It’s been a bad couple of weeks for passport designers. Several things happened that could alter the future of the technology used in our travel documents.
The first bit of bad news came from the UK, where a van was stolen containing 3000 “virgin” passports. These passports were on their way to an RAF base, where they would be flown to consulates all around the world (previously covered here on Gadling)
The passports were made in a high security printing facility owned by 3M, but of course, no amount of security helps against stupidity. When the driver of the van stopped at a store to buy a candy bar, his colleague (who was still in the unlocked van) was ordered to keep his head down while the thieves drove off, stopped in a dark alley, and unloaded all the passports into a waiting car. The passenger of the delivery vehicle has been arrested and released on bail.
The UK passport service said “computer chips embedded in the passports to store personal and biometric data have not been activated. The service says that means the documents, which are still missing, can’t be used as passports.“.
Turns out they couldn’t have been more wrong, which brings us to the next bit of bad news.
RFID (radio frequency identification) chips in passports have been a hugely controversial issue. Ever since the first trials were conducted, security specialists have warned that they are not the holy grail they are said to be. Back in 2006, right after the first chip enabled travel documents rolled off the printing presses, researchers showed how easy it is to read, and write to the chip in these passports. In a more recent experiment, a researcher read the information off one passport, and altered it, rewriting the data to a different chip, but with a new photo; Osama Bin Laden.
When the standards were developed for the RFID chips in travel documents, a system was put in place that could verify the information stored on the passport with a remote database of “public keys”. So far, only 10 of the countries participating in RFID passports have signed up for this new public database, and only 5 are actually using it. Once this system is in place, a scanned passport will be verified against the data it is supposed to contain.
This technology should eventually make it much harder to use a fake or altered passport at an immigration counter, but only in countries that have the systems in place for using RFID. Any other county will still have to rely on the visible data stored in the passport. Since the RFID technology is only intended for immigration purposes, a fake passport can still easily be used for other purposes, like banking or real estate.
In the meantime, there are 3000 UK passports on the market (worth about $3400 each), and millions of passports being printed each month with RFID chips that don’t really protect anyone.
With each vulnerability found in these RFID passports, the designers are pushed back a little closer to their drawing boards, where they will eventually have to develop an even better method of protecting the countries they work for. Of course, in the big picture of things, nothing can stop good old human stupidity.