Border Security
Improvements in the Department of State's Development Process Could Increase the Security of Passport Cards and Border Crossing Cards
Gao ID: GAO-10-589 June 1, 2010
In July 2008, the Department of State (State) began issuing passport cards as a lower-cost alternative to passports for U.S. citizens to meet Western Hemisphere Travel Initiative requirements. In October 2008, State began issuing the second generation border crossing card (BCC) based on the architecture of the passport card. GAO was asked to examine the effectiveness of the physical and electronic security features of the passport card and second generation BCC. This report addresses: (1) How effectively State's development process--including testing and evaluation--for the passport card and second generation BCC mitigates the risk of fraudulent use? (2) How are U.S. Customs and Border Protection (CBP) officers using the cards' security features to prevent fraudulent use at land ports of entry? To conduct this work, GAO evaluated the security features of passport cards and second generation BCCs against international standards and guidance and results from testing and evaluation and observed the inspection of these cards at five land ports of entry (POE).
State developed a passport card and second generation BCC that generally meet standards and guidance for international travel documents and include numerous, layered security features that, according to document security experts in the Department of Homeland Security, provide adequate security against fraudulent use. While following standards and guidance helps to ensure the security of these documents, State's development process could be improved. State addressed most problems identified during evaluation and testing; however, it did not address some of the resulting issues and recommendations or did not document its reasons for not doing so. In addition, State tested and evaluated the security of only prototypes of the passport card, which did not include key features such as the background artwork, personalization features, and other security features that were added or changed for the final passport card. Moreover, State did not test the security of the second generation BCC or the updated passport card expected to be issued in the second quarter of 2010. Fully testing the passport card and BCC and addressing identified problems would provide State a more complete understanding of the overall security and performance of its cards and a greater assurance that its cards are adequately secure. CBP officers in primary inspection--the first and most critical opportunity to identify individuals seeking to enter the United States with fraudulent travel documents--use a variety of methods to identify fraudulent documents, but are unable to take full advantage of the security features in passport cards and BCCs because of time constraints, limited use of technology in primary inspection, and the lack of sample documents for training. While CBP has deployed technology tools for primary inspectors to use when inspecting passport cards and BCCs, it could still make better usage of fingerprint data to mitigate the risk of imposter fraud with BCCs, the most common type of fraud. In addition, although CBP provided training on security features of the passport card and second generation BCC to inspecting officers prior to their issuance, the conduct of training without sample passport cards or second generation BCCs at the Vermont POEs visited by GAO indicate that improvements are still needed. State and DHS need to fully implement GAO's prior recommendation to improve training on new documents prior to their issuance, including the provision of exemplars to be used during training to better familiarize officers with the look and feel of the actual documents. GAO recommends that State fully address any problems found during testing and evaluation, including documenting the reasons for not addressing any of them, and test and evaluate the security features on the cards as they will be issued. State agreed with the recommendations.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Nabajyoti Barkakati
Team:
Government Accountability Office: Applied Research and Methods
Phone:
(202) 512-4499
GAO-10-589, Border Security: Improvements in the Department of State's Development Process Could Increase the Security of Passport Cards and Border Crossing Cards
This is the accessible text file for GAO report number GAO-10-589
entitled 'Border Security: Improvements in the Department of State's
Development Process Could Increase the Security of Passport Cards and
Border Crossing Cards' which was released on July 1, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
June 2010:
Border Security:
Improvements in the Department of State's Development Process Could
Increase the Security of Passport Cards and Border Crossing Cards:
GAO-10-589:
GAO Highlights:
Highlights of GAO-10-589, a report to congressional requesters.
Why GAO Did This Study:
In July 2008, the Department of State (State) began issuing passport
cards as a lower-cost alternative to passports for U.S. citizens to
meet Western Hemisphere Travel Initiative requirements. In October
2008, State began issuing the second generation border crossing card
(BCC) based on the architecture of the passport card. GAO was asked to
examine the effectiveness of the physical and electronic security
features of the passport card and second generation BCC. This report
addresses: (1) How effectively State‘s development process”including
testing and evaluation”for the passport card and second generation BCC
mitigates the risk of fraudulent use? (2) How are U.S. Customs and
Border Protection (CBP) officers using the cards‘ security features to
prevent fraudulent use at land ports of entry? To conduct this work,
GAO evaluated the security features of passport cards and second
generation BCCs against international standards and guidance and
results from testing and evaluation and observed the inspection of
these cards at five land ports of entry (POE).
What GAO Found:
State developed a passport card and second generation BCC that
generally meet standards and guidance for international travel
documents and include numerous, layered security features that,
according to document security experts in the Department of Homeland
Security, provide adequate security against fraudulent use. While
following standards and guidance helps to ensure the security of these
documents, State‘s development process could be improved. State
addressed most problems identified during evaluation and testing;
however, it did not address some of the resulting issues and
recommendations or did not document its reasons for not doing so. In
addition, State tested and evaluated the security of only prototypes
of the passport card, which did not include key features such as the
background artwork, personalization features, and other security
features that were added or changed for the final passport card.
Moreover, State did not test the security of the second generation BCC
or the updated passport card expected to be issued in the second
quarter of 2010. Fully testing the passport card and BCC and
addressing identified problems would provide State a more complete
understanding of the overall security and performance of its cards and
a greater assurance that its cards are adequately secure.
CBP officers in primary inspection”the first and most critical
opportunity to identify individuals seeking to enter the United States
with fraudulent travel documents”use a variety of methods to identify
fraudulent documents, but are unable to take full advantage of the
security features in passport cards and BCCs because of time
constraints, limited use of technology in primary inspection, and the
lack of sample documents for training. While CBP has deployed
technology tools for primary inspectors to use when inspecting
passport cards and BCCs, it could still make better usage of
fingerprint data to mitigate the risk of impostor fraud with BCCs, the
most common type of fraud. In addition, although CBP provided training
on security features of the passport card and second generation BCC to
inspecting officers prior to their issuance, the conduct of training
without sample passport cards or second generation BCCs at the Vermont
POEs visited by GAO indicate that improvements are still needed. State
and DHS need to fully implement GAO‘s prior recommendation to improve
training on new documents prior to their issuance, including the
provision of exemplars to be used during training to better
familiarize officers with the look and feel of the actual documents.
Figure: Passport Card and Second Generation BCC:
[Refer to PDF for image: photographs of a Passport Card and Second
Generation BCC]
Source: State Department.
[End of figure]
What GAO Recommends:
GAO recommends that State fully address any problems found during
testing and evaluation, including documenting the reasons for not
addressing any of them, and test and evaluate the security features on
the cards as they will be issued. State agreed with the
recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-10-589] or key
components. For more information, contact Nabajyoti Barkakati at (202)
512-4499 or barkakatin@gao.gov.
[End of section]
Contents:
Letter:
Background:
State's Development Process Resulted in Cards That Generally Meet
Standards and Guidance for International Travel Documents, but
Improvements Could Be Made:
Card Designs Generally Meet International Civil Aviation Organization
Security Standards for Machine Readable Travel Documents:
Card Designs Generally Meet Security and Prosperity Partnership
Recommended Standards for Secure Proof of Status and Nationality
Documents to Facilitate Cross-Border Travel:
Card Designs Generally Meet DHS's Policy for Physical Security Features:
CBP Officers Use a Variety of Methods to Detect Travel Document Fraud,
but Limitations in the Use of Technology and Training Affect Their
Ability to Fully Utilize the Document Security Features:
DHS Deployed New Technology Systems at Ports of Entry to Aid in the
Inspection of Passport Cards and Second Generation BCCs:
Limitations in the Use of Technology and Inspection Time Restrict the
Use of Security Features in the Inspection of Passport Cards and BCCs:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: Comments from the Department of State:
Appendix III: Comments from the Department of Homeland Security:
Tables:
Table 1: Number of Fraudulent U.S. Passport Cards and BCCs Detected at
U.S. Ports of Entry, Fiscal Year 2009:
Table 2: Missing ICAO-recommended Basic Features and Mitigating Factors:
Figures:
Figure 1: Front and Back of Passport Card:
Figure 2: Front and Back of Second Generation BCC:
Figure 3: WHTI Tear Sheet with Instructions on the Use of RFID-enabled
Cards in English and Spanish:
Figure 4: Signage for Use of RFID-enabled Cards at Vehicle POE:
Abbreviations:
BCC: border crossing card:
CBP: U.S. Customs and Border Protection:
DHS: Department of Homeland Security:
FDL: Forensic Document Laboratory:
ICAO: International Civil Aviation Organization:
ICE: U.S. Immigration and Customs Enforcement:
ISO: International Organization for Standardization:
L-1: L-1 Identity Solutions:
NIST: National Institute of Standards and Technology:
POE: port of entry:
RFID: radio frequency identification:
SPP: Security and Prosperity Partnership:
US-VISIT: U.S. Visitor and Immigrant Status Indicator Technology:
WHTI: Western Hemisphere Travel Initiative:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 1, 2010:
The Honorable Howard L. Berman:
Chairman:
Committee on Foreign Affairs:
House of Representatives:
The Honorable Edolphus Towns:
Chairman:
Committee on Oversight and Government Reform:
House of Representatives:
The Honorable Brian P. Bilbray:
The Honorable Christopher P. Carney:
The Honorable Jane Harman:
The Honorable Zoe Lofgren:
House of Representatives:
In response to section 7209 of the Intelligence Reform and Terrorism
Prevention Act of 2004, the Department of Homeland Security (DHS) and
the Department of State (State) implemented the Western Hemisphere
Travel Initiative (WHTI). WHTI is an effort to require a passport or
other document, or combination of documents, sufficient to denote
identity and citizenship for all travel into the United States by U.S.
citizens and by categories of individuals for whom documentation
requirements had previously been waived. In July 2008, State began
producing and issuing passport cards as a lower-cost alternative to
passports for U.S. citizens to meet WHTI requirements at sea and land
borders. The use of Border Crossing Cards (BCC)[Footnote 1] by Mexican
nationals to enter the United States at the land border from Mexico
was unaffected by the implementation of WHTI.[Footnote 2] In October
2008, State began producing and issuing a redesigned second generation
BCC.
