Archive for the ‘WHTI’ Category

EU passport security has been placed under the microscope

c/o euobserver.com , *special thanks to EFF

EUOBSERVER / BRUSSELS – The biometric, or “e-passport,” was supposed to offer a previously unrivalled level of security and protection against forgery. It was “fool-proof,” some said, even “impossible” to counterfeit.

In the years that followed the attacks on New York and Washington, the European Union, as with many international powers, was eager to embrace the technology. In 2004, the European Commission proposed technical specifications for a harmonised e-passport system, first requiring digital facial image as as a mandatory biometric identifier for passports and later requiring fingerprint data.

Airport: EU passport security has been placed under the microscope (Photo: dacba10)

But in the wake of the Dubai targetted killing of a Hamas commander, in which a team of some 27 assassins used fake EU and Australian passports in the course of their cloak and dagger escapade, the security of the passport has been placed under the microscope.

Beyond the Dubai murder, Europol has warned that despite the biometric changes to passports, counterfeiting still remains a major problem for criminals or others “who are determined to do so,” with the provision of documents for irregular immigrants being the main driver of the activity.

In 2008, the latest year for which data is available, some 16.7 million passports were on an Interpol database of stolen or disappeared passports.

Magnus Svenningson, the CEO of Speed Identity, the company that provides the biometric data capture platform to the Swedish, Luxembourg and Lithuanian governments, in an interview with EUobserver reveals how passports can be forged.

“The EU passport is a very, very secure document. EU countries have invested a lot in the document. It’s extremely expensive and difficult to forge, although not impossible,” he said.

What makes it so hard is one would have to clone the certified chip of the issuing government: “This requires machine-supported verification of the documents.”

Famously, in August 2008, after 3,000 blank UK passports were stolen and British authorities said that without the chip, the documents would have been useless, the Times newspaper hired a computer researcher to successfully clone the chips on two British passports. Passport reader software used by the UN authority that establishes biometric passport standards believed the chips to be genuine.

This is designed to be countered by checking the chip at a border crossing against an international database of key codes, the Public Key Infrastructure, but only a minority of countries have signed up. So a would be counterfeiter should choose a state that does not share these codes.

The level of counterfeiting difficulty varies from country to country, said Mr Svenningson: “In some countries, it’s very easy, others not so easy, but every country has their own loopholes.”

Loopholes

First of all, the inclusion of the biometric identifiers is binding only for those countries in the Schengen area, of which the UK and Ireland have opted out and which Cyprus, Bulgaria and Romania have yet to join. These specifications are also binding on European Economic Area countries Norway, Iceland, Liechtenstein and Switzerland.

According to the EU regulation, countries were to have included both facial imagery and fingerprints in their systems by July last year. The British e-passport meanwhile only uses a digital image and not fingerprinting, although this is currently under consideration by authorities.

UK foreign minister David Miliband said that the Dubai passports taken from British citizens were in any case not biometric, which makes the forgery process that much easier. But Mr Svenningson said that one of the easiest methods is to acquire a duplicate passport – “a real fake passport” – rather than to forge one.

“The problem is enrollment and lies with the breeder documents. These are the documents that make you a for example a British or German citizen,” such as a birth certificate or naturalisation papers. “These documents plus the biographic data and the biometric data are then unified and stored in a passport tied together, forming a proof of identity.”

According to Mr Svenningson, you should choose a victim that roughly matches your appearance, and then photoshop an image of yourself so that it appears closer to what the original person looks like, something in between you and the other person.

This process is aided by “the transfer of a paper photo to a digital one, which involves a huge loss of quality, resulting in a photo that makes it very easy for others to use.”

“When all this is done, you apply for renewal of your victim’s passport and file a new application with your tailored picture. Then you wait at his or her mailbox of until the new passport arrives by mail and snatch that particular letter.” He added that a postbox that is separate from the apartment or house is best.

This method is the most common, he said. The advent of biometric passports has had an effect: “There has been a big shift in the last five years from counterfeiting to applying for a real one,” because of the additional hurdles set up by biometry.

Fingerprints can be fooled

But those countries that require fingerprints included on the chip can still be fooled.

“Fingerprints are possible to fake for a low cost. The easiest way is to obtain a print from something someone has touched, a glass or a mobile phone.”

From this you can extract a picture of the ridges that you see on your fingertip. This picture can be moulded onto a piece of plastic, which can then be subtly placed on the fingertip during enrollment or verification of the data to make you appear like someone else.

Even retina scans are not impossible to fake.

“This is difficult. The process involves taking a picture of the retina with infrared light at very close distance. But it is still not impossible. You could hold some kind of eye-like object with a picture of the retina in front of the camera. Of course if the process is supervised, it then becomes quite difficult.”

But he says that this supervision, making sure that the photo, fingerprints and other biometric data are captured at the same moment that you apply for a passport: “So that all the data is tied together and impossible for the applicant to alter.”

“It’s very important to have the whole enrollment process take place in one sequence via an officially supervised process. Any time you break up this sequence, you introduce a window for individuals to undermine the security of the passport.”

Of course, Mr Svenningson’s business model is precisely that – all-in-one biometric data capture – so he has an interest in suggesting its importance. He jokes that photography shops, who do not sell as many rolls of film any more and for whom the €8 set of four passport photos is an increasingly substantial part of their business, do not particularly like the idea.

But it will still take many years before even the current generation of e-passports is widely adopted.

Five to 10 year window

“When it comes to non-biometric passports, there is an even weaker tie between the document and its holder, and while biometric passports are common now, the large bulk of EU passports in circulation are non-biometric because they aren’t out of date yet, and won’t be for a number of years. It will take at least another five to 10 years for all EU passports to be biometric.”

Still, nothing will be able to stop those who have the time and money to invest in counterfeiting, he said: “The intelligence services have the expenses and the capacity to do this.”

Last week, the Australian Broadcasting Corporation interviewed Victor Ostrovsky, a case officer at the Mossad in the 1980s, who said that the Israeli spy agency had its own “passport factory,” a company established within the Mossad headquarters.

“They create various types of papers, every kind of ink. It’s a very, very expensive research department,” he said.

© 2010 EUobserver.com. All rights reserved. Printed on 25.03.2010.

“If you are not a member of the Seneca Nation of Indians, fear not. The Saint Regis Indians, the Oneida Indian Nation of New York and the Haudenosaune (otherwise known as Onondaga, et al) are right in line (as well as every other federally recognized tribe). And guess what? You get to have your “Nation’s” logo on the card (maybe even your Indian name). No one will ever know you finally declared your subjugation to your oppressors. Hell, you won’t even have to show the card. It will transmit who and what you are from your pocket.



Ohnkwe Ohnwe, Of Native Pride


Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern.

“Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with the Department of Homeland Security,” he says.


[BTC Comment – Is the State Department’s job to make egregious hacks look like it was all their idea and that they have everything under control?

I guess the more important question to ask is: are you in control of your identity and where your private information lands due to RFID deployment?

If you are confident RFID is insecure you reserve the right to demand more privacy provisions, especially if it’s a legal mandate and you are required to pay for it.]

RFID Passport Tags Save Time, Risk Privacy
By Jeff Goldman

c/o WiFi Planet

The presence of an RFID tag in U.S. passport cards has raised privacy concerns, but government officials insist the technology is safe–and that the efficiency it adds at land borders is worth the risk.

By the time WHTI went into effect on June 1st of this year, requiring Americans to present passport books, passport cards, or EDLs when crossing land borders into the United States, over a million RFID-enhanced passport cards had already been issued. While WHTI itself isn’t new, its implementation for land borders was delayed two years ago in order to allow for further testing of passport card technology.

It’s important to note that there’s a key difference between e-passports(passport books) and passport cards. While passport cards use vicinity RFID (EPC Gen 2) technology, which can be read at distances of up to 30 feet, e-passports use ISO 14443 contactless smart card tech with a read range of a few inches. To compensate for their readibility (and therefore hackability) at a distance, passport cards only transmit an ID number that relates back to information stored in a secure central database, while e-passports store and transmit much more detailed information about the passport holder.

According to Randy Vanderhoof, executive director of the Smart Card Alliance, that difference was key to the selection of the two technologies. “The electronic passport was built knowing that it was going to store secure information like a person’s name, city of issuance, passport number, image of the person… and therefore they chose a more secure chip technology to protect that information—whereas the passport card was designed to be a static identifier to a central database, with no personal information stored in the chip itself,” he says.

