The Daily Mail have an amazing piece regarding the insecurity of the new passports which contain an electronic chip. I know the article is from 2007 but the passport system is still in use!
The highlights of the article are as follows.
1. The password to crack the encryption on the chips is printed in plain view on the passport! The “Machine Readable Zone” at the bottom of the page where your personal details are featured is the password to access the chip.
2. The password is made up of your date of birth and the expiry date of the passport! Taking even more guess work out of finding the password.
3. You are allowed to have unlimited attempts to guess the password! Anyone who has used an online account for more or less anything knows that if you use the wrong password 3 or 4 times you get locked out, not the case with your passport! There is software freely available which can automate attempts to find a password. They can try millions of combinations a minute, in short the password protection is useless!
4. You do not need to open the envelope that your passport is sent in to scan the chip!
5. All the pertinent details are already in photographic form on the chip, counterfeiters no longer even have to scan the passport in order to manipulate the data, the government has given them a head start!
In short these new passports with chips are a complete joke and have made copying passports infinitely more easy.
Some practical examples of how your passport can be copied now the data is in electronic form.
The people delivering your mail can now scan your passport to get the details they need without you even knowing. And the envelopes the passports are sent in are easily recognisable.
Any person in the supply chain has the potential to be able to scan your passport. They could do it manually or they could automate it by placing a scanner on the sorting infrastructure.
Even easier. When you give your passport to any organisation they do not even have to guess the password to get your details as the password is on the passport. The temptation is going to be too much for some people.
In summary, these new passports make it much easier for counterfeiters to gain access to your details without you even realizing they also make the counterfeiting process by much easier as they take the requirement of having to copy the original passport out of the equation, the government has conveniently already done this step for the counterfeiter.
In short, I can’t believe it has taken me 5 years to realise the massive security issues connected to these new passports and it is yet more evidence of why the government should stay as far away as possible from collecting the data of citizens and compiling the data in electronic form. The government is simply to incompetent to be trusted with such valuable data.
Here is the link to the article again in case you didn’t get it the first time, its absolute gold and well worth reading in details, congratulations to The Daily Mail for an excellent piece of journalism.
The original article, check the link for images
They are the “safest ever”, according to the Government. But the Daily Mail has revealed how easily a person?s identity can be stolen from new biometric passports.
In just four hours, the Mail hacked into a new biometric passport and stole the details a people trafficker or illegal migrant would need to set up a life in Britain.
• Children ages 11 to have prints stored
A shocking security gap allows the personal details and photograph in any electronic passport to be copied from the outside of the envelope in which it is delivered to homes.
The passport holder is none the wiser when it arrives because the white envelope has not been tampered with or opened.
Using a simple gadget built from parts bought on the Internet, it took the Mail less than four hours to copy the details from one passport.
It had been delivered in the normal way by national courier company Secure Mail Services to a young woman in Islington, North London.
With her permission we took away the envelope containing her passport and never opened it.
By the end of the afternoon, we had stolen enough information from the passport?s electronic chip – including the woman?s photograph – to be able to clone an identical document if we had wished.
More significantly, we had the details which would allow a fraudster, people trafficker or illegal immigrant to set up a new life in Britain.
The criminal could open a bank account, claim state benefits and undertake a myriad financial and legal transactions in someone else?s name.
This revelation will prove a major embarrassment to ministers. Since their introduction a year ago, more than four million biometric travel documents have been delivered by courier.
The Government believes this is the safest way of sending out passports. But this may be an illusion.
The passports are dispatched in white envelopes which are easily recognisable from the distinctive lettering and figures on the outside.
There is no identity check on the person signing for the passport when it arrives. In multi-occupancy flats they can be handed to anyone at the address. Thousands have already gone missing.
We began our investigation by asking Elizabeth Wood, a 33-year old web designer, to apply for a new biometric passport.
She telephoned the Identity and Passport Service on Monday, February 12.
Because she wanted the passport quickly, she was asked to go to the IPS office in Victoria, Central London, the following afternoon.