Considerable attention has been focused on the risks associated with
the use of travel documents by noncitizens attempting to fraudulently
enter the United States. Preventing, detecting, and responding to the
fraudulent use of travel documents is essential to protecting U.S.
citizens and interests at home and abroad. The integrity of legitimate
travel documents is dependent upon the combination of well-designed
security features and issuance and inspection processes that lead to
detection of fraudulent attempts to obtain and use travel documents.
In fiscal year 2009, more than 13,000 fraudulent border crossing cards
and 4,500 fraudulent passports were intercepted by DHS's U.S. Customs
and Border Protection (CBP) at all U.S. ports of entry (POE).[Footnote
3] U.S. travel documents have been used fraudulently in connection
with other crimes, including narcotics trafficking, alien smuggling,
and even terrorism. State's Bureau of Consular Affairs issues
passports and visas, including passport cards and BCCs, and CBP
inspects these documents at ports of entry.
In response to your request, this report focuses on the effectiveness
of the physical and electronic security features of the passport card
and second generation BCC. Specifically, it examines the following two
questions: (1) How effectively does State's development process--
including procurement and testing and evaluation--for the passport
card and second generation BCC mitigate the risk of fraudulent use?
(2) How are CBP officers using the security features of passport cards
and second generation BCCs to prevent fraudulent use at land POEs? To
answer these questions, we evaluated the security features of passport
cards and second generation BCCs and assessed the inspection of these
cards at land POEs. We did not evaluate the issuance processes for
these cards because they follow the procedures for passport and visa
issuance and we have completed recent work on these issuance
processes.[Footnote 4]
To determine how effectively State's development process for the
passport card and second generation BCC mitigates the risk of
fraudulent use, we interviewed officials from State's Bureau of
Consular Affairs, CBP, and the Forensic Document Laboratory (FDL) in
DHS's U.S. Immigration and Customs Enforcement (ICE). We interviewed
State and DHS officials on the designs for the security features of
the passport card and BCC and assessed them against applicable
standards and guidelines. We also reviewed the results of testing and
evaluation of the prototype passport cards conducted by the National
Institute of Standards and Technology (NIST), FDL, CBP, the Bank of
Denmark, and Sandia National Laboratory and reviewed how State and DHS
used the results of the testing and evaluation activities. Finally, we
interviewed officials at the Tucson Passport Center to understand and
observe how second generation BCCs are personalized.
To determine how CBP officers use the security features of passport
cards and second generation BCCs to prevent fraudulent use at land
POEs, we interviewed officials from CBP and reviewed CBP policies,
procedures, guidance, and training documents regarding the inspection
of travelers presenting passport cards and second generation BCCs for
the purpose of entry to the United States, including the use of the
cards' physical security features and cardholder information retrieved
from CBP border inspection systems. We conducted site visits to five
land POEs in two port areas to interview CBP officials and observe the
inspection process of travel documents to understand how CBP officers
use the physical security features and DHS database information to
verify the eligibility of a traveler presenting a passport card or BCC
to enter the United States. See appendix I for the POE selection
methodology and further details on our scope and methodology.
We conducted this performance audit from January 2009 to June 2010, in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
Background:
WHTI implements Section 7209 of the Intelligence Reform and Terrorism
Prevention Act of 2004, as amended,[Footnote 5] which requires DHS, in
consultation with State, to develop and implement a plan to require
U.S. citizens and other individuals for whom documentation had
previously been waived to show a passport or other document, or
combination of documents sufficient to denote identity and citizenship
when entering the United States. DHS implemented WHTI documentation
requirements at air ports of entry on January 23, 2007,[Footnote 6]
and at land and sea ports of entry on June 1, 2009.[Footnote 7] The
final land and sea rule provides that:
* U.S. citizens entering at sea or land POEs must present a valid U.S.
passport, U.S. passport card, trusted traveler card, Merchant Mariner
Document when traveling on official maritime business, or U.S.
military ID when traveling on official orders;[Footnote 8] and:
* Mexican nationals applying for admission as a temporary visitor for
business or pleasure may present a BCC in lieu of a passport to enter
the United States when arriving from Mexico at land POEs or when
arriving by pleasure vessel or ferry.
State, in cooperation with DHS, is responsible for the development of
passport cards and BCCs. The Bureau of Consular Affairs is responsible
for the issuance of passport cards and BCCs, and CBP inspects the
documents at ports of entry to the United States.
On December 31, 2007, State issued a final rule establishing the
passport card as a lower-cost alternative to passport books--$45 for a
passport card versus $100 for a passport book--for departure from and
entry to the United States through land and sea ports of entry between
the United States and Mexico, Canada, the Caribbean, and Bermuda.
[Footnote 9] The passport card cannot be used for international air
travel. In February 2008, State began accepting applications for
passport cards, and in March 2008, it awarded a contract to L-1
Identity Solutions (L-1) for passport card stock, personalization
equipment, and related technical services. State began issuing the
first generation passport card on July 14, 2008 and the updated second
generation passport card in mid-April 2010. The passport card is valid
for up to 10 years and only issued to U.S. nationals, using the same
application form and evidence of citizenship or nationality as
required for passport books.[Footnote 10]
On October 1, 2008, State assumed responsibility for the production of
BCCs, issuing a redesigned, second-generation BCC.[Footnote 11] All
first-generation BCCs will expire before October 2018. The design of
the second generation BCC is based on the construction and security
features of the passport card. State uses the same contract to procure
BCC cardstock and the personalization equipment can be used to
personalize both types of cards. The BCC is valid for up to 10 years
and is only issued to Mexican citizens.[Footnote 12]
The passport card and second generation BCC use vicinity radio
frequency (RF) technology to store and transmit a unique number that
can be used by CBP to retrieve information about the cardholder.
As amended, the Intelligence Reform and Terrorism Prevention Act of
2004 required DHS and State to certify that they have met certain
criteria prior to implementing WHTI documentation requirements at sea
and land borders, including:
* NIST certification that the passport card architecture meets or
exceeds International Organization for Standardization (ISO) security
standards and best practices for protection of personal information;
* making the passport card available to U.S. citizens; and:
* installing the infrastructure to process the passport cards and
training employees to use the new technology at ports of entry.
State and DHS certified that they met these conditions on February 24,
2009.
The security of passport cards and BCCs and the ability to prevent and
detect their fraudulent use are dependent upon a combination of well-
designed security features and inspection procedures that utilize the
available security features of the document. A well-designed document
has limited utility if inspectors do not inspect the security features
to verify the authenticity of the document. In 2007, we reported on
the security of passports and visas, including first generation BCCs.
In our report, we made several recommendations to State and DHS
regarding the planning and design process for its travel documents,
ensuring that needed technology is available at ports of entry, and
better training for CBP officers at the ports of entry.[Footnote 13]
Passport Card and Border Crossing Card Fraud:
Threats to the security of travel documents include counterfeiting of
a complete travel document, construction of a fraudulent document,
photo substitution, deletion or alteration of text, removal and
substitution of pages, theft of genuine blank documents, and assumed
identity by imposters. Features of travel documents are assessed by
their capacity to secure a travel document against the following:
* Counterfeiting--unauthorized construction or reproduction of a
travel document.
* Forgery--fraudulent alteration of a travel document, including
attacks such as photo substitution, and deletion or alteration of text.
* Imposters--use of a legitimate travel document by people falsely
representing themselves as legitimate document holders.
Most reported passport card and BCC fraud is impostor fraud. In fiscal
year 2009, CBP detected 13,530 passport cards and BCCs presented by
travelers attempting to enter the United States through all U.S. POEs
that were either fraudulent or were valid documents used by imposters
(see table 1). Over 90 percent of these documents were genuine
documents presented by imposters. The most frequent fraudulent
attempts were by imposters attempting to use a legitimate BCC.