Vanderhoof contends that the government’s decision to use the longer-range EPC Gen 2 technology in passport cards was a mistake. “The decision to trade speed over security and privacy, I think, was a poor decision on the part of the program managers under WHTI—but they repeatedly defended the decision because of the traffic flows through the land borders and the fact that they needed something that could be read from great distances,” he says.

Still, Paul Hunter, technical lead for the Western Hemisphere Travel Initiative at U.S. Customs and Border Protection, insists that the time savings provided by the passport cards are considerable. “We can actually read the documents as they’re approaching the booth…which means, instead of handing a document to an officer and him swiping it or manually typing in data, the data’s already there, and now he can focus on the person, and he can focus on the conveyance…it saves six to eight seconds per person,” he says.

And at a land border, Hunter says, time is of the essence. “We’re talking over 100 million crossings a year,” he says. “Those six to eight seconds actually are very significant. We’ve done time and motion studies where we’ve actually measured the time it takes to take the document, to bring it into the booth, to either manually type or swipe and then wait for the results—and if you eliminate all that, you are actually on average saving between six to eight seconds.”

What’s more, Hunter says, the same technology has already been in use for over ten years in the government’s SENTRI and NEXUStrusted traveler programs. “And we have not had one reported incident of somebody skimming that data and using it for nefarious purposes…the reality is, it’s just a number,” he says. “And we further mitigate that by making sure the data that’s associated with that is in a secure back-end database.”

Ultimately, Michael Holly, chief of consular affairs/international affairs at the U.S. Department of State, says Chris Paget’s interception of the passport card’s data is no reason for concern. “Mr. Paget actually was doing nothing more than what we intended to have happen…the card, if powered by a reader, will give off the ID number, which is simply a pointer to the data that we share with theDepartment of Homeland Security,” he says.

But Paget himself, now president and CTO of the security research firm H4RDW4RE, says that ID number shouldn’t be so easily accessible. “You shouldn’t necessarily think of it as low-risk just because it’s a number,” he says. “Your social security number is just a number. Your credit card number is just a number. It’s the meaning that’s attached to those numbers that makes it risky—and in this instance, it’s an identifier for a person, so any time you see that identifier, you can be certain that you’re seeing that same person.”

One possible solution, Paget says, would be to add an on/off switch to the passport card, as has been suggested by Dr. Ann Cavoukian,Information and Privacy Commissioner for the Canadian province of Ontario. Paget says it’s simply a matter of adding “a button on the card that you have to physically squeeze to turn the tag on, at which point it can be read—so it completely negates the need for shielding…because the tag is off until you actually want it to be turned on.”

The larger point, Paget says, is that RFID needs to be approached with the same caution as the Internet—both, essentially, are simply untrusted networks that move bits of data from point a to point b. “There’s no reason why RFID cannot have equivalent security to something like SSH or SSL that we use on the Internet all the time…I’m certainly not against RFID as a technology: I think it’s got great potential, but there needs to be a lot more security involved in the design of the systems,” he says.

LISTEN :::H4RDW4RE : An RFID Clean Up Team

BTCRadio Frequency ID chip technologies are “too vulnerable in too many ways,” says Chris Paget, ethical hacker and partner for H4RDW4RE, a new company creating privacy and security solutions to existing RFID problems in the marketplace.


The public has been made aware of RFID or Radio Frequency ID technologies commissioned for national identity documents: passports, Enhanced Drivers Licenses, TWIC cards, Speed Passes and even Tribal Identity Cards. Unfortunately, RFID as a government sanctioned technology earned a big brother reputation from its ability to track a persons current location, storing and conveying private information from 20 – 30 feet away.


Chris Paget, a technology penetration consultant, found the Western Hemisphere Travel Initiative compliant RFIDs especially troublesome. He began doing live demonstrations exposing identity security flaws RFIDs had on average cardholders. Then Chris Paget and his business partner Tim Mullen formed H4RDW4RE.com. They have made it their business to demonstrate exactly how insecure Western Hemisphere compliant RFID chips can be for people to possess in identity cards, smart-contactless cards and credit cards.


In this interview they explain the benefits of technology penetration testing or “ethical hacking” for investors and adopters. One of Paget’s demonstrations went viral via YouTube in February, blowing apart any faint notion of RFID’s billing as a secure identity technology. Equipped with only a $250 signal reader and a conventional laptop, Paget cloned or copied private passport information from a parked car in San Francisco.


