The UK is launching a new passport this month, featuring the likes of Ada Lovelace and Charles Babbage, some of the world’s first computer programmers, as part of its new design.
In the November unveiling, the passport promised “the latest in printing technology to ensure the security of the document remains the top priority.” It’ll be the “most secure ever produced” with “brand new security features to make it more difficult than ever for fraudsters to forge copies.”
In particular, this involves the use of “security printing using UV and infrared light, inks and watermarks.”
Indeed, most modern passports have upwards of 30 different security features across the paper, inks, chip, thread and even the fonts used, making it increasingly complex to get a fake passport just right.
The <3 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
Trouble is, beautiful new passport aside, there’s no way to know your identity is truly secure.
WTF?
What would you do if someone in a foreign airport took a photo of your passport behind an official desk using nothing more than an Android smartphone?
Would you even notice? I barely did. Should you care? I sure as hell did! So what happened next? Well. Nobody could really tell me.
I was dazed and confused, weary from time travel across the world, so I didn’t know what to do when a woman behind the international transfers desk at Borispol airport in Kiev took a picture of my passport.
I knew, as a journalist, that I wasn’t comfortable with her doing it. It was either insecure, illegal, or both. Before I’d got a proper answer from her, she was gone.
And none of the airport staff I spoke to afterwards seemed to be able to follow me after that.
“Do you speak English?”
“Yes of course.”
“A woman behind that desk just took a photo of my passport with a smartphone and I’m not happy about that.”
“…”
Frustrated, and with no real way of learning more, all I could be sure of was I had an ePassport, the two folks I was traveling with did not, and I was the only one whose passport had been photographed.
After an unsuccessful attempt to reach out to the UK embassy in Ukraine – still waiting guys, glad it wasn’t a life or death one! – I was none the wiser.
Then a security consultant passing by my Twitter pointed me towards eCLOWN, an app for cloning passports…
Ignorance is bliss
The existence of such an app was brand new information to two people I managed to speak to on the lost passport helpline.
One was unmoved by the potential that someone might steal my identity. One was intrigued. Neither could tell me what to do next. If I felt my passport was compromised, it was my judgement whether to cancel it or not.
So I cancelled it, of course, all without knowing if I had to, with no one to turn to but people on the other end of the phone who couldn’t tell me anything either.
But stumping up £103 for a fast-track replacement wasn’t what I wanted to do, so I went to HM Passport Office determined that it shouldn’t be me that was repaying the government to supply me with another insecure document.
I came face-to-face with another anonymous woman and then spoke to her manager, who both told me I was unable to email anyone to make a formal complaint, so I provided a handwritten statement which was sent to the body’s ‘intel hub’.
A week or so later and my statement arrived posted in an envelope. Without an accompanying letter.
An email then hit my inbox explaining that wherever my complaint had got to, it wasn’t their remit.
Is anybody home?
On getting in touch with the Home Office press team, which of course isn’t even an avenue for regular old civilians, I was already starting to get a hint of déjà vu…
A spokesperson told me: “The new UK passport, to be launched in December, uses the very latest printing and design techniques to be at the forefront of international security.”
On my specific question about the smartphone photograph, they added: “The passport contains personal details and holders’ should look after it carefully.
“HM Passport Office recommends that customers should only present their passport when required to do so.
“If you think your passport has been used for fraudulent purposes, then contact the police.”
Hm. As good as the deaf ears my complaints fell on in the airport.
How big a risk is identity theft and cloning?
“Overall your biometrics are very weakly protected on your passport – you can grab the information, passport number, person’s date of birth, expiry date of passport,” explains Terence Eden, the mobile security consultant who flagged eCLOWN.
“Using RFID, you can be a few centimetres away with your passport in a briefcase, and someone could be discreetly accessing your details. Theoretically, if someone has a focused high-beam scanner and a laptop, it can be read from a distance.”
