A trade representative demonstrates the functions of a biometric passport scanner, similar to scanners used at immigration checkpoints in Malaysian airports, in Kuala Lumpur. Malaysia pioneered using biometric passports to curtail immigration fraud. Photgorapher: Tengku Bahar/AFP via Getty Images

Malaysia pioneered using biometric passports to curtail immigration fraud. Sixteen years later, the ability of two identity thieves to board a Malaysian Airline plane that went missing exposed the technology as far from foolproof.

The electronic travel documents are embedded with a chip storing the holder’s personal information: a facial photograph, height, weight and sometimes fingerprints and scans of their iris. The information on the e-passports, first developed by Kuala Lumpur-based Iris Corp., can be verified with a government database during checks at immigration control points.

Lax checking procedures and sophisticated counterfeiting techniques mean that biometrics passports aren’t fail safe, six security experts said in interviews. Two passengers who used stolen European passports to get past immigration officers and board Malaysian Airline System Bhd.’s Flight 370 may have either used altered documents or they weren’t fully checked by immigration authorities, they said. One of the stolen passports, belonging to an Austrian citizen, had biometric features, said Thomas Weiss, a spokesman for the nation’s Foreign Ministry.

“Malaysia led the world in establishing biometric passports, and how could this have happened?” said Louis Sorrentino, a Florida-based managing officer for aviation safety consultant ICF International. “I’m baffled by it.”

Screening Oversight

Iris developed the world’s first electronic passport in Malaysia in 1998, according to the company’s website, and says its technology has spread across Asia, Africa and the Middle East. Passports issued to Malaysian citizens contain a person’s headshot and a thumbprint.

The passports stolen from Thailand that two passengers used to board the Beijing-bound flight, which disappeared without a trace three days ago, weren’t checked against an international database of stolen passports, according to Interpol. Planes were boarded more than a billion times last year without the travel documents being screened against the register, the international police agency said March 9.

“There’s an important point that everybody needs to keep in mind: The document itself cannot guarantee the security of the whole system,” said Stefan Barbu, head of secure identity for the Americas at NXP Semiconductor NV, the largest global provider of chips for e-passports. “Yes, it will be secure if you implement the appropriate policies, but this, unfortunately, isn’t always the case.”

Passenger Identified

Reports that two passengers traveled on stolen passports fueled speculation of a terrorist attack on the plane. Malaysian authorities today said one of the two was an Iranian who had no links to terror groups.

Pouria Nour Mohammad Mehrdad, 19, got on board using the Austrian passport and aimed to migrate to Germany, Inspector General of Police Khalid Abu Bakar said in Kuala Lumpur. Normal procedures were followed by authorities in granting a visa when he entered Malaysia, Khalid said.

“We have been checking his background, we have also checked him with other police organizations, on his profile, and we believe that he is not likely to be a member of any terrorist group,” Khalid said. Another person, who boarded using a stolen Italian passport, is being investigated.

Iris’s passport chip technology can’t be forged or hacked, according to the company.

‘Not Hacked’

“The security of the electronic component, as far as we know, has not been compromised,” Tan Say Jim, chief executive officer, said by phone. “The security on the electronic passport, as far as we know, none of our passports have been hacked.”

About 100 countries now use e-passports, according to NXP. The use of biometrics to check identities dates to at least 1858, when British civil servants started using palm prints to seal contracts, said Gene Meltser, technical director of consultant Neohapsis Labs.

The technology now is ubiquitous, with Apple Inc. using a fingerprint reader, Touch ID, in its latest iPhone 5s. Yet within days of its release, a German group claimed to have bypassed the scanner using a photograph of someone’s fingerprint, according to media reports.

Addressing concerns expressed by a U.S. senator last year, Apple said the fingerprint information is encrypted and stored securely inside the device and not on Apple servers.

‘Glass Eye’

Samsung Electronics Co., the world’s biggest phone maker, also uses a fingerprint reader in its upcoming Galaxy S5 smartphone. Samsung was studying using eye recognition technology in the phone, which experts said was harder to fake, though still possible.

“Iris hacking, though more difficult, can be done by scanning the iris and printing it on a glass eye,” said Hector Hoyos, chief executive officer of New York-based Hoyos Labs, which develops authentication technology. “In China, there are mail-order services that can replicate a person’s print or iris and courier it back to the purchaser in 48 hours. It really is a brave new world.”

It’s much easier to take advantage of the failure of the system than to counterfeit or to hack a document, according to Barbu of NXP.

Canada and the European Union currently are deploying biometric passports, while the U.S. is studying their efficacy, Hoyos said. The U.S. embedded chips with some information in passports following the Sept. 11 attacks. Ultimately, passports may need to be eliminated entirely in favor of biometrics that can’t be hacked and algorithms that assess a person’s “liveness,” Hoyos said.

Iris Scanning

In 2004, Abu Dhabi started scanning people’s irises upon entry and exit to verify identities, said Janice Kephart, founder and chief executive officer of Secure Identity & Biometrics Association, a Washington-based industry group.

Those measures are only as effective as the people enforcing them, experts said.

“Biometric passports, if it’s connected to a database that is current and managed properly, that’s the most effective security check,” Sorrentino said. “But if it’s not connected to anything and a green light just goes on, we have more problems than we know.”