Fraudulent use of passport cards and second generation BCCs is much
lower than that of first generation BCCs mainly because there are many
fewer issued, with over 8 million valid first generation BCCs in
circulation but only about 2.3 million passport cards and 435,000
second generation BCCs issued by the end of November 2009.
Table 1: Number of Fraudulent U.S. Passport Cards and BCCs Detected at
U.S. Ports of Entry, Fiscal Year 2009:
Travel document: Passport card;
Impostor: 43;
Counterfeit/altered: 0;
Total: 43.
Travel document: First generation BCC;
Impostor: 12,318;
Counterfeit/altered: 987;
Total: 13,305.
Travel document: Second generation BCC;
Impostor: 170;
Counterfeit/altered: 12;
Total: 182.
Travel document: Total;
Impostor: 12,531;
Counterfeit/altered: 999;
Total: 13,530.
Source: GAO analysis of DHS and State data.
[End of table]
Document Security Features:
To combat document fraud, security features are used in a wide variety
of documents, including currency, identification documents, and bank
checks. Security features are used to prevent or deter fraudulent
alteration or counterfeiting of such documents. In some cases, an
altered or counterfeit document can be detected because it does not
have the look and feel of a genuine document. For instance, in U.S.
passport cards and second generation BCCs, detailed designs and
figures with specific fonts and colors can often be used by inspectors
to identify nongenuine documents.
While security features can be assessed by their individual ability to
help prevent the fraudulent use of the document, it is more useful to
consider the entire document design and how all of the security
features combine to help secure the document. Layered security
features tend to provide better security by minimizing the risk that
the compromise of any individual feature of the document will allow
for unfettered fraudulent use of the document. An individual security
feature may provide protection against more than one type of threat,
but no feature can protect against them all and no single feature is
100 percent effective at eliminating a type of threat. Designing
secure documents requires the use of a range of security features
combined in an appropriate way within the document. The best
protection is obtained from a balanced set of features and techniques
providing multiple layers of security in the document that combine to
deter or defeat fraudulent attack.
Card Application and Issuance Processes:
The application and issuance process for the passport card is the same
as for passports, using the same application form. After an
application is successfully adjudicated by passport examiners at State
Department passport agencies, the passport card will be produced.
State personalizes each passport card by printing the photo,
biographical data, and other needed information on the card. The card
is then mailed to the traveler. In general, passport cards are
personalized at State's Arkansas Passport Center, but the Tucson
Passport Center also has the capacity for high volume personalization
of the cards and most passport agencies have the capability of
personalizing limited volumes of cards.
The application and issuance process for the BCC is unchanged for the
second generation BCC and is managed through the U.S. consulates in
Mexico. After visa officers in Mexico approve an application for a
BCC, the BCCs will typically be produced at the Tucson Passport
Center. Using blank BCC cardstock, State personalizes each BCC by
printing the photo, biographical data, and other needed information on
the card. The card is then delivered to the appropriate consulate in
Mexico for issuance to the traveler.
In each case, the cardstock is produced by one of L-1's subcontractors
and it incorporates the background art and some of the security
features already incorporated. As will be explained later in this
report, some security features are added to the card during the
personalization process.
Inspection of Travel Documents to Enter the United States:
In general, travelers seeking admission to the United States must
present themselves and a valid travel document for inspection to a CBP
officer. The inspection process requires officers to determine the
admissibility of the traveler by questioning the individual and
inspecting the presented travel documents. In the first part of the
inspection process--primary inspection--CBP officers inspect travelers
and their travel documents. The officer can then compare the
information on the travel documents with information retrieved from
CBP border inspection systems to determine if they may be admitted or
should be referred to secondary inspection for further questioning and
document examination. If additional review is necessary, the traveler
is referred to secondary inspection--an area away from the primary
inspection area--where another officer makes a final determination to
admit the traveler or deny admission for reasons such as the
presentation of a fraudulent or counterfeit travel document.
State's Development Process Resulted in Cards That Generally Meet
Standards and Guidance for International Travel Documents, but
Improvements Could Be Made:
State's designs for the first and second generation passport card and
the second generation BCC generally meet standards and guidance for
international travel documents and DHS policies for travel credentials
and, in general, the recommended security features that are not
included are compensated for by other security features or would not
greatly increase the security of the cards.[Footnote 14] However,
while including all security features recommended by guidance and
standards for international travel cards can help ensure the security
of passport cards and BCCs, security assessments and testing of the
cards are necessary to identify any vulnerabilities and to modify the
security features to address these vulnerabilities. During its
development process, State addressed most of the issues raised and
recommendations made during evaluation and testing of the prototype
passport card, but it either did not address some of the issues and
recommendations, or it did not fully document its decisions for not
doing so. Moreover, State tested and evaluated the security and
durability of only prototypes of the passport card, which did not
include the personalization printing or background artwork. Without
fully evaluating the impact of the issues and recommendations on the
security and performance of the cards and testing and evaluating the
final designs for the first and second generation passport card and
second generation BCC, State does not have a complete understanding of
the cards' overall security and performance.
Passport Cards and Second Generation BCCs Generally Meet International
Travel Documents Standards and Guidance:
The passport card and second generation BCC generally meet
International Civil Aviation Organization and Security and Prosperity
Partnership standards, as well as the DHS Policy for Physical Security
Features, for international travel documents. These documents provide
guidance on security features and data elements to include on travel
documents to prevent fraudulent use.
Card Designs Generally Meet International Civil Aviation Organization
Security Standards for Machine Readable Travel Documents:
The International Civil Aviation Organization (ICAO)--the United
Nations specialized agency for civil aviation--document 9303 on
machine-readable travel documents provides standards for passports and
other travel documents that can be used for international travel,
including recommended security standards and data elements for travel
documents.[Footnote 15] The recommended security features are divided
into two categories, basic security features that are considered
essential and additional features recommended for enhanced security.
The passport card includes 8 of approximately 11 ICAO recommended
basic security features and the BCC includes 7 of the 11 basic
security features. However, the security that would be offered by the
missing features is either provided by other security features or
would not significantly improve the security of the cards. Both cards
contain many of the recommended additional features. Table 2 provides
further details about the missing ICAO basic security features and the
factors on the cards that mitigate their omission. The ICAO standards
also provide data element requirements for the personalization of
travel documents. The passport card contains 10 of the 11 required
data elements and second generation BCC contain 9 of the 11 required
data elements. Neither card contains the signature of the cardholder,
which does not significantly impact the security of the cards because
signatures are easy to forge and thus provide little protection
against document fraud. In addition, the second generation BCC lacks a
document number on its biographical face, which is both a security
feature and data element. There is, however, a unique inventory
control stock number on the back of the card. While the presence of a
unique identifier is important, the location does not play a major
role in the overall card security.
Table 2: Missing ICAO-recommended Basic Features and Mitigating Factors:
ICAO-recommended basic security feature: Two-color guilloche pattern
to protect against copying[A];
Reasons why the missing feature does not significantly impact the
security of the documents: A guilloche pattern is incorporated in the
optically variable device (OVD), which displays kinematic and rainbow
effects as the angle of viewing is changed.[B] This provides a higher
level of counterfeit resistance than the traditional two-color
guilloche pattern.
ICAO-recommended basic security feature: Anti-scan pattern to protect
against copying;
Reasons why the missing feature does not significantly impact the
security of the documents: Features such as the OVD and optically
variable logo provide similar protection.
ICAO-recommended basic security feature: Ultraviolet fluorescent ink
on both sides;
Reasons why the missing feature does not significantly impact the
security of the documents: An ultraviolet image is printed on the
front of the cards but not on the back. The overall security of the
cards is not negatively affected because the primary threat is the
alteration of biographical data on the front of the cards.
ICAO-recommended basic security feature: Unique document number on
second generation BCC;
Reasons why the missing feature does not significantly impact the
security of the documents: There is a unique inventory control stock
number on the back of the card. While the presence of a unique
identifier is important, the location does not play a major role in
the overall card security.
Source: GAO analysis of ICAO standards and State's designs for the
passport card and second generation BCC.
[A] A guilloche pattern consists of continuous fine lines that form a
unique image that is difficult to copy or recreate without access to
the originating equipment, software, and parameters used to create the
original design.
[B] OVDs significantly change appearance depending on the angle of
illumination and observation and are designed to prevent copying by
photomechanical means.
[End of table]
Card Designs Generally Meet Security and Prosperity Partnership
Recommended Standards for Secure Proof of Status and Nationality
Documents to Facilitate Cross-Border Travel:
The Security and Prosperity Partnership (SPP)--an effort among the
United States, Canada, and Mexico to develop a common security
strategy--developed Recommended Standards for Secure Proof of Status
and Nationality Documents to Facilitate Cross-Border Travel to align
with ICAO document 9303, which provide recommended nonbinding minimum
standards and, for additional measures of security, best practices for
documents used for travel between the United States and Canada.
