About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

21 posts categorized "Travel"

Pass this one up

By Dave Birch posted Aug 6 2008 at 6:48 PM

[Dave Birch] The newspapers here are having a fine time with the very latest Dutch chip shenanigans: A Dutch researcher has shown The Times how easy it is to clone e-passport chips and change the details.

The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.

[From ‘Fakeproof’ e-passport is cloned in minutes - Times Online]

Nearly right. It's digital signatures that "would not match" and the international database contains the public keys that allow you to check the signatures. I doubt it's much of a threat to be honest, because you'd have to forge the paper part of the passport to match the cloned chip, and that strikes me as a little harder. The only people who read the chips, or at least attempt to read the chips, are immigration officers. My bank doesn't have any readers, nor does my airline and nor does Eurostar or anyone else. Anyway, as the journalist points out, digital signatures are pretty useless if no-one implements them. I'm not sure why it's in the news today, since it's a recycling of a story that's a couple of years old:

A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.

[From Hackers Clone E-Passports]

It may be a symptom of a general collapse in public trust of any kind of government IT rather than a specific reflection on anything to do with e-passports.


Identity thieves

By Dave Birch posted Feb 29 2008 at 10:46 AM

[Dave Birch] I've been thinking about identity theft because of a meeting I'm going to later on today and I was mulling over the different kinds of identity theft. It seems as if most of the identity theft we hear about is really just "simple" credit card fraud, but of course there are other bigger and potentially more serious kinds of identity theft. But, once again, I must ask to what extent those crimes are the super new 21st century crime of identity theft and to what extent they are old-fashioned deception. Here is a case in point. I'm pretty sure I saw this on The Real Hustle on the BBC a few weeks ago, so I wonder if this is where the perps picked up the idea?

A brazen swindle in Wheaton last week in which a man walked into a BB&T bank dressed as an armored truck courier and walked out with $574,500 in cash has been linked to a similar bank job the next day in Washington, authorities in Montgomery County said yesterday. Assistant State's Attorney Marybeth Ayres named Elizabeth K. Tarke, a teller at the BB&T branch, as a possible ringleader.

[From Teller Called Possible Ringleader in Two Bank Thefts - washingtonpost.com]

If you were going to pretend to be somebody else for half an hour, who would it be? Me, or a cash collector? The story says that an employee checked the bogus courier's ID card. But how? I really doubt that the bank employee took off the courier's ID card and put the ID card into a machine and had the courier put his eyes up to an iris scanner to match his iris to the card and then went online to have the card credentials verified by the courier company and bank servers. I'm sure the story means that the employee glanced at the ID card and it seemed about right.


Rushing in

By davebirch posted Jul 16 2007 at 11:03 AM

[Dave Birch] There's an identity-related debate going on about data sharing by government. I don't mean to take sides on it, except to note that I would prefer to see a more technologically-informed debate, especially around the sharing of biometric data. I was making some notes about this in a data protection context and thought I would mention that the EU's Data Protection Supervisor (a Mr. Peter Hustinx) has been saying that EU governments risk violating the protection of their citizens' personal data by acting hastily in approving the use of biometrics because it was "rushing in a new era" of using biometric identifiers for security checks while standards for data protection were still not clear. In particular, he warned against cross-linking national biometric databases and he said that Europe needs standardised procedures for collecting biometric data as well as common rules and safeguards for the use of the sensitive information.


Automat

By davebirch posted Jun 20 2007 at 2:13 PM

[Dave Birch] Presumably one of the benefits of moving to a smart identity card -- alongside smart passports and driving licences -- is that many of the associated processes can be automated. Somewhere like Malaysia, which has had a smart identity card for years, shows how this can be done. There, passport applications can be made online or at kiosks. The Deputy Home Affairs Minister Datuk Tan Chai Ho says that e-kiosks and e-applications were part of the Immigration Department’s efforts to go paperless and increase efficiency. Only one e-kiosk had been installed at the time of writing, but it can process a passport for an identity card holder in as little as 10 minutes. Applicants deposit the RM300 fee in the machine (which can also photograph passport holders), enter their details and then pick up their passport the next day. This means, of course, that the integrity of the passport applications now depends on the integrity of the identity card. The National Registration Department has detected 364 cases where the MyKad has been tampered with but has found no cloning of the identity card. Mr. Ho said the tampering was confined to changing of the photograph on the card and most of these cases involved illegal immigrants. He said that in these cases the MyKad chip was damaged because it contained the personal particulars of the card holder which could not be altered.


Not-very-public key infrastructure

By davebirch posted Mar 15 2007 at 8:49 AM

[Dave Birch] One of the most visible digital identity documents, the passport, has been much in the news recently. Unfortunately, most of the coverage has been about the limitations of Basic Access Control (BAC). Not that electronic passport control is operational yet because of the problems getting readers installed and configured, which in turn means getting the public key directory working. This directory is being set up by Netrust, a Singaporean company that last year was selected by ICAO. Germany, citing security worries, says it is not taking part in the directory, even though the USA and UK are (currently). Readers won't have the German keys in them (unless they get them directly from the Germans), so they won't be able to validate the digital signatures on German e-passports. As we've discussed before here, there are some genuine problems here that need to be fixed for the e-passport to be effective.


Tinfoil tests

By davebirch posted Dec 11 2006 at 10:53 AM

[Dave Birch] You may remember the DIFRWear shielded wallets and passports that we were talking about a couple of weeks ago.  I thought people might be interested to know that they arrived, and they're very nice.  But do they work?  In other words, if you put a passive ISO 14443 card or passport inside, do they stop terminals from seeing them?


Budapests

By davebirch posted Nov 15 2006 at 5:43 AM

[Dave Birch] Bruce Schneier's blog points me at the "Budapest Declaration", which also came up at the International Biometric Foundation meeting that I went to yesterday (I was leading the round table on public sector issues).  The declaration includes this: European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose. In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS “Future of Identity in the Information Society” Network of Excellence) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues. Since e-passports are a very important kind of digital identity, it's important to understand the issues that they are highlighting.


Protect and survive

By davebirch posted Nov 10 2006 at 8:17 AM

[Dave Birch] For those of you who are concerned about terrorists tracking you by lighting up your new e-passport from a distance, a company called DIFRwear has started making snazzy passport holders with built-in shielding.


Cloning e-passports

By davebirch posted Aug 4 2006 at 3:51 PM

[Stuart Fiske] Because of the CHYP Electronic Passport Interoperability Service, we've already had a few calls about today's Wired News story on the cloning of e-passports.   But what exactly is this story about?  Is it about uncrackable e-passports being broken open by hackers?  Or is it about someone reading the specifications and discovering that e-passports work as they are supposed to?


Passport control

By davebirch posted Jul 12 2006 at 6:29 PM

[Dave Birch] According to Europe Information (which I can't link to online), the European Commission has decided to adopt the proposed technical specifications for biometric passports. This means that by June 2009, member states (except, of course, for the UK and Ireland because they have opted out of euro-border control stuff) must be issuing e-passports with an electronic chip embedded in them that contains two of the holder's fingerprints as well as the facial image. The "Justice, Freedom and Security" Commissioner Franco Frattini unveiled the specifications on 28th June.
