|
|
http://www.thisislondon.co.uk/news/article-23387681-details/'Safest+ever'+passport+is+not+fit+for+purpose/article.do
05.03.07
They are the "safest ever", according to the Government. But the Daily
Mail reveals today how easily a person's identity can be stolen from new
biometric passports.
A shocking security gap allows the personal details and photograph in
any electronic passport to be copied from the outside of the envelope in
which it is delivered to homes.
The passport holder is none the wiser when it arrives because the white
envelope has not been tampered with or opened.
Using a simple gadget built from parts bought on the Internet, it took
the Mail less than four hours to copy the details from one passport.
It had been delivered in the normal way by national courier company
Secure Mail Services to a young woman in Islington, North London.
With her permission we took away the envelope containing her passport
and never opened it.
By the end of the afternoon, we had stolen enough information from the
passport's electronic chip - including the woman's photograph - to be
able to clone an identical document if we had wished.
More significantly, we had the details which would allow a fraudster,
people trafficker or illegal immigrant to set up a new life in Britain.
The criminal could open a bank account, claim state benefits and
undertake a myriad financial and legal transactions in someone else's
name.
This revelation will prove a major embarrassment to ministers. Since
their introduction a year ago, more than four million biometric travel
documents have been delivered by courier.
The Government believes this is the safest way of sending out passports.
But this may be an illusion.
The passports are dispatched in white envelopes which are easily
recognisable from the distinctive lettering and figures on the outside.
There is no identity check on the person signing for the passport when
it arrives. In multi-occupancy flats they can be handed to anyone at the
address. Thousands have already gone missing.
We began our investigation by asking Elizabeth Wood, a 33-year old web
designer, to apply for a new biometric passport.
She telephoned the Identity and Passport Service on Monday, February 12.
Because she wanted the passport quickly, she was asked to go to the IPS
office in Victoria, Central London, the following afternoon.
If she had not requested the fasttrack service, the passport would
normally have been sent out without a face-to-face interview.
The next day Miss Wood met an official for ten minutes. The details on
her application form were verified using two forms of ID - normally a
household bill and a bank statement. Her photograph was also examined.
Miss Wood paid 91 for the fasttrack delivery and was told her passport
would be sent to her home by secure courier in exactly seven days.
In fact, it took just four days, arriving when Miss Wood was in the
shower. Her boyfriend went to the door and signed for the document. He
was able to do so without showing any form of identity to the courier,
who did not ask for Miss Wood.
But there is another gaping hole in security. At first glance the new
biometric passport looks much like the traditional one.
The only clue on the outside of the document that it contains an
electronic chip is a small gold square on the front.
Inside the passport there is a laminated page containing the holder's
picture, passport number, name, nationality, sex, signature, date and
place of birth and the document's issue and expiry date.
At the bottom of this page are two lines of printed numbers and letters
which can be read by a computer when the passport is swiped through a
special machine by immigration officials. It is called the Machine
Readable Zone.
On the back of the page is a tiny computer chip, surrounded by a coil of
copper-coloured wire. This is a Radio Frequency Identification
microchip, which can be read using radio waves.
Encoded on the passport's RFID chip are three important files. One
contains an electronic copy of the printed information on the passport's
photo page; the second holds the electronic image of the holder's photo.
The third is a security device which checks that the previous two files
are not accessed and altered.
In order to get into the files, the computer needs an "electronic key".
This is the 24-digit code printed on the bottom line of the passport's
Machine Readable Zone. It is called the "MRZ key number".
When an immigration official checks the passport by swiping it through
his machine, it reveals the key which is then used to open up the
electronic data on the microchip.
The official checks that the photograph and information printed on the
passport match the details on the chip and the holder is allowed to pass
in, or out, of the country.
The Government says the biometric chips are protected by "an advanced
digital encryption technique". In other words, without the MRZ key code
it is impossible to steal the passport holder's details if you do not
have their travel document.
Yet it took us no time at all to unravel the crucial code, using a
relatively simple computer software programme and a scanning device.
The Mail was helped by computer security consultant Adam Laurie, who
advises public bodies and private companies on combating IT fraud. He
discovered glaring weaknesses in the biometric passport's security
system.
The first flaw is that a hacker can try to access the chip as many times
as he likes until he cracks the MRZ code. This is different to putting a
pin number into a bank machine, where the security system refuses access
after three wrong combinations are entered.
The second is that there are easily identifiable recurring patterns in
the MRZ key codes issued. For example, the passport holder's date of
birth always features, as does the passport's expiry date, which is ten
years after the issue date.
The Mail is not publishing full details of Miss Wood's passport to
protect her. We know exactly how Mr Laurie cracked the MRZ code but we
are not going to reveal the process for security reasons.
Crucially, he only needed one new piece of information - Miss Wood's
date of birth.
In under two hours, the Mail had found this by checking the electoral
roll, birth records and looking at genealogical sites on the Internet.
Miss Wood's photo page soon popped up on Mr Laurie's laptop screen. He
had not needed to see her actual passport - the white envelope
containing it remained unopened on the desk.
Crucially, some banks, including the Post Office, no longer require to
see a full passport as proof of identity from a new customer opening an
account. They ask for a photocopy of the photo page to be sent in the
post instead.
Miss Wood's photo page could easily be copied and used for this purpose.
Mr Laurie said: "I used public information and equipment that is legal.
The software took me three days to write. It is incredibly easy to
thieve data from the passports. It could be put onto another chip and
implanted in a blank passport."
Phil Booth, national co-ordinator of NO2ID, a group pressing the
Government to abandon plans for identity cards, witnessed our
experiment.
"This shows how easy it is to steal a person's identity from the new
passport without the innocent owner even knowing," he said.
"The Government has repeatedly said this information is secure. You have
just shown that it is not."
Last night a Home Office spokesman said: "We do not believe it would be
possible to successfully forge a new passport by doing this.
"The security around the UK passport chip prevents anyone changing or
deleting any of the data or information on the chip, which is what is
required to successfully forge a passport."
_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org