August 04, 2006

IdentityWatch: Cloning the RFID, swimming the channel on the cheap, the Russian view, AML success rate, and the genesis of Id Theft?

"Hackers clone e-passports" from wired reports that the RFID in the new passport formfactor can be cloned for peanuts:

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.

Lynn says that sounds somewhat akin to the "yes card" clones of sda chip&pin that started to show up in the 90s [1, 2].

And now for something completely different:

Confidence in the Government's immigration policy - insofar as it has one - is at rock bottom. The latest revelation was buried in a threat assessment issued by the Serious Organised Crime Agency yesterday. It revealed that the cost of a clandestine passage from France to Britain is now just 150.

Is that with a free Identity, or don't you need one as you stride out below the white cliffs of Dover? I've postulated on the basis of this and other collected resources that $1000 is the value of your identity. Over in Russia, Vlad Miller also came up with a $1000 maximum liability number which he uses when selling identity certification. He writes (from email):

My estimations of the liability amount was mostly based on similar indirect research of black market prices. According to the majority of my sources (paper and internet press as well as some unofficial discussions with old-hat officials from MIA) russian black market has two main fake identity (mostly domestic passports) offers:

1. Fake real identity, that is just a counterfeit document that looks real (at glance or under a more in-detail examination). Those cost 100-800 USD depending on the quality of forgery.

2. Real fake identity, that is a *real* and fully legal identity document issued on a *fake* name. These IDs can't be detecter with any forgery detection techniques; in some cases you can't determine this is a forgery even by inquiry to the official MIA database because this fake name is entered there too (this is resembling to real fake IDs used by undercover operatives). Such forgeries cost starting at 1200 USD (just filled on a legal blank) and may run up to 2000 USD and even more (fake information is inserted into the database).

I've made some security risks calculations, and final $1000 came up.

Our routine survey of fake Ids does not challenge:

The fake IDs were for more than 20 countries including South Korea, Singapore, Germany and the United States. Police also found about 1,500 visas for Australia, Malta, Moldova, the European Union (EU), Canada, Japan and South Africa. ... The suspects admitted that the gang charged about 4,000 baht ( 105 U.S. dollars) for producing a fake passport. They added forgery had become easy with the help of high-tech digital equipment.

Where this comes to the point is in the application of money. Here's Dani's Report from the Wild East:

I have participated in a conference titled "Banking and Criminal Law" organized by the International Association of Penal Law (AIDP, ) where the following figures were announced for 2005 in Hungary:

Reports by banks and law-firms concerning possible money-laundering: approx. 14000
Investigations initiated by the police: 8
Cases heared at court: 2
Guilty verdicts: 0
At the same time, the estimated volume of money laundering through the Hungarian financial system during the same year: $4 billion.

These figures came as a shock to some of the participants (including myself). This proves that the immensely expensive snooping machinery that requires one or two full-time employees at major branches (the guy dealing with the paperwork required for reporting suspicious cash transactions), which both customers and banks hate, is completely ineffective. Banks were forced into compliance by the regulation that puts the criminal responsibility for money-laundering on the teller, if s/he failed to report it; thus, they end up reporting almost every transaction, just in case. Same for law firms and escrow agencies (these two functions are traditionally performed by the same companies in Hungary).

On the other hand, living without a bank account is nearly impossible in Hungary (for instance, it is illegal to pay salaries in cash for a wide range of jobs) and it is becoming increasingly burdensome to transact without the banks' participation. It's getting worse year by year.

