New Travel Rules Amid Concerns over RFID-tagged Passport Cards
Card can be easily cloned, used for tracking purposes, critics say
By Jaikumar Vijayan, Computerworld
Underscoring such concerns, security researcher Chris Paget earlier this year demonstrated at a security conference how he had been able to clone RFID passport cards using a $250 card reader purchased off eBay. Paget posted a video of himself driving around San Francisco reading RFID tags from passports and other identity documents using the reader and antenna.
Paget's experiment was based on earlier research at the University of Washington and RSA Labs that showed how the publicly readable data on passport cards could be cloned after a single read.
The researchers also showed how the passport cards and RFID-tagged enhanced driver's licenses issued in Washington state could be read at a distance of up to 50 meters. Even credentials in wallets and in protective sleeves could be clandestinely read, but at much closer distances, the research showed.
With only days remaining for WHTI to go into full effect, none of these longstanding issues appear to have been addressed, said Ari Schwartz, a policy analyst at the CDT.
"Our concerns have not been answered. We still have the same concerns that we had," since plans to use RFID technology in passport cards were first announced, Schwartz said. It is a major concern that the same Electronic Product Code (EPC) tags used by retail establishments to track products are being used in identity credentials, with no additional security protections, he added.
David Williams, vice president of policy at Citizens Against Government Waste (CAGW), noted that "it will be interesting to see what kind of issues arise after June 1."
Like other organizations, CAGW has urged the government to reconsider the use of RFID-enabled passport cards and driver's licenses for identity verification at the border. "We are keeping our fingers crossed that we don't see stories coming out in the next six to 12 months" about security incidents involving passport cards, he said.
The State Department did not immediately respond to a request for comment. However, in the past, officials at the agency and at the U.S. Department of Homeland Security have said that concerns about the card reflect "an improper understanding" of the WHTI's business model.
The department also noted that the RFID tags will not carry any personal identifying information. Instead, the card stores a unique identifying number that can be used to access a cardholder's identifying information, which is stored separately on a secure Customs and Border Patrol system. It has also said that passport cards will be issued with special radio-opaque envelopes that help prevent unwanted scanning when travelers are carrying them.



