[ISN] Passport cards called security vulnerability

From: InfoSec News (alerts@private)
Date: Fri May 16 2008 - 01:05:39 PDT


http://www.washingtontimes.com/apps/pbcs.dll/article?AID=/20080516/NATION/662238118/1001

By Bill Gertz
THE WASHINGTON TIMES
May 16, 2008

The State Department will soon begin production of an electronic 
passport card that security specialists and members of Congress fear 
will be vulnerable to alteration or counterfeiting.

The agency has contracted with L-1 Identity Solutions Inc. to produce 
electronic-passport cards as a substitute for booklet passports for use 
by Americans who travel frequently by road or sea to Canada, Mexico and 
the Caribbean.

About the size of a credit card, the electronic-passport card displays a 
photo of the user and a radio frequency identification (RFID) chip 
containing data about the user. The State Department announced recently 
that it will begin producing the cards next month and issue the first 
ones in July.

Security specialists told The Washington Times that the 
electronic-passport card can be copied or altered easily by removing the 
photograph with solvent and replacing it with one from an unauthorized 
user.

James Hesse, former chief intelligence officer for the Immigration and 
Customs Enforcement Forensic Document Laboratory, which monitors 
fraudulent government documents, said the card should have been designed 
with a special optical security strip to make it secure and prevent 
counterfeiting. The selection of a card with an RFID chip is "an 
extremely risky decision," Mr. Hesse said in an interview.

"The optical strip has never been compromised," he said. "It's the most 
secure medium out there to store data."

Joel Lisker, a former FBI agent who spent 18 years countering 
credit-card fraud at MasterCard, said the new cards pose a serious 
threat to U.S. security. "There really is no security with these cards," 
he said.

Mr. Lisker, a consultant to a competitor for the electronic-passport 
card contract, said the State Department's selection of the RFID card 
shows it favors speedy processing at entry points more than security. He 
charged that the department "will not make changes until it is satisfied 
that compromises are occurring on a regular basis."

The State Department rejected a more secure card because it is 
"surrendering to speed over security, essentially creating new 
vulnerabilities. ... It will not take long for the bad guys to figure 
out which ports have readability and which do not," he said.

Steve Royster, a State Department spokesman, declined to comment.

Another State Department official, however, said the agency thinks the 
RFID passport card is secure.

"The passport card is the result of an interagency effort to produce the 
most durable, secure and tamper-resistant card for the American public 
using state-of-the-art, laser-engraving and security features," said the 
official, who spoke on the condition that he not be identified.

Members of Congress have raised concerns about the new card in a 
bipartisan letter to Secretary of State Condoleezza Rice and Homeland 
Security Secretary Michael Chertoff.

"We have serious concerns regarding the final card chosen for the 
Passport Card," the April 25 letter states. It was written by Reps. 
Brian P. Bilbray, California Republican, and Christopher Carney, 
Pennsylvania Democrat. Seventeen Republicans and one Democrat signed the 
letter.

"Each card will carry the same rights and privileges of the U.S. 
passport book with the exception of international air travel. As such, 
the cards will be used not only to cross the border, they will also be 
used throughout the interior United States as proof of citizenship and 
identity in everyday transactions; as a proof of identity in 
[Transportation Security Administration] lines, to enter federal 
buildings, to engage in financial transactions, and to obtain driver's 
licenses," the letter said.

The lawmakers noted that the bipartisan Sept. 11 commission final report 
stated that "travel documents are as important as weapons" for global 
terrorists.

In a separate letter to the State Department on May 2, Mr. Carney asked 
for a briefing on the passport cards, saying "we need to have confidence 
that these cards cannot be compromised by terrorists, drug smugglers, 
human traffickers and others who would break our laws and do us harm."

The State Department considered a prototype passport card designed by 
General Dynamics that used the optical security strip but rejected the 
option, preferring a passport card that contains an RFID chip made in 
Europe.

An optical security strip appears as a dark, 1-inch-wide line on the top 
of a card. Close inspection of the strip reveals ultra-high resolution 
images that security specialists say cannot be counterfeited and can be 
identified easily by border officials. Security specialists say the 
strip is needed to boost the security features of the RFID chip in the 
passport cards.

L-1 Identity Solutions announced in March that it won the State 
Department contract, which has an estimated value of $107 million over 
five years.

The cards are intended for use by travelers in U.S. border communities 
as a "less expensive and more portable alternative to the traditional 
passport book," according to the State Department Web site. The cards 
are not valid for entry into the United States by travelers arriving by 
aircraft.

Mr. Hesse, the former Forensic Document Laboratory intelligence chief, 
stated in a 2006 letter to Mr. Chertoff that he is "seriously alarmed" 
by the use of RFID technology on the passport card. He also noted that 
the U.S. permanent residence and border-crossing cards that use the 
optical security strip are being phased out.

"With my 30-plus years experience in the field of travel and identity 
document security, this is, in my opinion, a shortsighted and extremely 
risky decision," Mr. Hesse stated.

Because the passport card will be widely accepted as an official travel 
document for entry into the country, "this card will definitely become 
the document of choice for counterfeiters," Mr. Hesse said.

"Why would a non-U.S. citizen even bother to counterfeit the green card? 
The PassCard makes you a U.S. citizen and gives you the access to and/or 
the privileges mentioned above," he stated. "Therefore, it should be 
imperative that the U.S. government produce and provide the most secure 
card as possible."

Brian Zimmer, a former House Judiciary Committee investigator, said the 
new passport cards lack sufficient security features because the State 
Department did not demand them of the contractor, L-1 Identity 
Solutions.

"It's critical that the passport card be made highly 
counterfeit-resistant," said Mr. Zimmer, now head of the Coalition for a 
Secure Driver's License. "The State Department should address these 
deficiencies and change the contract so the manufacturer can address 
them." Mr. Zimmer was for a time a consultant on the passport card to a 
subcontractor of General Dynamics.

Frank Moss, a former State Department passport office official who is 
now a consultant to L-1, said the State Department and the Department of 
Homeland Security set the specifications for the contract.

"It was government security experts who determined the specifications," 
Mr. Moss said in an interview. "The optical stripe, quite honestly, was 
never used as a stand-alone security feature."

The federal government plans to supply only 39 ports of entry with 
equipment capable of checking the validity of the cards with electronic 
scanners. More than 300 other entry points will not have the RFID chip 
readers.

Kelly Klundt, a spokeswoman for U.S. Customs and Border Protection, said 
the deployment of passport card readers to the largest and busiest 39 
border-entry points was intended to expedite travel. The more than 300 
remaining points of entry without passport card scanners are in remote 
locations, and officials will visually inspect passport cards at those 
entry points, she said.

"Just because there aren't RFID readers at every entry point doesn't 
mean we don't inspect [the passport cards]," she said.


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Fri May 16 2008 - 01:21:56 PDT