Who are you? Who who? Who who?

Lizzie pointed me to the Guardian’s interesting article on passport security—digital passports make it easier to pose as someone else. No need to steal someone’s passport when you can duplicate it and travel as someone else. Also interesting from a privacy angle: the passport broadcasts its data via RFID “up to a few meters […] depending on the chosen radio frequency and antenna design/size” (according to Wikipedia). But even if that range isn’t often repeatable, the reliable range is certainly long enough to stand next to someone whose passport data you’d like to gather.

Consider this scenario: A postman involved with organised crime knows he has a passport to deliver to your home. He already knows your name and address from the envelope. He can get your date of birth by several means, including credit-reference agencies or from the register of births, marriages and deaths (and, let’s face it, he delivers all your birthday cards anyway).

He knows the expiry date – 10 years from yesterday, give or take a day, when the passport was mailed to you. That leaves the nine-digit passport number. NO2ID says reports from its 30,000 members up and down the country are throwing up a number of similarities in the first four digits of the passport number, so that reduces the number of permutations, potentially leaving five purely random numbers to establish.

“If the rogue postman were to take your passport home, without opening the envelope he could put it against a reader and begin a ‘brute force’ attack in which your computer tries 12 different permutations every second until it has the right access codes,” says [thebunker.net’s Kent] Laurie. “A five-digit number would take 23 hours to crack at the most. Once all those numbers were established, you could communicate with the RFID chip and steal all the information. And your passport could be delivered to you, unopened and just a day late.”

Thanks to Lizzie for the tip.