Full Disclosure mailing list archives

Re: THC releases video and tool to create fake ePassports


From: Michael Holstein <michael.holstein () csuohio edu>
Date: Wed, 22 Apr 2009 11:54:49 -0400


Incredibly, last week, after performing a series of security tests on
the passport application process and discovering some failures, the US
GAO still state they don't know much about the fraudulent methods:
http://www.gao.gov/new.items/d09583r.pdf
  

Ironically, all their fancy methods for "detecting fraud" discuss 
cross-checking the SSN of the applicant, when in fact, the SSN isn't 
even required to process a passport application (although the IRS can 
technically fine you $500 if you don't).

Ever actually READ the back of the passport application? The relevant 
information is at the top of page 3
http://www.state.gov/documents/organization/100004.pdf

Heck .. you can get a passport without any ID *at all* if you bring a 
"family bible record of your birth" and somebody that can vouch for your 
identity (see page 2 of the above application).

Oh .. and the funniest thing of all on the application .. bottom of page 4 :

"The electronic chip must be read using specially formatted readers,
which protects the data on the chip from unauthorized reading."
 
"specially formatted" .. meaning anything from this list? : 
http://rfidiot.org/index.html#Hardware

Regards,

Michael Holstein
Cleveland State University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