H4RDW4RE recently featured high profile demonstrations at 2009 conventions like DefCon & Black Hat. They continue to invent solutions for existing security problems and risks ordinary people face from identity technologies present in U.S. passports and other public cards.


BTC – These two articles came in from the Windsor Star, Vancouver B.C. , a Canadian town due north of Seattle, Washington.

Skimming machines found at 2 TD ATMs

Police are confident that the suspect or suspects did not gain any personal information from the ATM in Devonshire mall. The skimming machine was comprised of a camera and an electronic component that’s installed over the card slot which holds a memory card. When police investigated, they found the memory card still intact.

Police are unsure at this time if any personal information was compromised at the TD on Walker Road.

A man was caught on a surveillance camera at the Walker Road location, but police don’t know how long ago both devices were installed.

The border: An 8-year assessment

The WHTI has hurt businesses on both sides of the border and squeezed tourism. Business groups are also worried that when the recession ends, and truck traffic ramps up again, the border will turn into a chokepoint for two-way trade.

In the hours after 9-11, we used this space to point out that the immediate priority of our American neighbours would be to improve national security, and they would start with their borders.

We argued that the U.S. would build a higher, stronger wall around itself to protect its citizens, and Canadians could not afford to find themselves on the wrong side of the new security fence.

If that happened, the price to pay would be the erosion of a co-operative relationship that had created the world’s most open and intertwined economies.

Now, eight years later, we haven’t reached the point that the Canada-U.S. border has become a wall, but it is not the same border it was before 9-11, and it isn’t operating in the best interest of either country.

The days when you could count on hassle-free travel across the border are mostly over. The last-minute decisions to cross the border for dinner or a night-on-the-town aren’t being made as often.

Initially, it was the risk of delays as U.S. customs ramped up inspections. Now traffic in both directions is down again with the U.S. requiring passports or similar documentation (the Western Hemisphere Travel Initiative) to enter the U.S. The rule applies to both Americans and Canadians.

The war on terrorism was not supposed to turn into a war on the lifestyle and livelihoods of law-abiding Canadians and Americans. :::MORE HERE:::

The run on global identity continues
The Western Hemisphere Travel Initiative was just about proving you were a citizen, not that you had to do it by any specific kind of technology. We are close to the point now that if you don’t want RFID in any of your documents that you can’t leave the country or get back into it.” –Michigan State Representative Paul Opsommer 

From Global Research of Canada

Enhanced driver’s licenses have built-in radio chips providing an identifying number or information that can be accessed by a remote reading unit while the license is inside a wallet or purse. The technology already had been implemented in Washington State, where it is promoted as an alternative to a passport for traveling to Canada . So far, the program is optional. But there are other agreements already approved with Michigan, Vermont, New York and Arizona, and plans are under way in other states, including Texas [who passed state transportation code for both RFID & biometrics in 2007].

Many countries besides the Security and Prosperity Partnership [United States, Mexico, Canada] members have jumped on the RFID bandwagon, which has become a multibillion dollar global enterprise.

[On June 1st, 2009, the first day of the Western Hemisphere Travel Initiative (WHTI) full implementation, Border Trade Alliance (BTA), is asking U.S. and Canadian citizens to use Twitter to post their cross-border travel experiences with WHTI to collect feedback on the program at land ports throughout North America.]

On July 15, 2009, the Indian government announced that India is going to issue biometric ID cards to its 1.2 billion citizens. The Government in Delhi recently created the Unique Identification Authority, a new state department charged with the task of assigning every living Indian an exclusive number. It will also be responsible for gathering and electronically storing their personal details, at a predicted cost of at least £3 billion.

On July 28, 2009, President Felipe Calderon proclaimed that Mexico will start issuing nationwide identity cards for its citizens starting this year and by 2012 everyone will have one.

Compulsory national identity cards are used in about 100 countries including Germany, France, Belgium, Greece, Luxembourg, Portugal and Spain.

German police can detain people who are not carrying their ID card for up to 24 hours.

South Korean, Brazilian, Italian and Malaysian ID cards contain fingerprints. Cards in some countries contain information on any distinguishing marks of the holder. In the European Union some cards can be used instead of a passport for European travel. ID cards are not used yet in the US , Canada , New Zealand , Australia , the Irish Republic , and the Nordic countries. :::MORE HERE:::

“I’m sure the civil libertarians will object to some kind of biometric card — although . . . there’ll be all kinds of protections — but we’re going to have to do it. It’s the only way,” Schumer said. “The American people will never accept immigration reform unless they truly believe their government is committed to ending future illegal immigration.”

