Cruising Fisherman's Wharf For New Passports' Serial Numbers
schwit1 writes "Fox News has an AP story on a hacker in San Francisco driving around and needing as little as 20 minutes to be successful in acquiring a passport number: 'Zipping past Fisherman's Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians' electronic US passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he'd "skimmed" the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet. ... Meanwhile, Homeland Security has been promoting broad use of RFID even though its own advisory committee on data integrity and privacy warned that radio-tagged IDs have the potential to allow "widespread surveillance of individuals" without their knowledge or consent.'"
It's strange that politicians and other managers seem to have a totally different idea of the meaning of the word 'security' than other people.
-- Cheers!
You just need to buy an RFID shield for your passport and you can put your mind at ease. Unless, of course, you want to worry about how they don't work.
Nothing for 6-digit uids?
If only these same people who secured my passport were in charge of my healthcare as well, then everything would be great!
Passports use BAC encryption, which is obviously pretty weak.
You're right though, that you can't just type in "tell me where Joe Soap went on Thursday afternoon" into the system and get a list of his/her whereabouts, but for targeted individuals, tracking without their permission has been available for some time.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
I cannot imagine that even a SINGLE conversation with someone mildly conversant in basic security, no, just having common sense, would not have indicated that uncontrolled ID reading from a distance was a VERY VERY bad idea. It suggests to me that such a conversation was either not had, someone has a LOT of shares in RFID manufacturing or there is something else behind this rush to promote even more ID theft.
You can read ID from a distance which means it's now possible to create hidden bombs that lie dormant until there are enough people of a certain nationality nearby, it's possible to clone an identity and I suspect it won't be long before you can edit the biometric, making the theft of your LIFE complete because of "the 'pjuter is always rite" syndrome.
In the process other associated idiots are building up databases which are unnecessary (it works perfectly without) and which are a reversal of approach - normally your identity is only collected AFTER you have committed a crime, not BEFORE. You're now guilty until you prove it wasn't you who left a cloned identity behind. All of that without you noticing someone has been near to your passport, you no longer have control over who sees the data. Hello girls, welcome to stalking v2.
Actually, if you want political emotional scare stories, as the EU has now made one passport per person mandatory, it's also "Hello kids, welcome to 'brief your local paedophile'".
It would be really good if the clowns who dream up such stuff would be the first to suffer the consequences, all of them. Because I don't think they will learn otherwise - this is causing risk, not fixing identity issues. /rant
Those billion cameras are primarily a reactive system, not proactive. While they were initially sold on the public as a crime prevention and safety thing, they don't exist that way any longer. I guess in many ways it is a good thing that there are just too many to be monitored in real time. This makes your simple trip to the store utterly irrelevant and not of interest to anyone - but if your trip happens to coincide with some idiot crashing his car in to the aforementioned store, knocking you down in the process, then someone, be it insurance, police, ambulance, or whatever, might dredge it up for review. All in all you and I are just lost in the noise while the only valuable signal makes the nightly news.
RFID is a pretty good filter if your aim is to create a choke point (i.e. immigration counters) - you can file people past a scanner, snap off their picture without them knowing, have a drone somewhere do a comparison with the databased image, or run it through your super computer in the basement to do it for you.
The cards discussed in this article strictly provide a number, so they are just being used as a glorified barcode (maybe they have some security features that a barcode doesn't, but the guy scanning the numbers already knows how to bypass them, so they are irrelevant); a barcode is just as easy to link to a government database and introduces all the same problems with securing the database, so the only additional threat created by the RFID here is the ability to track the person holding the card (leakage of identity info is the same with a barcode, and there are no biometrics to edit on the card).
Still, it doesn't seem like the chip adds anything, and it certainly sucks for people to be able to automatically identify the card (not the person, just the card) at a distance.
Nerd rage is the funniest rage.
Well I am completely against the apparent weak encryption and their lack of shielding but I think the big brother concerns are a little overblown. I don't think this is part of some massive systems to track us. Unless the U.S. is setting up this massive tracking network on cruise ships and all over foreign countries... I don't think it will suck in much.. unless of course they enjoy receiving data from my passport that always reports that I am 1) at home or 2) on my way to the airport. Seriously.. what U.S. citizen carries their passport everywhere they go domestically?
Yes, but the people in charge still haven't listened!
I live in Finland and we do have a public healthcare system here. That doesn't mean that there wouldn't also be private healthcare available. Those who dislike the public system (which works pretty well but is underfunded so waiting lines can be hours long in any non-emergency case) can go to the private clinics. In addition to competing with each other, private clinics also need to compete with the public health care. It sets some kind of a status quo of "If you don't manage to offer extremely good service, people will just use public healthcare".
So I don't think that the wealthy do need to worry about potential for lower availability of care. Public healthcare just gives best of both worlds... In theory.
Recently (within the past decade) right wing government has been trying to change the way that public healthcare works here. Instead of having doctors who work for the government they try to have government buy services from private companies. In practice this works horribly.
Government buys from the company that offers services for cheapest but that lowers the quality. And even those companies have higher prices than what government would pay directly to the doctors as the companies try to make profit. So it is slowly changing from "The best of both worlds" to "The worst of both worlds".
One example of this is a hospital near me (Peijas in Itä-Vantaa). It used to be managed by the government but then there was a decision to privatize (if that's a word) the emergency duty. Now, if you go there complaining that your chest hurts, you might still need to wait four hours in the lobby before a doctor sees you but if they deem that you need further care and send you to the main part of the hospital... You get EKGs taken, evaluations from several doctors and so on, all for completely free of charge. (Speaking from experience here.)
So even with the "worst of both worlds" it works somehow (which is good because I really couldn't have been able to afford the treatments in a private clinic). I just fear what happens if the rest of the hospital services will be bought from private companies too.
Public healthcare can be done very well or very poorly depending on how it is implemented.
As for taxation... Yeah, it raises. Can't deny you there. As a rather decently earning programmer I pay nearly half of my wage as taxes (then again, that is more than free healthcare. It includes, among other things, that government funded my university education and insured my student loan). You are wrong to assume it will hurt the wealthy, though. It uses the people who don't use the services.
Whether you are wealthy or not, having higher taxes that provide services that you use is fine. Higher taxes hurt those who rarely have to visit a doctor, they hurt those who don't go to a university and so on. Others would have had to pay that money anyways, it just wouldn't have gone to government but directly to the private companies that provide the services. And the result might not have been any better.
Yeah, and I'm less concerned about passports being counterfeited than I am about people carrying US passports in other countries being targeted for mugging. Those passports are valuable, you know.
Meanwhile, Homeland Security has been promoting broad use of RFID because its own advisory committee on data integrity and privacy warned that radio-tagged IDs have the potential to allow "widespread surveillance of individuals" without their knowledge or consent.
Fixed.
There's even a YA novel (Little Brother) by Doctorow that has this issue as a plot point; somehow I doubt that the people in charge are going to read it...
Just to clarify, these are passport cards, which are hard plastic cards that can only be used to travel between Canada, the US and Mexico. The "Real" passports also have an RFID in them but they have a Faraday cage built into the cover so they can only be picked up when opened.
I wrote about RFID landmines here on Slashdot, about five years ago.
It's nice to see that someone else besides me is sufficiently realistic to understand that this can be a real problem. And it's cheap: I don't know what RFID standard passports are using, but various readers on Ebay don't seem to creep much above the $50 mark. Add a microcontroller and some code (which, of course, can be open-sourced amongst other terrorist organizations), along with a little supporting hardware, and you've got yourself a trigger for a device for less than, say, $200 and a few days/weeks of study by an aptly-minded person.
That $200 isn't much money at all, even for a third-world organization, for an attack which is nearly guaranteed to kill one or more civilians of any country which institutes standardized RFID identification. And the best part is, they get to pick and choose which country is the enemy this week when deploying the things.
I, for one, am not very happy about this.