Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Readying the 1000-lb Squid for Science |
| The U.S. Terrorist Database »
March 26, 2007
10,000 Fake British Passports in One Year
This is the kind of thing that demonstrates why attempts to make passports harder to forge are not the right way to spend security dollars. These aren't fake passports; they're real ones mis-issued. They have RFID chips and any other anti-counterfeiting measure the British government includes.
The weak link in identity documents is the issuance procedures, not the documents themselves.
Posted on March 26, 2007 at 6:46 AM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I object to calling those fraudulently issued passports "fake" as they are real passports, issued by the government, indistinguisable from valid passports. I prefer to call them "wrongly issued" or "fraudulently obtained".
This leads to another question, how does the number of falsifications compare to the number of wrongly issued documents?
The weak link is about to be badly patched - as part of the introduction of the UK National Identity Register, new passport applicants will soon be required to attend an "authentication by interview". Your passport application form will be used to scrape as much information about you as possible from the Government's databases (which it has already admitted are riddled with inaccuracies).
You will then be required to attend an interview at one of 69 nationwide NIR interrogation centres, where you will be quizzed on the information the Government holds about you. If you can't answer their questions (quite likely because your information is correct and theirs is wrong), you won't get your passport.
On the individual level, this is a huge inconvenience - as well as the 50% cost increase, the application process has gone from a 2-week postal turnaround to a 6-week process involving taking time off work to pay to travel to a centre and attend interview. It's estimated that 25% of first-time passport applicants this year will miss their holidays due to this extra delay. Then there are the longer-term downsides - being placed on the NIR will increase your risk of identity theft and fraud and implicate you falsely in crimes.
On the national level, the £500m annual running cost for the database (plus the costs to other organisations for integrating their systems with the NIR) for no real benefit is a shameful waste of money. The Green Party and Liberal Democrats have pledged to repeal the Identity Cards Act 2006 and do away with the NIR, so there is some hope.
To quote what Bruce said, right above your post; "These aren't fake passports; they're real ones mis-issued."
Also the statistics are listed in the guardian's article. My big grind with the situation is that at first glance, the solution to this problem would be to put together a large national database of "bad guys" which would, as with ours, yield a multitude of false positives. It's a frustrating situation.
MathFox: A recent article in the Manchester Evening News stated the Passport Agency's accuracy as 99.8%, meaning that around 8,000 passports with incorrect information are issued each year, compared to this 10,000 with correct information based on false claims.
The good news is that the Home Office, by their own estimate, has a 99.5% rate of issuing genuine passports -- and they couldn't possibly be overestimating their success, right The bad news is that al-Qaida has (at least) 10,000 genuine passports, most of which they'll never need, so they can sell the excess on the black market for serious money.
The question here is: "what is an identity?" Who am I? Is it who I say that I am or is it who others say that I am. You can use all the technical stuff to protect a passport, but it is still all about trust relations.
A new child has been born? Who else are more sure about its identity then its parents. So they request a passport for their child.
You lost your passport? Come up with some family/friends who can confirm your identity.
The passport issuance procedure should be more like PGP.
From the article:
"In a written ministerial statement, she said "almost half" the applications were stopped by existing safeguards, but the remainder had gone undetected."
If they went undetected, how would you know how many there were?
"They have RFID chips"
Probably not, due to the delays ib colating this sort of information by far the majority would have been issued prior to the fairly recent introduction of the RFID passport.
Not that it makes any difference.
DId anybody else notice,
"Given this dire record, they have no chance of running the ID card project, which will cost up to £20bn and involve billions of pieces of data, effectively,"
Now let me see 20,000,000,000GBP cost divide by the 50,000,000 aproximate UK population = 400GBP / Person or around 700USD.
Oh and something else, for a population of 50 million and pasports lasting 10 years you might have reason to suspect that there was a problem with 6.6 million passports being issued in a single year. After all most organisations I know of would be surprised with a 32% greater than expected volume of turnover....
Does anybody think this (probably very low guess as to the real) cost is going to achive anything the avarage citizen would consider usefull?
It didn't really look like a news story. It looks more like justification for the introduction of the Interviews that those adults applying for a first passport will soon need to have.
People will be impressed with the government, after all, they are managing to react to the news story using facilities built up in the months prior to it breaking.
@ Dave Page:
How do you argue this?
"Then there are the longer-term downsides - being placed on the NIR will increase your risk of identity theft and fraud and implicate you falsely in crimes."
