-How Current Immigrations System is Broken and Weak-
Illegal immigration is one of the major problems faced by many countries in this world. Usually people illegally immigrate into another country to lead a better lifestyle, to evade criminal charges in their original country, or to perform criminal activities in the country they plan to enter. Illegal immigrants usually enter a country with help of fake documents. Fake documents are not necessarily forged/counterfeit documents that look like genuine documents, but they could be genuine documents that were stolen and the theft disguises himself/herself to look like the person in document. The later case is more difficult to spot since the documents are genuine so the immigration officer will allow the person to enter unless he or the system is smart enough to detect that the person is an imposter.
Let us concentrate on illegal immigration into the USA and what the country has done so far to prevent/ minimize illegal immigration. After the 9/11 terror incident USA government realized that paper immigration documents are easy to forge so the government has replaced regular paper passports with electronic passports or e-passports, and implemented special LaserCard technology for making its permanent residency card (commonly known as Green Card) and Border Control Card (commonly known as Laser Visa). In addition to documents the immigration officials scan the fingerprint of the arriving person to make sure if he is not a criminal or previously deported person. The question is that do these new technologies used in the immigration documents reliably stop illegal immigration. Let us look at each of these technologies one by one:
1. Examining Fingerprint of a person:
The optical fingerprint readers used at the airports can be easily fooled by fake finger. Fake finger means that the person can put some kind of thin tape/covering that contains fingerprint of someone else over his finger. Since the optical fingerprint reader just takes an image of the persons fingerprint and compares it with the database, the fake fingerprint on the tape would be compared with the database. Even though the USA immigration presently scans all 10 fingerprints of a person, it is not foolproof. One may say that although possible to make one fake fingerprint, it is not easy to make fake fingerprints for all fingers; but there is sufficient evidence in the web that teaches one how to easily create a fake finger. For example the following link shows how easily latent fingerprint (fingerprint left behind on some object by the potential victim) can be lifted and used as a stencil to make fake finger.
http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en (Tutorial to make fake finger)
Following are few articles that show how the contemporary optical fingerprint readers can be fooled easily with fake finger.
· http://www.securityfocus.com/news/6717 (German hackers fool fingerprint scanners).
· http://software.silicon.com/security/0,39024655,11033437,00.htm (Japanese man fools biometric sensor with fake finger)
· http://www.asiaone.com/Travel/News/Story/A1Story20090101-111750.html (South Korean woman fools Japanese fingerprint sensor)
Since paper passports can be forged without much difficulty, e-passports have been introduced. e-passports are similar to the regular passports except for a small contactless RFID chip embedded in the back cover that is supposed to make it more secure than regular passport. The only personal information stored on the chip is the same information that is printed on the data page of the passport, including a digital version of the photograph.
Do e-passports actually provide the security they are intended for? Unfortunately NO since current e-passports are vulnerable to skimming or eavesdropping attacks by hackers. A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. An eavesdropping attack is when someone intercepts the communication between the e-passport and reader and steals data. The owner of the e-passport will not even be aware that his information has been compromised.
Once the information is compromised the RFID chip can be cloned and rest is to make a fake passport based on the information in the chip.
Following links show evidence of how easily the information in the e-passport’s RFID can be attacked and cloned.
http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece (Fake-proof e-passports cloned in minutes)
http://www.neoseeker.com/news/9787-insecurity-of-homeland-security-rfid-passports-shown-by-researcher/ (US Homeland Security passports successfully cloned with no problem)
http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/ (Cloning of e-passports when in mail)
Also, proposals are being made for a person’s fingerprint information to be stored in the e-passport chip, rendering added security. If a hacker manages to obtain the digitized fingerprint information from the e-passport chip then he can make fake finger using that information.
Lasercard Technology for making Green Card and Laser Visa:
Just like regular paper passports, greencard and border crossing cards can be forged without much difficulty. To solve this issue of forgery new greencards and border crossing cards (also known as Laser Visa) that are backed by Lasercard technology are issued. Lasercard is basically an optical memory card that can contain the optical digitized image of the owner’s photo and fingerprint. Though claims are made that the lasercard data cannot be altered and are hard to counterfeit some articles mention the sale of fake new greencards in Tijuana, Mexico for $500 a piece.
