Countermeasures for highest risks
The controls to mitigate the high-scoring risks related to topic 2 can be:
1. No EU rules and regulations on border control
Regulation at EU level on border control, i.e. requirements on reading the chip, automated biometric verification, implementation of fingerprint verification, inspection systems, mobile readers and ABC systems, requirements for second line inspection and referral to second line inspection.
2. No verification of fingerprints at second line inspection
Regulation at EU level on implementation of fingerprint verification, inspection systems, mobile readers and ABC systems, requirements for second line inspection and referral to second line inspection.
3. Lack of specific training of border guards on e-passport handling
Training of EU border guards specifically focused on e-passport handling.
4. No standard procedures when the security mechanisms fail
Defining standard procedures, preferably at EU level, but also at a national level, on handling failures in reading the chip or verifying the chip security mechanisms.
5. No standard procedures when reading the chip fails
Defining standard procedures, preferably at EU level but also at a national level, on handling failures in reading the chip or verifying the chip security mechanisms.
Further discussion
There are three types of risks which score high for this topic: (a) that there are no EU requirements or standard procedures, e.g. for referral to second line inspection when first line verification fails, (b) that fingerprints are not verified at second line inspection and (c) that border guards are not sufficiently trained on specifically handling e-passports.
The purpose of border control is to keep ineligible persons (i.e. persons without the correct rights, persons mentioned on watch lists, persons personating someone else) out of the country. First line border control aims to pick out all travellers who require more thorough inspection. For efficiency, first line border control must be performed quickly or in an automated way. A border guard has on average 10 seconds to determine whether the passport is genuine, whether it belongs to the holder, and whether the traveller is eligible to enter the country. When there is doubt, a more thorough investigation is required. This is normally done at second line border control, where more time is available to investigate the passport and its holder. The traveller can be questioned, information systems can be checked, and additional means to establish the authenticity of the passport may be available.
When inspection is performed only visually by a border guard, referral to second line when in doubt is obvious. However, when automated inspection of the chip or automated biometric verification fails at a manned booth or border guard operated mobile inspection system, referral to second line may not be done if the border guard at first line inspection does not consider this necessary based on a visual inspection of the passport and its holder. This then, however, undermines the security added by the e-passport chip. Since border control has become a shared task in the EU Schengen area, the participants indicated that a common policy on the importance of the chip in the passport with respect to the passport booklet seems necessary. Similarly, the participants indicated that it seems logical to have a common policy on border control in general, including requirements for first and second line border control, referral to second line inspection, using the chip, automated biometric verification, inspection systems, mobile readers and ABC systems.
Time considerations seem to make fingerprint verification not suitable for first line border control at manned booths or when mobile inspection systems are used by border guards, but it seems to be an effective way to determine or rule out lookalike fraud at second line inspection. Fingerprints have been added to passports to provide a more reliable way to verify the holder's identity. Using this potential seems logical. And since border control has become a shared task in the EU Schengen area, the participants indicated that it seems logical to have common requirements within the EU on the use of fingerprint verification at (second line) border control. One workshop participant, however, remarked that this may be difficult for border control points with a low number of foreign travellers. A participant also remarked that at second line, the focus is on the traveller, asking him/her questions and doing a background check, meaning that fingerprint verification does not add to the verification process at second line.
Border control agencies have years of experience checking paper travel documents. The chip is a relatively new addition, only present in passports issued since 2006. Use of the chip at border control is an even more recent development. This means border control agencies still lack the experience in chip inspection which they have for inspection of the paper documents. This is considered a serious risk by the respondents. The risk posed by this lack of experience with chip inspection could be diminished by training border control agents specifically on handling e-passports.
A remarkable outcome of the risk assessment on topic 2 is that the absence of fingerprint verification at ABC systems is not considered a serious or even intermediate risk. This puts a lot of trust on the automated verification of the face against the image stored in the chip, which might not be based on numbers.
6.5.3.3. Topic #3: Unavailability of a reliable inspection infrastructure
| # | Hypothetical vulnerability | Average risk rating [1-25] |
|---|---|---|
| 13 | Likelihood that fingerprint verification doesn't work because of: | |
| 13-1 | No working verifying PKI up to inspection systems | 15 |
| 13-2 | No exchange mechanism for certificates (requests) with other countries (SPOC or bilateral) in own country | 14 |
| 13-3 | Other countries are not able to receive or sign DVCA certificate requests | 11 |
| 13-8 | Quality of fingerprints stored in chip too low (reliability) | 10 |
| 13-7 | No fingerprint scanners at second line inspection | 9 |
| 13-4 | No fingerprint scanners at first line manned booth | 7 |
| 13-5 | No fingerprint scanners at first line mobile inspection system | 7 |
| 13-6 | No fingerprint scanners at ABC systems | 6 |
| 15 | Not checking AA or CA | 12 |
| 16 | IS only support AA or only CA (one exclusively, not both) | 11 |
| 2 | Insufficient security in Systems Development Life Cycle of border control systems (V.65) | 11 |
| 4 | Insufficient confidentiality protection of (EAC) private keys (V.61) | 10 |
| 3 | Insufficient integrity protection of (storage of) public key certificates (DS certificates, CSCA) (V.60) | 10 |
| 14 | Not checking PA or not correctly/fully checking PA because of | |
| 14-1 | No verification of the signature by IS (only the hash values) | 10 |
| 14-5 | Illegitimate insertion of CSCA certificates in IS | 9 |
| 14-2 | No verification of certificates (spoofing of CSCA possible) | 9 |
| 14-3 | (CSCA) certificates unavailable | 8 |
| 14-4 | DS certificates unavailable | 7 |
| 14-6 | No proper use of CRLs (placement/distribution takes too long, CRLs are not downloaded/used) | 7 |
| 5 | Lack of centralised security standards (V.1) | 9 |
| 1 | Insufficient logical/network access controls in border control systems (V.64) | 9 |
| 11 | Not showing the facial image from the chip to the border guard | |
| 11-2 | First line mobile inspection system | 8 |
| 11-1 | First line manned booth | 7 |
| 11-3 | Second line inspection system | 7 |
| 12 | Purposely misconfigured terminals | 8 |
| 8 | No EU protection profile for inspection systems and ABC systems | 8 |
| 7 | No functional specifications for inspection systems and ABC systems | 7 |
| 10 | Not explicitly comparing the MRZ from data page to MRZ from chip | 7 |
| 6 | Accidentally misconfigured terminals | |
| 6-2 | Technical communication problems due to software | 6 |
| 6-1 | Technical communication problems due to hardware | 4 |
| 9 | Technical problems with interpretation of e-passport data | 5 |
Table 12 - Average risk ratings usage topic #3
The following charts were produced based on the attendee responses. Per hypothetical vulnerability, the ratings are displayed as a box spanning the 25th to the 75th percentile, with the average displayed as the border between the light and dark red boxes. The minimum and maximum ratings are visualised as error bars. Thus, 50% of the respondents rated the risk within the range of the box (and, thus, 25% below and 25% above), while the average is the change in colour of the box.
Figure 17 - Usage topic #3 risk rating