More evidence that RFID passports are bad

This probably falls more under the category of things only I am interested in, but I still feel the need to point it out just in case any of my visitors actually care about privacy, personal safety, or good security.  In the US, our government is burning a fast path to mandatory passports at the same time we are being pushed into required RFID tags in our passports.  This is a bad idea, and has been documented as such in numerous places.  Fortunately, we have the British leading the way in this endeavor, although I doubt we’ll learn anything from the failure of their RFID passport system and its supposed security.

The author of this article briefly mentions how earlier this year he was able to gather significant amounts of personal information on an airline traveller using only the discarded boarding-pass stub as a starting point.  From that point:

Great news then, we thought, that the UK had just begun to issue new, ultra-secure passports, incorporating tiny microchips to store the holder’s details and a digital description of their physical features (known in the jargon as biometrics). These, the argument went, would make identity theft much more difficult and pave the way for the government’s proposed ID cards in 2008 or 2009.

Today, some three million such passports have been issued, and they don’t look so secure. I am sitting with my scary computer man and we have just sucked out all the supposedly secure data and biometric information from three new passports and displayed it all on a laptop computer.

The UK Identity and Passport Service website says the new documents are protected by “an advanced digital encryption technique”. So how come we have the information? What could criminals or terrorists do with it? And what could it mean for the passports and the ID cards that are meant to follow?

. . .

Within minutes of applying the three passports to the reader, the information from all of them has been copied and the holders’ images appear on the screen of Laurie’s laptop. The passports belong to Booth, and to Laurie’s son, Max, and my partner, who have all given their permission.

Thankfully, the government is quick to respond:

“This doesn’t matter,” says a Home Office spokesman. “By the time you have accessed the information on the chip, you have already seen it on the passport. What use would my biometric image be to you? And even if you had the information, you would still have to counterfeit the new passport – and it has lots of new security features. If you were a criminal, you might as well just steal a passport.”

Oooops – guess the response is “It doesn’t matter.”  This is “No threat here” thinking, which has always proven to be the wrong answer when personal data is unsecure.  Something about ostriches springs to mind now.  If the supposedly secure RFID information is so easily cracked, why would I think any of the other “…lots of new security features.” will do me any good, either?  If you don’t know the answer, here’s a clue – they won’t.

There is a wealth of other important information on the insecurity of the system, the risks of this failure, and how criminals (think 9/11 terrorists, since the mandatory passports farce was pushed on us because some of them used fake passports) can exploit this system to make movement easier for those interested in illegal travel.  Bruce Schneier has written up some commentary on this, as well.  He’s a big famous security guy – I’m a nobody with A.D.D. and a penchant for writing about things no one cares about.  See what he says if you don’t like what I say.  I will mention that on my system, the font on his article makes it damn hard to read.  Also, his comments are inline to the original article, so might make more sense than what I’ve posted.  (via boingboing)