Already it has been proven in the Dublin bank fraud case that lasercard technology is not imposter-proof or fake-proof. In Dublin bank case the bank lasercards were cloned and PIN numbers were obtained from shopkeepers who were paid to observe the customer while he/she was entering the PIN. The cloned card was used to withdraw money.
http://nepalinirelandnews.blogspot.com/2008/05/dublin-shop-workers-bribed-to-help-in.html (Dublin lasercard bank fraud).
Like PIN is the authenticating factor in laser bankcard, fingerprint matching of person and visual comparison of face is authenticating factor in travel documents. Lasercards that contain the optical digitized image of the owner’s photo and fingerprint can be dangerous when stolen because stolen lasercards are government issued cards and so no headach of forging. The immigration officer will not object to the stolen card’s authenticity. All that the thief needs to do is to look like the victim and also have matching fingerprints. As we already know it is not hard to fake fingerprint and people leave their fingerprints everywhere, which can be stolen be any watchful hacker.
Actually looking at the current border-crossing scenario the illegal immigrant (who could be a criminal) doesn’t have much to do. Many articles mention that the border-crossing officers just ask a few questions and don’t even care to verify the biometric information stored in the card.
· http://www.themonitor.com/onset?id=2429&template=article.html (Expensive authentication technology wasted)
From the article above we can see that authentication using lasercard technology is person (i.e. immigration officer) dependent. The officer makes the decision whether to verify biometrics in the card or not. On a busy day the officer may be too lazy to verify all information, and the country may have to pay the price for his laziness. We should also not overlook the fact that the officer could be bribed.
CONCLUSION: USA (and also the world) needs “change” in Current immigration authentication systems:
Looking at the drawbacks in the current immigration authenticating system we need a system that:
- cannot be fooled by a replica of person’s biometric details like fingerprint, face etc.
- hard to forge or counterfeit.
- is independent of human control. Authentication should be done by the system automatically and not done as per discretion of immigration officer.
- Provides a secure communication between the reader and travel document. In other words not vulnerable to skimming or eavesdropping.
-IS THERE ANY SOLUSION?-
How can e-Smart Technologies Inc. bring about this “change” in the immigration system?
e-Smart Technologies Inc. claims it can create an authentication environment that would overcome the above drawbacks. Let us ask e-Smart Technologies Inc.’s CTO and Sr. Vice President, Mr. Tamio Saito, to get more knowledge on e-Smart technology.
Interviewer: Can you please briefly explain how e-Smart authentication system works and what makes it unique in terms to security when compared to contemporary systems?
e-Smart CTO: e-Smart authentication is made on the card and fingerprint template is secured in the card through encryption. So, there is no change for anyone to change the fingerprint. Current system, employee can change the fingerprint data base and hacker can do also. And the biggest risk is if someone stole the fingerprint, no way to recover, because no one can change their finger contrasting to passwords. There are so many crime that employee to sell data base for small cash. Spy can change the fingerprint VERY EASILY by paying small money to employee, such near bankruptcy because of investment loss, alcoholic, etc.
Interviewer: Can the e-Smart authentication system be fooled using a fake finger? If not why?
e-Smart CTO: Fingerprint detection system can find out copied paper finger very easily, gummy finger by electrical way and software way. Current Optical sensor, using CCD or MOS device can be easily faked by copied fingerprint. It cannot read wet finger. Under Sunshine or strong back light, it may cause the problem. But e-Smart sensor has no such issues.
Interviewer: Is the e-Smart’s RFID chip vulnerable to skimming and eavesdropping attacks and subsequent cloning of the chip? If no, please explain what make it so special that it cannot be cloned. If yes, would the clone would it work reliably for the imposter?
e-Smart CTO: Our design is to use Biometric related key for encryption from the finger touched on the sensor in the card. Current and legacy system, being used is using just generic CHIP off the self having no unique data comes from the person who holds the card.
Interviewer: Is the e-Smart authentication technology human dependent? In other words is the verification of biometric information dependent on the discretion or mood of the immigration officer who may be lazy or busy to verify all biometric information in e-passport?
e-Smart CTO: Current system, the person entering the border can bribe, threat, collaborates the immigration officer to cheat the system. They are NOT FAIL SAFE SYSTEM. It depends on immigration officers. However, e-Smart card can be activated only when finger print of card holder matches to the data in the card. It is automatic and immigration officer independent.