ZDNet Continues to Spread Misinformation About E-Passports

Blogger Robin Harris gets his facts wrong about RFID transponders in passports yet again.
Published: July 21, 2009

I’ve never been a huge advocate of putting RFID tags in government documents, because unlike with products, people don’t have a choice about whether to carry a license or a passport. And unless there are adequate safeguards to protect the holder’s privacy, using RFID creates the potential for abuse. Still, I find the distortions being spread by ZDNet blogger Robin Harris troubling—and I think it’s important to set the facts straight.

Last week, I wrote about how Harris confused e-passports, which use secure RFID technology and shields, with PASS cards, which don’t use security because they don’t store any personally identifiable information (see Another Blogger Confuses the RFID Issue). This week, Harris has posted yet another blog on e-passports in which he says it’s very easy to spoof them. As proof, he cites a video that claims it shows Elvis Presley’s face on a self-scan terminal at Amsterdam’s Schiphol Airport (see Elvis, your e-passport is ready!).

The problem is that the image ZDNet displays is not the image of Elvis on a chip in a passport. It was uploaded to a smart card that uses the same air interface protocol as e-passports. So naturally, when the smart card is presented to an interrogator for e-passports, the interrogator will read the data on the transponder.

The video and blog make a big deal of the fact that the self-scan kiosk at Schiphol raises no alert about the long-dead Elvis being the passport holder. But the self-scan kiosk was only put in place to show travelers what’s on the chip. It serves no security role whatsoever. The passport readers used by customs agents, on the other hand, authenticate the transponder to spot cloned devices. And it should be obvious, even to someone like Harris, that if you handed your smart card to a customs agent, he or she would not be fooled into thinking it was a passport, and if you tried to take the smart card chip and put it into the passport, the tampering would be evident.

The fact that you can make a smart card carry data similar to what’s in a passport is akin to photocopying money: You can do it, but if you try to pass either off as legitimate, you will be arrested.

Harris writes, “The larger point is that RFID passports, driver’s licenses, credit cards and other identity documents are a Bad Idea,” claiming RFID credit cards “can be hacked for $8 from a foot or more away.” As I’ve pointed out before, reading data on a transponder is not the equivalent of being hacked.

The only data that’s stored on the transponder in an RFID-enabled credit card is the information printed on the front of the card—name, credit card number and expiration date—so anyone reading the data stored on the RFID chip from a foot away is getting the same information a waiter or gas station attendant gets when you hand over your credit card. If this information is so super-secret, why is it printed on the front of the card? And doesn’t Harris understand that the credit card companies have systems in place to detect the fraudulent use of legitimate credit card numbers, so that even if you got data off the card, you couldn’t use it?

Harris calls to mind Gilda Radner’s Emily Litella character on Saturday Night Live. Litella would do angry editorials on the show’s “Weekend Update,” denouncing such things as “violins on television,” the “Eagle Rights Amendment,” “presidential erections,” and “protecting endangered feces.” Once told that she had misunderstood the issue, Litella would end her segment with a polite “Never mind.” Perhaps when Harris realizes he’s attacking e-passports only because he’s ill-informed about the issue, he’ll fess up to his ignorance and set the facts straight. At the very least, he should publish a blog that says: “E-passports—never mind.”

Mark Roberti is the founder and editor of RFID Journal.