US officials duped in ePassport issuance sting

18 March 2009

It is a document issuer’s worst nightmare. Despite all the technology and extensive security procedures, there is nothing more worrying than issuing a genuine document to a fraudulent applicant.

This turn of events has now come to light in the USA, and what makes it more embarrassing, is that it was a planned operation against the Department of State by the US Government Accountability Office (GAO).

Clearly, a genuine US passport is a vital document, permitting its owner to travel freely in and out of the United States, prove U.S. citizenship, obtain further identification documents, and set up bank accounts, among other things. Unfortunately, if such a document falls into the hands of a terrorist or other criminal, they could easily take advantage of these benefits.

There are many ways that malicious individuals can fraudulently obtain a genuine US passport, including stealing an American citizen’s identity and counterfeiting or fraudulently obtaining identification or citizenship documents to meet State requirements.

In this operation, however, GAO was asked to proactively test the effectiveness of the US Department of State’s passport issuance process to determine whether the process is vulnerable to fraud.

To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.

GAO’s investigation shows that terrorists or criminals could steal an American citizen’s identity, use basic counterfeiting skills to create fraudulent documentation for that identity, and obtain a genuine U.S. passport from State. In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case. In the most egregious case, an undercover GAO investigator obtained a passport using counterfeit documents and the Social Security Number (SSN) of a man who died in 1965. In another case, the investigator obtained a passport using counterfeit documents and the genuine SSN of a fictitious 5-year-old child GAO created for a previous investigation - even though the investigator’s counterfeit documents and application indicated he was 53 years old.

All four passports were issued to the same GAO investigator, under four different names. In all four tests, GAO used counterfeit and/or fraudulently obtained documents. State and USPS employees did not identify GAO’s documents as counterfeit.

GAO’s investigator later purchased an airline ticket under the name used on one of the four fraudulently obtained U.S. passports, and then used that passport as proof of identity to check in to his flight, get a boarding pass, and pass through the security checkpoint at a major metropolitan-area airport.

At a briefing on the results of GAO’s investigation, State officials agreed with GAO that the investigation exposes a major vulnerability in State’s passport issuance process. According to State officials, State’s fraud detection efforts are hampered by limitations to its information sharing and data access with other federal and state agencies.

State Department spokesman Richard Aker was reported as saying the agency regrets it issued these four passports and attributed “human error.”

He said the State Department plans to have facial recognition screening for all applicants in six months. The agency is also talking to states to see if passport officials can check states’ electronic databases to verify licenses and identification cards.