Once upon a time, an enterprising thief who wanted to steal your passport had to take the actual document from you. But with today's "ultra-secure" RFID passports, a thief merely needs to be somewhere close to you, equipped with the proper electronics.
Using a device that one researcher bought on eBay for US$250, you too can create ultra-secure RFID passports. Driving along Fisherman's Wharf in San Francisco, the researcher captured—and cloned—a half-dozen RFID chips used in these passports in less than an hour.
True, the RFID chips he cloned weren't the same as the ones in an ordinary U.S. passport. They're used in the new "passport cards" the U.S. Department of Homeland Security now issues for travel to and from Western Hemisphere countries. Some U.S. states have also issued high-tech driver's licenses incorporating these chips.
But ordinary passports are vulnerable as well. Last summer, security researchers in the United Kingdom demonstrated how to clone RFID-equipped U.K. passports and accepted as genuine by the computer software recommended for use at international airports. After cloning the chips, the researchers implanted digital images of Osama bin Laden and a suicide bomber. Then they tested the "passport" using passport reader software used by the U.N. agency that sets standards for e-passports. It passed with flying colors.
Naturally, this should be viewed as progress, according to government security experts. Here's what the U.S. Department of State has to say about RFID passports:
"The [RFID] chip securely stores the same data visually displayed on the photo page of the passport, and additionally includes a digital photograph. The inclusion of the digital photograph enables biometric comparison, through the use of facial recognition technology, at international borders. The U.S. e-passport also has a new look, incorporating additional anti-fraud and security features."
Got that? Since the government says the passport is secure, it is secure! Doesn't that make you feel better?
Hopefully, Osama and his ilk won't be carrying cloned British or U.S. passports anytime soon. But even if not, the ability to clone the RFID chip on your passport makes you vulnerable to identity theft. Here's how it might happen.
You check in to a hotel managed by a criminal. When you take out your RFID passport to identify yourself, a hidden RFID scanner captures the data. Now your name, digital photo, and biometric data can be cloned and sold over the Internet to the highest bidder.
To protect yourself, consider the following precautions:
- If you have one of the new DHS "passport cards" or a driver's license with an RFID chip, keep the card wrapped in foil except when you need to present it at a border crossing. That makes it less vulnerable to remote cloning.
- Also, when you check into a hotel, rent a vehicle, or carry out any other transaction abroad that requires you to present your passport, try not to let it out of your sight. Unless a hidden remote scanner is present, that way your data is less likely to be cloned. This may be easier said than done; some hotels (particularly smaller ones) insist on holding on to visitors' passports until checkout. If you offer to pay in advance, the hotel may relent on this requirement.
Unfortunately, I can't recommend the most effective self-defense mechanism: to put your RFID passport in a microwave oven and switch it on for a few seconds. That will destroy the RFID chip, but tampering with a passport is punishable by 25 years in prison. Compared to that, identity theft is a small price to pay.
Copyright © 2009 by Mark Nestmann
Comments