005, more than 10 million passports were issued in the U.S. so this preparation is no small task.

The new passport's features include multi-layered security to authenticate passport holders and prevent unauthorized reading (called skimming) or eavesdropping:

* A 64 kbps contactless RFID chip in the rear cover of the passport
* Biometric data
* A metallic shielding material within passport's cover
* A randomized unique identification (RUID) feature will mitigate the risk that an e-passport holder could be tracked.

As of late, "there's really nothing new that's come out as far as any security vulnerabilities in the passport or any changes that have been made to improve the passport," says Randy Vanderhoof, chairman of the Smart Card Alliance. "Everything seems to be going pretty well."

But others say the "feelings are mixed."

"Certainly some issues have been addressed, such as cover design and authentication between the passport and the reader," says Bob Blakley, principal analyst for The Burton Group, former chief scientist for security and privacy at IBM. Though these have been dealt with, "security vulnerabilities aren't the only thing one should worry about."

Another concern, for example, is that reading the new technology may decrease travel, as new passports could take longer to verify, resulting in longer lines and other disruptions.

Much media attention has been paid to the possibility of counterfeiting the passport through cloning. "Certainly some attention needs to be paid as to whether good copies can be made of the electronic passports," Mr. Blakley says. "The new passport is significantly different than the old passport, and has not been extensively tested. I think it will be a while before we know if significant issues arise in terms of security of the passport. I think it’s likely we will discover there are additional issues that need to be addressed."
----
It's true one of the most common hack attacks involves intercepting information that travels across the air via RF-enabled communication between chips and readers, but the data is protected by other security measures that make such scenarios unlikely, Mr. Vanderhoof says.

"This German researcher had taken a German passport, and with some technology he acquired over the Internet was able to make an electronic passport and show that he could copy it into another device," explains Mr. Vanderhoof. "(But) what sounded like a vulnerability was not a vulnerability. Making a duplicate copy of the chip doesn't give someone an opportunity to enter the country. The procedure at the border entry point involves reading the chip data and comparing it to the printed data that is inside the passport document along with the appearance of the individual who is standing in front of the border agent. Copying the chip does nothing because the copied data won't match the printed data and photo of another passport or person holding it."

If a chip was duplicated and inserted into another passport, the photo stored in the chip would not match the physical photo in the book. The person would be caught at the checkpoint. And because of the security measures used to store data in the chips, it makes it vastly more difficult to change data than to simply duplicate it.

This is precisely the point of the inclusion of the new technology into the passports. In the past, counterfeit passports had no electronic checks and balances so fraudsters would insert their photo into another person's real document to cross borders. While most agree that no security effort is foolproof, the new e-passports are light years ahead of the prior iterations in regards to security.

Mr. Blakley adds, "there has been a lot of attention paid to the inclusion of the RFID chip, but it's only one of a number of important changes - and all of those [variables] need to be looked at, not just the RFID chip."
----
For more on the Electronic Passport, including links to transcripts with federal officials, visit the Bureau of Consular Affairs' Web site at http://travel.state.gov.

Identity theft is identity theft. OK, so one may not be able to clone a passport and enter the country, but now one can easily breach the veil of personal identity information.

Besides, with the new leadership just voted in on the legislative side of our government, secure borders are not a priority, so why should we be so focused on a new high tech passport process? If they do not care, why should we?

We at MAXINE, as well as others, will wait and see.