[Footnote 16] Both the passport card and BCC generally meet SPP
recommended standards. Both cards include all 6 of the security
features required to meet the minimum standard. The passport card
contains all 9 of the data elements required to meet the minimum
standard and the second generation BCC contains 8 of the 9 data
elements required to meet the minimum standard. In addition, the cards
include many security features recommended as a best practice. The
second generation BCC does not have the document version data element,
which indicates to inspectors the version of the document they are
inspecting so that they know what the card should look like and what
security features it should have. However, this is not a concern
because the second generation BCC looks completely different from the
first generation BCC.
Card Designs Generally Meet DHS's Policy for Physical Security Features:
The DHS Screening Coordination Office created the DHS Policy for
Physical Security Features as a result of its efforts to identify how
DHS can improve its credentialing programs. The policy addresses
physical security features that prevent counterfeiting, alteration,
and fraud of credentials and provides a minimum standard for physical
security features for DHS credentialing programs, including requiring
a minimum of two security features. The policy also includes
requirements for data elements for travel documents to enable border
officers to assess the identity and admissibility of travelers. The
passport card and BCC contain all required security features, the
passport card contains 10 of the 11 required data elements, and the
BCC contains 9 of the 11 required data elements for the travel
environment specified in the policy. Neither card contains height
information and the second generation BCC does not include the
cardholder's place of birth. Not including these data elements does
not significantly affect the security of the cards because the cards
contain layers of security to protect against fraudulent use. DHS
plans to remove both height and place of birth as a minimum
requirement in the next version of its policy.
Layered Features Contribute to Overall Security of Passport Cards and
Second Generation BCCs:
The designs of the passport card and BCC contain numerous, layered
features that provide protection against fraudulent use (see figs. 1
and 2). For example, the OVD can help protect against counterfeiting
because it is difficult to copy and recreate and it helps protect
against forgery because it overlaps the photograph and biographical
data, making it difficult to alter them without causing visible damage
to the OVD. In addition, the complex symbolic codes and pseudocodes
provide protection against counterfeiting and forgery because they are
based on cardholder characteristics and cannot be accurately created
for counterfeit cards or altered for forged cards unless the
counterfeiter has broken the codes. Laser engraving is used to print
the cardholder's image as well as the personalization information,
combining flat and tactile printing. Laser engraving permanently
blackens the plastic below the surface of the card to protect against
counterfeiting and forgery by making it difficult to alter without
causing damage.
Figure 1: Front and Back of Passport Card:
[Refer to PDF for image: 2 photographs]
Front of U.S. sample passport card;
Back of U.S. sample passport card.
Source: State Department.
[End of figure]
Figure 2: Front and Back of Second Generation BCC:
[Refer to PDF for image: 2 photographs]
Front of Second Generation BCC;
Back of Second Generation BCC.
Source: State Department.
[End of figure]
In meetings between GAO and FDL on the security of the final passport
card and second generation BCC designs after State had begun issuing
the cards, FDL officials indicated that they believed that the
security of the final cards against fraud is adequate. However, they
continue to recommend that State use a solid polycarbonate body with
laser engraving at or below the layer of background artwork to provide
stronger protection against layer separation, photo substitution, and
data alteration, as they had recommended when they performed the
counterfeit deterrence study on the prototype passport cards during
procurement.[Footnote 17]
FDL also recommended to State, based on reviewing an intermediate
printing of the passport card, that it add rainbow printing on the
front of the card, which would make the card more difficult to copy
and counterfeit.[Footnote 18] Regarding the second generation BCC,
which they had not formally assessed, FDL officials suggested using a
more easily recognizable, finite design for the background of the BCC,
like the eagle on the passport card. It is easier to see a poor
reproduction of a well-known, finite design than an abstract one, like
the butte on the BCC.
State officials said that they respond to recommendations based on
whether the cost justifies the security benefit gained as well as
potential program delays that may result from implementation. They
indicated that they did not change to a solid polycarbonate body
because there are problems using polycarbonate in the radio frequency
identification (RFID) chip layer and it would increase the cost of the
cards.[Footnote 19] In addition, at the time, the card manufacturer
thought that the technology for security printing on polycarbonate was
too new and State didn't believe that using layers of polycarbonate
over layers of polyvinyl chloride posed any significant problems.
Since procurement, the technology for laser engraving and printing the
background artwork on polycarbonate has improved, but there continue
to be technical issues that impact the feasibility of its use. State
also does not believe that laser engraving below the layer of the
background artwork significantly improves the security of the cards
because any attempt to alter the data or photo would visibly damage
the card. In addition, State officials believe the recommendation to
add rainbow printing on the front of the cards is more a preference
than a requirement and is satisfied with having it just on the back of
the cards. State officials have indicated that they will consider
FDL's suggestion for a finite design for the background of the BCC
when they design new documents or redesign the existing ones.
State's Development Process for Passport Cards and Second Generation
BCCs Could be Improved:
At the beginning of the development process for the passport card,
State investigated available security technologies and worked with
DHS, including CBP and FDL, to determine which physical security
technologies and features to require for passport cards. These
included laser engraving printers for personalization, tactile
element(s) over the photo area, a logo with color shifting ink, and an
optically variable device either provided by State or proposed by
vendor. In addition, State, based on input from DHS, included a
vicinity read RFID chip to facilitate faster processing at ports of
entry. The RFID chip stores a unique number that references cardholder
information in State's issuance databases. State also determined that
the cards must comply with ICAO recommendations for card format
official travel documents.[Footnote 20] These requirements were
incorporated into the procurement solicitation issued in May 2007.
The source selection and procurement process began when State
developed the request for proposal (RFP), which was released in May
2007. The contract was awarded to L-1 in March 2008 for passport
cards.[Footnote 21] During the source selection and procurement
process for passport cards, prototype passport cards from prospective
contractors underwent evaluation and testing related to durability,
RFID performance, and security requirements. Sandia National
Laboratory (Sandia) evaluated the durability and radio frequency (RF)
effectiveness against national and international standards; CBP tested
the RFID performance in mock CBP vehicle lanes; and FDL performed
counterfeit deterrence studies. State implemented most of the
recommendations made and addressed most of the issues raised during
evaluation and testing. For example, in response to FDL
recommendations, State embedded the OVD below the surface of the card
and included microline printing in the background artwork. In
addition, State either amended the RFP based on NIST's recommendations
or provided a written reason why a recommended change was not made.
While State addressed most of the issues raised and recommendations
made during evaluation and testing of the prototype passport card, it
either did not address some of the issues and recommendations or did
not document its reasons for not doing so. For example, State did not
assess the risk of not following FDL's recommendation that State
submit the final passport card for analysis of the security features,
which State did not do because it was in the final stages of
procurement when the design was finalized and it wanted to meet
schedule, or FDL's recommendation that it add rainbow printing to the
front of the card. State also did not assess the potential risk posed
by the card's failure to meet peel strength and ultraviolet light
exposure test requirements that were found during Sandia's tests prior
to the issuance of the cards. While State officials do not believe
that the problems identified by the failed tests will affect the
operational use of the cards, they were not able to explain why these
failures were not assessed prior to decisions to proceed with card
production. Moreover, State assessed, but did not document its reasons
for not addressing FDL's concern that the shallow depth of the laser
engraving left the cards susceptible to alteration and recommendation
to use a solid polycarbonate body to mitigate this. State officials
decided not to follow the recommendation to use a solid polycarbonate
body based on the costs and benefits of implementing it; they believe
that the depth of the laser engraving was sufficient and decided
against using a solid polycarbonate body due to cost and technical
issues. Without performing and documenting a full assessment of
recommendations made and problems found during testing and evaluation,
including the potential effect not addressing them could have on the
performance of the card, State does not fully understand the security
and durability of the card.
After awarding the contract for passport cards, the contractor
manufactured cards according to State's final design, which were made
into exemplars--genuine documents used for training purposes. These
cards were inspected for problems with the security features and
printing and any problems were recorded. Some of the cards were also
sent to CBP to test the RFID performance. State indicated that it
encountered a small percentage of manufacturing problems and the cards
met CBP RFID performance requirements. The second generation BCC
underwent similar inspection of the security features and printing
after it was added to the passport card contract and manufacturing
began.
State designed the background artwork as well as codes that are
embedded into both the passport card and BCC during personalization.
These codes vary between the passport card and BCC, with the BCC
containing more codes with greater depth and complexity because it was
produced later, providing State with more time to develop them. The
codes are based on the holder's personal information. The simplest
codes can be used for document authentication by primary inspectors
and the most complex codes can be used for forensic analysis.
While testing and evaluation was performed on prototype passport cards
during the source selection process, these activities did not assess
security features designed by State, including the background artwork
or embedded personalization codes. The focus of the test and
evaluation activities was to evaluate offerings from prospective
contractors. Security features that were added or changed from the
prototype passport cards and incorporated into the final passport card
were also not evaluated and durability testing was not performed on
the final design, despite failures encountered during testing.
