Increasing Secure Traveler Facilitation via e-Passport Passive Authentication

Electronic Passport (e-passport) technology, when implemented correctly – issued and validated in accordance with ICAO specifications and recommended processes – provides the highest level of assurance that the traveler is actually whom they claim to be.  The electronic security features encoded within the chip of the e-passport both protect the data from tampering or modification, as well as provide a cryptographic binding of the document to its Issuing State, and a biometric binding of the traveler to the document.  A global fabric of trust, the ICAO PKI data and processes underlying these documents, makes authentication of these security features relatively simple while ensuring that fraudulent documents are easily identified.

Incorporating these authentication processes into efficient, automated, self-service capabilities readily supports the facilitation of ever-increasing volumes of travelers without negatively impacting border queues – and actually increases the security posture of the transit point without the need for additional border personnel.

e-Passport processing not done according to specifications and guidance leaves the relying party to simply guess if the person presenting the document is who that document asserts that they are.

Sometimes this is inconsequential, sometimes it is a matter of national security.  Whether this document review is done as part of the check-in process at a hotel, to prove an identity for a financial transaction, or to support a border crossing, it is imperative that document authentication processes do not facilitate identity fraud or fraudulent cross-border movement.  If not properly validated, fraudulent documents can easily be used to transit borders for nefarious means, or to assume whatever identity that a person desires.

e-Passports were introduced in 2006 and now comprise the majority of travel documents in circulation.  However, since not all borders implement processes to properly authenticate these tremendously secure identity documents, fraud has also been facilitated.

In 2011, Somalia stated that they will no longer accept their original green passport (which is NOT an e-passport) due to their belief that the persons presenting these passports are likely to be engaging in terrorism-related activities.  The Israelis stated that they had over 135,000 documents stolen in 2010 alone, and they estimate that thousands of these documents are being used fraudulently around the world today.  In fact, they have arrested numerous Iranian and Pakistani nationals attempting to use fake Israeli passports.

While we know that 139 countries are currently issuing e-Passports, based on information available from open source resources, we also know that only a small percentage of countries actually perform Passive Authentication of e-Passports as part of their border control processes.

Passive Authentication (PA) is the process that ICAO requires be performed on the cryptographic security elements protecting the personal data held within e-passport and e-Identification documents. PA unconditionally proves the authenticity of the document by evaluating its cryptographic binding to a trusted issuance infrastructure.

Without this process, anyone can generate an e-passport that meets the electronic encoding requirements and appears to be genuine.

All of the elements protected by cryptographic hashes and the digital signature protecting the document security object may properly validate using the certificate provided within the document.  However, unless the certificate is proven cryptographically to have been produced by a trusted infrastructure, then the document cannot be considered authentic.  In other words, if PA fails, the document should be considered as fraudulent.

As the facilitation of an increasing number of travelers continues to be a top priority for nations, careful consideration must be given to the appropriate implementation of technology to support that objective.

Border processes cannot be cumbersome to the traveler or be perceived as the cause of delays.  Technology is increasingly being implemented to address this critical balancing act; self-service kiosks and automated border controls have been deployed or are being piloted across the globe.  However, with an increased reliance on technology to assess the validity and authenticity of the supporting travel document, the underlying processes MUST be implemented to leverage the significant security and level of identity assurance that is provided by the e-passport.  Many of these pilot implementations are basing an access decision on the comparison of the traveler’s biometrics to those found within the electronic chip of the e-passport.  While biometric comparison technologies are advancing at a tremendous rate, there is no value in performing the comparison unless the document that is being used as the source of the biometric has been proven to be authentic.

PA is a critical security component that must be implemented to truly take advantage of the anti-fraud and anti-tampering security features built into e-passports.  This process not only evaluates the authenticity of the document and its contents, but also facilitates the automation of traveler identity verification and transit throughout their journey.

 

 

Ozone e-Passport PKI

Fraudsters Want Your ID Information. What Are You Doing to Stop Them?

In 2016, identity theft amounted to $16 billion and affected more than 15.4 million people in the United States. Your identity is arguably your most valuable asset, but how often are you aware of all the ways that you use it to transact? With the lines of physical and digital identity becoming increasingly blurred, it’s more important than ever to safeguard your identity during transactions.

Are you doing enough to ensure you’re keeping your personal information – and your customers’ information – safe from fraudsters?

Click to download the free infographic: Where Does Your Identity Take You in a Day?

Every day, Americans make transactions by swiping, scanning or chip-reading – from grabbing a cup of coffee to purchasing airline tickets. The convenience of these transactions, it seems, trumps concerns of information falling into the wrong hands. But the time has passed for simply hoping our ID information – and our customers’ ID information – will continue to be safe, simply because you’ve seen no evidence it’s been compromised.

Just a Day in the Life for Identity Thieves

Let’s look at a typical day anyone could have to see how easily one can expose their ID information to considerable security risks.

Mobile banking. Shortly after leaving the office, a person decides to check the balance of their checking account. They use the local coffee shop’s free Wi-Fi, because like 67% of Millennials, they use a mobile app to access their banking information. Though on an open network, they tap in their ID, password and perhaps other Know Your Customer (KYC) information, as required by anti-money laundering (AML) regulations. Did a fraudster track their every keystroke?

Click to download the free infographic: Where Does Your Identity Take You in a Day?

Small business transactions. Because this person is now running late to a doctor appointment, they pull out their credit card to engage one of the 1,000 bike-sharing services across the country, a market that is expected to become a $6.1 billion business by 2020. Are the security measures employed by all 1,000 vendors up to par? How does this one rank?

Medical Insurance. At the doctor’s office, they check in at the front desk, making their co-pay with the same credit card and giving their medical insurance card information which is likely photocopied. Like most people, this person is more than likely unaware that 15.4 million medical records were stolen in 2016 alone, and that 301 people across the country were charged roughly $900 billion in false billing.

Remember, Identity Thieves Never Take a Vacation

Although you’re in a rest-and-relaxation mode, you still know not to leave your hotel room unlocked or your wallet on a car seat. If only you could take similar measures to protect your ID information. Here are some common transactions that require ID information on a typical vacation – and some data associated with their risk of security breaches.

Accommodations. The global vacation rental market is poised to be worth $193.89 billion by 2021. Fully 46% of customers check in using hotel loyalty programs, and loyal customers spend on average 67% more than new ones. Front desks and agencies are mostly taking your identity document photocopying it and storing it somewhere; a very insecure data capture method. All this makes vacation rental businesses likely targets for theft of identity information.

Ground transport. Uber reported that 40 million people used the ride-hailing service in 2016. Incidentally, 8,000 ride-hailing service drivers in Massachusetts failed to pass new state background checks in 2017. Similarly, car-rental agencies routinely require a check of ID documents to complete transactions and mostly use the archaic photocopy method of capturing your ID leaving you vulnerable to a paper file floating around.

The More You Know, the Better

Our free infographic, Where Does Your Identity Take You in a Day , illustrates just how important it is to protect your ID information.

Acuant provides businesses with identity proofing solutions for trusted transactions, for more information contact us here.

 

Read the Infographic