2. Chip broken on purpose
o Thorough second line inspection when the chip of an e-passport is broken, so that a broken chip isn't an advantage for crossing the border illegally.
o Use material for the data page of the e-passport which shows when the e-passport has been microwaved, and place the chip in this data page.
3. Lack of centralised security standards (refer to second line).
Regulation at EU level regarding border control standards and procedures.
Further discussion
Risks related to technical interoperability issues score low.
The highest-scoring risk is use of national identity cards as travel documents. Within the European Union, national identity cards can be used as travel documents between Schengen and non-Schengen countries. In certain EU Member States, national identity cards are the most used travel documents by EU citizens to cross the border. All EU citizens can use their national identity cards to return to the European Union from abroad. National identity cards can also be used as travel documents for certain countries outside the EU (based on bilateral agreements).
However, contrary to passports issued by EU Member States, national identity cards do not need to comply with a common specification. National identity cards, for example, do not need to contain a chip or may contain a contact chip. The security of national identity cards can be significantly lower than that of EU passports, thus making unauthorised border crossing on the basis of a falsified or counterfeited national identity card more likely than on the basis of a passport.
To counter the threat national identity cards pose for unauthorised border crossing, participants suggested that regulation at EU level is required. Such regulation may either require the use of passports at external border crossings, or establish (minimum) requirements for security features that national identity cards should fulfil to function as travel documents. Compliance of the identity cards with, for example, the EU passport specification could be required.
The second-highest scoring risk is a (purposely) broken chip in an e-passport. When the chip of an e-passport is broken, the passport is still valid to enter the EU or to cross borders within the EU between Schengen and non-Schengen countries. When the chip is broken, the additional security offered by the chip cannot be used. This additional security includes the possibility of automated face and fingerprint verification, the possibility to show the facial image stored in the chip to the border guard to be compared with the image on the data page and to the holder, the checking of the authenticity of the chip and the chip data and the possibility to compare the biographic data in the chip to the biographic data on the data page. It may, therefore, be advantageous to break the chip on purpose, thus enhancing the possibilities of a lookalike fraud and use of counterfeited or falsified passports. Conversely, a broken chip does attract extra unwelcome attention for the attacker.
Breaking the chip is rather easy (e.g. using microwave radiation) and is hard to detect.17 Conversely, a broken chip is likely to attract more attention, which may not be welcome for the attacker.
When the chip is supposed to be read at border control, but does not work, the passport will be visually inspected. Although it will not (immediately) be clear whether the chip broke down accidentally or was broken on purpose or perhaps even whether the chip is not working in combination with the inspection system, the passport should be checked more thoroughly than standard visual first line border control inspection to counter the enhanced risk of unauthorised border crossing. Preferably, the passport should be referred to second line inspection.
17 The UK has passports where the data page containing the chip visibly changes when microwave radiation is applied.
Some participants mentioned that the chip is not the only security feature of the passports, that at the moment a significant number of passports do not have a chip yet, and that quite often the chip isn't read at border control anyway. The high score of the risk, however, indicates that many participants consider it a serious risk.
The third-highest scoring risk is the lack of centralised security standards, e.g. about referral to second line inspection. Because of the absence of internal borders within the EU Schengen area, the quality of external border control in one Member State influences the security of all Member States.
Inadequate border control of a Member State poses a risk to all Member States within the Schengen area. Therefore, a minimum set of centrally imposed or harmonised security standards for border control would be a way to ensure a base level.
Topic #2: Possibilities of (second-generation) e-passport are not fully used or not used correctly
The average risk scores of the different vulnerabilities are indicated in the table below.
# Hypothetical vulnerability Average risk rating [1-25]
6 No EU rules and regulations on border control
6-8 No requirements for referral to second line when first line verification fails 12
6-5 No requirements for first line mobile inspection systems operated by border guard 11
6-6 No requirements for ABC systems (supervised by border guard) 11
6-7 No requirements for second line inspection 11
6-3 No requirement to use fingerprints when present 11
6-1 No requirement to read the chip when present 11
6-4 No requirements for first line fixed inspection systems operated by border guard 11
6-2 No requirement on automated biometric verification when chip is present 10
12 No verification of fingerprints at
12-4 Second line inspection system 12
12-2 First line mobile reader 8
12-1 First line manned booth 8
12-3 ABC system 6
9 Lack of specific training of border guards on e-passport handling 12
8 No standard procedures when the security mechanisms fail 10
7 No standard procedures when reading the chip fails 10
1 Insufficient guidance provided by border system to border guard (V.51) 9
2 Insufficient operational ability for border control to evaluate security mechanisms of the e-passport (V.52) 8
10 Not using the chip at all 8
11 No automated verification of facial image at
11-3 ABC system 8
11-4 Second line inspection system 7
11-2 First line mobile reader 7
11-1 First line manned booth 6
4 Insufficient biometric quality (V.59) 8
3 Issues when verifying biometrics during border control (V.56) 7
5 Lack of centralised security standards (V.1) 5
Table 11 - Average risk ratings usage topic #2
The following charts were produced based on the attendee responses. Per hypothetical vulnerability, the ratings are displayed as a 25% percentile - 75% percentile box, with the average displayed as the border between the light and dark red boxes. The minimum and maximum ratings are visualised in error bars. Thus, 50% of the respondents rated the risk within the range of the box (and, thus, 25% below and 25% above), while the average is the change in colour of the box.
Figure 16 - Usage topic #2 risk rating (chart not reproduced; axes: hypothetical vulnerability, perceived risk level)