Three years ago, a News of the World reporter posed as a freelance pilot, paid £150 for a British Airways uniform and used a fictitious company name and false date of birth to obtain a security pass.
This enabled him to use the fake ID to get into Birmingham Airport, where he was able to board a plane started up for him by an airport engineer. This same pass also got him past security at Gatwick Airport.
The latest airport security glitch happened in December 2002. After getting past security, thieves took off with a $6.5 million heist from Heathrow airport. Because all airport staff were issued with ID cards, airport security suspected an inside job. Governments and airport security officials all over the world are, rightly so, reviewing and upgrading their security systems – such as baggage scanners and metal detectors – but they are omitting the most important aspect of security protection: how to guarantee that terrorists or criminals don't have the capability to create fake IDs, thus allowing them access to restricted sites.
Mistrust begets mistrust
A lot has improved in terms of escalated security and baggage checking procedures, but a key problem remains, that is, guaranteeing the proper verification of a passenger's or airport/airline employee's true identity. It remains extremely easy to fraudulently obtain or create false ID cards and passports, and this is generally the first step in the security protocol. While there has always been some awareness around air travel identity fraud, it was not until September 11 that it has become top of the agenda, driven by travelers' own concerns. Never before have we seen such a reluctance to travel by air, all caused by potential terrorist threats and our disbelief in the air space industry's ability to prevent similar attacks from happening again. The simple truth is that people's trust in governments' and the air traffic industry's ability to prevent terrorist attacks at airports has been damaged and needs to be rebuilt. Governments and the air travel industry therefore need to create a much stronger means of identification.
Trust begets accomplishment
The goal must be to have a secure authentication method in place that eliminates the risk of deceitful individuals traveling under a false identity, or operating within airports facilities without proper authorization. This is something today's identification methods simply cannot offer.
As the most secure, versatile and portable identification and communication medium, smartcards have emerged as the optimal solution for providing both reliable physical and logical identification, while at the same time securing the individual's privacy and integrity. Smartcards have since September 11 become a focus of interest for solving security issues in the air travel industry. Their ability to store, protect and manage personal data, such as picture ID, fingerprints, digital certificates, etc., makes them unrivalled devices for hosting identity credentials, offering authentication capabilities that standard identification documents are unable to match.
Besides the smartcard's strong security advantages, it is a highly flexible identification tool in the sense that it enables the user to dynamically manage personal information on the card. Just like a miniature PC, the smartcard, unlike an optical or magnetic stripe card, has an operating system able to utilize key technologies such as Java Card, allowing so called 'post-issuance' services. This ability to upgrade, remove and add identity data or applications in the chip allows for a much longer life-span than what is the case for standard identity documents such as driver's licenses or passports, which eventually need to be replaced due to common occurrences in life such as a change of name or address. Instead passengers and air travel industry employees can continue to use the same ID card as their identity profiles change over time.
Moreover, through advanced operating systems, smartcards are able to process data and communicate with computing devices, enabling them to perform cryptographic operations based on public key infrastructure (PKI), the de-facto standard for internet-based transactions. This capability allows an issuer to include web-based applications on the card, such as e-ticketing solutions where a cardholder can purchase tickets and even do check-in online.
Besides being compatible with PKI and Java technologies, one of the strongest forms of identity authentication is achieved by combining smartcards with biometry technology. This today represents a preferred solution for a majority of smartcard-based identity programs. When speaking about biometrics we refer to technologies for measuring and analyzing unique human body characteristics, such as fingerprints, eye retinas, voice patterns, etc., especially for authentication purposes. Within airport security, fingerprint recognition has so far been the dominant biometry technology put into practice.
When used in combination with fingerprint recognition, the card is used in order to store someone's fingerprint template in the chip, together with other personal information including demographic data and picture ID. For example, a traveler approaching an immigration checkpoint is able to insert the traveler's ID card into a terminal reader and have his or her fingerprint scanned. By matching the scanned fingerprint against what is stored on the card, the traveler's identity is authenticated. Upon valid authentication passage is allowed. Besides preventing unauthorized entry, it also acts to reduce immigration clearance time, something that today constitutes a big problem at many international airports.
Naturally the same technology can be applied for airport and airline workers, such as cargo shippers, food service personnel, or even pilots, entering access restricted areas. It is also within these closed user groups that we can expect smartcards in combination with biometry technology to be implemented first, mainly because deployment within closed user groups is more scalable and thus also more manageable than issuing smart ID cards to hundreds of millions of air travelers. There are however both existing deployments as well as ongoing initiatives targeted towards travelers.
Secure air travel deployments and initiatives
So far, the deployment of such smartcard-based ID programs has been limited. However, as far back as 1994, Singapore pioneered the implementation of travelers' ID cards by deploying the nation's Immigration Automated Clearance System. Under this scheme, trans-border workers and frequent travelers are still today being issued smartcards containing their biometric fingerprints for secure identification and automated immigration clearance at Singapore's major points of entry.
Now the increasingly loud technology buzz around smartcards has spawned new airport security initiatives around the world, striving to implement new standards for secure identification of passengers and personnel. One of the more proactive initiatives is being spearheaded by the European Commission's S-Travel (Secure-Travel) project. Scheduled to pilot in 2004, it aims to provide the European air transport community with a standard technical framework for more secure and convenient passenger travel through the use of a combined smartcard and biometry solution.
In the U.S., the new homeland security agency has launched the Transportation Workers Identification Card (TWIC) program. The TWIC program intends to issue secure ID badges based on high-capacity smartcards and biometrics to all employees working within the transportation industry. The TWIC card will have to be carried by all travel industry related employees in order to prevent unauthorized access to sensitive and protected areas. Selected pilots for the scheme will be launched in 2003.
Traveling in the Future
There is still much work to be done between public and private organizations in the air travel industry to ensure that security risks are minimized at all airports or travel checkpoints. However, the first steps are already being taken. Identity verification and authentication must remain at the very heart of all the initiatives that are currently being developed, and rightly so. With smartcard developments focused on securing our personal data and strengthening the verification through a combination of biometric technology, we have the ability to protect our most important asset – our identity.
Olivier Chavrier is director of marketing ID and security for Gemplus (www.gemplus.com)