Friday, November 24, 2006
Identity theft
Although I am an avid user of and enthusiast for new technology, I am by no means blind to its drawbacks. This article in the Guardian about identity theft is therefore very disturbing, so much so that it is worth quoting extensively:
Six months ago, with the help of a rather scary computer expert, I deconstructed the life of an airline passenger simply by using information garnered from a boarding-pass stub he had thrown into a dustbin on the Heathrow Express. By using his British Airways frequent-flyer number and buying a ticket in his name on the airline's website, we were able to access his personal data, passport number, date of birth and nationality. Based on this information, using publicly available databases, we found out where he lived, his profession, all his academic qualifications and even how much his house was worth.
It would have been only a short hop to stealing his identity, committing fraud in his name and generally ruining his life.
Great news then, we thought, that the UK had just begun to issue new, ultra-secure passports, incorporating tiny microchips to store the holder's details and a digital description of their physical features (known in the jargon as biometrics). These, the argument went, would make identity theft much more difficult and pave the way for the government's proposed ID cards in 2008 or 2009.
Today, some three million such passports have been issued, and they don't look so secure. I am sitting with my scary computer man and we have just sucked out all the supposedly secure data and biometric information from three new passports and displayed it all on a laptop computer.
The UK Identity and Passport Service website says the new documents are protected by "an advanced digital encryption technique". So how come we have the information? What could criminals or terrorists do with it? And what could it mean for the passports and the ID cards that are meant to follow?
It is not just information that is at stake. It would be possible to forge even these passports:
Several months ago, Lukas Grunwald, founder of DN-Systems Enterprise Solutions in Germany, conducted a similar attack to ours on a German biometric passport and succeeded in cloning its RFID chip. He believes unscrupulous criminals or terrorists would find this technology very useful.
"If you can read the chip, then you can clone it," he says. "You could use this to clone a passport that would exploit the system to illegally enter another country." (We did not clone any of our passport chips on the assumption that to do so would be illegal.)
Grunwald adds: "The problems could get worse when they put fingerprint biometrics on to the passports. There are established ways of making forged fingerprints. In the future, the authorities would like to have automated border controls, and such forged fingerprints [stuck on to fingers] would probably fool them."
But what about facial recognition systems (your biometric passport contains precise measurements of key points on your face and head)? "Yes," says Grunwald, "but they are not yet in operation at airports and the technology throws up between 20 and 25% false negatives or false positives. It isn't reliable."
Neither is the human eye, according to research conducted by a team of psychologists from the University of Westminster in 1996. Remember, information - such as a new picture - cannot be added to a cloned chip, so anyone using it to make a counterfeit passport would have to use one that bore a reasonable resemblance to themselves.
But during Westminster University's study, which examined whether putting people's images on credit cards might reduce fraud, supermarket staff drafted in for tests had great difficulty matching faces to pictures. The conclusion was that pictures would not improve security and they were never introduced on credit cards. This means that each time you hand over your passport at, say, a hotel reception or car-rental office abroad to be "photocopied", it could be cloned with equipment like ours. This could have been done with an old passport, but since the new biometric passports are supposed to be secure they are more likely to be accepted without question at borders.
Given the results of the Westminster study, if a terrorist bore a slight resemblance to you - and grew a beard, perhaps - he would have a good chance of getting through a border. Because his chip is cloned, with the necessary digital signatures, and because you have not reported your passport stolen - you still have it! - his machine-readable travel document will get him wherever he wants to go, using your identity.
The rather scary thing about this experiment is that once ID cards are introduced, the potential to do the same thing increases exponentially. This undermines yet further Government claims for ID cards, particularly concerning terrorism, as the article makes clear:
The problems we have identified with RFID chips in passports raise all sorts of questions about the UK's proposed ID card scheme, which will use the same technology. The government has not said exactly what will be contained in the ID card's chip, but there will be a National Identity Register that could contain around 50 pieces of information about you, ranging from your name, age, and all your addresses, to your national insurance number and biometric details. Eventually, you may need one to access healthcare. It could even replace the passport.
Already, then, criminals and terrorists will have identified just how useful cloned ID cards might be. It would be folly to think their best minds are not on the case.
The Home Office insists that UK passports are secure and among the best in the world, but not everyone agrees. Last week, an EU-funded body entitled the Future of Identity in the Information Society (Fidis) issued a declaration on machine-readable travel documents such as RFID-chipped passports and ID cards. It said the technology was "poorly conceived" and added: "European governments have effectively forced citizens to adopt new ... documents which dramatically decrease their security and privacy and increase risk of identity theft."
The government is now facing demands from the Liberal Democrats and anti-ID card groups for a recall of the passports so that simple devices such as foil covers can be installed - at enormous cost. Such covers would at least stop chips being scanned remotely, though they wouldn't prevent an unscrupulous hotel receptionist from opening the passport and sucking out its contents the way we did.
It may be that at some point in the future the government will accept that putting RFID chips in to passports is ill-conceived and unnecessary. Until then, the only people likely to embrace this kind of technology are those with mischief in mind.
It seems that biometric passports and ID cards are not so much a solution as another opportunity for criminals and terrorists.
Comments:
Warning: You've triggered a pet peeve of mine here ;)
It is Identity Fraud not Identity Theft.
It is termed theft by those who wish to shift the consequences of their lapses of security onto you.
Banks are responsible for the money you have deposited with them. If someone claims to be you and withdraws money, the bank is liable and the bank has been defrauded, not you. The bank should be responsible in this case, but they seek to shift responsibility onto the customer (this is why they moved to Chip and Pin, they can now claim it must have been you or you wrote down your pin, shifting responsibility onto you - before a signature could be verified as being yours).
To treat identity as something which can be stolen is playing into the hands of the government who wish to declare our identities their property with the National Identity Register and the like.
It is disturbing that your privacy is so easily violated, but that is invasion of privacy not identity theft. Fraud committed using that information is fraud, not theft of identity. Pretending to be you using that information is impersonation and fraud, not theft.
I think this is an important distinction to make, to combat the government's authoritarianism and to protect consumer rights.
You can be traced by your Tesco purchases and if you think that GPS is a one-way system then think again. Theft, fraud, piracy - who cares. You can be arrested to further a police investigation and held on suspicion for longer than you can in some countries which we condescendingly describe as third world. At the end of the day, it is about control at corporate and state. The fact that we can seldom tell the difference is the most terrifying part.