Shostack + Friends Blog Archive

 

Apparently The State Department Didn’t Learn From Regular Passports

passport-card-frame.jpgThe Washington Times reports that the State Department is going to be producing “passport cards” for people who regular travel by car or boat to/from Canada, Mexico and Carribean.

About the size of a credit card, the electronic-passport card displays a photo of the user and a radio frequency identification (RFID) chip containing data about the user. The State Department announced recently that it will begin producing the cards next month and issue the first ones in July.

That’s right RFID just like booklet style passports. Only it won’t be encrypted and it won’t be shielded. It will even be “vicinity” aka long range RFID, so the very intent is to read them from a distance. While the card isn’t supposed to have any personal information on it, it will link back to a database that does contain personal information. I for one don’t have a lot of confidence that that database can be kept properly secure.

Security specialists told The Washington Times that the electronic-passport card can be copied or altered easily by removing the photograph with solvent and replacing it with one from an unauthorized user.

And if that wasn’t bad enough only about 10% of border sites will actually have readers:

Kelly Klundt, a spokeswoman for U.S. Customs and Border Protection, said the deployment of passport card readers to the largest and busiest 39 border-entry points was intended to expedite travel. The more than 300 remaining points of entry without passport card scanners are in remote locations, and officials will visually inspect passport cards at those entry points, she said.

Joel Lisker, a former FBI agent who spent 18 years countering credit-card fraud at MasterCard, said the new cards pose a serious threat to U.S. security. “There really is no security with these cards,” he said.

So there you have it. Once again the government is engagins in security theater rather than actual security.
[Image from: http://www.uspasscard.com/]