The BBC reports today that a van containing blank UK passports and visa inserts was commandeered and 24 boxes of documents stolen, about 1/2 mile from the specialist printing works where they were produced. Some 3,000 passports and visa stickers are reckoned to have been stolen. The indications seem to be that this was a specifically-targeted theft.
In itself, this doesn't necessarily represent a massive disaster - though it is certainly embarrassing for the Foreign Office, which was about to distribute the documents to its consulates overseas. After all, the passports still have to be convincingly 'personalised' with laminated photographs and - ideally - valid data on their embedded chips. It is this latter security mechanism which is being cited by Labour's Deputy Leader, Harriet Harman (Gordon Brown being on holiday at the moment), as the main mitigation of risk arising from this breach.
However, it does call to mind the post I wrote on Day One of this blog, describing the way in which the reliability of any credential depends on a whole chain of events, each of which must contribute to the security of the system as a whole. For example, if the process of issuing a passport to a given individual does not do a good job of establishing that the person in question really matches the details being encapsulated in the passport, the reliability of the credential is undermined. Likewise, if the process of matching the person against the passport when it is presented can be spoofed, then the passport is not really doing its job.
I referred to this series of events as the "chain of trust", each link of which plays a role in preserving the usefulness of the passport as a credential. Exactly the same principle applies here: if the blank documents are not adequately secured throughout the process of their manufacture and distribution, the integrity of the system as a whole is compromised. (I gave a similar example based on blank birth certificates back in early 2006...).
The other lesson to apply in cases like this, I think, is one derived from the work done by the Liberty Alliance ID Theft SIG (Special Interest Group). One of that group's findings was this: when some form of identity theft occurs, the exploitation of that theft for identity-related fraud very often does not take the most obvious form. If a payment card is stolen, yes, the most common fraud committed is to use that card for fraudulent payments... but in the case of other credentials (such as passports and driving licenses), the exploiters tend to get much more creative. As one counter-fraud officer notes in this passport theft incident - the one thing those blank passports are relatively unlikely to be used for is entry into the UK. The question of how they will get used is probably taxing some creative minds right now.


