There has been a lot of coverage regarding the use of fake Irish passports by the team that assassinated a senior Hamas official, Mahmud al-Mabhouh, in Dubai last month. Details of how the passports were used, or what types they were, are still unavailable, and it is not yet clear whether the passports were of the old type or the new biometric passports that are said to be more secure.
I was interviewed about this topic by the Irish Daily Mail (unfortunately the article is not available online). The discussion focused on how fake passports could end up in the hands of criminals and/or terrorists. Last year I did a lot of research in this area and highlighted how easy it is now, thanks to the Internet and in particular social networks, to gather personal details on individuals and then steal their identity.
With the appropriate pieces of critical personal information it is then possible to get a copy of that person’s birth certificate and then, in turn, apply for a legitimate passport (or other forms of Government ID) using their identity but with the criminal’s photograph and/or biometrics. I have given various presentations based on this research, most recently at the December meeting of the IISF; the slides for that talk are available below.
However, there are other ways that the security measures in the new biometric passports can be circumvented. Adam Laurie has conducted a lot of research in this area and has been demonstrating these flaws for some time now. Recently this research was picked up by CNN and they ran a story on how Adam and a colleague managed to use a passport in the name of Elvis Presley to bypass passport security checks.
So there are a number of important lessons that we should take away from the two different approaches above:
Trust is key to security. This is true whether that is in real life or in the computer world. If ways are found to undermine that trust then security can be circumvented.
We do not control our identity; it is controlled by third parties. The only time we can unequivocally state that we are someone is while we are still attached to the umbilical cord at birth. Once that cord is cut we rely on third parties from then on to verify who we are.
Processes that were designed years ago for a different type of society can now be undermined by those who know the system and fool others into verifying that we are someone that we are not.
Technology by itself cannot be relied upon to provide security, as time and time again we see that anything made by man can be broken by man.
While this is not the first, and no doubt won’t be the last, time that criminals and terrorists have travelled using fake passports, let’s hope the powers that be will take heed of this warning shot and review the security measures around passports, be they technical or otherwise.