Lost Malaysian flight highlights passport system vulnerability
23 June, 2014
category: Biometrics, Contactless, Government, Library
By Mark Joynes, Director of Product Management for PKI, Government & National ID Solutions, Entrust
The tragedy of Malaysian Flight 370 introduces a number of questions regarding flight safety, border security and travel document verification. During the investigation, it came to light that a pair of stolen passports – not to be confused with fraudulent passports – were used to board the flight.
On April 4, the U.S. House of Representatives Committee on Homeland Security’s Subcommittee on Border and Maritime Security conducted a hearing, “Passport Fraud: An International Vulnerability,” that focused on this issue. Per a committee memorandum, the hearing:
- Examined the threat posed by individuals traveling on lost, stolen or fraudulent passports
- Discussed U.S. and foreign governments’ efforts to ensure the validity of air travelers’ documents.
Importance of the database
The INTERPOL Stolen and Lost Travel Document database is a critical resource that can help safeguard borders and travel – when properly used. The prime vulnerability exposed by Flight 370, as it relates to lost and stolen passports, is that countries generally don’t validate the passports of outbound passengers in any meaningful sense. Even the handfuls of countries – for example the United States – that do make use of the INTERPOL databases have not leveraged that capability to assess and verify outbound passengers.
To eliminate this vulnerability, the U.S. Department of Homeland Security indicates they are now checking all outbound documents, which could represent a virtual doubling of Homeland Security-to-INTERPOL processing over a dramatically short period of time.
The ‘eyes-on’ check
When arriving travelers make their way through customs, the Stolen and Lost Travel Document check is just one of a number of measures – both technical and procedural – that are exercised. Also included is an “eyes-on” assessment by a trained border control agent. This eyes-on check of the traveler context, providing behavior and body language clues, is a vital component in the vetting of passengers through border control.
With outbound travelers, however, the process is far less stringent. Adopting the Stolen and Lost Travel Document check for outbound passengers is an important first step to ensure lost or stolen documents are not being used. However, if the document is fraudulent or has not been reported stolen, there is nothing that can replace an outbound border control specialist with eyes-on training to pick up on important clues that something may be amiss.
Outbound validation is critical
While more than 110 countries are now issuing first-generation Basic Access Control electronic travel documents, very few – less than 15 – are electronically validating inbound passengers. And none of them are electronically validating outbound documents.
Proper electronic validation – of both incoming and outgoing passengers – provides high assurance of the integrity and authenticity of the document, significantly mitigating the threat of forgery. While the potential for technology failures is always a possibility, it still provides the means to appropriately process travel documents for secondary inspection.
Using advanced passport technology
Leveraging more advanced technologies, like those associated with mapping the biometric of the individual to a trusted record at inspection time, would significantly address mitigation of the impersonation threat. Option include:
- Advanced facial geometry/recognition mapped against a trusted representation of the individual held centrally.
- Adoption of the European Union Schengen Area ePassports that are authenticated using second-generation biometric validation based on Extended Access Control protocols.
These procedures could be implemented to verify the travel documents of both departing and arriving passengers.
When properly validated, Extended Access Control-enabled travel documents create a biometric binding to the individual and provide the highest possible assurance that the individual is who they claim to be.
In the U.S., even if there is no adoption of Extended Access Control protocols for their own document and validation technology, it may very well make sense to implement that validation for EU documents, which are also supported by Malaysia and Chile with others intending to come online.
Safeguarding non-electronic documents
To date, more than 85 countries are yet to migrate to ePassport standards. Many of these countries also lack rigorous processes around supply chain, identity-vetting and identity/credential management in general.
While the criminal focus often lies with documents that have bad standing or credibility, the non-chip documents of these countries represent a much easier target for fraudulent manipulation. While ePassports and other electronic travel documents are receiving heightened attention, vulnerabilities around the evaluation of non-electronic documents remain. The physical security features of these documents are essential to validation.
International authorities – INTERPOL, ICAO and IATA – as well as developed world countries with concern for the threat of fraudulent travel documents, need to focus their efforts on building capacity in the developing world to recommend and support the following:
- The provision of strong, fixed and variable physical document security features in machine-readable travel documents, especially where no electronic security features are anticipated
- Rigorous processes around control of supply chain, identity-vetting and identity/credential management critical to the security of the ecosystem
- Accelerated adoption of at least first-generation Basic Access Control ePassports.