For all the talk of security the whole system is only as good as the badly paid workers who operate it. From a blog entry from November 2004:
"I recently renewed my passport. The passport office use a company called SMS to deliver the passport back to you. SMS purport to run a secure recorded delivery service. The first I hear of them is a letter saying that we weren't in and could we arrange a new delivery. I try the web site first. I'm not a huge fan of phones in general and automated phone systems with options and being put on hold don't rate highly in my preferred way of doing things. The website seems to work fine but there is no delivery. After a couple of days I try the phone system - its automated but its essentially an answering machine so no problems there. Then I get a phone call from them: We are unable to find your property on a number of occasions. Uh? I live in a terrace of houses. With a number on it. A couple of seconds with streetmap.co.uk and my postcode gives you all you need to know. I get loads of things delivered - its the main way I buy stuff. It all arrives. The woman on the phone ignores my incredulous tone as I give basic instructions. Come saturday morning when the delivery is promised. Nothing. Then late afternoon a stranger who lives near by brings it round. Uh? again. SMS promise *secure* delivery. They say in their letter that you need to give proof of identity. I am absolutely sure this why the passport office pay them for their service. Instead they actually offer nothing of the sort. A few half arsed attempts at delivery by someone too stupid to even read a streetmap and then deliver it to a random person instead.
Annoying as this is what it really shows is that security is only as good as the people involved. No matter how good the new ID cards are for example there will always be low paid people who don't care about their jobs checking them. The real solution of course is to pay people properly and to make sure they are motivated rather than spending huge amounts of money on unproven technology."
Maybe the issuance process is the weak link today, but tomorrow technologically enhanced passports will be as 'easy' to fake as the standard passports.
The population of the UK is about 60 million, and there are about 5.5 million british citizens living abroad, according to wikipedia. So 6.6 million passport applications is right on the expected figure.
My dog collects Social Security...he makes more than I do.
This all sounds like old cold-war jokes.
"We will not ask questions to which we don't know the answers,"
"You must tell the truth, we know all the answers, comrade."
"It looks more like justification for the introduction of the Interviews that those adults applying for a first passport will soon need to have."
I'm glad you said that. I also couldn't help thinking that this seemed a bit convenient for our government just as they are preparing to start up the IPS interrogation centres. It should be interesting listening to accounts of what the interviews are like and what happens when a genuine applicant can't answer the questions.
Dave Page points out "You will then be required to attend an interview at one of 69 nationwide NIR interrogation centres"...
So what will first-time applicants living overseas have to do? For many people there won't be a nearby interviewing centre. So either they require a possibly very expensive trip to the nearest consulate, or they relax the requirements for non-UK residents, allowing a classic "force fallback to older and less secure protocol" attack.
Of course even if there are overseas interroga^H interviewing centres, there's unlikely to be much if any data to be scraped from UK databases on someone who's never resided in the UK.
Wow the security is going to have to be bumped up in the next couple of years no dout about that this is phenominal
check out my blog
The fraudster will get there first with all the "right" answers he or his mates had previously planted all over the place, and the real person will then be denied his passport because he will only have the "wrong" answers.
Haven't they heard of Id Theft?
"The IPS executive director, Bernard Herdan, said applicants would be expected to know answers from a pool of around 200 questions about their ancestry, financial history and previous addresses"
I'm guessing that it won't take too long before the total pool of questions becomes known and can be researched/practiced by an imposter beforehand
Last time I looked the full UK population based on Health Care figures was just about 60.2Million as you say but, that's the total number of bodies including those from other countries, claiming health care.
If you look at,
They show a population of 58.7Million from the census data so you have a disparity of around 1.2million there. Also the page shows that about 8% being of non white ethnic origin.
It is difficult to get the figures but about 25% of these or 2% (say 1.2Million) of population are not eligable for UK passport as they are forign dependents with perminant residence status.
Other figures say that 1 in 12 of the population was not born in the UK (5Million).
You also need to know that there are a significant number of European whites in the UK legitimatly again figures vary but lets say a million or so.
Even our Spin Worthy Priminister Mr Blair said all countries were battling with the problem of mass migration and went on to say
"Twelve million people visited the UK every year for legal reasons such as trade and tourism - the challenge was to ensure they did not overstay"
He was as far as I can see being a little economical with the truth (as normal) A good chunk of the 12 Million are with us at any one time (say 5Million)
So only a percentage of these 60 Million Health Care bodies are elegable for full UK pasports my rough estimate was 50Million of them.
Then you need to reduce this number quite considerably for those that don't hold passports which is quite a few of our aging populance and for the quite young.
I had forgoton about the 5.5 Million expats many of whom by the way never bother renewing their passports (see problems with Zimbabwean non UK-Citizens),
But even taking the Ex-Pats into account 6.6Million still appears to be 15% or so to high to me.
There may also have been a blip due to people trying to get their new passports before time to avoid the increased charges I just don't know.
The trouble is the people who know the real figures are not telling because it is to "politicaly sensitive", and we have to peer dimly as though through a fog to ascertain a partial view that our minds compleat.
This is a straw-man argument against improved passport security. You're picking a hard problem, which is verification of identity, and claiming it "must" be solved before another problem is solved -- because you don't like the RFID solution.
