Home & Office

S'pore: Biometric passports are secure

The immigration authority in the island-state, along with other industry experts, brushes aside fears that e-passports can be hacked.
Written by Vivian Yeo, Contributor

SINGAPORE--The country's immigration authority, which has started to issue biometric passports, says fears that e-passports can be hacked are unfounded.

Commenting on a recent report that a German researcher had demonstrated that passports equipped with radio frequency identification (RFID) tags could be cloned, an ICA spokesperson noted in an e-mail that the claims "have not been supported by other experts".

She added: "The Singapore Biometric Passport complies with the recommendations and requirements laid down by the International Civil Aviation Organization. These include security standards established to ensure the integrity of passports."

Smart card vendor Gemalto has also urged governments not to worry about the security features of e-passports.

"The contactless smart card technology chosen for electronic passports is very different from the RFID technology used for inventory tracking, which do not require high levels of security and privacy protection," noted Martin McCourt, president of South Asia at Gemalto, in an e-mail response to queries from ZDNet Asia.

Gemalto supplied the contactless smart card technology for Singapore's e-passport rollout, and more recently secured a win with the U.S. Government Printing Office, which will on behalf of the U.S. Department of State incorporate the contactless technology in all new U.S. passports issued in 2007.

According to McCourt, the passport information in an e-passport cannot be changed. This means that immigration control authorities reading the information stored on the chip can determine the wrongful use of another person's chip information by verification through physical scrutiny. In addition, because information on the chip is digitally signed by the issuing country's passport authority, any attempts to create fake passport credentials will be detected, he pointed out.

New features, higher price
According to a statement issued on Jul. 25 by Singapore's Immigration and CheckPoints Authority (ICA), the country's new biometric passport or BioPass will cost S$80 (US$50.15) for walk-in applications at ICA's office, and S$70 (US$43.88) for online and mail applications. The new rates represent an increase of about 33.3 percent for applications in person, and 40 percent for applications via post or the Internet.
The increase in Singapore's passport price is almost comparable to the fare hike in the U.K. adult e-passport, which crept from 42 pounds (US$76.74) to the current 51 pounds (US$93.19), and is slated to rise again to 66 pounds (US$120.60) on Oct. 5.
In line with ICAO requirements, ICA will not allow for changes to the holder's particulars, including the photograph, once the BioPass is issued. The BioPass holder will have to apply for a new passport if he needs to update any of his personal particulars.

McCourt's views echo that of Randy Vanderhoof, executive director of the Smart Card Alliance, a non-profit association representing over 100 organizations from various sectors. In a statement last week, Vanderhoof called reports of the so-called vulnerability "untrue and demonstrate a lack of understanding" of how the multiple security layers in place work in the new e-passport system.

"Even if someone could copy the information on your e-passport chip, it doesn't achieve anything because all of the information is locked together in such a way that it can't be changed," he said. "It's no different than someone stealing your electronic passport and trying to use it. No one else can use it because your photo is on the chip and they're not you."

Even as experts argue that an e-passport cannot be cloned in its entirety, a Japan-based researcher has voiced out concerns about the risk of data security breaches. Achmad Rully, research associate at the Waseda University Media Network Center, said in an e-mail interview with ZDNet Asia that it appears to be "too early" to introduce e-passports, as "research about privacy protection is not yet adequate".

Rully plans to speak on this topic at the Bellua Cyber Security Asia 2006 conference in Jakarta, Indonesia, later this month. He will also demonstrate, using the Indonesia e-passport launched in February 2006, how a bearer's privacy can be compromised.

Said Rully: "How can we assume that someday government data protection cannot be breached? If government protection is breached, then our non-revocable private data will be in the wild. And somebody could pretend to be [any of] us using their sophisticated fake ID. "[Taken to] the extreme, if a government introduces biometric passports with our non-revocable private data inside the passport, it means that the government is making a time bomb for us," he added.

Editorial standards