
Time To Reflect: Where Have We Been—Where Do We Go

Time To Reflect: Where Have We Been—Where Do We Go. Barry J. Kefauver. Best Practices Workshop, Bogota, Colombia, November 10-12, 2008. Current Status: There are over 50 countries issuing chip-based passports. More than 50% of the world’s passport issuance is now chip-based.



Presentation Transcript


  1. Time To Reflect: Where Have We Been—Where Do We Go
     Barry J. Kefauver
     Best Practices Workshop
     Bogota, Colombia
     November 10-12, 2008

  2. Current Status
     • There are over 50 countries issuing chip-based passports
     • More than 50% of the world’s passport issuance is now chip-based
     • There remain a number of countries that need to develop machine-readable passport programs before the April 2010 deadline
     • Work continues to refine and enhance, but implementations go quite well
     • The inspection of these documents lags far behind the issuance programs
     • The ICAO TAG met in May and decided on a work program for the coming several years

  3. Document 9303 Development
     • London November 2000—Contactless chips
     • Biometrics Selection TR 2001
     • New Orleans Resolution February 2003—face, finger, iris, chips
     • London July 2003--Joint ICAO/ISO meeting
     • LDS TR 2003
     • PKI TR 2003
     • Biometrics Deployment TR 2003
     • Canberra testing, February 2004
     • Berlin, February 2005—the “Guide”
     • Montreal, 2005--TAG acceptance of Edition Six Part 1
     • Berlin, May-June 2006—many rounds of testing leading to this
     • Supplement Edition Seven in preparation for posting
     • Prague Conformity and Interoperability Testing—September
     • Part 3 drafted and approved, publication underway now

  4. Fundamental Truth vs Urban Myth
     • 14443 and 18000-6C/Gen 2
     • Skimming
       - Reading the electronic data in an IC chip surreptitiously with a reader in the vicinity of the travel document.
     • Eavesdropping
       - When data from an IC chip are intercepted by an intruder while it is being read from an authorized reader.
     • Cloning
       - Copying the data that has been placed on a chip
       - “Although he can clone the tag, (the hacker) says it's not possible, as far as he can tell, to change data on the chip, such as the name or birth date, without being detected. That's because the passport uses cryptographic hashes to authenticate the data.”
     • Shielding and the Faraday cage

  5. The Wave of the Present: Travel Document Enhancements Widespread
     • Document security technologies are very mature and broadly used
     • Contactless chips: ISO 14443
     • Biometrics: face, finger, iris
     • Cryptography: data security and integrity
     • Data Sharing: bilateral, multilateral, special-purpose, commercial and government
     • The document itself has never been stronger

  6. Testing History
     • Canberra, Australia
     • Morgantown, West Virginia, USA
       - A very significant event
       - Participants
     • Sydney, Australia
       - Improved, but much work to be done
     • Laboratory testing at US NIST
     • Several other operational tests, e.g. BWI, Tsukuba, Berlin
       - Each one reflected improved interoperability
     • Conformity testing in Prague

  7. The So-What Test
     • Pragmatics of mischief
       - Distance
       - Power
       - Visibility
     • At what price?
     • And then “what” do you have?

  8. Factors to Keep in Mind
     • Biometrics--the only reason why we have a chip
     • The early days post 9/11
     • Evolution to the present
     • Germany has launched fingerprint, others underway now or soon to be
     • The so-what test—make SURE you ask this
     • Not just a chip
       - The e-passport is everything that non-e passports are, but in addition, with a chip
       - Inks
       - OVDs of many hues and flavors
       - Paper and accompanying measures to protect
       - Watermarks of various technologies
       - Security printing
       - Many other physical features

  9. But Still A Risky Business
     • The beatings will continue until morale improves
     • The challenges and the opportunities
     • I will keep bleating on this topic until the issues are addressed

  10. Issues Facing Border Control Today
     • Profiling
     • Biometrics
     • Data and information sharing
     • Privacy and data integrity
     • New visions of next generation technologies
     • Enrollment and other systems

  11. New Initiatives
     • Information and data sharing, real time communications capability
     • Centralized civil registry databases
     • Shift from counterfeits to fraudulent genuines
     • Numerous online enrollment and other-services programs are being deployed
     • A need for standards to smooth information gathering and sharing prior to departure
     • Identity theft has captured worldwide attention and concern
       - The average fraud amount per case has increased from $5,249 to $6,383, over two years in the US alone
       - The total one-year cost of identity fraud increased from $53.2 billion to $56.6 billion over those two years in the US alone
       - The vast majority of identity fraud victims (68%) incur no out-of-pocket expenses. (This points out that businesses are victims of fraud as well.)
       - Victims are spending more time to resolve identity fraud

  12. So---Now What
     • The story needs to be told—inform the traveling public of measures being taken and why
     • What identity management and biometrics do FOR you rather than TO you
     • Adopt a planning and risk management process that fits YOUR program’s needs

  13. Best Practices
     • A fundamental first step is to conduct a comprehensive risk analysis and THEN a risk management profile
     • Incorporate risk management measures into program planning, e.g., Frontex in EU
     • Standards are needed: requirements that must be addressed as minimum specifications
     • Fraud prevention programs: detection, deterrence, follow-up, information sharing
     • Monitoring and auditing document inspection processes as well as document issuance and entitlement authorizations
     • Implement security techniques, such as mutual authentication, cryptography and verification of message integrity, to protect identity information throughout the application
     • Ensure protection of all user and credential information stored in central identity system databases, allowing access to specific information only according to designated access rights
     • Notify the user as to the nature and purpose of the personally identifiable information (PII) collected, its usage and length of retention
     • Notify the user about what information is used, how and when it is accessed and by whom, and provide a redress mechanism to correct information and to resolve disputes

  14. Thank you for your attention… Barry J. Kefauver Jetlag10@earthlink.net