Further, because the second generation BCC was added to the passport
card contract, it did not undergo any formal security testing and
evaluation activities and no security or durability testing was done
on the second-generation passport card, which includes changes to the
card construction due to the inclusion of a different RFID chip. The
background artwork and the security features added during the
personalization process are key components of the layered security of
the passport card and second generation BCC. However, without tests or
evaluations that demonstrate the ability of these features to
effectively contribute to the security of the cards, State does not
have the needed assurance that its cards have been designed with
adequate security.
State has completed a redesign of the passport card with the primary
purpose of incorporating a new RFID chip that has a unique tag
identifier.[Footnote 22] The use of the unique tag identifier is
intended to prevent cloning of the RFID chip. State took the
opportunity to incorporate changes to improve the physical security
features of the card, including using more robust layers of
pseudocodes that bring them to the depth and complexity of those used
on the BCC and a more complex OVD. The updated card also contains
additional physical security features, including a secondary image of
the cardholder and steganography in the primary image and
microprinting in the secondary image of the cardholder.[Footnote 23]
State began issuing the second generation passport card in mid-April
2010.
The redesigned card has not undergone formal security or durability
testing and evaluation. State officials believe that evaluation
activities were not necessary because the appearance of the card is so
similar to the one currently issued, the changes improved the security
of the card, and it did not consider the durability failures
encountered during prototype passport card testing to be significant.
In 2007, we recommended that State periodically reassess the security
features when planning the redesign of its travel documents.[Footnote
24] State agreed with the recommendation and has taken steps to
address it. However, there was no assessment of the final passport
card or second generation BCC prior to issuance and there is no plan
to formally assess the second generation passport card prior to
issuance. Such an assessment could identify potential vulnerabilities
in the security of these cards before they could be exploited. There
have been no reports of successful fraudulent use of the cards and the
addition of more security features to the passport card was not in
response to any threats or vulnerabilities and should further
strengthen the card against fraud. State and FDL inspected counterfeit
second generation BCCs that were intercepted and found that none of
the security features or personalization codes had been compromised.
However, by not following a structured process for assessing the
security features of the passport card prior to issuing the second
generation passport card, State missed an opportunity to identify and
address any potential vulnerabilities of the passport card's design to
resist fraudulent use.
In response to our 2007 recommendation, State created a new position
in the Bureau of Consular Affairs responsible for the coordination of
the efforts of various State organizations involved in designing and
ensuring the security of documents issued by Consular Affairs--the
Forensic Document Design and Integrity Coordinator. Because this
position was created in September 2009, the coordinator was not
involved in the development process of the first-generation passport
card or the second generation BCC card and was only minimally involved
in the development process of the second-generation passport card--
only providing input to the post-production processes.
CBP Officers Use a Variety of Methods to Detect Travel Document Fraud,
but Limitations in the Use of Technology and Training Affect Their
Ability to Fully Utilize the Document Security Features:
The inspection of passport cards and BCCs at POEs is a key element in
preventing the fraudulent use of these documents. Inspection officers
rely on interviews and observations of travelers and the examination
and verification of documents using CBP border inspection systems to
detect fraud. To aid in the inspection of passport cards and second
generation BCCs, CBP deployed RFID readers and new software in vehicle
lanes at land ports of entry. However, the limited amount of time
officers have to conduct inspections restricts the use of security
features on passport cards and BCCs to just a few visual and tactile
features. Greater use of biometrics of travelers presenting BCCs could
provide additional verification that the BCCs are valid and belong to
the travelers presenting the documents, helping to address Impostor
fraud. Further, while CBP officer training on the passport card and
BCC was timely, the provision of exemplars to the ports of entry for
training purposes is still lacking. The CBP port director--responsible
for supervising and directing all work activities at POEs--of the POEs
we visited along the Northern border indicated that the POEs there did
not have exemplars of either card. Without exemplars available during
training, these officers were unable to fully familiarize themselves
with the look and feel of the security features in these documents
before inspecting them.
Inspection Officers Rely on Interviews and Observations of Travelers,
Examination of Documents, and Traveler Information Stored in CBP
Border Inspection Systems to Detect Fraud:
CBP officers in primary inspection rely on interviewing and observing
travelers, visually and manually examining documents, and accessing
cardholder information, such as the traveler's name and photo, in CBP
border inspection systems to detect fraudulent passport cards and
BCCs. CBP officers observe travelers' demeanor, question them about
their travel, and compare travelers with biographic data and photos on
travel documents and in CBP inspection systems to help them detect
fraud. Officers inspect only a limited number of security features on
travel documents due to time constraints, particularly along the
southern land border where there is high traveler volume through many
land border POEs. When inspecting documents, they look for signs of
alteration, compare the photo and traveler, examine the biographic
page and examine the look and feel of the document to determine
whether it is valid. If the officer suspects fraud, they can send
travelers to secondary inspection for further screening and, in the
case of BCC holders, a comparison of traveler fingerprints with those
stored in the U.S. Visitor and Immigrant Status Indicator Technology
(US-VISIT), one of the CBP border inspection systems, to verify their
identity.
DHS Deployed New Technology Systems at Ports of Entry to Aid in the
Inspection of Passport Cards and Second Generation BCCs:
To aid in the inspection of passport cards, second generation BCCs,
and other travel documents with vicinity RFID chips, CBP made two
related technology deployments to its ports of entry. First, it
upgraded the client software to its border inspection systems at
vehicle and pedestrian lanes at land border ports of entry. The
vehicle primary client software provides a graphical user interface
for CBP officers to access U.S. visa and passport information,
including the traveler's photograph. State provides the information to
CBP border inspection systems from its issuance databases: the
Consular Consolidated Database for visas, including BCCs, and the
Passport Information Electronic Retrieval System for passports and
passport cards. Access to this information allows for better
identification of fraudulent photos, biographical data alteration, or
counterfeit cards. The vehicle primary client software is operational
in most vehicle lanes at all but two land border ports of entry. CBP
upgraded the pedestrian client software, which already provided access
to visa information, to display passport information.
Second, CBP deployed RFID readers in vehicle lanes at land border
ports of entry that can read the RFID chips in the passport card,
second generation BCC, and other WHTI-approved documents. WHTI has
deployed RFID to 420 lanes at the top 46 land border POEs, which
handle more than 95 percent of land border traffic. Travelers can hold
up their passport card or second generation BCC when entering vehicle
lanes at these POEs to allow RFID readers to read the RFID tag in the
cards.[Footnote 25] The RFID system then automatically looks up
traveler's information from CBP border inspection systems and presents
it to inspecting officers on the Vehicle Primary Client.
CBP has installed signage in RFID reader-equipped vehicle lanes and
provides WHTI tear-sheets that are available in English, Spanish, and
French that instruct cardholders on how to use RFID-enabled documents,
which includes passport cards and BCCs (see fig. 3). In addition,
State includes a letter in Spanish with BCCs containing instructions
on how to use the cards at POEs.
Figure 3: WHTI Tear Sheet with Instructions on the Use of RFID-enabled
Cards in English and Spanish:
[Refer to PDF for image: illustration]
3 Simple Steps For U.S. Land Border Entry:
3 Pasos Sencillos Para Cruzar Fronteras Estadounidenses Por Tierra:
For more information, please visit www.GetYouHome.gov.
Para mas informacion, visite el sitio www.GetYouHome.gov.
WHTI:
U.S. Customs and Border Protection:
Step 1:
Stop at beginning of lane & wait for signal.
Detengase a la entrada del carril y espere la senal.
While stopped, the driver and all passengers should pull out their
required travel documents. Wait for a sign to proceed. Note that
traffic management may be a bit different depending upon location. At
some, you will see a green light that signals you to go; at others,
proceed when the vehicle ahead of you clears or the officer waves you
through.
En cuanto el auto se detenga, el conductor y todos los pasajeros deben
sacar los documentos de viaje requeridos. Espere hasta recibir una
serial para seguir adelante. Tenga en cuenta que la gestion vehicular
puede ser diferente, segun el lugar. En algunos casos, se iluminara
una luz verde para indicarle que debe proceder; en otros, puede
avanzar cuando el auto enfrente hays pasado o un oficial le ordene el
paso.
Step 2:
Hold card up & drive through to booth.
Sostenga la tarjeta en alto y avance por el carril.
As you drive through the lane, the driver and all passengers should
hold their travel documents up so that the flat face of the card(s)
show through any window on the driver's side of the vehicle. Your
RFIDenabled cards will be automatically read as you transit down the
lane.
Conforme el auto avance por el carril, el conductor y todos los
pasajeros deben sostener los documentos de viaje de tal manera que la
cara plane de la tarjeta pueda verse a traves de cualquier ventana del
lado del conductor. Las tarjetas dotadas can tecnologia RFID podran
ser lefties automaticamente a medida que avance por el carril.
Step 3:
Stop at officer's booth.
Detengase en la garita.
Proceed to booth. Stop for inspection at booth and be prepared to show
the officer documents for all travelers in the vehicle.
Avance hasta la garita. Detengase para fines de inspeccion y preparese
pars mostrarle al oficial los documentos de cada uno de los viajeros,
en caso de que asi lo solicite.
Source: Department of Homeland Security.
