Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Data Storage Government News Technology

Cruising Fisherman's Wharf For New Passports' Serial Numbers 276

schwit1 writes "Fox News has an AP story on a hacker in San Francisco driving around and needing as little as 20 minutes to be successful in acquiring a passport number: 'Zipping past Fisherman's Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians' electronic US passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he'd "skimmed" the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet. ... Meanwhile, Homeland Security has been promoting broad use of RFID even though its own advisory committee on data integrity and privacy warned that radio-tagged IDs have the potential to allow "widespread surveillance of individuals" without their knowledge or consent.'"
This discussion has been archived. No new comments can be posted.

Cruising Fisherman's Wharf For New Passports' Serial Numbers

Comments Filter:
  • Security (Score:5, Insightful)

    by tsa ( 15680 ) on Sunday July 12, 2009 @07:04AM (#28666667) Homepage

    It's strange that politicians and other managers seem to have a totally different idea of the meaning of the word 'security' than other people.

    • Re:Security (Score:5, Insightful)

      by innerweb ( 721995 ) on Sunday July 12, 2009 @07:19AM (#28666731)

      What the heck do you think they intended the RIFD passports for? They are meant to be used to track people. They are working as intended.

      InnerWeb

      • tracking (Score:4, Insightful)

        by TheSHAD0W ( 258774 ) on Sunday July 12, 2009 @09:04AM (#28667079) Homepage

        Yeah, and I'm less concerned about passports being counterfeited than I am about people carrying US passports in other countries being targeted for mugging. Those passports are valuable, you know.

      • Are you required to carry your passport with you even when you aren't crossing the border (including international travel at airports)? If not, wouldn't the tracking only show that you're always in your bedroom? And if so, I think that may be a somewhat bigger problem.
        • by Hadlock ( 143607 )

          Not in the US. I'm not sure how that is handled in other countries though. I know a lot of international students in the US voluntarily surrender their passport to the dean's office, which will hold them in a secure place, since students tend to lose important documents like that easily. I've taken more than a few couch surfers out drinking only to realize their government issued ID is in Lousiana, California, or D.C. due to this.

        • by HiThere ( 15173 )

          In many countries, yes, you are required to carry your passport. The US may be one of those countries. (N.B.: Just because you can substitute some other form of ID, e.g. driver's license, doesn't mean that a non-resident can do the same.)

      • Re: (Score:2, Funny)

        by beckett ( 27524 )

        i'm just surprised Americans have passports at all.

    • Re:Security (Score:4, Insightful)

      by Hurricane78 ( 562437 ) <deleted@slash[ ].org ['dot' in gap]> on Sunday July 12, 2009 @08:37AM (#28666977)

      You act as if they were interested in your security at all.
      Which just shows how effective their strong twisted reality is. It even affects you to the point where you believe they would be acting ouf of the interest of the people. :)

      Don't worry, we all fell for it. As long as we learn from it, that is ok. :)

      • by tsa ( 15680 )

        You forget that they themselves will be just as trackable. As a politician I would be very worried about that. For some reason though, they seem to not care, which I find weird. So either they really don't care, or they just have not clue. What do you think it is? ;)

        • You forget that they themselves will be just as trackable. As a politician I would be very worried about that.

          Politicians should be more trackable than citizens. Politicians are supposed to work for, and be accountable to, citizens not the other way around.

          So either they really don't care, or they just have not clue. What do you think it is? ;)

          Both I bet. Some probably don't know what uses can be made of with IDs and passports with embedded chips. And some of those who do probably think they're immune.

    • Re:Security (Score:4, Funny)

      by kamapuaa ( 555446 ) on Sunday July 12, 2009 @11:12AM (#28667859) Homepage
      I think it's even stranger that Slashdot has a totally different idea of the meaning of "cruising Fisherman's Wharf" than I do. My version has more sailors involved.
  • by vrmlguy ( 120854 ) <samwyse@NOSPAm.gmail.com> on Sunday July 12, 2009 @07:09AM (#28666685) Homepage Journal

    You just need to buy an RFID shield [rfid-shield.com] for your passport and you can put your mind at ease. Unless, of course, you want to worry about how they don't work [youtube.com].

    • Or you could, you know, stick the thing in the microwave for ten seconds.

      Enough to zap the chip, not enough to toast the paperwork.

      Done and done, job well done.
      • by camperdave ( 969942 ) on Sunday July 12, 2009 @07:41AM (#28666803) Journal
        Or you could, you know, stick the thing in the microwave for ten seconds. Enough to zap the chip, not enough to toast the paperwork.

        Good luck trying to cross the border with your "forged" passport.
      • Re: (Score:3, Funny)

        by aclarke ( 307017 )
        I'm Canadian and went to renew my passport on Friday. My existing passport was still valid for a couple more weeks, but the woman across the desk thought it was expired as her machine didn't read it. She told me this, and I explained to her with a straight face that maybe that was because I'd microwaved my passport (I hadn't really).

        She didn't get the joke, which was just as well I suppose.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        I tried that with a cancelled RFID credit card.

        In 3 seconds it had already let out smoke.

        One second later (literally) I stopped the microwave. The card had a VERY visible "melt" ring where the RFID antenna was and was damaged enough it would not read in my CC reader anymore.

        Don't do this with anything you care about. A rubber mallet is more effective and leaves fewer traces.

    • by theeddie55 ( 982783 ) on Sunday July 12, 2009 @07:50AM (#28666827)
      Except that the RFID shield you reference is entirely different to the passport shielding that video demonstrates to be ineffective.
    • by MojoRilla ( 591502 ) on Sunday July 12, 2009 @08:15AM (#28666885)
      No, people shouldn't have to pay $20 for a way to make this technology safer. The government should improve their own shielding, and use more secure protocols [wikipedia.org] for RFID transmission.
      • You don't have to pay $20 - as the cards themselves are shipped with such a shield. (At least mine, which I got a couple of weeks back, came with such a shield.)
         
        Probably what happens is people leave the shield off as it is rather unwieldy with the shield installed and no longer fits properly into your wallet.

      • by Alioth ( 221270 )

        Or how about just not using RFID at all? I don't see why passports can't use the same style chip as used widely in credit cards and debit cards.

        • Or how about just not using RFID at all? I don't see why passports can't use the same style chip as used widely in credit cards and debit cards.

          Even the chips in credit cards aren't needed. Some years ago my credit card issuer stopped using them because the usefulness didn't justify the expense. Now if I want, such as to order something online, my issuer will issue a one tyme use credit card number.

          Falcon

        • by mpe ( 36238 )
          Or how about just not using RFID at all?

          Especially given that where passports are typically used it's important to ensure that you are reading the right passport and using RFIDs are vulnerable to a fairly simple denial of service attack.
        • by vidarh ( 309115 )
          In the UK one of the largest banks have started adding RFID to their credit cards for small purchases...
      • No, people shouldn't have to pay $20 for a way to make this technology safer. The government should improve their own shielding, and use more secure protocols [wikipedia.org] for RFID transmission.

        People should only be worried about safety from government. And government shouldn't be using RFID nevermind IDs. It used to be that people in the US could cross the US Mexico border and the US Canadian border, which I've done a number of tymes, without needing a passport.

        Falcon

    • If these RFID shields don't work, does anyone know something that does?

      • by smaddox ( 928261 )

        Aluminum foil, and enough to be sure.
        .
        (Why does firefox's spellcheck only have the British spelling of 'aluminium'?)

      • If these RFID shields don't work, does anyone know something that does?

        An oven does. But the paper may get burned. Someone above suggested a rubber mallet, which I think is better

        Falcon

    • Re: (Score:2, Interesting)

      Comment removed based on user account deletion
      • Many smart cards are dual purpose, and have RFID along with it. I'm actually surprised whenever I come accross an RFID card that is not also a smart card. If you read their descriptions a little closer, you'll notice that they are targeting employees working for companies with just such smart cards. That logo is something any smart card user will recognize. It's also a really really good idea to have something other than just wireless to read the card if you are using it for anything more than a door pa

      • As they are designed to stop Electomagnetic Radiation coming in then I would guess that they could ork to stop the RFID responses from getting out.

    • You just need to buy an RFID shield for your passport and you can put your mind at ease. Unless, of course, you want to worry about how they don't work.

      Thanks for the interesting links!

      As others have noted, your analysis isn't quite correct. For those who don't want to watch the whole video in your second link, here's a summary of what it says. It demonstrates a security vulnerability. The vulnerability does not involve theft of data, because there's encryption built into the passport. What it demonstra

      • Your No 3 is not quite correct

        - Speak English - A lot places other than the USA speaks english
        - Dresses like an American - Agreed
        - Carry Cameras - Have you ever seen a Japanese Tour Group. They have more cameras than people

        I'd add however
        - Have name tags attched to their clothes with names like 'Chip', 'Bud' & 'Hank'.
        - Only willing to eat Steak & French Fries unless it is a BigMac. (even in places where there are no Macdonalds...)

        Seriously though, Americanes are about the easiest Nationality to pick

      • by Svartalf ( 2997 )

        I wouldn't say far fetched.

        You wouldn't steal data. You wouldn't be "singling them out" for direct attack. You would, though, leave things that would instill terror behind that looked for these passports.

        The video's bogus (It looks too smoke and mirrors for them to have actually DONE the exploit they're talking to...), but the risk is actually very real- especially considering that it'd only cost $500 above the cost of the explosives to set up a car-bomb or similar that wouldn't go off until it saw an Ame

      • by Dr Tall ( 685787 )

        But the threat in the video is farfetched, because there are much easier ways of finding American tourists.

        I don't think the author is making the claim that RFID is the best way to ID Americans. I agree with you that there are much better ways for a human to ID an American. But what about an explosive device, as shown in the video? Modern terrorists use remote explosives to time an attack for most destruction and/or destruction of Americans as opposed to sympathetic locals.

        It would be much easier to build a device that will only blow up if X number of Americans are in its kill range. This device could be cons

    • by Svartalf ( 2997 )

      The only problem I have is that while Flexilis may have a good point, the video you linked to is rubbish as far as proving their point. It could just as easily have been a rigged thing for their "demo". They needed to show things just a bit better than that- it's all smoke and mirrors with it as it is now.

  • Gosh... (Score:3, Funny)

    by feepness ( 543479 ) on Sunday July 12, 2009 @07:14AM (#28666703)
    If only these same people who secured my passport were in charge of my healthcare as well, then everything would be great!
    • Re:Gosh... (Score:4, Insightful)

      by Atmchicago ( 555403 ) on Sunday July 12, 2009 @08:00AM (#28666855)

      [sarcasm]Yes, heaven forbid the United States catch up with the rest of the developed world and get a system that works better [photius.com] while costing less [photius.com].[/sarcasm] Passport security and health systems have nothing to do with each other, please let you brain do the thinking, not your mouth or your gut.

      • Re:Gosh... (Score:4, Interesting)

        by maxume ( 22995 ) on Sunday July 12, 2009 @08:14AM (#28666879)

        The U.S. doesn't make any passing attempt at running an efficient health care system. For people that can afford it, spectacular care is available here.

        So the well off have plenty to fear from government intervention, they face the potential for higher taxes and the potential for lower availability of care (vast amounts are spent on extreme measures in the U.S.).

        Sure, it would probably be healthier for us as a society to provide a more equitable system, but let's not pretend that it is going to be better for everyone.

        • Yes and no (Score:5, Interesting)

          by Anonymous Coward on Sunday July 12, 2009 @08:51AM (#28667025)

          I live in Finland and we do have a public healthcare system here. That doesn't mean that here wouldn't also be private healthcare available. Those who dislike the public system (which works pretty well but is underfunded so waiting lines can be hours long in any non non-emergency case) can go to the private clinics. In addition to competing with each other, private clinics also need to compete with the public health care. It sets some kind of a status quo of "If you don't manage to offer extremely good service, people will just use public healthcare".

          So I don't think that the wealthy do need to worry about potential for lower availability of care. Public healthcare just gives best of both worlds... In theory.

          Recently (within the past decade) right wing government has been trying to change the way that public healthcare works here. Instead of having doctors who work for the government they try to have government buy services from private companies. In practice this works horribly.

          Government buys from the company that offers services for cheapest but that lowers the quality. And even those companies have higher prices than what government would pay directly to the doctors as the companies try to make profit. So it is slowly changing from "The best of both worlds" to "The worst of both worlds".

          One example of this is a hospital near me (Peijas in Itä-Vantaa). It used to be managed by the government but then there was a decision to privatize (if that's a word) the emergency duty. Now, if you go there complaining that your chest hurts, you might still need to wait four hours in the lobby before a doctor sees you but if they deem that you need further care and send you to the main part of the hospital... You get EKGs taken, evaluations from several doctors and so on, all for completely free of charge. (Speaking from experience here.)

          So even with the "worst of both worlds" it works somehow (which is good because I really couldn't have been able to afford the treatments in a private clinic). I just fear what happens if the rest of the hospital services will be bought from private companies too.

          Public healthcare can be done very well or very poorly depending on how it is implemented.

          As for taxation... Yeah, it raises. Can't deny you there. As a rather decently earning programmer I pay nearly half of my wage as taxes (then again, that is more than free healthcare. It includes, among other things, that government funded my university education and insured my student loan). You are wrong to assume it will hurt the wealthy, though. It uses the people who don't use the services.

          Whether you are wealthy or not, having higher taxes that provide services that you use are fine. Higher taxes hurt those who rarely have to visit a doctor, they hurt those who don't go to an university and so on. Others would have had to pay that money anyways, it just wouldn't have gone to government but directly to the private companies that provide the services. And the result might not have been any better.

          • So if government is paying for your education why do you have a student loan?

            For myself personally I'd rather get taxed at 25% rather than 50% and be able to choose my health care.

            • Re: (Score:2, Insightful)

              by Hillman ( 137883 )

              Well, if it's like in Québec, we still have to pay for college. It's very subsidized, so we pay a little less than 2k$ a year. The loans are there so you can concentrate on your studies instead of working full time. Most people will work part time though.

              And we can choose our health care. The only difference is that the doctors are paid by the state instead of by me. Only my doctor can make health care decisions, not a faceless bureaucrat or a CS rep from an HMO. And because there's no administrative o

              • As bad as private bureaucracies are, public bureaucracies are worse, at least in the US. In the US, a government entity gets funding based largely by how much they spent the previous year - and not in a way that incentivises efficiency. When an entity does not spend all of their budgeted money, not only do they not get to use that money in the current year (because they ran out of things to spend it on), that amount usually gets dropped from their budget for the next year! Which means if they don't need

    • Re: (Score:3, Interesting)

      truly spectacular care is in Europe these days, sadly the US healthcare system has defeated itself due to the cost of doing business here for most physicians. What America has is the _perception_ of good healthcare, however, just because sombody has a specialist for every ailment doesn't mean they're getting remotely good healthcare. in the US there are typically around 12 Doctors involved in the average Americans healthcare. have you ever been to a doctors office? do you know how busy- especially a decent

    • If only these same people who secured my passport were in charge of my healthcare as well, then everything would be great!

      We live in a country that is protected by a military funded by the government
      If my house is on fire, the fire is managed by a fire department funded by the government
      Law enforcement is provided by a police or sheriff's department funded by the government
      I drive to work on roads whose maintenance are funded by the government
      I was educated at public schools funded by the government

      (just to name a few government services that are entitled to US citizens) If you would rather not have any of those se

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        We live in a country who's military funded by the federal government "protects" other countries.

        If my house is on fire, the fire is managed by a fire department funded by my municipal government

        Law enforcement is provided by a police or sheriff's department funded by my city or county government

        I drive to work on roads whose maintenance are funded by my county or state government

        I was educated at public schools funded by my county and state government

        Fixed that for you.

      • If only these same people who secured my passport were in charge of my healthcare as well, then everything would be great!

        We live in a country that is protected by a military funded by the government
        If my house is on fire, the fire is managed by a fire department funded by the government
        Law enforcement is provided by a police or sheriff's department funded by the government
        I drive to work on roads whose maintenance are funded by the government
        I was educated at public schools funded by the government

        (just to

  • Poor encryption (Score:4, Interesting)

    by MobyDisk ( 75490 ) on Sunday July 12, 2009 @07:32AM (#28666779) Homepage

    Passports use BAC [wikipedia.org] encryption, which is obviously pretty weak.

    • by MobyDisk ( 75490 )

      Sorry to reply to my own post. The article only says:

      Zipping past Fisherman's Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians' electronic U.S. passport cards
      So all he got was serial numbers? meh.

  • WHAT!? (Score:3, Funny)

    by anonieuweling ( 536832 ) on Sunday July 12, 2009 @07:32AM (#28666781)
    You mean that RFID actually works!?


    Yes, but do we really need it in passports and identification cards?
    • You mean that RFID actually works!? Yes, but do we really need it in passports and identification cards?

      Might help me find mine.

  • thats a endorsement for continual increase in use.

    I wonder how long it will take before credit companies, homeland security and other rfid pushers join forces to create a implantable credit card/passport/whatever-service-you-can-think-of rfid chip. For your own protection and convenience, honest...

  • by cheros ( 223479 ) on Sunday July 12, 2009 @08:14AM (#28666883)

    I cannot imagine that even a SINGLE conversation with someone mildly conversant in basic security, no, just having common sense, would not have indicated that uncontrolled ID reading from a distance was a VERY VERY bad idea. It suggests to me that such a conversation was either not had, someone has a LOT of shares in RFID manufacturing or there is something else behind this rush to promote even more ID theft.

    You can read ID from a distance which means it's now possible to create hidden bombs that lie dormant until there are enough people of a certain nationality nearby, it's possible to clone an identity and I suspect it won't be long before you can edit the biometric, making the theft of your LIFE complete because of "the 'pjuter is always rite" syndrome.

    In the process other associated idiots are building up databases which are unnecessary (it works prefectly without) and which are a reversal of approach - normally your identity is only collected AFTER you have committed a crime, not BEFORE. You're now guilty until you prove it wasn't you who left a cloned identity behind. All of that without you noticing someone has been near to your passport, you no longer have control over who sees the data. Hello girls, welcome to stalking v2.

    Actually, if you want political emotional scare stories, as the EU has now made one passport per person mandatory, it's also "Hello kids, welcome to 'brief your local paedophile'".

    It would be really good if the clowns who dream up such stuff would be the first to suffer the consequences, all of them. Because I don't think they will learn otherwise - this is causing risk, not fixing identity issues. /rant

    • Re: (Score:3, Interesting)

      by maxume ( 22995 )

      The cards discussed in this article strictly provide a number, so they are just being used as a glorified barcode (maybe they have some security features that a barcode doesn't, but the guy scanning the numbers already knows how to bypass them, so they are irrelevant); a barcode is just as easy to link to a government database and introduces all the same problems with securing the database, so the only additional threat created by the RFID here is the ability to track the person holding the card (leakage of

    • by adolf ( 21054 ) <flodadolf@gmail.com> on Sunday July 12, 2009 @04:01PM (#28669741) Journal

      I wrote about RFID landmines here [slashdot.org] on Slashdot, about five years ago.

      It's nice to see that someone else besides me is sufficiently realistic to understand that this can be a real problem. And it's cheap: I don't know what RFID standard passports are using, but various readers on Ebay don't seem to creep much above the $50 mark. Add a microcontroller and some code (which, of course, can be open-sourced amongst other terrorist organizations), along with a little supporting hardware, and you've got yourself a trigger for a device for less than, say, $200 and a few days/weeks of study by an aptly-minded person.

      That $200 isn't much money at all, even for a third-world organization, for an attack which is nearly guaranteed to kill one or more civilians of any country which institutes standardized RFID identification. And the best part is, they get to pick and choose which country is the enemy this week when deploying the things.

      I, for one, am not very happy about this.

  • The anti-rfid wallet... ;)

  • by madsheep ( 984404 ) on Sunday July 12, 2009 @08:34AM (#28666967) Homepage
    Well I am completely against the apparent weak encryption and their lack of shielding but I think the big brother concerns are a little overblown. I don't think this is part of some massive systems to track us. Unless the U.S. is setting up this massive trackng network on cruise ships and all over foreign countries... I don't think it will suck in much.. unless of course they enjoy getting receiving data from my passport that always reports that I am 1) at home or 2) on my way to the airport. Seriously.. what U.S. citizen carries their passport everywhere they go domestically?
    • Well I am completely against the apparent weak encryption and their lack of shielding but I think the big brother concerns are a little overblown.

      If you're not actually interested in this issue, why do you even bother to comment?

      I can TELL you're not actually interested, because you don't understand that the primary problem has nothing to do with our government, and has to do with the potential use of RFID tags to safely and clandestinely identify and track American targets in other countries, for purposes like the taking of hostages.

      The government already has vastly easier ways to track Americans using RFID that don't involve passports, which most o

    • Seriously.. what U.S. citizen carries their passport everywhere they go domestically?

      Indeed. Mine lives in my safe unless actually required.

      Well I am completely against the apparent weak encryption and their lack of shielding but I think the big brother concerns are a little overblown.

      You're new here aren't you? Conjuring up complex big brother scenarios is practically the entire purpose of Slashdot. Seriously, I've seen less insane scenarios on actual tinfoil hat sites.

  • If these were passports or passport cards ? .. Most people here don't carry their passport around with them all the time.. However those new cheapo passport cards (for Canada, Mexico, the Caribbean, and Bermuda) are much smaller and more portable and I can see people keeping them in their wallet.

    I realize that both are vulnerable.. Sadly I have to get a passport renewal in 2010, and not looking forward to having a chipped one. I'll be getting the full one again (can see the point in limiting travel possibil

    • Some people do carry passports and ID-whatever around all the time.
      Some are concerned with the lack of care taken while implementing what others wanted.
      Why not distribute tin-foil envelopes?
  • by Dachannien ( 617929 ) on Sunday July 12, 2009 @09:26AM (#28667145)

    Meanwhile, Homeland Security has been promoting broad use of RFID because its own advisory committee on data integrity and privacy warned that radio-tagged IDs have the potential to allow "widespread surveillance of individuals" without their knowledge or consent.

    Fixed.

  • So if I can get my RF scanning equipment within 20 feet of you, I can get the passport office's unique identifier for you. (Where can I use that identifier besides the passport office?) As a tracking strategy, one scanning device every 20 feet is going to be an expensive grid.

    Good thing the whole country's already wired for cellphone service and service providers share connectivity in support of roaming. Lord knows how many people can track your whereabouts right now.

    Oops...I left my passport at home to

  • The designers should have known, and any RFID system, can be read without the owner knowing it, making it a security risk. Bad choice of technology from the outset.

    --

    Privacy vs Surveillance [feeddistiller.com] Feed @ Feed Distiller [feeddistiller.com]

  • I need to get a passport soon, but this issue kind of concerns me - people who think those of us who are concerned are being overly paranoid just don't get it - just because there isn't anything disturbing happening with these things right now at this moment (that we know of) doesn't mean that we know things will remain copacetic in the future...Once the apparatus for widespread monitoring/tracking is in place, it's in place - it isn't a good or a bad thing, it's a tool that can be used in either manner.

    I h

  • Would it be all that hard for the US government to raise the price $5 and include a blocking sheath?
  • by Electros ( 1166421 ) on Sunday July 12, 2009 @11:40AM (#28668015)
    Just to clarify, these are passport cards which are a hard plastic card that can only be used to travel between Canada the US and Mexico. The "Real" passports also have an rfid in them but they have a faraday cage built into the cover so they can only be picked up when opened.

Hackers are just a migratory lifeform with a tropism for computers.

Working...