[ISN] IG: U.S. Visit RFID needs better security controls

From: InfoSec News (alerts@private)
Date: Tue Jul 11 2006 - 01:07:03 PDT


By Alice Lipowicz
Contributing Writer 

Use of radio frequency identification tags within the U.S. Visitor and 
Immigrant Status Indicator Technology program has been applied with 
privacy protections but has not been adequately configured and tested to 
ensure that those protections are effective, according to a new report [1] 
from the Homeland Security Department inspector general.

The RFID tags currently are being used on Form I-94 documents issued to 
foreign visitors at several U.S. land ports of entry. As of December 31, 
2005, US Visit had issued 149,414 RFID-enabled Form-I-94s to travelers, 
DHS Inspector General Richard Skinner said.

The RFID on the Form I-94s was designed with privacy protections, the 
inspector general said. Specifically, the RFID tag, which is a small 
computer chip, contains only a number. This number must be viewed within 
US Visits secure database to obtain personal information on the visitor.

Overall, the inspector general judged these privacy protections to be 
effective, and to present no high or medium information security 

However, the report identified vulnerabilities in US Visits password 
management and user access system that allows US Visit employees to access 
the personal information contained in the database.

U.S. Visit has not properly configured its Automated Identification 
Management System database to ensure that data captured and stored is 
properly protected, the inspector general wrote.

Furthermore, US Visit has not prepared and tested contingency plans to 
make sure that the database can be restored following a disruption, the 
report said.


Alice Lipowicz is a staff writer for Government Computer News sister 
publication, Washington Technology.

1996-2006 Post-Newsweek Media, Inc. All Rights Reserved

[1] http://www.dhs.gov/interweb/assetlibrary/OIG_06-39_Jun06.pdf

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Tue Jul 11 2006 - 01:23:40 PDT