Custom Search

July 13, 2009

ID cards another potential source of information for identity thieves

New identity theft news - Interesting article about yet another way for an identity thief to steal your identity.

"With only a Matrics antenna and a Motorola reader purchased on eBay for $190, Chris Paget drove around San Francisco with the goal of locating the identity cards of strangers, wirelessly.
According to an Associated Press report, it only took him 20 minutes to achieve his goal.

He was able to download the serial numbers of two pedestrians' electronic U.S. passport cards encoded with radio frequency identification, or RFID. In only one hour, he'd 'skimmed' four additional microchipped PASS cards from 20 feet.

More and more, government officials are endorsing the chipping of documents as technology that will speed up border crossings, protect against counterfeiters, and will stop terrorists from getting into the country. Paget's experiment has revealed what privacy advocates have worried about for years: RFID and other technologies can cause people to be traceable without their awareness.

RFID has the capability of making everybody pop up on someone's radar screen.

On June 1, it became a rule that Americans coming into the US by land or sea from Canada, Mexico, Bermuda and the Caribbean had to have identity documents with RFID tags, although regular passports are valid until expiration.

Amid new options is the 'e-passport' and the PASS card, a credit card sized gadget with a digital photograph and a chip that can be scanned from 30 feet.

The point of RFID is not to detect people, said Mary Ellen Callahan, the chief privacy officer at Homeland Security, to AP News, but 'to verify that the identification document holds valid information about you.'

An RFID document 'only makes it easier to pull the right record fast enough, to make sure that the border flows, and is operational' - even though a 2005 Government Accountability Office report noted that RFID readers often did not sense travelers' tags.

Neville Pattinson, vice president for government affairs at Gemalto, Inc., a supplier of the microchipped cards, has concerns about the RFID movement. In a 2007 newsletter for privacy professionals, Pattinson noted that the chipped cards were susceptible 'to attacks from hackers, identity thieves and possibly even terrorists.'

RFID, he stated, has an inherent flaw: Every chip faithfully transmits its identifier 'in the clear, exposing the tag number to interception during the wireless communication.'

Once a tag number is located, 'it is relatively easy to directly associate it with an individual,' he says. 'If this is done, then it is possible to make an entire set of movements posing as somebody else without that person's knowledge.'

In the mean time, Homeland Security has been encouraging the overall use of RFID, even though its own advisory committee on data integrity had concerns. In its 2006 draft report, the committee came to the conclusion that RFID 'increases risks to personal privacy and security, with no commensurate benefit for performance or national security,' and recommended 'RFID be disfavored for identifying and tracking human beings.'

For now, PASS cards and driver's licenses are not being widely used across the US. Only 192,000 EDLs exist in Washington, Vermont, Michigan and New York.

As more Americans acquire them 'you can bet that long-range tracking of people on a large scale will rise exponentially,' says Paget, a self-proclaimed 'ethical hacker' who is an Internet security consultant.

Gigi Zenk, a spokeswoman for the Washington state Department of Licensing, insists that Americans 'aren't that concerned about the RFID' in a time when 'tracking an individual is much easier through a cell phone.'

After Sept. 11, the State Department proposed that Americans and foreign visitors have 'enhanced' passports, with microchips hidden in the covers.

In February 2005, when the State Department reviewed public opinion over the hot topic, 98.5% of opinion was negative, and 86% of people had privacy concerns.

Identity theft and 'fears that the U.S. Government or other governments would use the chip to track and censor, intimidate or otherwise control or harm them' were of "grave concern,' they stated. Lots of Americans worried 'that the information could be read at distances in excess of 10 feet.'

According to department records, a debate about security concerns with the e-passport started in January 2003, but tests were not conducted until the department faced public criticism two years later.

When the AP inquired about when the testing started, the State Department said only that 'a battery of durability and electromagnetic tests were performed' by the National Institute of Standards and Technology, and tests 'to measure the ability of data on electronic passports to be surreptitiously skimmed or for communications with the chip reader to be eavesdropped,' testing which 'led to additional privacy controls being placed on U.S. electronic passports ... '

The State Department, according to its own records acquired under Freedom of Information Act, knew about the hacking concerns before the e-passport debuted in August 2006.

'Do not claim that these chips can only be read at a distance of 4 inches,' Frank Moss, deputy assistant Secretary of State for passport services, wrote in an April 22, 2005, e-mail to Randy Vanderhoof, director of the Smart Card Alliance. 'That really has been proven to be wrong.'

The RFIDs in driver's licenses and PASS cards have a silicon chip connected to a wire antenna, which puts out an identifier through radio waves when 'awakened' by an electromagnetic reader.

The government insists that the ID cards only transmit RFID numbers, which go back to records in safe government databases. Although a hacker could copy an RFID number onto a blank tag for a fake ID, the forger's face would not match the cardholder's photo in the database.
Critics feel that RFID-tagged identities will only help identity thieves in committing 'contactless' crimes."

The article can be found at

No comments:

Post a Comment