Passport PIN tech could have SAVED MH370 ID fraudsters
A man who developed PIN code protection for credit cards is looking to extend the technology to passports as a way of making stolen credentials more difficult to use.
Kenneth Cecil of International Security, who came up with PIN code protection in US patent 6,340,116), will present a white paper on extending the technology to passports at the upcoming International Security Conference trade show in Las Vegas on 2 to 5 April.
In the paper, RFID/Proximity Card with PIN Code Protection, Cecil argues that his technology also protects against risks such as skimming.
The issue of stolen passports was raised in the context of Malaysia Airlines flight 370 because two of its passengers travelled using passports stolen in Thailand.
This raised fears about terrorism in the early stages of the investigation into the missing aircraft. Two individuals (later determined to be Iranian nationals seeking asylum in Europe) were travelling using the snaffled identities of an Austrian and an Italian who reported their passports stolen in 2012 and 2013, respectively.
INTERPOL later confirmed the two stolen passports used by passengers on missing Malaysian Airlines flight MH370 were both registered in its database.
But the issue of stolen passports goes much further than that. Cecil argues PIN code protection technology offers an effective means to mitigate the problem.
Cards used in either access control security or financial transactions can be used by the person that happens to be in possession. Lost or stolen cards cost the industry billions. The PIN code protection patent requires the user to input a PIN code and/or finger swipe into a numeric keypad on the card's surface.The PIN code and/or finger swipe is compared to the reference within the card chip and if correct enables the logic system within the card. After a time period the PIN code expires and the card is disabled. A duress feature allows for a remote alarm to be activate if the user is forced to activate the card such as at an ATM.
The PIN code protection technology can also be applied to visas and passport credentials as 40 million passports are lost or stolen each year. Protected cards cannot be cloned or skimmed.
Keypads built into your credit card
PIN code protection technology for credit or debit cards requires the user to input a a series of digits known only to them into a numeric keypad on the card surface. Credit card technology with built-in keypads have existed for some years without gaining acceptance across the payment card industry. This, and other reasons, make electronic ID experts cautious about the potential offered by putting keypads into passports.
"I’ve watched the technology on the payment card side since at least 2006 and it’s been really slow to develop," Ray Wizbowski, VP for financial vertical marketing at Datacard Group and an expert in electronic ID technology, told El Reg. "Given the requirements for international cooperation and everything that’s gone into the current generation of passport specs, I think this would have quite a tough time getting attention."
ePassports with built-in biometrics are supposed to stop the sort of problem that allowed someone to impersonate the holder of a stolen passport and get on the missing Malaysian Airways flight.
"There are technologies already covered by the ICAO [International Civil Aviation Organization] standards that would have prevented the use of stolen documents," Wizbowski explained. "However, it’s not just about whether a document is ePassport or not, but more about the adoption of the infrastructure within, and importantly, amongst countries."
Airlines are, in any case, supposed to check passport numbers against a list of stolen documents reported to Interpol. Passport technology only changes really slowly with a 10 year turnover cycle, as individuals are obliged to renew their travel documents. If ePassports, once the verification infrastructure is rolled out, can already do the job then why the need to add PIN code protection to travel documents?
Everything's borked
Cecil told El Reg that the present passport system is hopelessly broken and needs to be changed.
"The present passport is easily counterfeited and hard to provide with a RFID chip," Cecil said. "The book configuration for passports is for visa display and recording the date of entering and leaving a country. It should not be used for verifying the identity of the user. Biometric scanners at the point of entry can make the lines challenging."
He rejected the argument that passport systems are difficult to replace as justification for proceeding with current technology roll-out plans. "Thirty years ago we developed a card to replace metal keys and were told that the mechanical lock infrastructure would not allow change," he said.
Moving to RFID equipped passport cards with PIN entry is capable of addressing a myriad of problems, according to Cecil, who argued that similar technology would also help in combating credit card fraud.
"RFID readers could be used to interrogate RFID equipped passport cards as lines of passengers are waking within a defined space," Cecil explained. "Cameras could record and verify through facial recognition and identify those needing further assessment."
"My patent links the RFID card to the user by requiring a PIN code and or finger swipe to initiate the logic in the chip and then it times out so that lost or stolen cards cannot be used. Also it includes a duress feature for further protection in the event a user is threatened at a ATM. Unprotected RFID credit cards, as used in the EU, can be 'skimmed' and 'cloned' since the RFID chip is unprotected and is always available to a RFID reader," he added.
Bootnote
ePassports come in two flavours. In a Basic Access Control ePassport, the content that is physically printed on the holder page (facial image, text, etc) is also stored on the chip. The data that goes onto the chip is digitally signed by the issuing country so it can't be changed. This allows an inspector to verify that the data hasn’t changed and was actually issued by the government. "Imposter" fraud, where stolen passports are sold to someone who looks similar to the legitimate holder, are still possible in this scenario.
For countries wishing to include fingerprints in an ePassport, ICAO mandates the use of Extended Access Control. Security is strong but relies on the use of inspection systems that compare a capture of the passengers fingerprints against the data stored on the chip. "It really comes down to adoption of the verification infrastructure," Wizbowski. "While many ePassports have been issued, it is still early days on utilising the technology for inspection."