CBP’s fake passports problem

US can’t authenticate fake passports with e-chips

fake passports

Since 2007, the U.S. Department of State has issued only e-passports, the ones with the smart chip in them. They were introduced to enhance passport security by stopping fake passports. Also in 2007, the State Department began to require citizens of the countries in the U.S. visa waiver program to have an e-passport from their country.

Unfortunately, more than a decade later, U.S. Customs and Border Protection (CBP) still doesn’t have the ability to electronically authenticate the information in any e-passport smart chip, even the chips in U.S. passports.

As the U.S. Department of Homeland Security (DHS) indicates, the RFID (Radio Frequency Identification) smart chip in a U.S. e-passport holds the same information that is printed on its biographic information page. It includes the passport holder’s name, date of birth, place of birth, nationality, passport number, etc. The chip also contains anti-fake-passport cryptographic information to verify its authenticity.

The point of requiring all U.S. citizens and foreign nationals from countries participating in the U.S. visa waiver program to have an e-passport is to secure U.S. borders by making fake passports extremely difficult.

Fake passports are being used by terrorists. It’s known that at least two of the November, 2015, terrorists who attacked Paris reentered Europe from Syria posing as refugees, using fake Syrian travel documents.

The continued inability of CBP to verify the integrity of the information on the smart chip in an e-passport came to light in a letter sent to Kevin K. MacAleenan, the Acting Commissioner of CBP, from Senators Claire McCaskill (D-MO) and Ron Wyden (D-OR). In their letter, the senators request Commissioner McAlleenan to act immediately to rectify the fake passport situation.

Click here to subscribeThe Trump Administration has made it a major goal to secure U.S. borders. They plan to spend billions of dollars on a border wall that, according to a poll by the highly respected Quinnipiac University, Americans oppose by a margin of 65 to 33 percent, but so far they aren’t planning on spending far, far less to give CBP the real border security that would come by being able to spot fake passports.

We know that’s the case because when examining the DHS Inspector General’s list of Ongoing Projects, there is no project listing for oversight of an e-passport smart chip software verification development program.

What makes the lack of a project even harder to understand is that in 2010, during the Obama Administration, the U.S. Government Accountability Office (GAO) issued a report, Border Security, Better Usage of Electronic Passport Security Features Could Improve Fraud Detection, about this fake passport problem.

In the report, the GAO noted at that time,

“DHS does not have the capability to fully verify the digital signatures because it … has not implemented the system functionality necessary to perform the verification.”

Eight years later, DHS has not only not yet provided the functionality that would permit CBP to verify e-passport smart chip information electronically to determine if the passport was hacked and therefore a forgery, it isn’t actively pursuing the upgrade.

To be fair, CBP does do some data checking at the border. When a traveler presents an e-passport at the border, CBP reads the data on the smart chip and compares it with the information on the biographic page of the passport. According to CBP, agents also verify that the chip hasn’t been tampered with.

The problem with current CBP data checking is that it can’t detect fake passports on which the data on the chip and the information on the biographic page match. Even verifying that the chip hasn’t been physically tampered with is of little or no use. Hackers don’t physically manipulate RFID smart chips to alter the data on them.

It’s no secret that for years skilled forgers could alter the photograph and printed data on passports. It’s also no secret that a skilled hacker can connect to an RFID chip wirelessly and alter its data. Once altered by skilled forgers, it’s very hard for a CBP officer to detect the forgery in the short time they interview the passport holder at the border.

The point of having the smart chip was that through the use of the cryptographic information in the chip, the CBP officer could immediately know whether or not the passport was a forgery.

Without the software in the passport scanners at the U.S. border to verify the passport smart chip, called for by Senators McCaskill and Wyden, CBP officers aren’t able to verify the validity of passports today any better than they could before e-passports existed.

It’s time for the Trump Administration to get serious about border security. It’s time for Acting Commissioner MacAleenan to get the software written and the passport scanners at CBP updated to properly scan e-passports to protect U.S. borders. There can be no excuse for the Trump Administration not to act on this vital border security improvement immediately.