[ISN] "Safest ever" passport is not fit for purpose

From: InfoSec News (alerts@private)
Date: Sun Mar 04 2007 - 22:12:45 PST



They are the "safest ever", according to the Government. But the Daily 
Mail reveals today how easily a person's identity can be stolen from new 
biometric passports.

A shocking security gap allows the personal details and photograph in 
any electronic passport to be copied from the outside of the envelope in 
which it is delivered to homes.

The passport holder is none the wiser when it arrives because the white 
envelope has not been tampered with or opened.

Using a simple gadget built from parts bought on the Internet, it took 
the Mail less than four hours to copy the details from one passport.

It had been delivered in the normal way by national courier company 
Secure Mail Services to a young woman in Islington, North London.

With her permission we took away the envelope containing her passport 
and never opened it.

By the end of the afternoon, we had stolen enough information from the 
passport's electronic chip - including the woman's photograph - to be 
able to clone an identical document if we had wished.

More significantly, we had the details which would allow a fraudster, 
people trafficker or illegal immigrant to set up a new life in Britain.

The criminal could open a bank account, claim state benefits and 
undertake a myriad financial and legal transactions in someone else's 

This revelation will prove a major embarrassment to ministers. Since 
their introduction a year ago, more than four million biometric travel 
documents have been delivered by courier.

The Government believes this is the safest way of sending out passports. 
But this may be an illusion.

The passports are dispatched in white envelopes which are easily 
recognisable from the distinctive lettering and figures on the outside.

There is no identity check on the person signing for the passport when 
it arrives. In multi-occupancy flats they can be handed to anyone at the 
address. Thousands have already gone missing.

We began our investigation by asking Elizabeth Wood, a 33-year old web 
designer, to apply for a new biometric passport.

She telephoned the Identity and Passport Service on Monday, February 12.

Because she wanted the passport quickly, she was asked to go to the IPS 
office in Victoria, Central London, the following afternoon.

If she had not requested the fasttrack service, the passport would 
normally have been sent out without a face-to-face interview.

The next day Miss Wood met an official for ten minutes. The details on 
her application form were verified using two forms of ID - normally a 
household bill and a bank statement. Her photograph was also examined.

Miss Wood paid 91 for the fasttrack delivery and was told her passport 
would be sent to her home by secure courier in exactly seven days.

In fact, it took just four days, arriving when Miss Wood was in the 
shower. Her boyfriend went to the door and signed for the document. He 
was able to do so without showing any form of identity to the courier, 
who did not ask for Miss Wood.

But there is another gaping hole in security. At first glance the new 
biometric passport looks much like the traditional one.

The only clue on the outside of the document that it contains an 
electronic chip is a small gold square on the front.

Inside the passport there is a laminated page containing the holder's 
picture, passport number, name, nationality, sex, signature, date and 
place of birth and the document's issue and expiry date.

At the bottom of this page are two lines of printed numbers and letters 
which can be read by a computer when the passport is swiped through a 
special machine by immigration officials. It is called the Machine 
Readable Zone.

On the back of the page is a tiny computer chip, surrounded by a coil of 
copper-coloured wire. This is a Radio Frequency Identification 
microchip, which can be read using radio waves.

Encoded on the passport's RFID chip are three important files. One 
contains an electronic copy of the printed information on the passport's 
photo page; the second holds the electronic image of the holder's photo. 
The third is a security device which checks that the previous two files 
are not accessed and altered.

In order to get into the files, the computer needs an "electronic key". 
This is the 24-digit code printed on the bottom line of the passport's 
Machine Readable Zone. It is called the "MRZ key number".

When an immigration official checks the passport by swiping it through 
his machine, it reveals the key which is then used to open up the 
electronic data on the microchip.

The official checks that the photograph and information printed on the 
passport match the details on the chip and the holder is allowed to pass 
in, or out, of the country.

The Government says the biometric chips are protected by "an advanced 
digital encryption technique". In other words, without the MRZ key code 
it is impossible to steal the passport holder's details if you do not 
have their travel document.

Yet it took us no time at all to unravel the crucial code, using a 
relatively simple computer software programme and a scanning device.

The Mail was helped by computer security consultant Adam Laurie, who 
advises public bodies and private companies on combating IT fraud. He 
discovered glaring weaknesses in the biometric passport's security 

The first flaw is that a hacker can try to access the chip as many times 
as he likes until he cracks the MRZ code. This is different to putting a 
pin number into a bank machine, where the security system refuses access 
after three wrong combinations are entered.

The second is that there are easily identifiable recurring patterns in 
the MRZ key codes issued. For example, the passport holder's date of 
birth always features, as does the passport's expiry date, which is ten 
years after the issue date.

The Mail is not publishing full details of Miss Wood's passport to 
protect her. We know exactly how Mr Laurie cracked the MRZ code but we 
are not going to reveal the process for security reasons.

Crucially, he only needed one new piece of information - Miss Wood's 
date of birth.

In under two hours, the Mail had found this by checking the electoral 
roll, birth records and looking at genealogical sites on the Internet.

Miss Wood's photo page soon popped up on Mr Laurie's laptop screen. He 
had not needed to see her actual passport - the white envelope 
containing it remained unopened on the desk.

Crucially, some banks, including the Post Office, no longer require to 
see a full passport as proof of identity from a new customer opening an 
account. They ask for a photocopy of the photo page to be sent in the 
post instead.

Miss Wood's photo page could easily be copied and used for this purpose. 
Mr Laurie said: "I used public information and equipment that is legal. 
The software took me three days to write. It is incredibly easy to 
thieve data from the passports. It could be put onto another chip and 
implanted in a blank passport."

Phil Booth, national co-ordinator of NO2ID, a group pressing the 
Government to abandon plans for identity cards, witnessed our 

"This shows how easy it is to steal a person's identity from the new 
passport without the innocent owner even knowing," he said.

"The Government has repeatedly said this information is secure. You have 
just shown that it is not."

Last night a Home Office spokesman said: "We do not believe it would be 
possible to successfully forge a new passport by doing this.

"The security around the UK passport chip prevents anyone changing or 
deleting any of the data or information on the chip, which is what is 
required to successfully forge a passport."

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Sun Mar 04 2007 - 22:39:48 PST