Only one solution.
Present your ID card at the same time.
Obviously we need to rush out the ID cards now.
A consignment of 3,000 "useless" blank biometric passports has been stolen on its way to British embassies throughout the world. Or at least, the Identity & Passport Service says they're useless. IPS' claim is based on the standard, highly optimistic party line that, as the passports contain a chip, they can't be used to …
Given current governmental performance on data 'security', does anyone really believe that!
I'll bet they were in nice little cardboard boxes, clearly marked "Passports - UK - Blank"
"as the passports contain a chip, they can't be used to produce fake passports"
That'll be in the same way that 'as credit cards contain a chip, they can't be used to produce fake credit cards' then.
Fuckwits, the whole lot of them.
Perhaps if you're intending to travel with them.
But let's face it, travel is only one of the uses of a passport. After all, it's a guaranteed form of ID for many places, of which I would expect 99.9% do not have the technology used to verify a passport's legitimacy.
All it will take is a quick document edit of the passport, which can then be used as legitimate ID to obtain bank accounts, and other forms of legitimate ID which can then be used to obtain a REAL passport.
So Mr Hugh Jarse using his fake passport can indeed obtain a real passport....and travel out of the country, relatively undetected.
Why can't the powers that be show some responsi-fuckin-bility in matters like this!
The powers that be - government; civil servants; police etc - WORK FOR US.
They are supposed to serve us.
All they do is keep telling us lies and misleading us with half truths and misdirection!
When something like this takes place, surely they should act responsibly and notify us of the risks.
e.g. If a Rapist were on the loose somewhere, the police usually do the responsible thing and give a description of the rapist; where he was last seen; where he usually roams; timings of his attacks etc... However, on the matter of Identities, they just throw out bollocks to pacify everyone into a false sense of security - a bit like saying the rapist prowling the streets is actually rather harmless and is just misunderstood.
</rant>
No risk - because they are blank and we know the serials?
That's one of the real problems of border control. They are only concerned with borders. They don't even bother to take action against people with fake UK passports * as long as they were not used to get into the country *. And the criminals know that well. That's why a growing number of people use foreign passports to get 'visitor' access and then switch to fake UK passports to get jobs, accounts & money.
Because that chip is never going to be used by employers, banks etc (and if they did the diffusion of checking would in itself make it easily breakable) - then this shows up just how silly ID cards will be. Having a fake card will be a licence to obtain money. Banks learnt that the hard way. Do civil servants never learn.
That's one of the benefits of being a SysAdmin. You are reminded on an hourly basis of the unlimited ingenuity of people trying to break your system. And they will ...
They're blank, presumably awaiting the passport office doing what it needs to do to make them "real" and not blank. Sooo, there will be a process to do this . . . and we're meant to assume crims won't be able to duplicate a system built by the lowest bidder on a government contract.
Useless they may be, out of the box, but there's nothing stopping them becoming useful. Unlike our government.
"having a broken chip is likely to get you an extended interview at a UK border"
Er......I think not. I frequently have to change duff passport scanner/chip readers at a local airport between incoming flights. I've noticed when I'm waiting for the punters to clear Immigration that if the chip reader is u/s but the scanner works, then it's a wave through. I don't believe the scanned image goes through OCR.
> But let's face it, travel is only one of the uses of a passport. After all, it's a guaranteed form of ID for many places, of which I would expect 99.9% do not have the technology used to verify a passport's legitimacy.
I am surprised not many people picked up on this one. I thought the same when I first saw the article. After all, these blank passports *will* be blocked at the border. Even our inept government can do that.
However, go to the bank or steal someone's identity - that's where the real market for these things is. After all, who would question an authentic (!) British passport - we all know what it looks like, and their copy (or rather 3000 copies) is not a fake.
> Failing that, there's still tattooing barcodes on our foreheads
Don't worry ... that's coming
He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name.
– Rev. 13:16-17
:-)
How many USB sticks lost by the MOD? How many families' data for Child Benefit lost? How many laptops left in the back of cabs? I'll stop there.
And these people want to vote THEMSELVES a pay rise! On top of the several thousands of pounds they may claim in expenses! Eh, f*ck off!!!
ISO27k anyone?
The country is a joke! They tax us to the point of desperation and then p*ss the tax money up against the wall by claiming they're doing their job. We'd be better off with a group of South American meat packing glitterati in charge.
I hear Canada's looking for IT Pros.
Mine's the one with the fur hood...
"the Identity & Passport Service says they're useless"
Nice of them to finally admit it ;)
P.S. Please don't say things like "that's why we need ID cards"; we all know you're being sarcastic, unfortunately most civil servants and politicians probably aren't bright enough to realise it...
I believe that the chip on the passports is designed to work on much the same lines as the ones on credit cards (with some slight modifications).
The idea then is that the biometric data is held on the chip; then a system is used to read the biometric data and state if the two match or not.
A while ago, some credit cards were stolen and the software on the chips modified so that whatever pin number was input, it would return a "PIN Verified" message. It took less than a day for the modified cards to be out in the wild earning lots of money.
As far as I can see, the passports could be modified in pretty much the same way (slightly more complex, but not much). I'm hoping that whoever has them, intends to put the names of all the government ministers on them - wouldn't that be a hoot.
Hang on a tick. I'm a bit rusty on the passport specification but it's definitely digitally signed with a Home Office key, which have to be distributed to a Public Key directory, available to the ICAO and "member states", which is presumably anyone with an e-passport scheme themselves [1].
So although you can open a bank account, you'd be lucky to fly anywhere with this without some fairly serious questioning, no matter where you landed.
The real fun would begin if you managed to compromise one of the signing keys. They'd have to revoke it, which at a stroke would flag huge numbers of passports as potential forgeries. Cue mummy, daddy and little Timmy on their first trip to Disneyworld being hauled off to Gitmo instead.
[1] http://www.mrtd.icao.int/images/stories/Doc/ePassports/PKI_for_Machine_Readable_Travel_Documents_offering_ICC_read-only_access_v1.1.pdf
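The signature and revocation checks described in the comment above, as an added example that is not part of the original thread. A constructed toy RSA key (textbook RSA, no padding) stands in for the Home Office signing key, and `security_object`, `issue`, `verify` and the key id `DS-1` are hypothetical names, not the ICAO data formats.

```python
import hashlib

# Constructed toy key standing in for a passport Document Signer key.
# Textbook RSA without padding: fine for showing the checks, not for real use.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held by the issuer only

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def security_object(data_groups: dict) -> bytes:
    """Simplified stand-in for the signed list of per-data-group hashes."""
    return b"".join(f"{num}:{hashlib.sha256(val).hexdigest()};".encode()
                    for num, val in sorted(data_groups.items()))

def issue(data_groups: dict, key_id: str = "DS-1") -> dict:
    """Issuer side: hash every data group, then sign the list of hashes."""
    sod = security_object(data_groups)
    return {"dgs": dict(data_groups), "sod": sod,
            "key_id": key_id, "sig": pow(digest(sod), D, N)}

def verify(chip: dict, trusted_keys: dict, revoked: set) -> str:
    """Inspection side: only public keys and the revocation list are needed."""
    if chip["key_id"] in revoked:
        return "signer-revoked"
    if chip["key_id"] not in trusted_keys:
        return "unknown-signer"
    n, e = trusted_keys[chip["key_id"]]
    if pow(chip["sig"], e, n) != digest(chip["sod"]):
        return "bad-signature"
    if security_object(chip["dgs"]) != chip["sod"]:
        return "data-altered"
    return "ok"

TRUSTED = {"DS-1": (N, E)}                   # what a key directory would distribute
genuine = issue({1: b"P<GBRSAMPLE<<CONSTRUCTED", 2: b"constructed face image bytes"})

# Chip personalised without the issuer's private key: the signature is a guess.
unsigned = dict(genuine, sig=12345)
# Genuine chip whose stored data was changed after signing.
altered = dict(genuine, dgs={**genuine["dgs"], 2: b"different face image bytes"})

if __name__ == "__main__":
    for name, chip in [("genuine", genuine), ("unsigned", unsigned), ("altered", altered)]:
        print(name, verify(chip, TRUSTED, revoked=set()))
    print("genuine after revocation", verify(genuine, TRUSTED, revoked={"DS-1"}))
```

The last call shows the revocation effect the comment describes: once `DS-1` is on the revoked list, a chip that verified as genuine a moment earlier is rejected along with everything else that key signed.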
There are a couple of major problems with relying on the chip as the route to rescue from Yet Another Major League Cockup.
1. The passport itself. EU regulations (AFAIK) do not dictate shielding, which is jolly nice for anyone wanting to nick an electronic ID on remote. But the advantage is that you cannot guarantee the integrity of the chip either. I imagine anyone working in the field of wireless transmission has theirs zapped by the dish eventually. Or that's the excuse and you should stick to it.
2. Checking on issue. Is anyone aware of anyone checking that the chip actually works when it is issued?
3. Check on entry - readers are not that widespread, and confidence in those that have been placed is currently low. A chip that has seen a bit of microwaving won't work, and the protocol is then to switch back to normal checking.
"I believe that the chip on the passports is designed to work on much the same lines as the ones on credit cards (with some slight modifications)."
- You don't really have any idea how the chip on passports works, do you?
"A while ago, some credit cards were stolen and the software on the chips modified so that whatever pin number was input, it would return a "PIN Verified" message. It took less than a day for the modified cards to be out in the wild earning lots of money."
- Let's face it, you don't really know how banking transactions work.
"As far as I can see, the passports could be modified in pretty much the same way "
- You can't see very far either.
Actually #2 (modded credit card) would work in theory at least,
being stuck (hopefully temporarily) in retail due to everyone and his dog in the local area being made redundant,
I will vouch that many high street names don't do online checks of cards for low amount transactions and sometimes high amounts if the system isn't set up properly to connect to the correct card authoriser (yes, I have worked for companies who have had all manner of companies authorising cards for them depending on who is cheapest that week *rolls eyes*), and when the till can't make a connection to the authoriser the system falls back to "offline authorisation", which basically means the EPOS system assumes the card is valid, isn't stolen or maxed out and permits the transaction to happen. This means the store loses out if the card is nicked, but management don't care as it doesn't affect them really, neither do they care about the dubious worker who seems to be handling cards in an "odd manner" for fear of appearing racist, sexist or religiously discriminatory or again can't be bothered. *rolling eyes again*
Secondly any company who buys a till "solution" which is a poorly written VB app (yes it is very easy to tell from the window designs and the error messages that are regularly thrown) running on a poorly ventilated obsolete PC running Windows 2K, which caches the price data locally on an access database which usually hasn't been compacted in years and has horrendously poor table designs [therefore regularly crashes out or takes 10 mins to figure out 2 simple pieces of math] deserves to go bankrupt or be closed down for risking people's money and details. Who supplies crap like this....couldn't say....*Cough* VME Retail *cough* *cough*
AC as Head office are known to read online and I wouldn't put it past someone at VME to tip off someone either in retaliation.
"You don't really have any idea how the chip on passports works, do you"
If you know better, then please explain it - so far, I have heard 3 explanations from "experts" which all contradict each other.
"Let's face it, you don't really know how banking transactions work"
Do you work for a banking system? Have you actually seen how they process their data?
Surely the system would do something like, get pin, give pin to card get signature from card, verify signature?
To fake the card would then require knowledge of the secret key on the card, to verify the card would require a set of public keys for valid cards.
I doubt it's a give pin to card, card says ok, give customer wads of dosh model.
You had a nice little rant at Tony, so I can have a little rant at your good self.
I do work in the credit card industry, I work on EMV (chip and pin) systems and I write and design systems for the industry, so hopefully that removes any bullshit about whether I know what I'm talking about or not.
My knowledge is only based on Seccos type chips, so it might not work for all, but you can reasonably easily crack these credit card chips for offline use.
You need a lot of kit which is easily available, a lot of knowledge which isn't so hard to come by and a public key which can be obtained but is the hardest part.
With all this you should be able to make a chip which would pass at a petrol station or such place where they routinely do offline transactions.
If the transaction is done online then life gets a hell of a lot more difficult and you would be very, very lucky to get it to work, but of course it is not impossible which is why I have a job.
I have no idea about passports, but I would imagine they would use a very similar system and given that public sector workers don't get paid so much I'm sure an organised gang could find someone willing to leak the specifications and any public keys required.
Also, given the fact that the government are absolutely crap at databases and big centralised systems they probably have a fallback system for offline so it might just work.
Certainly where the government is concerned, never say never.
Mine's the one with the German flag so I don't have to worry about the shit English government any more.
No, more like give customers goods which could easily be sold online, fenced etc.
Certain EPOS systems will also allow cashback to the £50 max without going online if it can't connect to the authoriser.
Plus signatures aren't that hard to forge passably.
In my experience the ones to watch are those who sign *exactly* the same as what's on the card back, without any variances.
It comes down to the simple concept of you get what you pay for. Cheap EPOS = insecure and poorly implemented.
Compared to an expensive solution from NCR which I've used in the past, not as much eye candy but always did online checks even for trivial amounts, gave meaningful error messages and would at times do online checks on Norwegian, Swedish and even a Japanese credit card once.
(usually it just says swipe & signature for overseas cards due to incompatibility between systems, but some overseas cards do work with the UK chip and pin system, even if you do have to swipe them due to lack of chips)
[Also reversed situation: UK chip and pin cards can be online checked and pin verified in North America if they bother to process the card properly and don't just click "visa credit", otherwise it just goes through like pre chip and pin days here with the whole signing of names etc. I've only had it happen once though, in a retail outlet in Niagara Falls, Canada]
Go to http://www.rfidiot.org
You have to be an idiot to use insecure RF technology on something as important as passports.
Yep, it's like using your credit card on http (without the s)
Hacker could potentially read all your Passport/Creditcard info just by sitting on the same train carriage as you! (anything with RFID)
You do not need to plug it into anything, it's Radio Frequency ID....