Back in February 2021, we wrote a blog discussing how to prevent sophisticated physical document fraud, focusing on what the fraud looks like today and what can be done to reduce it. With the Secure Identity Alliance releasing a new report offering in-depth guidance on fighting passport fraud, now is a good time to revisit this subject.
There can be no doubt that document fraud is a serious crime and one that often leads to other significant threats for citizens, including human trafficking, drug smuggling, and terrorism. While it may seem like using fake passports is something reserved solely for spy, action or thriller movies, 47% of the fraudulent documents detected at European Union external borders in 2019 were passports. And this problem is only set to grow as criminals use more sophisticated techniques to forge documents. It is therefore essential that security experts and industry bodies come together to jointly develop innovative ways to protect ID documents, making them more intuitive to authenticate and fraud easier to detect.
Security is a gradual process, not binary
Keeping document security protocols up to date requires close and consistent monitoring of technology evolution and threats, in order to stay a step ahead in the constant race against fraud. Passports, just like any other product, need to be protected from their conception using the principle of ‘cybersecurity by design’. Integrating security from the start of a product’s lifecycle is now a must-have in the fight against criminal activity. What’s more, in order to constantly stay one step ahead of fraudsters, the continued addition of new protective features, materials or techniques is essential.
Enhancing software security in passports
Securing the embedded software in a passport is also imperative. As demonstrated in eID cards, one way to enhance security in citizen credentials is to use open platforms – thanks to their post-issuance capabilities. This means if a key or algorithm is exposed in an attack, the issuer can switch to another algorithm, change the applet or deactivate faulty services – thus protecting citizens’ data. In essence, this addresses the natural security erosion over the life of a product as new types of attacks are developed.
Recent evolution in Common Criteria Certification
Over the last 25 years, Common Criteria certification has been the undisputed reference for securing a document’s embedded software. This certification has been essential in providing guidance on which cybersecurity assessments need to take place for all ID documents and for the secure document’s embedded software, both at their time of purchase and during their operational lifetime.
Until June 2019, Common Criteria certifications had no expiry date and were valid until the product was phased out. However, since then the EU Cyber Act & Common Criteria Recognition Arrangement have revised their approach regarding the lifetime security assessment. Instead, a five-year administrative validity period is now enforced. In practice, this means a security re-assessment is required before the five years end in order to extend the validity of the certificate.
The new regulation also strongly recommends that cybersecurity products offer the ability to be patched after their issuance, as part of a resilient strategy.
How governments can ensure the issuance of secure documents
When thinking about bolstering ID document security, governments should try to follow these four key principles: anticipate, resist, react, restore. This will allow them to deliver the intended outcome of protecting their citizens in spite of adverse cyber events.
Using this method, governments can ensure that as many attacks as possible are prevented (making life difficult for hackers), that the severity of attacks is reduced, that the impact of an event, if one happens, is managed properly, and that they use these experiences to improve their future offering.
To fulfil this, governments need a long-term embedded software roadmap, with regular security surveillance and Common Criteria certification maintenance of the embedded software. They also need to make sure they are phasing out older products and migrating to new ones at regular intervals.
Finally, documents already in the field need to have upgradable features so the latest security upgrades can be made available to citizens through the use of a Document Lifecycle Management platform.
Using the information provided by the Secure Identity Alliance’s latest report, government authorities now have more guidance on the tools and techniques they need to fight document fraud. With this detailed analysis of the current document fraud landscape, public bodies are able to select the best security features when designing their documents to protect their citizens against fraud.
Only by deploying the latest security features, and through the use of emerging defensive technologies, can governments stay ahead in the permanent race against fraud. This revolves around actively monitoring any new threats, both to protect sensitive assets today and to anticipate future needs. This is our commitment to Cyber Resilience.
If you would like to know more about the security upgrade available in our latest secure embedded software range for identity documents, please tweet us @ThalesDigiSec or visit our dedicated webpage here.