Russia is a completely different story, where the trust in the banking sector is generally low among the general population and large parts of savings are held either at home in cash (exclusively in USD during the nineties, then in Euros and in the past two years increasingly in the local currency, roubels) or lended to trustworthy friends and relatives. Major money laundering is done through off-shore banks, mostly in the baltic states (Russian-owned Latvian banks are the favorites). Even if salaries arrive to bank accounts, people tend to visit the ATM on pay-day to get some cash (most ATMs give both roubles and USD; when ATMs first appeared in Russia, they were dollar-only). Escrow agencies (of which WebMoney is technically one) are very popular in securing p2p or b2b transactions. These are very loosely regulated, use a diverse set of communication channels, and God alone can track all the financial flows. There are just too many of them.
Posted by: Daniel A. Nagy

It is relatively easy to draw a line from drugs -> ML -> AML -> identity obsession -> identity theft, albeit hard to stomach for the unforseen consequences. We can now possibly calculate the losses from AML: as identity became necessary for more and more processes, including for example the expansion of the credit society, more and more stress is placed on the weak instrument of the one true identity. In this case, the AML people have paved the way for fairly massive identity theft and concomittant fraud. Last time I saw the figures it was running around $10bn per year in the US, but maye it is more:

Nearly 10 million consumers were victimized by some form of identity theft in 2004 alone. That equals 19,178 people per day, 799 per hour and 13.3 per minute. Consumers have reportedly lost over US$5 million, and businesses have lost an estimated $50 billion or more.

The authorities will see statistics on the uselessness of AML as more evidence that they must try harder, but economists see it differently; If we reverse the cause and effect in our minds, correlation is still found to confirm our mistakes.

The late great President Ronald Reagan is often lauded as the most Austrian of leaders, but he made some mistakes. As instigator of the original war on drugs, he set the foundation for our current epidemic of identity theft, and his war fell victim to the law of unforseen consequences.

Posted by iang at August 4, 2006 08:42 AM | TrackBack

Today's Lynngram has a wealth of links on the RFID hack.

IdentityWatch: Cloning the RFID, swimming the channel on the cheap, the Russian view, AML success rate, and the genesis of Id Theft?
Computer hackers get lesson on cloning passport, cash card tags
some comment
Researcher warns of security problem in electronic passports
Researchers: E-passports pose security risk
Researchers: E-passports pose security risk
Researchers: E-passports pose security risk
Researcher: E-passports easy to clone
Researchers: E-passports pose security risk
Researcher warns of security problem in electronic passports
Expert Warns on E-Passport Security
Expert Issues Warning About E-Passports
German hackers clone RFID e-passports
Expert: E-passports vulnerable
Expert Issues Warning About E-Passports
Hackers crack new biometric passports,,1838754,00.html
Expert warns on e-passport security
RFID e-passports hacking and terrorism risk says experts
Electronic passports vulnerable, expert says
RFID passports vulnerable to hackers, security expert says
German Security Consultant Clones E-Passports
E Passports Susceptible To Cloning
Leader: Of course passport security is too weak,39024655,39161216,00.htm
Researcher warns of security problem in electronic passports
Expert warns on e-passport security
German hackers clone RFID e-passports
German Expert: RFID Chips In E-Passports Can Be Cloned
E-passports.. a neverending story!
Expert issues warning about e-passports
The RFID Hacking Underground

Posted by: Lynngram results on RFID hack at August 7, 2006 09:01 PM

a little drift on the cloning subject
Researcher: A New passports vulnerable
Radio security tags can be cloned
Biometric passports cracked
Computer hackers get lesson on cloning passport, cash card tags;_ylt=A86.I2you9dEONYA4wsjtBAF;_ylu=X3oDMTA0cDJlYmhvBHNlYwM-
Hackers clone radio-chip passports
Biometric passport technology hacked
German passports vulnerable to hackers
Hacker Cracks, Clones RFID Passport
Experts: E-Passport Data Can Be Stolen - Wireless Chips
Hacker Cracks, Clones RFID Passport
Debit card not the safest form of plastic

Posted by: Lynngram more links on RFID hack at August 8, 2006 09:07 AM

Electronic Passport Cloning Claim Does Not Constitute Threat to Border
Security and Citizen Privacy
E-Passport ally responds to cloning claims (this somewhat assumes a human remains in the loop in conjunction with physical identifying characterists)
GAO: Passenger screening program not ready to take off (there have been stories that the issue of whether a human remains in the loop has come up in this program and there have been claims that it has also been raised in some of the e-passport programs)
GAO: Passenger screening program not ready to take off

Posted by: Lynngram -- once more with feeling at August 10, 2006 11:40 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.