Wednesday, March 24, 2010

EU passports not that safe, says expert

EU passport security has been placed under the microscope

c/o euobserver.com , *special thanks to EFF


EUOBSERVER / BRUSSELS - The biometric, or "e-passport," was supposed to offer a previously unrivalled level of security and protection against forgery. It was "fool-proof," some said, even "impossible" to counterfeit.

In the years that followed the attacks on New York and Washington, the European Union, as with many international powers, was eager to embrace the technology. In 2004, the European Commission proposed technical specifications for a harmonised e-passport system, first requiring digital facial image as as a mandatory biometric identifier for passports and later requiring fingerprint data.


Airport: EU passport security has been placed under the microscope (Photo: dacba10)

But in the wake of the Dubai targetted killing of a Hamas commander, in which a team of some 27 assassins used fake EU and Australian passports in the course of their cloak and dagger escapade, the security of the passport has been placed under the microscope.

Beyond the Dubai murder, Europol has warned that despite the biometric changes to passports, counterfeiting still remains a major problem for criminals or others "who are determined to do so," with the provision of documents for irregular immigrants being the main driver of the activity.

In 2008, the latest year for which data is available, some 16.7 million passports were on an Interpol database of stolen or disappeared passports.

Magnus Svenningson, the CEO of Speed Identity, the company that provides the biometric data capture platform to the Swedish, Luxembourg and Lithuanian governments, in an interview with EUobserver reveals how passports can be forged.

"The EU passport is a very, very secure document. EU countries have invested a lot in the document. It's extremely expensive and difficult to forge, although not impossible," he said.

What makes it so hard is one would have to clone the certified chip of the issuing government: "This requires machine-supported verification of the documents."

Famously, in August 2008, after 3,000 blank UK passports were stolen and British authorities said that without the chip, the documents would have been useless, the Times newspaper hired a computer researcher to successfully clone the chips on two British passports. Passport reader software used by the UN authority that establishes biometric passport standards believed the chips to be genuine.

This is designed to be countered by checking the chip at a border crossing against an international database of key codes, the Public Key Infrastructure, but only a minority of countries have signed up. So a would be counterfeiter should choose a state that does not share these codes.

The level of counterfeiting difficulty varies from country to country, said Mr Svenningson: "In some countries, it's very easy, others not so easy, but every country has their own loopholes."

Loopholes

First of all, the inclusion of the biometric identifiers is binding only for those countries in the Schengen area, of which the UK and Ireland have opted out and which Cyprus, Bulgaria and Romania have yet to join. These specifications are also binding on European Economic Area countries Norway, Iceland, Liechtenstein and Switzerland.

According to the EU regulation, countries were to have included both facial imagery and fingerprints in their systems by July last year. The British e-passport meanwhile only uses a digital image and not fingerprinting, although this is currently under consideration by authorities.

UK foreign minister David Miliband said that the Dubai passports taken from British citizens were in any case not biometric, which makes the forgery process that much easier. But Mr Svenningson said that one of the easiest methods is to acquire a duplicate passport - "a real fake passport" - rather than to forge one.

"The problem is enrollment and lies with the breeder documents. These are the documents that make you a for example a British or German citizen," such as a birth certificate or naturalisation papers. "These documents plus the biographic data and the biometric data are then unified and stored in a passport tied together, forming a proof of identity."

According to Mr Svenningson, you should choose a victim that roughly matches your appearance, and then photoshop an image of yourself so that it appears closer to what the original person looks like, something in between you and the other person.

This process is aided by "the transfer of a paper photo to a digital one, which involves a huge loss of quality, resulting in a photo that makes it very easy for others to use."

"When all this is done, you apply for renewal of your victim's passport and file a new application with your tailored picture. Then you wait at his or her mailbox of until the new passport arrives by mail and snatch that particular letter." He added that a postbox that is separate from the apartment or house is best.

This method is the most common, he said. The advent of biometric passports has had an effect: "There has been a big shift in the last five years from counterfeiting to applying for a real one," because of the additional hurdles set up by biometry.

Fingerprints can be fooled

But those countries that require fingerprints included on the chip can still be fooled.

"Fingerprints are possible to fake for a low cost. The easiest way is to obtain a print from something someone has touched, a glass or a mobile phone."

From this you can extract a picture of the ridges that you see on your fingertip. This picture can be moulded onto a piece of plastic, which can then be subtly placed on the fingertip during enrollment or verification of the data to make you appear like someone else.

Even retina scans are not impossible to fake.

"This is difficult. The process involves taking a picture of the retina with infrared light at very close distance. But it is still not impossible. You could hold some kind of eye-like object with a picture of the retina in front of the camera. Of course if the process is supervised, it then becomes quite difficult."

But he says that this supervision, making sure that the photo, fingerprints and other biometric data are captured at the same moment that you apply for a passport: "So that all the data is tied together and impossible for the applicant to alter."

"It's very important to have the whole enrollment process take place in one sequence via an officially supervised process. Any time you break up this sequence, you introduce a window for individuals to undermine the security of the passport."

Of course, Mr Svenningson's business model is precisely that - all-in-one biometric data capture - so he has an interest in suggesting its importance. He jokes that photography shops, who do not sell as many rolls of film any more and for whom the €8 set of four passport photos is an increasingly substantial part of their business, do not particularly like the idea.

But it will still take many years before even the current generation of e-passports is widely adopted.

Five to 10 year window

"When it comes to non-biometric passports, there is an even weaker tie between the document and its holder, and while biometric passports are common now, the large bulk of EU passports in circulation are non-biometric because they aren't out of date yet, and won't be for a number of years. It will take at least another five to 10 years for all EU passports to be biometric."

Still, nothing will be able to stop those who have the time and money to invest in counterfeiting, he said: "The intelligence services have the expenses and the capacity to do this."

Last week, the Australian Broadcasting Corporation interviewed Victor Ostrovsky, a case officer at the Mossad in the 1980s, who said that the Israeli spy agency had its own "passport factory," a company established within the Mossad headquarters.

"They create various types of papers, every kind of ink. It's a very, very expensive research department," he said.

© 2010 EUobserver.com. All rights reserved. Printed on 25.03.2010.

No comments: