back to article Blank robbers swipe 3,000 'fraud-proof' UK passports

A consignment of 3,000 "useless" blank biometric passports has been stolen on its way to British embassies throughout the world. Or at least, the Identity & Passport Service says they're useless. IPS' claim is based on the standard, highly optimistic party line that, as the passports contain a chip, they can't be used to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Only one solution.

    Present your ID card at the same time.

    Obviously we need to rush out the ID cards now.

  2. Tawakalna

    I agree..

    ID cards now, it's the only way to be sure.

  3. Anonymous Coward
    Anonymous Coward

    RFID chips

    Please tell me they have unique id numbers burned in?

  4. dervheid
    Unhappy

    the Identity & Passport Service says they're useless.

    Given current governmental performance on data 'security', does anyone really believe that!

    I'll bet they were in nice little cardboard boxes, clearly marked "Passports - UK - Blank"

    "as the passports contain a chip, they can't be used to produce fake passports"

    That'll be in the same way that 'as credit cards contain a chip, they can't be used to produce fake credit cards' then.

    Fuckwits, the whole lot of them.

  5. Simon C

    Or at least, the Identity & Passport Service says they're useless.

    perhaps if your intending to travel with them.

    But lets face it travel is only one of the uses of a passport. After all its a guaranteed form of ID for many places, of which I would expect 99.9% do not have the technology used to verify a passports legitimacy.

    all it will take is a quick document edit of the passport, which can then be used as legitimate ID to obtain bank accounts, and other forms of legitimate ID which can then be used to obtain a REAL passport.

    So Mr Hugh Jarse using his fake passport can indeed obtain a real passport....and travel out of the country, relatively undetected.

  6. Anonymous Coward
    Pirate

    3000 attempts

    They might be 'useless' without the coded chip, but now they've got 3000 to try out there new oyster-hacked jury-rigged system to get it right and start making coded passports!

    Even I can get something right given 3000 attempts!!

    AC Cause the boss is watching.

  7. Anonymous Coward
    Alert

    @JonB

    yeah until the ID card van driver goes for a ciggy.

    then its biometric for all..

  8. Anonymous Coward
    Pirate

    WTF?!?!

    Why can't the powers that be show some responsi-fuckin-bility in matters like this!

    The powers that be - government; civil servants; police etc - WORK FOR US.

    They are supposed to server us.

    All they do is keep telling us lies and misleading us with half truths and misdirection!

    When something like this takes place, surely they should act responsibly and notify us of the risks.

    e.g. If a Rapist were on the loose somewhere, the police usually do the responsible thing and give a description of the rapist; where he was last seen; where he usually roams; timings of his attacks etc... However, on the matter of Identities, they just throw out bollocks to pacify everyone into a false sence of security - a bit like saying the rapist prowling the streets is actually rather harmless and is just misunderstood.

    </rant>

  9. Stuart
    Unhappy

    Do they really think we are that stupid?

    No risk - because they are blank and we know the serias?

    That's one of the real problems of border control. They are only concerned with borders. They don't even bother to take action against people with fake UK passports * as long as they were not used to get into the country *. And the criminals know that well. That's why a growing number of people use foriegn passports to get 'visitor' access and then switch to fake UK passports to get jobs, accounts & money.

    Because that chip is never going to be used by employers, banks etc (and if they did the diffusion of checking would in itself make it easily breakable) - then this shows up just how silly ID cards will be. Having a fake card will be a licence to obtain money. Banks learnt that the hard way. Do civil servants never learn.

    That's one of the benefits of being a SysAdmin. You are reminded on an hourly basis of the unlimited ingenuity of people trying to break your system. And they will ...

  10. Anonymous Coward
    Happy

    Re: @JonB

    Failing that, there's still tattooing barcodes on our foreheads.

    It's a jolly vision of the future where technology has solved everything.

  11. Joe

    Enter personal details here...

    How do you get the info on the chip then? Do you just plug it into something or what?

  12. EvilGav

    Erm

    They're blank, presumably awaiting the passport office doing what it needs to do to make them "real" and not blank. Sooo, there will be a process to do this . . . and we're meant to assume crim's wont be able to duplicate a system built by the lowest bidder on a government contract.

    Uesless they may be, out of the box, but theres nothing stopping them becoming useful. Unlike our government.

  13. Anonymous Coward
    Anonymous Coward

    Extended interview

    "having a broken chip is likely to get you an extended interview at a UK border"

    Er......I think not. I frequently have to change duff passport scanner/chip readers at a local airport between incoming flights. I've noticed when I'm waiting for the punters to clear Immigration that if the chip reader is u/s but the scanner works, then its a wave through. I don't believe the scanned image goes through OCR.

  14. Anonymous Coward
    Paris Hilton

    They're useless because they have a chip on them?

    Just like all those missing laptops are secure because they are password protected? That's alright then. 100% secure.

    Paris, because even she wouldn't believe that crock.

  15. Angus Wood
    Flame

    Not useless at all!

    You'd cheerfuly travel from Algeria to Spain, for example, using one of those.

  16. M A Walters

    Re Simon C

    > But lets face it travel is only one of the uses of a passport. After all its a guaranteed form of ID for many places, of which I would expect 99.9% do not have the technology used to verify a passports legitimacy.

    I am surprised not many people picked up on this one. I thought the same when I first saw the article. After all, these blank passports *will* be blocked at the border. Even our inept government can do that.

    However, go to the bank or steal someone's identity - that's where the real market for these things is. After all, who would question an authentic (!) British passport - we all know how it looks like, and their copy (or rather 3000 copies) is not a fake.

  17. Anonymous Coward
    Anonymous Coward

    @JonB

    > Failing that, there's still tattooing barcodes on our foreheads

    Don't worry ... that's coming

    He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name.

    – Rev. 13:16-17

    :-)

  18. Duncan Robertson
    Coat

    Surprised? Em, no...

    How many USB sticks lost by the MOD? How many families data for Child Benefit lost? How many laptops left in the back of cabs? I'll stop there.

    And these people want to vote THEMSELVES a pay rise! On top of the several thousands of pounds they may claim in expenses! Eh, f*ck off!!!

    ISO27k anyone?

    The country is a joke! They tax us to the point of desperation and then p*ss the tax money up against the wall by claiming they're doing their job. We'd be better off with a group of South American meat packing glitterati in charge.

    I hear Canada's looking for IT Pro's.

    Mine's the one with the fur hood...

  19. Anonymous Coward
    Coat

    I don't believe it!

    Would have been better to be send these out using carrier pigeon... at lease they don't need passports to cross borders.

    Mines the one with the RFID in the lapel.

  20. Victor Meldrew
    Coat

    I don't believe it!

    Would have been better to be send these out using carrier pigeon... at lease they don't need passports to cross borders.

    Mines the one with the RFID in the lapel.

  21. Tim

    ebay?

    I was wondering how long it'd be before some wag put one up on ebay with Gordon's piccie in it, then I heard these go for £1700 each on the black market, so I'm off to buy a stocking mask and stripey jumper instead.

  22. Anonymous Coward
    Anonymous Coward

    >Rev. 13:16-17

    Brilliant, I hadn't thought of tying it into credit cards.

    Just goes to show the bible isn't all bollocks.

  23. AC
    Joke

    "the Identity & Passport Service says they're useless"

    Yup, I think we can all agree on that.

    the IPS are indeed completely useless.

  24. Anonymous Coward
    Happy

    They're not usually so honest

    "the Identity & Passport Service says they're useless"

    Nice of them to finally admit it ;)

    P.S. Please don't say things like "that's why we need ID cards"; we all know you're being sarcastic, unfortunately most civil servants and politicians probably aren't bright enough to realise it...

  25. Tony

    Chips with everything

    I believe that the chip on the passports is designed to work on much the same lines as the ones on credit cards (with some slight modifications).

    The idea then is that the biometric data is held on the chip; then a system is used to read the biometric data and state if the two match or not.

    A while ago, some credit cards were stolen and the software on the chips modified so that whatever pin number was input, it would return a "PIN Verified" message. It took less than a day for the modified cards to be out in the wild earning lots of money.

    As far as I can see, the passports could be modified in pretty much the same way (slightly more complex, but not much). I'm hoping that whoever has them, intends to put the names of all the government ministers on them - wouldn't that be a hoot.

  26. EmperorFromage
    Boffin

    No digital signature ?

    A digital signature would easily prevent counterfeiting the data on the chip.

    Cloning is another matter though...

  27. Anonymous Cowherd Silver badge
    Stop

    Digitally Signed

    Hang on a tick. I'm a bit rusty on the passport specification but it's definitely digitally signed with a Home Office key, which have to be distributed to a Public Key directory, available to the ICAO and "member states", which is presumably anyone with an e-passport scheme themselves [1].

    So although you can open a bank account, you'd be lucky to fly anywhere with this without some fairly serious questioning, no matter where you landed.

    The real fun would begin if you managed to compromise one of the signing keys. They'd have to revoke it, which at a stroke would flag huge numbers of passports as potential forgeries. Cue mummy, daddy and little Timmy on their first trip to Disneyworld being hauled off to Gitmo instead.

    [1] http://www.mrtd.icao.int/images/stories/Doc/ePassports/PKI_for_Machine_Readable_Travel_Documents_offering_ICC_read-only_access_v1.1.pdf

  28. Anonymous Coward
    Anonymous Coward

    Nah - the chip is useless, for now

    There are a couple of major problems with relying on the chip as the route to rescue from Yet Another Major League Cockup.

    1. The passport itself. EU regulations (AFAIK) do not dictate shielding, which is jolly nice for anyone wanting to nick an electronic ID on remote. But the advantage is that you cannot guarantee the integrity of the chip either. I imagine anyone working in the field of wireless transmission have theirs zapped by the dish eventually. Or that's the excuse and you should stick to it.

    2. Checking on issue. Is anyone aware of anyone checking that the chip actually works when it is issued?

    3. Check on entry - readers are not that widespread, and confidence in those that have been placed is currently low. A chip that has seen a bit of microwaving won't work, and the protocol is than to switch back to normal checking.

  29. Boring Bob

    For Tony

    "I believe that the chip on the passports is designed to work on much the same lines as the ones on credit cards (with some slight modifications)."

    - You don't really have any idea how the chip on passports work, do you?

    "A while ago, some credit cards were stolen and the software on the chips modified so that whatever pin number was input, it would return a "PIN Verified" message. It took less than a day for the modified cards to be out in the wild earning lots of money."

    - Lets face it, you don't really know how banking transactions work.

    "As far as I can see, the passports could be modified in pretty much the same way "

    - You can't see very far either.

  30. Jeremy
    Happy

    Re: Chips with everything

    Hang on a mo... You think that the pin authorization takes place 'inside' the chip?

    Dude, you gotta stop believing those emails you get from your technophobic auntie with "FW: FW: FW: FW: FW: FW: Send this to everyone you know!!!!!1!" in the subject line...

  31. Charles Smith
    Jobs Horns

    Money Laundering

    The Banks use the passport to help check the identity of people opening accounts.

    "Thank you Mr Daz your passport looks in order. Nice and new isn't it. Ah you want to deposit $15,000,000 in used notes no problem Sir."

  32. Anonymous John

    "Stolen UK passports worth £2.5m"

    So whose brainfart was it to tell us that?

    Until then, the thieves probably thought they had screwed up when they opened the boxes only to find blank passports.

  33. Anonymous Coward
    Flame

    @Boring Bob

    Actually #2 (modded credit card) would work in theory at least,

    being stuck (hopefully temporarily) in retail due to everyone and his dog in the local area being made redundant,

    I will vouch that many high street names dont do online checks of cards for low amount transactions and sometimes high amounts if the system isnt set-up properly to connect to the correct card authoriser (yes I have worked for companies who have had all manner of companies authorising cards for them depending on who is cheapest that week *rolls eyes*, and when the till can't make a connection to the authoriser the system falls back to "offline authorisation" which basically means the EPOS system assumes the card is valid, isnt stolen or maxed out and permits the transaction to happen. This means the store loses out if the card is nicked, but management dont care as it doesnt affect them really, neither do they care about the dubious worker who seems to be handling cards in an "odd manner" for fear of appearing racist, sexist or religiously discriminatory or again cant be bothered. *rolling eyes again*

    Secondly any company who buys a till "solution" which is a poorly written VB app (yes it is very easy to tell from the window designs and the error messages that are regularly thrown) running on a poorly ventilated obsolete PC running Windows 2K, which caches the price data locally on an access database which usually hasnt been compacted in years and has horrendously poor table designs [therefore regularly crashes out or takes 10 mins to figure out 2 simple pieces of math] deserves to go bankrupt or be closed down for risking peoples money and details. Who supplies crap like this....couldnt say....*Cough* VME Retail *cough* *cough*

    AC as Head office are known to read online and I wouldnt put it past someone at VME to tip off someone either in retaliation.

