Is Your Passport Secure

Published Date: 02 Nov 2017

After the 911 terrorist attacks in 2001, the US government has raised the concern about the security aboard. They found out that using electronic identification, e-passport, could be an effective way to reduce the number of fake passport which the terrorist could enter United State. The US government has decided to issue the passport that embedded a RFID chip to citizens. However, some IT experts argued that the RFID chips could increase the security risks. In this article, we are going to discuss the loopholes on the e-passports, passport and EDL cards, measurements that the US government should take to protect the privacy of US citizens. Finally, we would bring the focus back to Hong Kong, to discuss on the statutory body which is responsible on privacy protection and the incidents happened during the past few years.

For e-passport, there are four types of security breaches occur with e-passports, interception of RFID chips, fault of metallic covering, hackers clone e-passport and tracking individual.

Firstly, radio-frequency identification (RFID) listens for a radio query and responds by transmitting its own unique ID code. However, the RFID tags broadcast sensitive information. It enables people with the proper equipment to collect information and they may be used for identity theft, privacy theft or other purposes.

Even if the RFID technology used in e-passport systems only operate in shorter distance, the range may be extended if the reader broadcasts at the high technology illegally. And anyone can be vulnerable to skimming and eavesdropping. A skimming attack can help to identity theft or track individual and an eavesdropping attack is that someone can secretly listen to the private conversation without their consent.

Therefore, more than 300,000 passports are stolen or lost in recent years. It showed that the RFIC chips are not completely safe.

Secondly, the metal mesh can shield the chip for the passport. It can prevent unauthorized reading the RFID device inside the e-passport. The aims are to prevent radio waves from the chip’s antenna and avoid possible secretly scanning or tracking attack. However, it is found that the covering lost its function if the passport is opened half an inch or more. Moreover, the metal mesh will make transmission more difficult.

Although US use a high technology to make a very thin metal mesh into the passport cover to act as a shield and it may not affect the transmission, the metal mesh is not completely effective. Therefore, metallic covering cannot completely solve the security problem for the e-passport.

Furthermore, the main reason why hackers can be easy to clone the e-passport that is the RFID chip is not safe and the passport design is not complete.

Hackers can secretly open and reseal the envelope without detection.

Many cases can show that e-passport is not safe. For example, in 2009, a British hacker showed that he can be easy to clone US passport cards that use RFID chips by conducting a drive-by test on the streets of San Francisco. Another case, in 2010, Tom Chothia and Vitaliy Smirnov showed that they can be allowed to attack an individual passport.

The security concern of the illicit tracking of RFID tags. It will be a risk to personal privacy because the data in the e-passport may be transferred with wireless RFID technology. If their personal privacy is not encrypted, their information may be tracked or stolen in the wrong hand.

Besides, it will be a risk to corporate or military security. As we know that, many countries are using e-passport. If some confidential information or important things is stolen, some countries may through the leaks to attack other countries. The worst case will be a terrorist attack.

Although RFID Vision in the DoD supply chain took some measures, the security problem are also exist. Therefore, the illicit tracking is a big risk to people and countries.

Moreover, in recent years, many countries also have many code error responses. It means that the security status is not satisfied even if DoD supply chain updates the security system every year.

To reduce the effect from these breaches, more protection methods could be implemented, such as using random chip identification number, Basic Access Control which encrypting the transmission to protect the communication channel between the reader and chips, the reader needs to provide a calculated key before it can read all the information, these method could reduce the chance of eavesdropping. In addition, there is a mandatory method called passive authentication. Under this method, the chips would contain a file stored hash value of all information and a digital signature of those values and the signatures are signed by a country signing key. If one of the information being changed, the hash values would be mismatched and being detected. Also, the reader would access to all public country keys to find out if the signature is from a trusted nation.

There are some identities also using RFID technology in US, passport card and Enhanced Driver’s License (EDL). However, it is found that the electronic passport is more secure than those two proofs of identity.

For passport cards, there are several reasons that why passport cards are less secure than E-passport. Firstly, passport card adopted Electronic Product Code Radio-frequency identification Generation 2 (EPC Gen 2 RFID) technology, which a system applies tag to attach to passport scanner to identified. EPC is a unique number which can identifies personal information by RFID reader; it designed to be deposited on the RFID tag. However, it is an unencrypted technology since it designed to speed up for the border crossing; immigration assistant can get traveler information when their passport approaches to the passport scanner. Although it is save time, it is not secure.

Secondly, the chips of RFID scanner is inexpensive and the RFID tags have a long read range, the intruder can use an inexpensive RFID scanner to capture the unique number of your passport card easily, they would use the unique number to make fake passport, it will occur identity theft.