Generations of Americans have lived without biometrics. It is not the only way.

BTC Commentary – Schumer, misunderstands and underestimates the fiscal limits of both the American people’s patience and tolerance for any further insolvency or compromise over the integrity of something as personal as our identity. In short, the U.S. Congress does not respect or uphold a standard suitable for the American public if they persist with biometric identifiers against the 4th Amendment. They misrepresent the U.S. people.

Senate Democrats Address Immigration

c/o Washington Post , Spencer Hsu

Senate Democrats outlined plans yesterday to overhaul the nation’s immigration laws, including a requirement that all U.S. workers verify their identity through fingerprints or an eye scan.

Speaking on the eve of a White House summit with congressional leaders on immigration, Sen. Charles E. Schumer (N.Y.) said a national system to verify work documents is necessary because Congress has failed to crack down on unscrupulous employers and illegal immigrants with fake documents.

“I’m sure the civil libertarians will object to some kind of biometric card — although . . . there’ll be all kinds of protections — but we’re going to have to do it. It’s the only way,” Schumer said. “The American people will never accept immigration reform unless they truly believe their government is committed to ending future illegal immigration.”

By announcing his plans, Schumer, who chairs the Senate’s main immigration subcommittee, ushered in what President Obama has signaled will be his next major legislative campaign, after the economic stimulus plan, health care and energy.

Schumer said legislation should secure control of the nation’s borders within a year and require that an estimated 12 million illegal immigrants register with the government and “submit to a rigorous process to convert to legal status” or face immediate deportation. Rejecting the euphemism “undocumented workers,” he said: “Illegal immigration is wrong — plain and simple.”

A senior White House official said Obama is open to all of Schumer’s proposals, including his ID plan, saying that “he wants to listen, he wants to talk. All of it is on the table.”

Hispanic leaders and immigrant advocates have pressed Obama to fulfill a campaign pledge to tackle the issue this year. In response, House and Senate Democratic leaders voiced new optimism this week that a deal can be struck before election season heats up next spring.

“I think we have the floor votes to do it,” Senate Majority Leader Harry M. Reid (D-Nev.) told reporters Tuesday. House Majority Leader Steny H. Hoyer (D-Md.) added that action could begin “as early, perhaps, as this fall.”

Seeking to build momentum, Obama will meet today with at least 20 House and Senate members from both parties, officials said. But White House aides have worked to lower expectations, noting Congress’s inability to deliver legislation to former president George W. Bush in 2006 and 2007, and vowing to proceed with debate this year only with strong bipartisan support.

“The president wants to make it clear he is serious,” a senior White House official said yesterday. “He also wants to make it clear he’s going to need strong partnership and leadership on both sides of the aisle to get the right policies moving.”

Key Republicans reacted cautiously, saying they would work with Obama if he thinks a deal is possible.

“What we need now is not another photo op at the White House,” Sen. John Cornyn (Tex.), the ranking Republican on Schumer’s panel, said Tuesday. “What we need is a plan from the president of the United States.”

In pushing Congress to tackle the subject for the third time in four years, advocates say a bigger Democratic majority, Republican unease over the party’s waning support from Hispanics and public demand for solutions will deliver a filibuster-proof 60 votes in the Senate.

But the plan faces obstacles, opponents said, including rising competition for jobs in a collapsing economy, and continued resistance to granting “amnesty” to illegal immigrants.

“Every Democrat that’s in a competitive district knows that will be the question next year: Why did they vote for more foreign workers while 14 million workers are unemployed?” said Roy Beck, founder of NumbersUSA, a group that advocates for limiting immigration.

Also unclear is what backing might come from business groups. Schumer’s priorities did not include expanding a guest-worker program, which employers sought. Instead, Schumer said that any deal must also create mechanisms to attract highly skilled immigrants, control the flow of low-skilled immigrants and protect native-born workers.

A system to access legal workers “is non-negotiable from a business point of view,” said Tamara Jacoby, president of the ImmigrationWorks USA lobby, adding: “But we’re open to a discussion of what that legal mechanism should be.”