US border patrol hasn't validated e-passport data for years


Like other countries, the US began incorporating RFID chips into its passports in 2006. The chips, which store passport information including name, date of birth, passport number, photo, and biometric identifiers, enable machine-readable border controls like those now seen at an increasing number of airports. For authentication and to prevent counterfeiting and tampering, the chips also include a cryptographic signature (certificate) that authenticates the country issuing the passport. This certificate is supposed to be verified on each use; without that verification it provides no forgery protection. In a letter sent to US Customs and Border Protection, US senators Ron Wyden (D-OR) and Claire McCaskill (R-MO) complain that although the US demands that countries in the Visa Waiver programme include chips in their passports, it has not installed the software necessary to perform these authentication checks. The Department of Homeland Security and CBP have known about this problem since at least 2010, when the Government Accountability Office issued a report that explicitly said verification was not in place. It still takes technical skill to digitally alter the data on passport chips, as well as ability to alter the physical document to match, but it's common for people to trust what they see on their screens without double-checking. The cost to fix this exposure is likely a few million dollars.
Writer: Lily Hay Newman
Publication: Wired

Related learning resources