These problems are not casually related; well, perhaps they are. As identity checks increase and the erroneous-issue rate goes down, there will be more call for fake passports to take their place. Not to mention the overseas factories that churn out fakes.
Finally, this entire article smacks of innumeracy. A 0.5% error rate is — low? high? common? Who knows? What are the consequences? Are there really millions of terrorists and criminals getting passports in the UK each year, or is this report highlighting some small deficiency in the process and calling the result fraud?
(re: I had forgotten about the 5.5 Million expats many of whom by the way never bother renewing their passports,)
I always renew mine on the offchance that I'll need it. So does everyone else I know (the rest of my family mainly).
Grahame (expat Pom in Aus, and don't my pommie friends hate that I'm a registered pom ;-)
I have received a Swedish passport when living abroad, as a replacement for one that was expiring. This process involved traveling to a consulate and a long interview with staff there. I had to return to the consulate 4 weeks later to pick up the new passport. Perhaps not especially time efficient, but certainly a rather secure method, as I had to provide proof of identity and they verified things against the national registers. And I only have to do it once every 10 years.
I don’t really understand complains about this. A passport is a very important document, providing not only proof of identity but also a number of protections as citizen of a specific state. When traveling outside the western countries you begin to appreciate how valuable a passport really is.
I'm not much looking forward to how the expat situation will be dealt with. I live at least a four hour journey from the nearest British consulate. At some point I will need my passport renewed and my two small children will also want passports.
To add an extra layer of complication, I doubt there is a photographer in this country who is familiar with the insane rules for British passport photos, so getting an acceptable photo of them or me will also be a struggle.
Frankly it might just be easier and cheaper to apply for Danish citizenship.
-> So what will first-time applicants living overseas have to do?
A child does not need to get interviewed, if the person is not a child, they can not be British AND living overseas AND not already have a British Passport, as you can’t get out of the UK without a Passport.
Therefore peopling living overseas will just have to go to the consulate once every ten years to get their photo taken etc. If that is too match pain for the person they always come back to the UK and start paying UK taxes.
For the previous five years this statistic has not been volunteered but had to be extracted by an MP's written Parliamentary Question. The answer always comes back as a dodgy estimate of around 10,000 passports mis-issued per year and is only noticed by a few eagle-eyes who search through Hansard.
But what hasn't been reported is that this number historically includes passports issued to the correct person but with some details in error (which seems to be about half).
Another number that wasn't reported was the prosecutions for fraudulent applications. The only figures I've seen are a few years old but seem to be around half-a-dozen to a dozen each year.
Cynical conclusion: A self-serving statistic, non-news that is being spun just in time to explain the need to expand the introduction of a new bureaucracy at great public expense.
If Govt really thought this was a 'serious' problem might they have tried to do something about it in previous years?
Also of interest is the dubious constitutional basis of this 'initiative' . The issuance of passports is the prerogative of the Queen in the UK, and thus is beyond Parliamentary scrutiny. For the last century or so she has allowed it to be run by the Passport Agency on her behalf.
The new 'merged' ID & Passport agency is thus a convenient hybrid of unaccountable prerogative and 'accountable' Parliamentary legislation.
Any guesses to whom it will be accountable?
"if the person is not a child, they can not be British AND living overseas AND not already have a British Passport, as you can’t get out of the UK without a Passport."
Except i) they might have dual nationality and possess a non-British passport ii) they might have left Britain as a child, iii) they might be British citizens born abroad and iv) who says you need a passport to leave Britain anyway?
Your last paragraph doesn't make any sense either. Since when did consulates take photos?
What have taxes got do with anything?
hi who know how to make fake-real passport or id?
thanks for answer
I need some advice.. I am having relationship with a guy right now however some odd circumstances occured and I just found out that he's holding two passports: one is Australian Passport (he was born there) and the other one is British Overseas Citizen Passport.
This guy have only been living in UK for three years and he came to the UK for the first time under Working Holiday Maker Visa.. He is actually Australian born chinese, his parents came from Malaysia originally.
What I want to know, is this normal, how can he get British Overseas Citizen Passport by only living in UK for three years? Honestly I am a bit suspicious. As far as I know, someone holding working holiday maker visa in UK can only stay for two years. This is his third year already.
I am from Thailand. When I wanted to visit him in UK (this is long distance relationship) I told him that I needed a copy of his passport and his working visa in there, as stated by UK Embassy Visitor's Visa Requirement.
However, he was very reluctant to give me those. He didn't want to tell me why so he asked his friend (a British man) to give me copy of his passport instead.
I was even more suspicious when he asked me not to write his current address (he lives in London) in the immigration form.
Honestly I am a bit confused and any advice would be greatly appreciated. Thank you.
according to wikipedia it says that there are some 150 million born brits living around the world and only 50-million born brits living in the UK
can you confirm this
is british pasport and the u k the same
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.