For E-passport, it applies high level encryption and protection, it utilize embedded chips and has a cover to protect the chips form strainer. Moreover, it applies high level encryption that needs special reader to scan the identification and the identifier would change every time when it is being scanned.

As a result, passport card just has a unique ID number and E-passport would present a new unique ID number when it is scanned, even the intruder capture the UID and make a duplicate, the UID would not match, therefore, E-passport makes it impossible for passports to be falsified, it is more secure than passport cards.

Moreover, in the passport card and EDL card, it would occur identity theft, the intruder that can pick up your UID with the RFID scanner and get your personal information. They would use victim’s name, identifier number, address to pretend to victim, in order to get the benefits from the person name or violate other crimes such as terrorism, espionage, illegal immigration.

To protect the privacy of individuals when issuing these electronic identity cards, the federal and state governments should consider three elements, security, law and education.

For security, to avoid the hacker or cracker can easily crack the privacy information from our electronic card, put more money and time to develop a more security and complex encryption algorithms is needed since technology developed rapidly, stronger hardware appears and the people have more high education, the number of cracker and hacker could be increased. This will speed up the breaking procedure on the encryption algorithms. Also, it would be better to renew the electronic identity card with a new encryption algorithm every ten years.

Furthermore, only the authorized organizations can get the scanning machine and those machines should not be bought easily by others. Also, federal and state governments need to permit specific manufacturer to produce the scanning machine and its core parts with rules that the scanning machine or even a part of machine cannot sell to other without federal and state government permission.

In addition, it is suggested that using more than one authentication credentials to access the data of electronic identity cards. The three factors are that something you know like password, something you are, such as finger print, and something you have like a token. It would construct a more complex and secure authentication method to access the data.

Secondly, government should focus on the law. There should be some rules on limiting organization can access the data or get hardware. For example, the library and transport department are permitted to access the electronic identity cards’ information. If other organizations tried to access the data without the permission of federal and state government will be considered as an offense. For more deterrent effect to the criminal, it is needed to increase the penalty of illegal way to collect the information from electronic identity cards. For example: the maximum penalty will be in jail for 20 years and 500 thousand US dollars.

For education, federal or state government should educate the public on protecting their electronic passport and identity card, such as do not borrow their proof of identity to strangers and if they lost those proofs, they should report to the police as soon as possible, and the new established law.

Secondly, they should publicize the harm of the leakage of personal information and losing electronic proof of identity. For example, identity theft involves using other personal information to create credit card accounts. Some greedy people may use others electronic identity card to borrow books from library and not to return those books. Criminals may use you electronic identity card to rent car to commit crimes, like robbing.

Although the threat of terrorist attack is not a very big concern in Hong Kong, we should still be aware of privacy protection, otherwise we may need to pay a high price on it. In Hong Kong, there is a statutory body, the Office of the Privacy Commissioner for Personal Data (PCPD), responsible on privacy protection. According to the website of PCPD, their key goals are educating people and organizations to know about their rights and responsibilities as data objects or data users, letting publics know about the role of PCPD, handling the complaints or investigations in a fair and effective manner. PCPD reviews and revises the Personal Data (Privacy) Ordinance regularly and the latest amendment ordinance was passed on 27 June 2012 and the provisions relating to direct marketing came into effect on 1 April 2013. (Kennedy) The major change on the Amendment is the data users (mostly the companies) need to consent the data objects (mostly the citizens) before they can use those personal data for direct marketing. In the ideal level, this would reduce the direct marketing phone calls, messages and emails, however, many of citizens have received many emails or messages from different companies, noticing about the use of personal data in direct marketing, since there is a grandfathering provision in the new Amendment which making the personal data held by the data users before 1 April 2013 is not affected by the new amendment.

Furthermore, there is another latest incident showing that the PCPD is playing their role effectively. In 9 April 2013, the privacy commissioner has criticized on the deal between two companies, Hong Kong Preventive Association (HKPA) and Aegon Direct Marketing Services Insurance Broker. HKPA collected people’s personal information like name, phone number, address and part of HKID number by phone and offered them a free body check under a government’s scheme which is imaginary. Then, they sold those data to the Aegon and the people received letters from Aegon advertising insurance products. The deal involved at least 10 million dollars. The investigation has been started since the PCPD has received several complaints.

To conclude, although there is an organization aiming to protect our personal data, we should still be aware of privacy protection since some people are attempting to make profits from the data, for example, selling the information to the other companies, using the copies of the identity card of others to borrow money. It is suggested that starting to protect our privacy from ourselves, if we do not provide our information to strangers casually, the chance of our privacy being used in inappropriate ways could be greatly reduced.