Skip to main content

Border Security: Better Usage of Electronic Passport Security Features Could Improve Fraud Detection

GAO-10-96 Published: Jan 22, 2010. Publicly Released: Feb 22, 2010.
Jump To:
Skip to Highlights

Highlights

In 2005, the Department of State (State) began issuing electronic passports (e-passports) with embedded computer chips that store information identical to that printed in the passport. By agreement with State, the U.S. Government Printing Office (GPO) produces blank e-passport books. Two foreign companies are used by GPO to produce e-passport covers, including the computer chips embedded in them. At U.S. ports of entry, the Department of Homeland Security (DHS) inspects passports. GAO was asked to examine potential risks to national security posed by using foreign suppliers for U.S. e-passport computer chips. This report specifically examines the following two risks: (1) Can the computer chips used in U.S. e-passports be altered or forged to fraudulently enter the United States? (2) What risk could malicious code on the U.S. e-passport computer chip pose to national security? To conduct this work, GAO reviewed documents and interviewed officials at State, GPO, and DHS relating to the U.S. e-passport design and manufacturing and e-passport inspection systems and procedures.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security To ensure that border officers can more fully utilize the security features of electronic passports, the Secretary of Homeland Security should design and implement the systems functionality and databases needed to fully verify electronic passport digital signatures at U.S. ports of entry to provide greater assurance that electronic passport data were written by the issuing nation and have not been altered or forged.
Closed – Not Implemented
DHS concurred with this recommendation and in a May 26, 2010, letter stated that CBP will be developing a system to validate the digital signature of e-passports at ports of entry. Further, a database will be created of the digital certificates of U.S. e-passports that will be compatible with the validation system. In July 2011, CBP officials stated that while they have studied the issue, because of other high-priority demands, they have not been able to devote the necessary resources to design and develop a digital signature validation system. CBP officials believe such a system would aid in the inspection of e-passports and plan to revisit the issue in the next fiscal year. In January 2014, CBP officials stated that it will not be implementing a system to fully verify electronic passport digital signatures. They stated that they have had to devote their limited resources to higher-priority demands. They further stated that it was unclear whether such an investment would be worth the incremental security benefit given the biometric and biographic checks that are currently conducted on visa-holding and visa waiver travelers entering the United States.
Department of Homeland Security To ensure that border officers can more fully utilize the security features of electronic passports, the Secretary of Homeland Security, in coordination with the Secretary of State, should develop and implement an approach to obtain the digital certificates necessary to validate the digital signatures on U.S. and other nations' electronic passports to provide greater assurance that electronic passport data were written by the issuing nation and have not been altered or forged.
Closed – Not Implemented
DHS concurred with this recommendation and in a May 26, 2010, letter stated that CBP would work with State to obtain the digital certificates used for issuing U.S. e-passports. DHS further stated in its letter that CBP would continue working with State to determine the feasibility and costs of establishing a repository for the digital certificates of other nations' e-passports. In July 2011, CBP officials stated that while it could easily obtain the digital certificates from State, it has not yet done so because it has not developed the systems functionality to verify them. For non-U.S. e-passports, CBP officials stated that they have been working with State, but they have not yet identified a cost-effective mechanism to obtain digital certificates from other nations issuing e-passports. In January 2014, CBP officials stated that because it would not be implementing the systems functionality to fully verify electronic passport digital signatures, it would also not be obtaining the digital certificates to validate the digital signatures. CBP officials stated that for U.S. passports, CBP officers at the ports of entry can compare the passport data with State Department data to help validate the passport.

Full Report

Topics

Border securityComputer securityElectronic signaturesFraudMalicious codePassportsProgram evaluationRisk assessmentRisk managementSecurities fraudSecurity assessmentsSecurity policiesSecurity threatsStrategic planningPolicies and procedures