[End of figure]
When a vehicle enters a vehicle lane at a port of entry, the occupants
can see signs instructing them on how to hold RFID-enabled documents
to allow them to be read (see fig. 4). The RFID reader attempts to
read any RFID-enabled documents in the vehicle. The vehicle then
approaches the booth where the CBP officer inspects the occupants'
travel documents. If one or more of the documents was not read,
whether because there was a read failure or one or more of the
documents are not RFID-enabled, the CBP officer can read the RFID tags
of any RFID-enabled document with an RFID reader at the booth, read
the machine readable zone of any valid travel document with a document
reader in the booth, or manually look up travelers' information using
the data printed on the documents.
Figure 4: Signage for Use of RFID-enabled Cards at Vehicle POE:
[Refer to PDF for image: 2 photographs]
Sign in French;
Sign in Spanish.
Source: GAO.
[End of figure]
In pedestrian lanes, a traveler presents his or her travel document to
the CBP officer who can inspect it and look up the traveler's
information by either electronically reading the machine readable zone
of the travel document with a document reader or manually looking up
the travelers' information.[Footnote 26] The officer can then compare
the information on the travel documents with information retrieved
from CBP border inspection systems and with the traveler being
inspected to determine if they may be admitted or should be referred
to secondary inspection for further questioning and document
examination.
Limitations in the Use of Technology and Inspection Time Restrict the
Use of Security Features in the Inspection of Passport Cards and BCCs:
Officers in primary inspection--the first and most critical
opportunity at U.S. ports of entry to identify individuals seeking to
enter the United States with fraudulent travel documents--are unable
to take full advantage of the security features in passport cards and
BCCs due to the limited use of technology in primary inspection.
In our prior work examining the inspection of travel documents at
POEs, we found that, due to time constraints and the large volume of
travelers, primary officers inspect only a limited number of security
features on travel documents and only electronically read travel
documents to query records in CBP border inspection systems when
deemed appropriate for the inspection situation, given the local
traffic flow and traveler wait times.[Footnote 27] CBP officers often
rely on a few visual and tactile security features of the passport
cards and BCCs--such as raised printing and the embossed seal--in
addition to their interviews to identify fraudulent use of the
documents. When visiting POEs along the Northern and Southern borders,
CBP port directors told us that they are able to authorize less than
100 percent handling of travel documents and the port director of the
POEs we visited on the Southern border told us he can authorize less
than 100 percent electronic reading or manual lookup of travel
documents during times of heavy traffic to mitigate long waits,
although this happens only rarely in the POEs we visited on the
Northern border. During our visits to POEs on the Northern and
Southern borders, we observed 100 percent handling and electronic
reading of travel documents. However, in 2008, only about 49 percent
of travel documents were machine read in vehicle primary inspections,
while in 2009 about 63 percent were read. Part of this increase may be
attributed to the decrease in vehicle traffic during that period.
According to CBP crossing estimates for vehicle lanes indicate, there
was about a 10 percent decrease in vehicle traffic across the border
between 2008 and 2009.
In our prior work examining the security of BCCs, we found that DHS
was not fully utilizing the biometric features of the BCCs--that is
fingerprint data--and recommended that DHS develop a strategy for
better utilizing these features.[Footnote 28] At the time, we found
that only a small percentage of travelers with BCCs are referred to
secondary inspection where their fingerprints can be compared to those
in US-VISIT. These checks are usually performed only if a primary
officer determines travelers are traveling beyond the geographic
limits or exceeding the number of travel days allowed for use of the
BCC, or if there are concerns about the traveler. The use of biometric
checks of travelers presenting BCCs provides additional verification
that the travel documents are valid and belong to the travelers
presenting the documents, helping to address Impostor fraud--the most
significant type of fraud associated with BCCs. In fiscal year 2009,
CBP officers intercepted over 12,000 BCCs used by imposters. Even with
the second generation BCC, Impostor fraud is much more common than
fraud cases where the card has been counterfeited or altered. In
fiscal year 2009, 170 cases of Impostor fraud were detected with the
second generation BCC while only 12 cases of altered or counterfeit
second generation BCCs were detected. While the deployment of the
Vehicle Primary Client to CBP land POEs provides officers more
information on BCC holders, Impostor fraud remains a significant risk.
In 2008, CBP developed a Mission Need Statement for U.S. Pedestrian
Biometric Deployment to provide an additional security check at land
border POEs, whereby existing single-print readers, which scan 1
fingerprint for comparison with the cardholders fingerprint
information stored in the CBP border inspection systems, currently
being replaced with 10-print readers, which scan all 10 fingerprints
for comparison, in secondary inspection would be reallocated to
pedestrian primary lanes to enable inspecting officers with suspicions
of a BCC holder's identity to verify the individual against
fingerprint records. As of March 2010, these systems have been
deployed to all 136 pedestrian lanes at POEs across the southwest
border. However, CBP only has only plans to install them at select
vehicle lanes at remote POEs that have both vehicle and pedestrian
lanes. CBP indicated that there are operational challenges to
implementing biometric verification at busy POEs, which make secondary
inspection the most efficient place to perform biometric verification.
CBP Officer Training on New Travel Cards Was Timely, but Exemplars
Were Not Available at All Ports of Entry:
Previously, we recommended that State and DHS collaborate to provide
CBP inspection officers with better training for the inspection of
documents issued by State, including training materials that reflect
changes to State-issued travel documents and the provision of
exemplars prior to issuance. State and DHS agreed with the
recommendation and have taken steps to address it. For example, CBP
provided training to inspection officers on the passport card and
second generation BCC prior to their issuance and provides continuing
information to officers on document fraud. This training is done
during musters[Footnote 29] that include materials such as Fraudulent
Document Analysis Unit[Footnote 30] bulletins on document security
features and counterfeit documents and exemplars of the documents; as
part of other training done by CBP for inspecting officers; through
conferences; and through access to online information on the
documents. CBP officials also indicated that they provided exemplars
of the passport card and second generation BCC to all POEs to train
CBP officers prior to the cards' appearance at the POEs. However,
while CBP officials at POEs we visited along the Northern and Southern
borders indicated they had received training on the passport card and
second generation BCC, officials at POEs along the Northern border
indicated that they did not receive exemplars of either card and hence
were unable to include them in their training of their officers. In
our prior work, we found that the use of alerts and bulletins alone do
not provide officers with an understanding of the look and feel of the
actual documents. While State and DHS have taken positive steps in
response to our recommendation to improve its training of officers on
travel documents, the lack of exemplars at the POEs along the Northern
border indicates that improvements are still needed. As State
continues to update its travel documents, we continue to believe that
State and DHS need to fully implement our prior recommendation to
improve training of its officers on new documents prior to their
issuance, which includes the provision of exemplars so that they can
be used during training to better familiarize officers with the look
and feel of the cards.
Conclusions:
Ensuring the integrity of passport cards and BCCs is an essential part
of border security requiring continual vigilance to facilitate the
travel of those entitled to enter the United States and prevent the
entry of those who are not. Preventing the fraudulent use of travel
documents requires a combination of well-designed documents with
layered security features and an inspection process that utilizes
these security features. A well-designed document has limited utility
if inspection officers do not utilize the available security features
to detect attempts to falsely enter the United States. Although
designs for the passport card and the second generation BCC generally
meet or exceed standards and guidelines for international travel
documents, inclusion of all security features recommended by guidance
and standards for international travel documents does not guarantee
that the security features are of sufficient quality and are designed
to ensure the overall security of the cards. State's development
process could be improved to better assess the security of its cards
and to fully address problems and issues found during the testing and
evaluation of its cards, which could provide greater assurance that
State has secure, well-performing documents. We have previously
recommended that State periodically assess the security features when
redesigning its travel documents. It did not do so when redesigning
the passport card. By conducting such an assessment, State potentially
could have identified and addressed any vulnerabilities of the
passport card's design to resist fraudulent use. State has taken
actions to conduct such assessments in future redesigns, which, if
effectively implemented, should better position State to identify
vulnerabilities in its travel documents' abilities to resist fraud
before they can be exploited. Security assessments and testing can
provide the added assurance that the cards meet security requirements.
However, State did not fully assess or test the security features
incorporated on the passport card or the second generation BCC.
Although State performed testing and evaluation on prototype passport
cards, it did not test and evaluate the final designs for the passport
card or second generation BCC, nor did it test and evaluate its recent
redesign of the passport card. Further, while State addressed most
problems found during its testing, it either did not fully address the
issues and recommendations or it did not fully document its decisions
for not doing so. More fully conducting testing of the passport card
and BCC and addressing identified problems would provide State with a
fuller understanding of the overall security and performance of the
cards and greater assurance that its cards have been produced with
adequate security.
