Schneier on Security
A blog covering security and security technology.
« Social Engineering |
| Why You Should Never Talk to the Police »
July 31, 2008
3,000 Blank British Passports Stolen
Looks like an inside job.
Posted on July 31, 2008 at 6:08 AM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is a severe breach of security because we're not talking about 3000 fake passports -- it's 3000 *real* passports with fake credentials on them.
Yup it certainly looks like an inside job.
Better still initialy the F&CO representative said they where usless because of the "security features" however just a few days later the Home Office say that they are worth 2.5Million GBP...
At a guess based on earlier attacks you can "clone" the data from an existing passport into these blank ones, so they certainly have some value, in that you can go "Identity shopping" with a reasonable chance of success...
Oh and of course even without the data in the chip they are still worth a great deal for opening bank accounts and traveling to places where they do not check the biometric data (ie anywhere away from a boarder crossing).
"it was taking all necessary precautions to prevent the documents from becoming lucrative merchandise on the black market." - How? The only way I can think of to do this would be to flood the market with tens of thousands more...
They are useless for getting into the UK, as the "security features" are checked. However they are very useful for getting into other counties, getting work in the UK, and opening fake bank accounts etc.
Hence they a worth a lot on the black market, but still at the same time be “useless” as fare as the UK passport service is concerned.
I would think this would be easy to negate from an official standpoint. Those passports will already be stamped with sequential serial numbers. Today, it's trivial to enter them into the "Watch This Person" database. If someone presents it at, say, an airport, they've just waved a flag saying, "HI! I bought a fake passport! Arrest me!"
These can only be used in cases where they don't expect the person reading the passport to check it against anything. Heck, I expect that they'll publish the bogus numbers in The Times. They won't be good anywhere.
The *good* passport thefts occur where no one ever realizes the passports were stolen.
And you are assuming the banks, some countries, night clubs, .... are going to check a passport serial against such a list if it exist, why?
You need a passport to get into a nightclub now?
You need id to show you are of age.
The first thing a bank or any serious checker would do is store the passport number. Sooner or later it will be verified...
You may need ID to show you are of age to get into a club, but come on - you think stolen official passports are going to be sold at a price that makes them something that will show up in a 17 year old's pocket who wants to get a drink at a bar? I think they are destined for other uses.
No, I don't think it will by a 17 year old. But a 25 year old that wants to use it for other things might use it for other things like getting into a club to keep his fake identity running.
AFAIK, most countries outside the US and the UK don't even have readers at the border crossings, simply because most passports don't have an RFID chip.
You'd think most places that require ID, like banks and such, would check the number on the passport, making these useless for opening bank account, as well as border crossings. What could these be used for, considering they are said to be worth ~1000 euros each.
SecureApps: So a 25-year-old uses a fake passport to get into a club. What difference does that make? A doorman immediately forgets a fake name instead of his real one?
@KTC: A bank? Absolutely. They key it into their computers first thing. They key my DL into the computer every time I show up in person. (I have humorous anecdotes about a passport being refused as adequate ID in the USA also; they wanted a DL. I don't think the girl checking ID had actually ever seen a passport before, in one case.)
In the USA, employers can now go to a website and check the validity of Social Security Numbers. http://www.ssa.gov/employer/ssnv.htm I have to think that a similar site exists, or could exist, in Britain.
I don't think that they were planning on targeting 17 yos who want to buy beer as their target market; they're planning to sell these to folks who couldn't normally get a passport to enter Britain, or anywhere else in Europe. That isn't going to work now. It won't work anywhere else that has access to a computer, and cares enough to verify the document.
I thought that they still accepted the passports even if the RFID didn't work. So really, all someone would have to do is smash it with a hammer to get around having to write to the RFID tag.
Wasn't this a US concern as well? I thought there were something like a bajillion unsecured transport points across the Middle East and parts of Asia in which our 'blank passports' were vulnerable to theft, or unguarded completely, many points at which would be equally valuable interception points in terms of creating fake-but-valid US passports.
Maybe this'll wisen up the moronic proponents of "exporting the creation of our 'valuable identification documents' to multiple countries with 'terrorist ties' or otherwise anti-US agendas...".
Yay for brains!
My concern is that the passports are used to "leapfrog" onto other legitimately issued forms of ID.
for example, drivers licenses, bank accounts for laundering, company ownership, benefit/welfare fraud.
I love this line though:
"The Foreign Office [...] insisted the blank documents are unusable because of their high-tech-chip security features"
Haha, 'high-tech-chip security features'. My guess, poorly encrypted (if at all) read/write RFID chips. What, something like 250 bytes of data? Good lord... I'm sure one, maybe two or three, real passports and a RFID reader from RadioHut™ would be more than enough to break these 'high-tech-chip security features'.
And even if I'm just being overly cynical, and it's some amazing, tamper-evident crypto-chip of sorts on loan from the NSA... I'm sure a truckload of 3 thousand or more will be going somewhere, at some point, and quite a lucrative target for people with 3k blank passports to fill.