If she had not requested the fasttrack service, the passport would normally have been sent out without a face-to-face interview.
The next day Miss Wood met an official for ten minutes. The details on her application form were verified using two forms of ID – normally a household bill and a bank statement. Her photograph was also examined.
Miss Wood paid £91 for the fasttrack delivery and was told her passport would be sent to her home by secure courier in exactly seven days.
In fact, it took just four days, arriving when Miss Wood was in the shower. Her boyfriend went to the door and signed for the document. He was able to do so without showing any form of identity to the courier, who did not ask for Miss Wood.
But there is another gaping hole in security. At first glance the new biometric passport looks much like the traditional one.
The only clue on the outside of the document that it contains an electronic chip is a small gold square on the front.
Inside the passport there is a laminated page containing the holder?s picture, passport number, name, nationality, sex, signature, date and place of birth and the document?s issue and expiry date.
At the bottom of this page are two lines of printed numbers and letters which can be read by a computer when the passport is swiped through a special machine by immigration officials. It is called the Machine Readable Zone.
On the back of the page is a tiny computer chip, surrounded by a coil of copper-coloured wire. This is a Radio Frequency Identification microchip, which can be read using radio waves.
Encoded on the passport?s RFID chip are three important files. One contains an electronic copy of the printed information on the passport?s photo page; the second holds the electronic image of the holder?s photo. The third is a security device which checks that the previous two files are not accessed and altered.
In order to get into the files, the computer needs an “electronic key”. This is the 24-digit code printed on the bottom line of the passport?s Machine Readable Zone. It is called the “MRZ key number”.
When an immigration official checks the passport by swiping it through his machine, it reveals the key which is then used to open up the electronic data on the microchip.
The official checks that the photograph and information printed on the passport match the details on the chip and the holder is allowed to pass in, or out, of the country.
The Government says the biometric chips are protected by “an advanced digital encryption technique”. In other words, without the MRZ key code it is impossible to steal the passport holder?s details if you do not have their travel document.
Yet it took us no time at all to unravel the crucial code, using a relatively simple computer software programme and a scanning device.
The Mail was helped by computer security consultant Adam Laurie, who advises public bodies and private companies on combating IT fraud. He discovered glaring weaknesses in the biometric passport?s security system.
The first flaw is that a hacker can try to access the chip as many times as he likes until he cracks the MRZ code. This is different to putting a pin number into a bank machine, where the security system refuses access after three wrong combinations are entered.
The second is that there are easily identifiable recurring patterns in the MRZ key codes issued. For example, the passport holder?s date of birth always features, as does the passport?s expiry date, which is ten years after the issue date.
The Mail is not publishing full details of Miss Wood?s passport to protect her. We know exactly how Mr Laurie cracked the MRZ code but we are not going to reveal the process for security reasons.
Crucially, he only needed one new piece of information – Miss Wood?s date of birth.
In under two hours, the Mail had found this by checking the electoral roll, birth records and looking at genealogical sites on the Internet.
Miss Wood?s photo page soon popped up on Mr Laurie?s laptop screen. He had not needed to see her actual passport – the white envelope containing it remained unopened on the desk.
Crucially, some banks, including the Post Office, no longer require to see a full passport as proof of identity from a new customer opening an account. They ask for a photocopy of the photo page to be sent in the post instead.
Miss Wood?s photo page could easily be copied and used for this purpose. Mr Laurie said: “I used public information and equipment that is legal. The software took me three days to write. It is incredibly easy to thieve data from the passports. It could be put onto another chip and implanted in a blank passport.”
Phil Booth, national co-ordinator of NO2ID, a group pressing the Government to abandon plans for identity cards, witnessed our experiment.
“This shows how easy it is to steal a person?s identity from the new passport without the innocent owner even knowing,” he said.
“The Government has repeatedly said this information is secure. You have just shown that it is not.”
Last night a Home Office spokesman said: “We do not believe it would be possible to successfully forge a new passport by doing this.
“The security around the UK passport chip prevents anyone changing or deleting any of the data or information on the chip, which is what is required to successfully forge a passport.”