CBP officers at many U.S. ports of entry face time constraints in
processing large volumes of people and therefore rely on a few visual
and tactile security features of passport cards and BCCs--such as
raised printing and the tactile Great Seal--in addition to their
interviews, to identify fraudulent use of these documents. To assist
officers in the inspection of passport cards and BCCs, CBP deployed
systems to its POEs that enable the reading of the RFID chips in the
cards and display information about the card holders to the officers
during inspection. Further, CBP has deployed fingerprint readers in
primary inspection of some of its pedestrian lanes, which could help
officers identify imposters fraudulently using BCCs. State and DHS
have taken steps in response to our prior recommendation to improve
its training of officers on travel documents. However, the conduct of
training without passport card or BCC exemplars at the POEs we visited
along the Northern border indicates that improvements are still
needed. As State continues to update its travel documents, we continue
to believe that State and DHS need to fully implement our prior
recommendation to improve training of its officers on new documents
prior to their issuance, which includes the provision of exemplars so
that they can be used during training to better familiarize officers
with the look and feel of the cards.
Recommendations for Executive Action:
To ensure the designs for the passport card and BCC physical security
features adequately mitigate the risk of fraudulent use, we recommend
that the Secretary of State take the following two actions to improve
the development process when conducting future redesigns or updates to
the passport card or BCC:
* Fully address any issues or problems encountered during testing,
including the documentation of reasons for not addressing any of them.
* Fully test or evaluate the security features on the cards as they
will be issued, including any significant changes made to the cards'
physical construction, security features, or appearance during the
development process.
Agency Comments and Our Evaluation:
We provided draft copies of this report to the Secretaries of State
and Homeland Security for review and comment. We received written
comments from State and DHS, which are reprinted in appendices II and
III, respectively. We also received technical comments from State and
DHS, which we incorporated into the report, as appropriate.
In its comments, State concurred with our recommendations and
described actions it is taking to address them. State acknowledges the
importance of addressing and documenting issues encountered during
testing and that complete testing should be performed on cards
whenever significant changes to the physical construction and security
features are made.
In its comments, DHS concurred with our finding that sufficient
exemplars of new documents should be available for training officer
prior to new document issuance. However, DHS commented that, while the
report addresses the importance and rate of physically handling travel
documents, handling the passport card and BCC is not necessarily the
most efficient means of verifying their validity and the cards can be
verified without handling by utilizing RFID technology, Vehicle
Primary Client, and other primary systems. We agree that the ability
to access cardholder information automatically for the passport card
and BCC can help confirm the validity of the cards. Nevertheless,
primary inspection is the first and most critical opportunity to
detect fraudulent travel documents and to combat this requires
inspecting the physical security features, as well as using electronic
systems. Both State and DHS's FDL have indicated that physical
inspection of the documents is an important part of verifying
documents. DHS also commented that, while the use of biometric
verification can help identify imposters, operational challenges at
busy ports of entry make secondary inspection, where it is currently
available, the most efficient location to perform biometric
verification. We agree that the use of biometric verification in
secondary inspection and in pedestrian lanes enables inspectors to use
fingerprint biometrics to verify the identity of the cardholder.
However, at vehicle lanes in land border POEs this capability is not
available in primary inspection. Furthermore, travelers with BCCs at
southern land border ports--the ports where BCC Impostor fraud is most
significant--are not routinely referred to secondary inspection, where
they do have the capability to utilize the fingerprint records for
comparison, thus inspectors are not making full use of the biometric
information available for BCCs.
As we agreed with your office, unless you publicly announce the
contents of this report earlier, we plan no further distribution until
30 days from the date of this letter. We will then send copies to
interested congressional committees and the Secretaries of State and
Homeland Security. In addition, the report will be available at no
charge on the GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staffs have any questions about this report, please
contact me at (202) 512-4499 or barkakatin@gao.gov. Contributors to
this report include Richard Hung and Maria Stattel. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report.
Signed by:
Dr. Nabajyoti Barkakati:
Chief Technologist:
Director, Center for Science, Technology, and Engineering:
[End of section]
Appendix I: Scope and Methodology:
To determine how effectively State's development process for the
passport card and second generation BCC mitigates the risk of
fraudulent use, we interviewed officials from State's Bureau of
Consular Affairs, U.S. Customs and Border Protection (CBP), and the
Forensic Document Laboratory (FDL) in DHS's U.S. Immigration and
Customs Enforcement (ICE). We identified applicable standards and
guidelines for international travel cards. We interviewed State and
DHS officials on the designs for the security features of the passport
card and BCC and assessed them against the applicable standards and
guidelines that we identified, including standards and guidelines from
DHS, the International Civil Aviation Organization (ICAO), and the
Security and Prosperity Partnership (SPP). We also reviewed the
results of testing and evaluation of the prototype passport cards and
how State and DHS used these results because including all security
features recommended by guidance and standards for international
travel documents does not guarantee that the security features are of
good enough quality and designed well enough together to ensure the
overall security of the cards. Testing and evaluation was conducted by
the National Institute of Standards and Technology (NIST), FDL, CBP,
the Bank of Denmark, and Sandia National Laboratory. Finally, we
interviewed officials at the Tucson Passport Center to understand and
observe how second generation BCCs are personalized.
To determine how CBP officers use the security features of passport
cards and second generation BCCs to prevent fraudulent use at land
ports of entry, we interviewed officials from CBP and reviewed CBP
policies, procedures, guidance, and training documents regarding the
inspection of travelers presenting passport cards and second
generation BCCs for the purpose of entry to the United States,
including the use of the cards' physical security features and
cardholder information retrieved from CBP border inspection systems.
We conducted site visits to two POEs along the Southern border and
three POEs along the Northern border to interview CBP officials about
training and inspection procedures, as well as observe the inspection
process of travel documents to understand how CBP officers use the
physical security features and DHS database information to verify the
eligibility of a traveler presenting a passport card or BCC to enter
the United States. To assist in selecting these locations, we devised
the following selection criteria:
* RFID Reader in Primary Inspection - First we identified the 41 POEs
where CBP planned to install RF readers by June 30, 2009.
* Volume of Passport Cards and Border Crossing Cards - We considered
POEs inspecting higher volumes of passport cards and BCCs than other
POEs.
* Nearby Ports without RFID Readers - We considered POEs that had
nearby POEs without RFID readers within a 2-hour drive for northern
POEs and a 3-hour drive for southern POEs.
* Geographic Location - We considered geographic locations ensuring
that we include one POE along the border with Mexico and one along the
border with Canada.
* Pedestrian Crossing - We considered POEs on the southern border that
had pedestrian crossings, as well as vehicle crossings.
In determining potential locations to visit, we considered all of the
criteria categories together in making our selections. While the
information gathered during these site visits is not generalizable
across all land POEs, they did provide insight into the inspection
policies and procedures, as well as CBP officer training, for passport
cards and second generation BCCs.
We conducted this performance audit from January 2009 to June 2010 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of State:
United States Department of State:
Chief Financial 0fficer:
Washington, D.C. 20520:
May 25 2010:
Ms. Jacquelyn Williams-Bridgers:
Managing Director:
International Affairs and Trade:
Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548-0001:
Dear Ms. Williams-Bridgers:
We appreciate the opportunity to review your draft report, "Border
Security: Improvements in the Department of State's Development
Process Could Increase the Security of Passport Cards and Border
Crossing Cards," GAO Job Code 460605.
The enclosed Department of State comments are provided for
incorporation with this letter as an appendix to the final report
If you have any questions concerning this response, please contact
John Brennan, Senior Advisor, Bureau of Consular Affairs at
(202) 647-6370.
Sincerely,
Signed by:
James L. Millette:
cc:
GAO ” Richard Hung:
CA ” Janice Jacobs:
State/OIG ” Tracy Burnett:
[End of letter]
Department of State Comments on GAO Draft Report:
Border Security: Improvements in the Department of State's
Development Process Could Increase the Security of Passport Cards and
Border Crossing Cards (GAO-10-589, GAO Code 460605):
Thank you for the opportunity to comment on your draft report entitled
"Border security: Improvements in the Department of State's
Development Process Could Increase the Security of Passport Cards and
Border Crossing Cards."
The Department of State accepts the recommendations of the GAO
regarding procedures to be used for redesign and update of the
passport card and border crossing card (BCC). We agree it is essential
that issues encountered during the testing of a card be addressed and
thoroughly documented. We have taken vigorous action to address all
substantive concerns during testing or production of the passport card
and BCC. We acknowledge that more thorough documentation of these
actions would be beneficial. To address this need, the Bureau of
Consular Affairs created a permanent position for a Forensic Document
Design and Integrity Coordinator, which it filled in September 2009.
The Coordinator is a senior official who oversees document design and
security issues. The efforts that are the subject of this report
preceded creation of this office, which now is regularizing procedures
for testing and evaluation of all secure documents produced by the
Bureau and will be documenting the results in a manner that will
address GAO concerns. We also agree that complete testing of cards is
necessary whenever there are significant changes to physical
construction and security features and we are committed to regular
evaluation of document security throughout the service life of a
document. This will be among the priority tasks overseen by the
Coordinator.
