To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.[From Security Document World]
And the results? Did the ever-vigilant staff, the best IT that money can buy and the process designed by top management consultants come together to defeat these almost trivial attempts to deceive?
In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case.[From Security Document World]
Perhaps biometrics might help. I was in Dubai a couple of weeks ago, and there’s no messing about letting people get false passports there I’m sure…
About 54,000 people were arrested at Dubai International Airport last year after failing iris scan, a senior official from the Ministry of Interior said on Monday. Brigadier Bin Surour said border security is one of the biggest challenges all countries face in maintaining national security. “We will soon use an individual’s DNA as a means to verify people’s identity at borders,” he said.[From Gulfnews: Dubai’s iris scan helps arrest 54,000 suspects last year]
As anyone familiar with the problem understands, the issues are orthogonal. Using bogus “feeder” documents to obtain a virtual identity (such as an entry in a passport database) is not affected in any way by the use of biometrics to match a physical person to that virtual identity. If anything, biometrics make for a bigger problem: once the bogus identity is in the system, then the use of biometrics means that the identity will never be questioned. Computer says yes, so to speak. If there is going to be a “gold standard” government identity, then anyone able to breach the security of the database on which it rests is then inside the wire and can do what they like, since from then on the biometrics will confirm whatever identity the miscreant has planted.
I quite like the idea of using DNA tests at the borders, though. Anything that works better than IRIS would be great (although to be fair when I came through T5 last week, I was standing in a long line for passport control and I saw three people using the IRIS line, and two of them got through, which is pretty good).
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]