August 04, 2006

IdentityWatch: Cloning the RFID, swimming the channel on the cheap, the Russian view, AML success rate, and the genesis of Id Theft?

"Hackers clone e-passports" from Wired reports that the RFID in the new passport form factor can be cloned for peanuts:

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.

Lynn says that sounds somewhat akin to the "yes card" clones of SDA chip&pin that started to show up in the 90s [1, 2].

And now for something completely different:

Confidence in the Government's immigration policy - insofar as it has one - is at rock bottom. The latest revelation was buried in a threat assessment issued by the Serious Organised Crime Agency yesterday. It revealed that the cost of a clandestine passage from France to Britain is now just £150.

Is that with a free Identity, or don't you need one as you stride out below the white cliffs of Dover? I've postulated on the basis of this and other collected resources that $1000 is the value of your identity. Over in Russia, Vlad Miller also came up with a $1000 maximum liability number which he uses when selling identity certification. He writes (from email):

My estimations of the liability amount were mostly based on similar indirect research of black market prices. According to the majority of my sources (paper and internet press as well as some unofficial discussions with old-hat officials from MIA) the Russian black market has two main fake identity (mostly domestic passports) offers:

1. Fake real identity, that is just a counterfeit document that looks real (at a glance or under a more in-detail examination). Those cost 100-800 USD depending on the quality of forgery.

2. Real fake identity, that is a *real* and fully legal identity document issued on a *fake* name. These IDs can't be detected with any forgery detection techniques; in some cases you can't determine this is a forgery even by inquiry to the official MIA database because this fake name is entered there too (this resembles the real fake IDs used by undercover operatives). Such forgeries cost starting at 1200 USD (just filled on a legal blank) and may run up to 2000 USD and even more (fake information is inserted into the database).

I've made some security risk calculations, and a final $1000 came up.

Our routine survey of fake IDs does not challenge that number:

The fake IDs were for more than 20 countries including South Korea, Singapore, Germany and the United States. Police also found about 1,500 visas for Australia, Malta, Moldova, the European Union (EU), Canada, Japan and South Africa. ... The suspects admitted that the gang charged about 4,000 baht (105 U.S. dollars) for producing a fake passport. They added forgery had become easy with the help of high-tech digital equipment.

Where this comes to the point is in the application of money. Here's Dani's Report from the Wild East:

I have participated in a conference titled "Banking and Criminal Law" organized by the International Association of Penal Law (AIDP, http://www.penal.org ) where the following figures were announced for 2005 in Hungary:

Reports by banks and law-firms concerning possible money-laundering: approx. 14000
Investigations initiated by the police: 8
Cases heard at court: 2
Guilty verdicts: 0
At the same time, the estimated volume of money laundering through the Hungarian financial system during the same year: $4 billion.

These figures came as a shock to some of the participants (including myself). This proves that the immensely expensive snooping machinery that requires one or two full-time employees at major branches (the guy dealing with the paperwork required for reporting suspicious cash transactions), which both customers and banks hate, is completely ineffective. Banks were forced into compliance by the regulation that puts the criminal responsibility for money-laundering on the teller, if s/he failed to report it; thus, they end up reporting almost every transaction, just in case. Same for law firms and escrow agencies (these two functions are traditionally performed by the same companies in Hungary).

On the other hand, living without a bank account is nearly impossible in Hungary (for instance, it is illegal to pay salaries in cash for a wide range of jobs) and it is becoming increasingly burdensome to transact without the banks' participation. It's getting worse year by year.

Russia is a completely different story, where the trust in the banking sector is generally low among the general population and large parts of savings are held either at home in cash (exclusively in USD during the nineties, then in Euros and in the past two years increasingly in the local currency, roubles) or lent to trustworthy friends and relatives. Major money laundering is done through off-shore banks, mostly in the Baltic states (Russian-owned Latvian banks are the favorites). Even if salaries arrive to bank accounts, people tend to visit the ATM on pay-day to get some cash (most ATMs give both roubles and USD; when ATMs first appeared in Russia, they were dollar-only). Escrow agencies (of which WebMoney is technically one) are very popular in securing p2p or b2b transactions. These are very loosely regulated, use a diverse set of communication channels, and God alone can track all the financial flows. There are just too many of them.
Posted by: Daniel A. Nagy

It is relatively easy to draw a line from drugs -> ML -> AML -> identity obsession -> identity theft, albeit hard to stomach for the unforeseen consequences. We can now possibly calculate the losses from AML: as identity became necessary for more and more processes, including for example the expansion of the credit society, more and more stress is placed on the weak instrument of the one true identity. In this case, the AML people have paved the way for fairly massive identity theft and concomitant fraud. Last time I saw the figures it was running around $10bn per year in the US, but maybe it is more:

Nearly 10 million consumers were victimized by some form of identity theft in 2004 alone. That equals 19,178 people per day, 799 per hour and 13.3 per minute. Consumers have reportedly lost over US$5 million, and businesses have lost an estimated $50 billion or more.

The authorities will see statistics on the uselessness of AML as more evidence that they must try harder, but economists see it differently: if we reverse the cause and effect in our minds, correlation is still found to confirm our mistakes.

The late great President Ronald Reagan is often lauded as the most Austrian of leaders, but he made some mistakes. As instigator of the original war on drugs, he set the foundation for our current epidemic of identity theft, and his war fell victim to the law of unforeseen consequences.

Posted by iang at August 4, 2006 08:42 AM
Comments

Today's Lynngram has a wealth of links on the RFID hack.