Concerning steps taken in the redesign of the passport card, we would
like to note that changes to the card enhanced a travel document that
was already highly secure. The opportunity to make such enhancements
arose when it was decided to change the radio frequency identification
chip to a chip with a unique tag identifier. All of the security
features of the original document and the original artwork designs
were retained. The deliberative and decision-making process resulted
in a card, which as GAO acknowledges, generally meets standards and
guidance for international travel documents and includes numerous
layered security features.
Regarding the provision of exemplars for use by other agencies, the
Department routinely produces and disseminates exemplars of all new
travel documents. Exemplars of the passport card and BCC were provided
to requesting agencies prior to the issuance of these cards. We will
continue to work closely with other agencies to make sure exemplars
are provided in sufficient quantities for training and other purposes.
[End of section]
Appendix III: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
May 20, 2010:
Dr. Nabajyoti Barkakati:
Director:
Center for Science, Technology, and Engineering:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Dr. Barkakati:
Re: GAO-10-598, Border Security: Improvements in the Department of
State's Development Process Could Increase the Security of Passport
Cards and Border Crossing Cards:
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the U.S. Government Accountability Office's
(GAO) draft report referenced above.
The GAO report focuses largely on the security features of the
Passport Card and Border Crossing Cards (BCC), and while these are
still important, due to technology enhancements implemented under the
Western Hemisphere Travel Initiative (WHTI), these documents' validity
can be verified electronically. With radio-frequency identification
(AHD) technology, the Vehicle Primary Client, other primary systems,
and machine readable technology, cards can be verified with no actual
handling or inspection of the document by a U.S. Customs and Border
Protection (CBP) officer. CBP considers the security features of the
cards as an additional means of verifying that the cards are genuine,
for cases when systems are not available or discrepancies are
identified.
The report mentions the rate at which the cards are actually handled
by CBP officers, yet CBP contends that physical handling of the cards
is not always necessary and is not the most efficient means of
verifying their validity. CBP's electronic systems allow an officer to
easily and efficiently identify if a document is valid without
handling it.
The largest threat, which the report acknowledges, is that of
imposters utilizing genuine documents, not that of fraudulent
documents. CBP's electronic systems at primary allow for a better
comparison of the document photo on file and biographic information
with that of the traveler, allowing for better identification of
imposters. As the report states, CBP has deployed fingerprint scanners
to pedestrian lanes to better identify imposters to BCC cards. CBP
cannot require U.S. citizens presenting a Passport Card to provide
biometrics unless fraud or other violations are suspected, so we must
rely on questioning in addition to photo and data comparison in CBP
systems. At this time, CBP does not have the capability to verify
biometrics in standard vehicle lanes, and given the operational
challenges we have at busy ports of entry, secondary inspection is
currently the most efficient location to do this. Biometric
verification is available at secondary inspection areas.
CBP concurs that sufficient exemplars of new documents should be
available for training officers prior to new document issuance.
We appreciate the opportunity to review and comment on this draft
report and we look forward to working with you on future homeland
security issues.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/01G Liaison Office:
[End of section]
Footnotes:
[1] BCCs are a form of nonimmigrant visa that allow approved Mexican
nationals to enter the United States for business, pleasure, or
medical treatment without additional documentation. Travel is limited
to 25 miles from the U.S. border (75 miles if entering through certain
ports of entry in Arizona) for fewer than 30 days.
[2] Regulations implementing WHTI require Mexican nationals to present
a passport and visa when entering from Canada at the land border.
[3] A port of entry is an officially designated location (airport,
seaport, and land border locations) where CBP officers clear travelers
for entry into the United States. There are 326 ports of entry.
[4] Recent GAO work on passport or visa issuance processes includes
GAO, Addressing Significant Vulnerabilities in the Department of
State's Passport Issuance Process, [hyperlink,
http://www.gao.gov/products/GAO-09-683R] (Washington, D.C.: Apr. 13,
2009); Department of State: Undercover Tests Reveal Significant
Vulnerabilities in State's Passport Issuance Process, [hyperlink,
http://www.gao.gov/products/GAO-09-447] (Washington, D.C.: Mar. 13,
2009); Border Security: State Department Is Taking Steps to Meet
Projected Surge in Demand for Visas and Passports in Mexico,
[hyperlink, http://www.gao.gov/products/GAO-08-1006] (Washington,
D.C.: July 31, 2008); Border Security: Security of New Passports and
Visas Enhanced, but More Needs to Be Done to Prevent Their Fraudulent
Use, [hyperlink, http://www.gao.gov/products/GAO-07-1006] (Washington,
D.C.: July 31, 2007); and State Department: Improvements Needed to
Strengthen U.S. Passport Fraud Detection Efforts, [hyperlink,
http://www.gao.gov/products/GAO-05-477] (Washington, D.C.: May 20,
2005).
[5] Pub. L. No. 108-458, 118 Stat. 3638, 3823 (Dec. 17, 2004).
[6] Documents Required for Travelers Departing From or Arriving in the
United States at Air Ports-of-Entry From Within the Western
Hemisphere; Final Rule, 71 Fed. Reg. 68412 (Nov. 24, 2006).
[7] Documents Required for Travelers Departing From or Arriving in the
United States at Sea and Land Ports-of-Entry From Within the Western
Hemisphere, 73 Fed. Reg. 18384 (Apr. 3, 2008).
[8] Certain other documents may be presented by travelers on certain
closed-loop cruises or by children under the age of 16.
[9] Card Format Passport; Changes to Passport Fee Schedule; Final
Rule, 72 Fed. Reg. 74169 (Dec. 31, 2007).
[10] A passport card, for individuals 16 years or older, is valid for
10 years from the date of issuance; it is valid for 5 years for
younger travelers.
[11] From April 1998 until DHS assumed responsibility for its
functions in March 2003, the Immigration and Naturalization Service
produced the first generation border crossing card, also known as a
laser visa, and DHS's U.S. Citizenship and Immigration Services
produced the laser visa from March 2003 until October 2008.
[12] A border crossing card, for individuals 15 years or older, is
valid for 10 years from the date of issuance; as of June 4, 2010, for
younger travelers, it is valid up to the 15th birthday or 10 years,
whichever comes first.
[13] GAO, Border Security: Security of New Passports and Visas
Enhanced, but More Needs to Be Done to Prevent Their Fraudulent Use,
[hyperlink, http://www.gao.gov/products/GAO-07-1006] (Washington,
D.C.: July 31, 2007).
[14] For the purpose of this report, the designs of the passport card
and second generation BCC encompass the physical construction of the
cards, as well as other features added by the manufacturer and State.
[15] ICAO, Machine Readable Travel Documents, Part 3 Machine Readable
Official Travel Documents, Volume 1, MRTDs with Machine Readable Data
Stored in Optical Character Recognition Format, ICAO 9303 Part 3,
Third Edition (2008).
[16] Security and Prosperity Partnership Traveler Screening Systems
Working Group, Recommended Standards for Secure Proof of Status and
Nationality Documents to Facilitate Cross-Border Travel (February 2007).
[17] Counterfeit deterrence studies involve reviewing prototype
security documents using scientific instrumentation for their
adherence to recognized security printing standards, technologies, and
methods. Conclusions are based on real world experience with
compromised documents.
[18] Rainbow printing produces artwork with a gradual color change
across the card surface.
[19] An RFID chip contains a unique number that can be read remotely.
For passport cards and second generation BCCs, this unique number
references cardholder information in State and DHS databases.
[20] ICAO 9303, Part 3, Volume 1.
[21] The contract was initially awarded to General Dynamics
Information Technology in January 2008. By mutual agreement, this
contract was terminated.
[22] A unique tag identifier is a universally unique number assigned
by a registration authority to the chip manufacturer plus a unique
serial number issued by the manufacturer. It is written permanently at
the time the chip is manufactured and cannot be changed or cloned.
[23] Steganography is a technique of concealing data into a document,
usually in the cardholder's portrait or background security printing
that can only be seen when viewed with a special lens or detected by
specialized software. In the second generation passport card, codes
are embedded in the primary image of the holder and are only visible
using a viewing device.
[24] [hyperlink, http://www.gao.gov/products/GAO-07-1006].
[25] The RFID readers can also be used to read the RFID tag on CBP's
trusted traveler cards, including NEXUS, Secure Electronic Network for
Travelers Rapid Inspection (SENTRI), and Fast and Secure Trade (FAST).
[26] Machine readable zone document readers are operational in vehicle
and pedestrian lanes at all land border ports of entry.
[27] [hyperlink, http://www.gao.gov/products/GAO-07-1006] and Document
Security: Additional Actions Needed to Assess Risk and Enhance
Security of DHS Travel and Immigration-Related Documents, [hyperlink,
http://www.gao.gov/products/GAO-08-505SU] (Washington, D.C.: May 15,
2008).
[28] [hyperlink, http://www.gao.gov/products/GAO-07-1006].
[29] Musters are briefings provided daily to CBP officers to provide
relevant information, including information about new or updated
travel documents and fraud alerts.
[30] The Fraudulent Document Analysis Unit is a part of CBP tasked to
remove fraudulent travel documents from circulation and prevent
fraudulent use of travel documents to enter the United States.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: