This report on passport vulnerabilities made the news round last week, but the GAO report was not posted until this week. GAO-09-447 dated March 2009 — “Undercover Tests Reveal Significant Vulnerabilities in State’s Passport Issuance Process” has the following details:
A genuine U.S. passport is a vital document, permitting its owner to travel freely in and out of the United States, prove U.S. citizenship, obtain further identification documents, and set up bank accounts, among other things. Unfortunately, a terrorist or other criminal could take advantage of these benefits by fraudulently obtaining a genuine U.S. passport from the Department of State (State).
There are many ways that malicious individuals could fraudulently obtain a genuine U.S. passport, including stealing an American citizen’s identity and counterfeiting or fraudulently obtaining identification or citizenship documents to meet State requirements. GAO was asked to proactively test the effectiveness of State’s passport issuance process to determine whether the process is vulnerable to fraud.
To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State Department-run passport office.
The GAO investigator was easily able to obtain four genuine U.S. passports using counterfeit or fraudulently obtained documents. In their most egregious case, the GAO investigator obtained a U.S. passport using counterfeit documents and the SSN of a man who died in 1965. In another case, their undercover investigator obtained a U.S. passport using counterfeit documents and the genuine SSN of a fictitious 5-year-old child—even though his counterfeit documents and application indicated he was 53 years old.
GAO states that State and USPS employees did not identify their documents as counterfeit in any of their four tests. GAO acknowledged that although it doesn’t know what checks, if any, State performed when approving their fraudulent applications, it issued a genuine U.S. passport in each case. All four passports were issued to the same GAO investigator, under four different names.
GAO notes that the State Department operates 17 domestic passport-issuing offices, where most passports are issued each year. These offices are located in Aurora, Colorado; Boston; Charleston, South Carolina; Chicago; Honolulu; Houston; Los Angeles; Miami; New Orleans; New York; Norwalk, Connecticut; Philadelphia; Portsmouth, New Hampshire; San Francisco; Seattle; and 2 offices in Washington, D.C.—a regional passport agency and a special issuance agency that handles official U.S. government and diplomatic passports. Fifteen of these offices are regional passport agencies that process in-person applications in addition to applications received by mail. The remaining 2 facilities—Charleston, South Carolina, and Portsmouth, New Hampshire—are mega-processing centers with no access to the public.
GAO reports that they briefed State Department officials on the results of their investigation.
“They agreed that our findings expose a major vulnerability in State’s passport issuance process. According to State officials, the department’s ability to verify the information submitted as part of a passport application is hampered by limitations to its information sharing and data access with other agencies at the federal and state levels. They said that some federal agencies limit State’s access to their records due to privacy concerns or the fact that State is not a law enforcement agency.
In addition, they said that State does not currently have the ability to conduct real-time verification of the authenticity of birth certificates presented by passport applicants. They added that birth certificates present an exceptional challenge to fraud detection efforts, as there are currently thousands of different acceptable formats for birth certificates.
Further, they indicated that there are difficulties with verifying the authenticity of drivers’ licenses. Moreover, they said that although State attempts to verify SSN information submitted on passport applications on a daily basis with SSA, the results of this datasharing process are imperfect.
State officials acknowledged that they have issued other fraudulently obtained passports but did not offer an estimate of the magnitude of the problem. In order to improve State’s current passport fraud detection capabilities, officials said that State would need greater cooperation from other agencies at both the federal and state levels, and the ability to access other agencies’ records in real time. Subsequent to our briefing, State officials informed us that they identified and revoked our four fraudulently obtained U.S. passports, and that they would study the matter further to determine what steps would be appropriate to improve passport issuance procedures. We did not verify the accuracy of these State officials’ statements. We also briefed a representative of USPS on the results of our investigation, who did not offer any comments at the time of our briefing.”
You can read the whole thing here.
Update 3/18: This made it to the Daily Press Briefing here.
QUESTION: Yeah. Apparently, there’s a GAO report – I think it came out at the end of last week – about scams to get passports. And the State Department at that point was saying they hadn’t seen the report. Have you seen it? Do you have a comment on the inherent ability to do this —
MR. WOOD: Yeah, we certainly have seen the report, and clearly there were some errors made with regard to these particular four passports. We’re going to make sure that this type of thing doesn’t happen again, which will mean putting in place a process – better processes for ensuring that, you know, that passports are provided – that are accurate, up-to-date, and you know – yeah.
QUESTION: But you’re just saying those four. I mean, is there a broader issue here of compromising other passports?
MR. WOOD: Not that I’m aware of. This was just – I believe the report was focused on – I think it was four individuals who were kind of operating under – for the GAO who were able to obtain passports with faulty information. And what I’m saying is that the Department is working on trying to put in place procedures to make sure that that type of thing does not happen again.
One individual, four passports! Man, please read the one page summary next time!