Department of State:
Undercover Tests Reveal Significant Vulnerabilities in State's Passport Issuance Process
GAO-09-447: Published: Mar 13, 2009. Publicly Released: Mar 13, 2009.
A genuine U.S. passport is a vital document, permitting its owner to travel freely in and out of the United States, prove U.S. citizenship, obtain further identification documents, and set up bank accounts, among other things. Unfortunately, a terrorist or other criminal could take advantage of these benefits by fraudulently obtaining a genuine U.S. passport from the Department of State (State). There are many ways that malicious individuals could fraudulently obtain a genuine U.S. passport, including stealing an American citizen's identity and counterfeiting or fraudulently obtaining identification or citizenship documents to meet State requirements. GAO was asked to proactively test the effectiveness of State's passport issuance process to determine whether the process is vulnerable to fraud. To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen's personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.
GAO's investigation shows that terrorists or criminals could steal an American citizen's identity, use basic counterfeiting skills to create fraudulent documentation for that identity, and obtain a genuine U.S. passport from State. GAO conducted four tests simulating this approach and was successful in obtaining a genuine U.S. passport in each case. In the most egregious case, an undercover GAO investigator obtained a passport using counterfeit documents and the Social Security Number (SSN) of a man who died in 1965. In another case, the investigator obtained a passport using counterfeit documents and the genuine SSN of a fictitious 5-year-old child GAO created for a previous investigation--even though the investigator's counterfeit documents and application indicated he was 53 years old. All four passports were issued to the same GAO investigator, under four different names. In all four tests, GAO used counterfeit and/or fraudulently obtained documents. State and USPS employees did not identify GAO's documents as counterfeit. GAO's investigator later purchased an airline ticket under the name used on one of the four fraudulently obtained U.S. passports, and then used that passport as proof of identity to check in to his flight, get a boarding pass, and pass through the security checkpoint at a major metropolitan-area airport. At a briefing on the results of GAO's investigation, State officials agreed with GAO that the investigation exposes a major vulnerability in State's passport issuance process. According to State officials, State's fraud detection efforts are hampered by limitations to its information sharing and data access with other federal and state agencies. After GAO's briefing, State officials notified GAO that they identified and revoked GAO's four fraudulently obtained U.S. passports, and were studying the matter to determine the appropriate steps for improving State's passport issuance process.