Biometric Passports
© 2010 FrontLine Security (Vol 5, No 2)

How Secure Are They?

At 6:41 p.m. local time on 19 January 2010, a woman arrived at the luxury Al Bustan Rotana hotel in Dubai, accompanied by a large man in a Panama hat. Unbeknownst to hotel staff or authorities in the popular emirate, the couple were part of a clandestine group sent to Dubai to track and kill Mahmoud al-Mabhouh, a senior Hamas commander.

New microchipped passports designed to be foolproof afainst identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports.

The Israeli government had long suspected the Palestinian of being involved in the kidnapping and murder of two Israeli soldiers in 1989 and also arms purchases from Iran for use in Gaza, where he was born 49 years ago.

The video shows al-Mabhouh returning to the hotel at 8:24 p.m., exiting the elevator and turning the corner to proceed to his room (number 230). Three minutes later, ‘Kevin’ and ‘Gail’ took up their position to monitor the empty hall as a four-man assassination team killed al-Mabhouh in his room by injecting him with succinylcholine, a fast-acting ­muscle relaxant, and smothering him. At 8:46 p.m., the ‘hit’ team was recorded by the ceiling video camera entering the elevator. They subsequently depart the hotel and Dubai via flights to various countries. Dubai police believe they are in Israel.

Forged passports and a global manhunt
One month after the killing, INTERPOL issued Red Notices – notifications to national governments – requesting the arrest and extradition of “11 internationally-wanted individuals who have been charged by UAE/Dubai authorities with coordinating and committing the murder of Mahmoud al-Mabhouh.” Several more suspects, including 10 that used passports with the names of people with dual Israeli citizenship, were later added to the list.

“Based on close co-operation among our member countries and on information provided by innocent citizens, it is becoming clear that those who carefully planned and carried out the murder of Mahmoud al-Mabhouh most likely used forged passports of innocent citizens whose identities were stolen,” said INTERPOL Secretary General Ronald Noble after the assassination.

In March, Magnus Svenningson, CEO of Speed Identity, a Swedish company that provides a biometric data capture platform to the Swedish, Luxembourg and Lithuanian governments, said in an interview with EUobserver Magazine, ‘The EU passport is a very, very secure document. EU countries have invested a lot in the document. It’s extremely expensive and difficult to forge, although not impossible.’

Police learned during their investigation that the surveillance and assassination effort in Dubai involved several people. Twenty-seven of the suspects are known to have entered the United Arab Emirates using fake passports from the following countries: Britain (12), Ireland (6), France (4), Germany (1), and Australia (4).

On March 23, British Foreign Secretary David Miliband told the House of Commons that there were “compelling reasons” to believe that Israel was behind the passport forgeries. “SOCA [the U.K. government’s Serious Organized Crime Agency] were drawn to the conclusion that the passports used were copied from genuine British passports when handed over to ­individuals linked to Israel, either in Israel or other countries; they found no link to any other country,” he said. “Given that this was a very sophisticated operation, in which high quality forgeries were made, the government judges that it was highly likely that the forgeries were made by a state intelligence service.”

The following month, the Australian Broadcasting Corporation interviewed ­Victor Ostrovsky, a former Mossad case officer, who said that the Israeli spy agency had its own ‘passport factory.’ “They create various types of papers, every kind of ink. It’s a very, very expensive research department,” he said.

‘Fakeproof’ e-passports cloned in minutes
An ePassport, also known as a biometric passport, looks like a traditional passport book, however, it contains an electronic chip that is encoded with the same information found on page 2 of the passport (surname, given name, date of birth, place of birth and gender). It also includes a digital picture of the bearer’s face. The addition of the electronic chip to the Canadian passport is aimed at increasing security by providing greater protection against tampering and reducing the risk of fraud.

However, the biometrics may not be as tamper-proof as they should be. In the summer of 2008, a reporter with The Times in the U.K. teamed up with a computer researcher to investigate how easy or difficult it would be to steal personal data from an e-/biometric passport and forge a copy.
His August 6 report said:

“New microchipped passports designed to be foolproof against identity theft can be cloned and manipulated in minutes and accepted as genuine by the computer software recommended for use at international airports. Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organized crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.”

Jeroen van Beek, a security researcher at the University of Amsterdam, cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber, Hiba Darghmeh. The altered chips were then passed as genuine by passport reader software used by the United Nations agency that sets ­standards for passports.

The Times report continued: “The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only 10 of the 45 ­countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but [did] not use the directory [until 2009]. Even then, the ­system will be fully secure only if every e-passport country has joined.’

According to the Chairperson of the International Civil Aviation Organization PKD Board, Dr. Eckart Brauer, only 16 nations – Canada, the U.S. and U.K., France, China, Switzerland, Germany, India, Japan, Kazakhstan, Australia, New Zealand, Singapore, Nigeria, South Korea and Ukraine – are PKD-registered. “However, I know that other States and non-State entities are in a preparation phase so that I expect more PKD participants in the short and medium term,” he said in a June 2010 e-mail. In addition to the 45 countries that will reportedly be part of the PKD, at least 95 other nations issue passports.