  34. Tony

    @ Boring Bob

    "You don't really have any idea how the chip on passports work, do you"

    If you know better, then please explain it - so far, I have heard 3 explanations from "experts" which all contradict each other.

    "Lets face it, you don't really know how banking transactions work"

    Do you work for a banking system? Have you actually seen how they process their data?

  35. Mister Cheese
    Stop

    Why not...

    ...just publish the serial-numbers of the nicked passports? Or is that too obvious?

  36. Anonymous Coward
    Anonymous Coward

    Offline verification.

    Surely the system would do something like, get pin, give pin to card get signature from card, verify signature?

    To fake the card would then require knowledge of the secret key on the card, to verify the card would require a set of public keys for valid cards.

    I doubt it's a give pin to card, card says ok, give customer wads of dosh model.

  37. Bob
    Coat

    @Boring Bob

    You had a nice little rant at Tony, so I can have a little rant at your good self.

    I do work in the credit card industry, I work on EMV (chip and pin) systems and I write and design systems for the industry, so hopefully that removes any bullshit about whether I know what I'm talking about or not.

    My knowledge is only based on Seccos type chips, so it might not work for all, but you can reasonably easily crack these credit card chips for offline use.

    You need a lot of kit which is easily available, a lot of knowledge which isn't so hard to come by and a public key which can be obtained but is the hardest part.

    With all this you should be able to make a chip which would pass at a petrol station or such place where they routinely do offline transactions.

    If the transaction is done online then life gets a hell of a lot more difficult and you would be very, very lucky to get it to work, but of course it is not impossible which is why I have a job.

    I have no idea about passports, but I would imagine they would use a very similar system and given that public sector workers don't get paid so much I'm sure an organised gang could find someone willing to leak the specifications and any public keys required.

    Also, given the fact that the government are absolutely crap at databases and big centralised systems they probably have a fallback system for offline so it might just work.

    Certainly where the government is concerned, never say never.

    Mines the one with the German flag so I don't have to worry about the shit English government any more.

  38. Anonymous Coward
    Anonymous Coward

    Offline verification

    no more like give customers goods which could easily be sold online, fenced etc

    Certain EPOS systems will allow cashback also to the £50 max without going online if it cant connect to the authoriser.

    Plus signatures arent that hard to forge passably

    In my experience the ones to watch are those who sign *exactly* the same as whats on the card back, without any variances.

    It comes down to the simple concept of you get what you pay for. Cheap EPOS = insecure and poorly implemented.

    Compared to an expensive solution from NCR which I've used in the past, not as much eye candy but always did online checks even for trivial amounts, gave meaningful error messages and would at times do online checks on norwegian, swedish and even a japanese credit card once.

    (usually it just says swipe & signature for overseas cards due to incompatibility between systems, but some overseas cards do work with the UK chip and pin system, even you do have to swipe them due to lack of chips)

    [Also reversed situation uk chip and pin cards can be online checked and pin verified in north america if they bother to process the card properly and dont just click "visa credit" otherwise it just goes through like pre chip and pin days here with the whole signing of names etc. I've only had it happen once though in a retail outlet in Niagara Falls, Canada]

  39. vahid
    Thumb Down

    @ joe

    goto http://www.rfidiot.org

    You have to be an idiot to use insecure RF technology on something as important as passports.

    Yep its like using your credit card on http (without the s)

    Hacker could potentialy read all your Passport/Creditcard info just by sitting on the same train carriage as you ! (anything with RFID)

    You do not need to plug it into anything its Radio Frequency ID....

  40. heystoopid
    Black Helicopters

    Now

    Now why would MI5 want with 3000 hot passports , what big sting are they pulling this time around ?

This topic is closed for new posts.