
E-passports issued as group lists best ID security practices

Amid intensified airport security, U.S. passports outfitted with RFID technology rolled off the government’s presses as the U.S. State Department began issuing electronic passports to the public.

The State Department said e-passports are being produced at its Colorado Passport Agency in Denver and will be expanded to other production facilities during the next few months as part of an effort to enhance border security.

E-passports contain an RFID chip in the rear cover of the passport that stores the same data as that found on the biographic data page of the passport (name, date of birth, gender, place of birth, dates of passport issuance and expiration, and passport number), as well as a digital image of the bearer’s photograph, the State Department said.

The digital photo is a biometric identifier, which is a measurable physical characteristic that can be used to verify the identity of an individual. Other biometrics include face recognition, fingerprints and iris scans.

To protect the privacy of the information and to mitigate the chances of the electronic data being skimmed or intercepted by unintended parties, the State Department explained that it has employed a multi-layered approach to securing the chip’s data. Metallic anti-skimming material is incorporated into the front cover and spine of the e-passport book, which prevents the chip from being skimmed, or read, when the book is fully closed. The e-passport also uses Basic Access Control technology, which requires that the data page be read electronically to authenticate the data, which in turn unlocks the chip.
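
Basic Access Control is specified in ICAO Doc 9303, and the data page has to be read first because the chip's access keys are computed from fields printed in its machine-readable zone (MRZ). The sketch below is an added illustration of that derivation, not code from the State Department or the article; the function names are hypothetical and the sample fields are ICAO's specimen values, not a real document.

```python
import hashlib

_WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated across the field


def _char_value(ch):
    """Numeric value of one MRZ character: 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if ch in "0123456789":
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"character {ch!r} is not valid in an MRZ")


def check_digit(field):
    total = sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """Document number, birth date and expiry date (YYMMDD), each with its check digit."""
    if len(doc_number) > 9:
        raise ValueError("this sketch only handles document numbers of up to 9 characters")
    doc_number = doc_number.upper().ljust(9, "<")
    for value in (birth_date, expiry_date):
        if len(value) != 6 or not (value.isascii() and value.isdigit()):
            raise ValueError("dates must be six ASCII digits (YYMMDD)")
    return "".join(f + check_digit(f) for f in (doc_number, birth_date, expiry_date))


def _odd_parity(key):
    """Set the low bit of every byte so each byte has odd parity, as DES keys expect."""
    return bytes((b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1) for b in key)


def derive_bac_keys(doc_number, birth_date, expiry_date):
    """Return (K_enc, K_mac), the two 16-byte 3DES keys a reader needs to unlock the chip."""
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]  # key seed: first 16 bytes of SHA-1(MRZ info)

    def kdf(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])

    return kdf(1), kdf(2)  # counter 1 -> encryption key, counter 2 -> MAC key


if __name__ == "__main__":
    k_enc, k_mac = derive_bac_keys("L898902C", "690806", "940623")  # specimen fields
    print("K_enc:", k_enc.hex().upper())
    print("K_mac:", k_mac.hex().upper())
```

A reader that has not seen the printed fields cannot compute these keys, which is why the chip stays locked until the data page has been scanned.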

To prevent alteration or modification of the data on the chip, and to allow authorities to validate and authenticate the data, the information on the chip will include an electronic signature.

The government said it expects that by October, all new passports will be chipped.

Privacy advocates are leery of such efforts.

Indeed, in a recent demonstration at the Black Hat security conference in Las Vegas, German researcher Lukas Grunwald reportedly used a laptop with an RFID reader and smart-card programmer to scan information on a VeriChip RFID chip, which he then wrote to the smart card. Theoretically, the information could wind up embedded in a fraudulent passport.

VeriChip spokeswoman Nicole Philbin wrote in an e-mail that “the company has not officially responded nor verified” the hacker demonstration. However, “the VeriChip technology is a much more secure means of identification than the cards people carry around in their wallets,” she commented.

VeriChip developed the now FDA-approved VeriMed Patient Identification System, a human-implantable microchip equipped with passive RFID technology designed to accurately identify patients as they arrive in emergency rooms. Once a patient is identified, hospitals can access a database network containing medical records. The company has said the chip can also be used in nursing homes and other medical settings.

Philbin dismissed security concerns about patients’ medical history, saying, “Each chip contains a unique 16-digit identification number. The information stored in an individual’s profile in the secure database only contains the information the patient chooses to enter. (Each patient is responsible for entering his or her own information, i.e. name, doctor’s name).”

Meanwhile, a secure ID industry coalition that includes card makers Gemalto and Oberthur Card Systems, as well as chipmakers Infineon Technologies AG, Philips Semiconductors and Texas Instruments Inc., said it planned to educate policy-makers and present them with the group’s privacy and security standards suggestions during last week’s National Conference of State Legislators.

The coalition says it aims to “promote the understanding and appropriate use of smart-card technology while maintaining user privacy.”

The group said the following initiatives form the basis of its call for standards and best practices within the industry:

  • Privacy of personal information as defined by all relevant regulations and laws.
  • Confidence that ID documents have been appropriately secured against threats of fraudulent access to personal information.
  • The right to know what data is contained in electronic ID documents, how that data will be collected, secured and transmitted, the presence of radio frequency technology in ID documents, and when, where and why an RF device is being read.