IdentityWatch: Cloning the RFID, swimming the channel on the cheap, the Russian view, AML success rate, and the genesis of Id Theft?
https://financialcryptography.com/mt/archives/000770.html
Computer hackers get lesson on cloning passport, cash card tags
http://news.yahoo.com/s/afp/20060806/tc_afp/afplifestyleinternetithacksecuritycounterfeit_060806135401
some comment
http://www.garlic.com/~lynn/aadsm25.htm#9
Researcher warns of security problem in electronic passports
http://seattlepi.nwsource.com/local/6420AP_NV_Computer_Security.html
Researchers: E-passports pose security risk
http://news.zdnet.com/2100-1009_22-6102608.html
Researchers: E-passports pose security risk
http://news.com.com/2100-7349_3-6102608.html?part=rss&tag=6102608&subj=news
Researchers: E-passports pose security risk
http://news.com.com/Researchers+E-passports+pose+security+risk/2100-7349_3-6102608.html?tag=nefd.top
Researcher: E-passports easy to clone
http://www.securityfocus.com/brief/272
Researchers: E-passports pose security risk
http://news.com.com/Researchers+E-passports+pose+security+risk/2100-7349_3-6102608.html
Researcher warns of security problem in electronic passports
http://www.mercurynews.com/mld/mercurynews/news/breaking_news/15207887.htm
Expert Warns on E-Passport Security
http://www.redorbit.com/news/technology/603572/expert_warns_on_epassport_security/index.html
Expert Issues Warning About E-Passports
http://abcnews.go.com/Technology/wireStory?id=2278740
German hackers clone RFID e-passports
http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=20856
Expert: E-passports vulnerable
http://www.azstarnet.com/news/140980
Expert Issues Warning About E-Passports
http://www.forbes.com/entrepreneurs/feeds/ap/2006/08/06/ap2929834.html
Hackers crack new biometric passports
http://politics.guardian.co.uk/homeaffairs/story/0,,1838754,00.html
Expert warns on e-passport security
http://www.msnbc.msn.com/id/14218149/
RFID e-passports hacking and terrorism risk says experts
http://www.itwire.com.au/content/view/5199/53/
Electronic passports vulnerable, expert says
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060806/electronic_passport_060806/20060806?hub=SciTech
RFID passports vulnerable to hackers, security expert says
http://www.theglobeandmail.com/servlet/story/RTGAM.20060806.welecpass0806/BNStory/Technology/home
German Security Consultant Clones E-Passports
http://www.allheadlinenews.com/articles/7004421125
E Passports Susceptible To Cloning
http://www.securitypronews.com/news/securitynews/spn-45-20060803EPassportsSusceptibleToCloning.html
Leader: Of course passport security is too weak
http://software.silicon.com/security/0,39024655,39161216,00.htm
Researcher warns of security problem in electronic passports
http://news.bostonherald.com/national/view.bg?articleid=151637
Expert warns on e-passport security
http://msnbc.msn.com/id/14218149/
German hackers clone RFID e-passports
http://www.desktops.engadget.com/2006/08/03/german-hackers-clone-rfid-e-passports/
German Expert: RFID Chips In E-Passports Can Be Cloned
http://www.playfuls.com/news_03822_German_Expert_RFID_Chips_In_E_Passports_Can_Be_Cloned_.html
E-passports.. a neverending story!
http://www.zone-h.org/content/view/13965/31/
Expert issues warning about e-passports
http://www.businessweek.com/ap/financialnews/D8JAN2680.htm?sub=apn_tech_down&chan=tc
The RFID Hacking Underground
http://www.wired.com/wired/archive/14.05/rfid.html

Posted by: Lynngram results on RFID hack at August 7, 2006 09:01 PM

a little drift on the cloning subject
http://www.garlic.com/~lynn/2006o.html#29
Researcher: A New passports vulnerable
http://www.cnn.com/2006/TECH/08/06/passport.security.ap/index.html
Radio security tags can be cloned
http://abc.net.au/science/news/stories/s1707785.htm
Biometric passports cracked
http://www.vnunet.com/computing/news/2161836/kacers-crack-biometric
Computer hackers get lesson on cloning passport, cash card tags
http://news.yahoo.com/s/afp/afplifestyleinternetithacksecuritycounterfeit;_ylt=A86.I2you9dEONYA4wsjtBAF;_ylu=X3oDMTA0cDJlYmhvBHNlYwM-
Hackers clone radio-chip passports
http://www.newscientisttech.com/article.ns?id=dn9689&feedId=online-news_rss20
Biometric passport technology hacked
http://www.techspot.com/news/22460-biometric-passport-technology-hacked.html
German passports vulnerable to hackers
http://www.dailyindia.com/show/49215.php/German-passports-vulnerable-to-hackers
Hacker Cracks, Clones RFID Passport
http://www.ecommercetimes.com/story/52270.html
Experts: E-Passport Data Can Be Stolen - Wireless Chips
http://www.newsfactor.com/story.xhtml?story_id=01300000CL8T
Hacker Cracks, Clones RFID Passport
http://www.technewsworld.com/story/52270.html
Debit card not the safest form of plastic
http://news.cincypost.com/apps/pbcs.dll/article?AID=/20060808/BIZ/608080302/1001

Posted by: Lynngram more links on RFID hack at August 8, 2006 09:07 AM

Electronic Passport Cloning Claim Does Not Constitute Threat to Border Security and Citizen Privacy
http://www.smartcardalliance.org/industry_news/industry_news_item.cfm?itemID=1582
E-Passport ally responds to cloning claims (this somewhat assumes a human remains in the loop in conjunction with physical identifying characteristics)
http://www.securityfocus.com/brief/276
GAO: Passenger screening program not ready to take off (there have been stories that the issue of whether a human remains in the loop has come up in this program and there have been claims that it has also been raised in some of the e-passport programs)
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002297&taxonomyId=17
GAO: Passenger screening program not ready to take off
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002297

Posted by: Lynngram -- once more with feeling at August 10, 2006 11:40 AM