Ominously, Chris Paget, a security researcher, armed with a $250 RFID scanner purchased on eBay, and a low-profile antenna in his car, captured and successfully cloned the RFID tags of two U.S. Passport Cards without the knowledge of their owners, in a 20 minute drive in downtown San Francisco earlier this month.
U.S. Customs and Border Protection (CBP) spokeswoman Kelly Ivahnenko said CBP doesn’t view Paget’s demonstration as an indication of the need to abandon or change the Passport Card. The RFID chip doesn’t contain personal information, only a unique ID number.
I don’t share CBP’s point of view. I believe Paget has demonstrated the easy and inexpensive first step to break into citizen identities and create counterfeit citizenships for illegal immigrants.
Paget said, the only protections these RFID tags have is one code that makes the tag read-only, and another which makes it self-destruct, but there are multiple ways to recover those codes, so they are ineffective. “The software for copying them lets you just choose the tag you want to copy, wave a blank tag in front of it, and it writes it out.”
If the RFID chip was the only Passport Card problem, it might not be so serious, but there’s more.
In May, 2008, James Hesse, past chief of intelligence for the Immigration and Customs Enforcement Agency (ICE), and former FBI agent, and MasterCard fraud expert, Joel Lisker said the Passport Card can be readily copied and counterfeited by easily replacing its photograph. Security specialists have stated the photograph can be removed with solvent and replaced with another, then resealed.
Hesse stated the card should have been designed with an optical security strip to make it secure and prevent counterfeiting, and that the selection of a card with an RFID chip is “an extremely risky decision.” Lisker said, “There really is no security with these cards.”
The government considered a passport card designed by General Dynamics which uses an optical security strip, but rejected it, opting for an RFID chip. Mr. Hesse points out, “The optical strip has never been compromised. It’s the most secure medium out there to store data.”
U.S. citizens with the traditional passport book and its new RFID chip should be somewhat relieved to know it’s more secure than the one in the Passport Card, because its RFID has encryption and authentication features.
To me, the Federal Government should abandon its current RFID technology and replace it with the far more secure optical strip. If nothing else, that would mean an identity thief would need to be in physical possession of a Passport/Passport Card to steal its information, not just a $250 scanner.
Just as important as the Passport Card’s exposure to identity theft is its vulnerability to counterfeiting.
Eighteen Congressmen wrote to Secretary of State Condoleezza Rice and Homeland Security Secretary Michael Chertoff in April, 2008, led by Reps. Brian P. Bilbray (R-CA) and Christopher Carney (D-PA) about their serious concerns with the Passport Card, adding,
Each card will carry the same rights and privileges of the U.S. passport book with the exception of international air travel. As such, the cards will be used not only to cross the border, they will also be used throughout the interior United States as proof of citizenship and identity in everyday transactions; as a proof of identity in lines, to enter federal buildings, to engage in financial transactions, and to obtain driver’s licenses.
Mr. Hesse stated,
This card will definitely become the document of choice for counterfeiters.
Why would a non-US citizen even bother to counterfeit the green card? The PassCard makes you a U.S. citizen and gives you the access to and/or the privileges mentioned above. Therefore, it should be imperative that the U.S. government produce and provide the most secure card as possible.
In her Tripso column, Hey cruisers, it’s time to get a passport! my colleague, Anita Dunham-Potter, advised most travelers to get a passport, not a Passport Card. She quoted the respected travel agency owner John Frenaye, who said, “I advise all my clients who travel abroad to apply for a full-fledged passport.”
Even without the serious security deficiencies of the Passport Card, I concur with that advice, but now, with its critical problems thoroughly exposed, I recommend against anyone acquiring a Passport Card, and instead suggest he or she obtain a traditional Passport.
Moreover, I call on Secretary of State Clinton, and Homeland Security Secretary Napolitano to immediately halt further issuance of the Passport Card until its security issues can be overcome, or drop it altogether.
{ 5 comments… read them below or add one }
Scary stuff for sure. Obviously a few other issues are that a passport card is more apt to be carried daily in a wallet whereas a full fledged passport is usually kept in a secure place at home unless traveling.So the opportunity (the leading cause of any crime) is much more prevalent.
While the Optical Strip might be the answer to TODAY’S encryption issues, will it be the answer tomorrow. We have seen technology move at lightning speeds and as soon as one technology is invented, someone has invented a means to thwart it.
Perhaps the solution is to not rely as heavily on technology and rely a bit more heavily on a well trained, qualified work force–which is a whole other discussion.
From the beginning, this was another case of government compounding a “screwed up” passport situation by calling this document a “Passport Card”. That alone created massive confusion for the average U.S. citizen during the Passport fiasco. Many U.S. citizens, in trying to save money especially in these difficult economic times, jump at the opportunity to get a Passport Card not fully realizing the limitations as to its usage.
Now with this security issue, it appears to be a great time to admit a mistake and start over by doing the following.
1. Stop issuing the current card.
2. Give it another name that does not include “PASSPORT”. You might even call it what it is. “Boarder Crossing Card”. Wow! What a thought! Sounds like what its function.
Where are the government watchdogs on this one? Just jow long is it going to take to fix it?
I just received a new passport and that also has an RFID tag in it. Is it just as easy to get the intormation off that?
Greg, and everyone else, thanks for your comments. I appreciate you stopping by to read my column, and the time you took to make your comment. I hope you’ll be coming back to read my future columns, and those of my colleagues here at Tripso. You might be interested in sharing your experiences in our forums at Talking Travelers.
Greg, all new US Passports now are issued with RFID chips. As I mentioned in my column,
The most important feature included with the Passport RFID, which is not part of the Passport Card RFID, is an access-control system for the RFID chip. The data on the chip (Passport only) is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside.
The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. The problem with the shield is that if the passport is open just a little bit, as can happen in a purse, for example, it is ineffective.
As a result, I use one of those new RFID Blocking Passport Wallets. These wallets work two ways. First they contain shielding materials which block RFID signals, and second they ensure that passports remain closed while in the wallet.
I rather be safe.
Passport Card is a joke…the people who decide on the RFID should be canned. Get some real brains to design and decide the passport Card.
jus wrap the passport card and/or passport in a couple of layers of Alumnium foil (three or four layers even better) …that should limit the RFID readability from afar