Reporter Steve Boggan of The Times wrote: “Some of the 45 countries, including Britain, swap codes manually, but criminals could use fake e-passports from countries that do not share key codes, which would then go undetected at passport control. The tests suggest that if the microchips are vulnerable to cloning, then bogus biometrics could be inserted in fake or blank passports.” E-/biometric passports contain a tiny radio chip and antenna attached to the inside back page. An electronic reader transmits an encrypted signal and the chip responds by sending back the holder’s ID and biometric details.

Boggan explained how the e-/biometric passport forgery was accomplished: “Using his own software, a publicly available programming code, a £40 card reader, and two £10 RFID [radio frequency identification] chips, Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports.”

Britain dumps biometric ID programs
The Times report said, “the tests also raise serious questions about the Government’s £4 billion identity card scheme, which relies on the same biometric technology [as the passports]. ID cards are expected to contain similar microchips that will store up to 50 pieces of personal and biometric information about their holders.”

Five days after the May 2010 election in Britain and the formation of a coalition government, the Conservatives and Liberal Democrats released a written agreement on various issues such as implementing a ­programme of measures to reverse the ­erosion of privacy and roll back state intrusion. The measures will scrap the ID card scheme, the National Identity Register, the next generation of biometric passports, and the Contact Point Database.

Canada presses ahead
“Biometric passport promise revived,” was the Toronto Star headline on 4 March 2010. “The Conservative government has vowed to press ahead with biometric passports for Canadians, two years after first promising to adopt a more secure electronic travel document by 2011,” the report stated. “According to the government’s throne speech on 3 March, passports encrypted with biological information “will significantly improve security.’’

The new passports are to be valid for 10 years. Critics have complained that this timeframe is too long, for security reasons. NDP public safety critic Joe Comartin says biometric passports are ‘still of questionable value,’ adding that when a parliamentary committee last looked at the technology, biometrics were only 85-90% accurate – “nowhere near what you want,” he states. Additionally, the proposed use of DNA technology in the passports have raised many privacy concerns.

DHS use of biometrics
A Department of Homeland Security (DHS) web page says: “Biometrics collected by US-VISIT and linked to specific biographic information enable a person’s identity to be established, then verified, by the U.S. government.” At present, the program digitally photographs the face and obtains fingerprints of people entering the United States and checks their biometrics “against a watch list of known or suspected terrorists, criminals and immigration violators.”

Fingerprints are compared to those in a DHS database of millions of people “to determine if a person is using an alias and attempting to use fraudulent identification.’ Also, a check is done comparing an individual’s biometrics imbedded on the chip of “the identification document [such as a passport] presented, to ensure that the ­document belongs to the person presenting it and not someone else.”

These measures can assist in preventing identity fraud and stop criminals and immigration violators from crossing the borders. The DHS website claims that “based on biometrics alone, US-VISIT has helped stop thousands of people who were ineligible to enter the United States.”

In Europe, the inclusion of biometric identifiers in passports is binding only for the 25 countries of the Schengen area (the U.K. and Ireland are not part of the area; Cyprus, Bulgaria and Romania have yet to join). ­Biometric specifications are also binding on European Economic Area countries (Norway, Iceland, Liechtenstein and Switzerland).

According to Svenningson, one of the easiest methods to obtain an illegal ­biometric passport is to acquire a duplicate passport – a ‘real’ fake passport – rather than forge one. “The problem is enrollment,” he explains, “and lies with the breeder documents. These are the documents that confirm your citizenship (such as a birth certificate or naturalization papers). These documents, plus the biographic and biometric data, are then unified and stored in a passport tied together, forming a proof of identity.’

According to Speed Identity’s CEO, the party seeking to obtain a fraudulent passport should choose a victim that roughly matches the illegal passport holder’s appearance and then digitally edit – using photo editing software – an image of the person so it appears closer to what the original person looks like. The forgery process is aided by “the transfer of a paper photo to a digital one, which involves a huge loss of quality, resulting in a photo that makes it very easy for others to use,” said Svenningson.

“When all this is done, you apply for renewal of your victim’s passport and file a new application with your tailored picture,” he explained. “Then you wait at his or her mailbox until the new passport arrives by mail and snatch that particular letter.” This illicit method is the most used, according to Svenningson, who added, “there has been a big shift in the last five years from counterfeiting to applying for a real one.”

On 2 January 2009, the Sydney Morning Herald in Australia reported that a South Korean woman duped an advanced fingerprint scanner that was one of several units installed in 30 Japanese airports by using special tape on her fingers. There was already a deportation order against the woman; the newspaper did not say how authorities in Japan eventually found her.

Have hackers already stolen personal data from Canadian government computer systems? Have data buyers already forged e-/biometric passports using stolen Canadian identities?

Given the known loopholes and vulnerabilities, and the fact there is at least one ‘very sophisticated’ passport forgery operation in the world, affirmative answers cannot be discounted. What other more secure alternatives are there and what measures might our government take to improve what we already have? These incidents demand answers.

Blair Watson is a Contributing Editor at FrontLine magazines.
© FrontLine Security 2010