Somewhat reassuringly, it doesn’t sound like someone who’d cloned your biometric passport could recode the picture on the chip and just start galavanting around the world in your name.
“That’s the interesting thing about that word ‘cloned’,” said Tony Anscombe, senior security evangelist at AVG. “If I cloned your passport and even if I modified the bio page, I might even be able to clone the chip. But in order to pretend to be you, I would have to modify the picture and that’s not so simple. You’d have to unlock, de-encrypt and then re-encrypt.”
Although many accept that creating a new passport from scratch, with a new chip and a new photo, is tough and may well be detected by human or machine, doing so is not unheard of or impossible.
That’s not helped by the Home Office admitting that “it is not known how many fraudulent passports there are in circulation. Passport fraud by its very nature is difficult to establish and measure”, although it did also say that security measure had prevented 12,965 fraudulent passports being issued in 2014 to 2015, as well as identifying 548 after the fact.
eCLOWN creator Jeroen van Beek told me: “In The Netherlands, there are many well documented cases, including criminals using copied IDs for renting houses and starting drug labs in those houses, renting expensive cars and not bringing them back and buying phones that are used to threaten people.
“In an international context, cloned IDs have been used by hitmen and the secret services.”
“But, actually, if someone has just taken a photo of that, they can also rip off all the information anway,” Eden adds.
Potential for misuse
So, they don’t ‘clone’ it, but make a crude copy… It might not fox immigration officers, but what else could they do?
“Whether or not the chip has been cloned, that doesn’t stop your passport information being misused,” Anscombe warns. “If you go to a bank, it is usually part of the identity check. And of course they don’t read the RFID.”
“With the information they have from that picture, they could potentially re-set your bank password,” adds Anscombe. “Interestingly I never answer those safety questions honestly. Never put down your real place of birth.”
And, rather frighteningly, I also learned you really don’t need to have your identity stolen in order to be a target for criminals on the lookout for leaky documents.
“There’s this longstanding rumour – and it’s theoretically possible – that someone built a bomb into a rubbish bin that would only blow up if someone walked past who was of a certain nationality,” Eden explains.
“Likewise, your bank card can be read for the bank country, which offers an opportunity for people to target tourists.”
“My understanding is in the 2010 release of the ePassport, they moved the antenna and RFID further into the book of the passport,” Anscombe adds. “In doing so it makes it harder for someone to read the RFID as you walk past something.”
But he also points out that with the US passport, the cover is made of the material that blocks RFID, the perfect solution, but this isn’t yet standard in other countries.
Many in the security crowd have taken to buying wallet-style Faraday cages to make themselves invisible to fly-by-night bin bombers.
And fraudsters could, of course, just find someone who looks enough like me and simply ensure they avoid the digital desks at the airport.
“People of different nationalities are very bad at racially spotting people,” Eden adds.
There is actually a list of misused documents kept by world police Interpol, but AVG’s Anscombe says it’s rarely checked against.
“Ultimately, it’s hard to give someone a locked box and a key,” Eden adds. “Every passport officer in the world needs to be able to unlock it.”
No answers in sight
It’s not clear whether the latest iteration of the UK passport will be updated to include an RFID blocker but essentially, THAT MAKES NO FRICKIN DIFFERENCE.
“The most important issues are still not addressed,” according to van Beek, who presented many workarounds for passport security system to Black Hat Europe back in 2009.
“The main problem is the poor quality of inspection systems. Current passport control procedures, especially with the current mass influx of refugees, are very poor in the EU general, you don’t need a chip or even a document for immigration.”
Ultimately, you’re walking around with many of your most secret details, handing it to most people who ask with no awareness of their intentions, or leaking it as you stroll down the street.
With no one really able to tell me, or in fact know, exactly who’s doing what with my identity, I’m hoping the woman in Borispol is just a creepy fan who’s got photos of me stuck all over the walls of her home.
Like it or not, I guess that sounds like the most favourable outcome.
Get the TNW newsletter
Get the most important tech news in your inbox each week.