In almost all countries outside of the US and UK people do not check passports at borders. There are relatively few other places where people actually scan passports, British banks perhaps, but somebody opening an account in France, or the US, with a British passport would probably have no problem even if it would show up in the UK.
If the real safeguard is the electronic chips on the passports, I find it unlikely that terrorists, criminals, or whomever will not find a successful way to clone legitimate user's information onto the chip eventually, then they won't be perfect forgeries, they will in fact be just like my passport.
The passports were on route to embassies - so the embassies must have the means to create a "valid" passport from them. So a corrupt (or threatened) embassy worker in some obscure part of the world is all the bad guys need to create a passport that WILL go through the electronic checks.
Again, I wasn't suggesting using it or intelligence behind, just that it CAN be used for ID and is because Bodi seemed to question it.
I wasn't defending or justifing anything.
Doesn't sound like that big of a deal if they recovered them. People could attempt to create fakes anyway...
Well maybe a few of them will wind up in the hands of Eton kids.. :)
A while back here in Mpls a person was denied entrance to a night club when he showed his passport. He didn't have a driver's license and the door man wouldn't let him in without one. I bet the doorman is with the TSA now.
"so the embassies must have the means to create a "valid" passport from them."
Actually probably not.
As has been shown virtualy anybody with the right (think buy on Ebay for a few dollars) equipment can read or write to the chip in passports. Which is why they can be cloned with little difficulty and "ID Shopping" is possible.
What people don't have is the ability to "sign the records".
I have been told (but have no way to verify) that the Embassies don't need the ability to "sign the records" either.
In these days of high speed communications the Embassy simply acts as the "eyes / ears / hands" for the UK Identity Service (or whatever it is calling it's self this week).
That is the Embassy inspect the documents people produce and send the info back to the "brain" in the U.K. Where the data for the RFiD Chip is produced in the same way as normal and signed and then sent back to the Embassy where they download it into the blank passport.
It is this ability for anybody with the knowledge and minimal equipment to be able to put "real records" in such a worry.
Assume you are a person who wishes to assume a new ID well all you need to do is find sombody who looks like you and get hold of thei passport for a very short period of time. Basically just long enough to photo/copy the photo page and slurp the data out of the chip. So less than 30 secs.
As you might be aware many countries require that you hand over you passport at your Hotel for ID verification as well as your credit card to be pre-charged.
Well how long do you think it is going to take those dishonest people that currently "sell on" photocopies of your pasport and credit card to criminals to equip themselves with a chip reader.
I fully expect a quite lucrative "ID market" to build up around these records, so "ID Shopping" will get oh so much easier.
These "security features" on RFiD Passports actually make you as an individual less secure and in no real way increase the security of the Passport. All it realy does is alow electronic gathering of your details when you travel more reliable as it remove the unreliable typing of a passport officer or OCR technology on the scanner...
"The *good* passport thefts occur where no one ever realizes the passports were stolen. "
"What people don't have is the ability to "sign the records".
Can the FCO guarantee that the key(s) used for electronically signing the information on their passports haven't been compromised?
Authentic, blank passports in conjunction with a compromised signing key could be a very damaging combination.
I wonder if this "theft" will push legislation through for a "universal" ID?
While the participants in this particular incident are obviously idiots, blank and stolen passports do have a high value in the EU.
The newer members of the EU do not have well developed border controls and once someone gains entry at a poorly defended border using a stolen or cloned passport, they then have unrestricted travel rights to most other countries in the EU (the UK is an exception.) Crossing most internal EU borders is little different to crossing a state border in the US.
Guess where you can buy the best fake passports...
Hint: not the drug dealer at the corner...
Inside jobs that *are not* detected are ones that matter... aka the drivers licenses that the 11/9 guys had.
Geez...I wonder where all these passports are going to end up?
Oh geez...am I suggesting the Brits and Americans are helping the other side to keep the fires brewing?
Say it ain't so...I mean...it's not like it's ever happened.
"‘Fakeproof’ e-passport is cloned in minutes"
"Tests for The Times exposed security flaws in the microchips introduced to protect against terrorism and organised crime. The flaws also undermine claims that 3,000 blank passports stolen last week were worthless because they could not be forged.
In the tests, a computer researcher cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber. The altered chips were then passed as genuine by passport reader software used by the UN agency that sets standards for e-passports. "
"Using his own software, a publicly available programming code, a £40 card reader and two £10 RFID chips, Mr van Beek took less than an hour to clone and manipulate two passport chips to a level at which they were ready to be planted inside fake or stolen paper passports."
Fakeproof, yeah, maybe even Deadproof...
Slighty aside, it's extremely annoying that it's so common for hotels & other temporary residences to demand you hand over your passport - they often even want to keep it until you leave. As a holder of a passport, doing so is a punishable offense (which is, in practice, ridiculous), and it's definitely a bad idea. Hotels sometimes claim the police even ask them to do so.
(This is based on my experience in the Netherlands, Germany and France).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..