Risk assessment of Malaysian e-Passport PKI based on ISO 27000 series International Standards / Mohd Faizul Ya'kub

Malaysia was the 1st country in the world to issue biometric passports (e-Passport) in 1998. Recent years, a number of vulnerabilities in e-Passport have been identified in the first and second generation of e-Passports. These vulnerabilities can lead to security issues such as cloning, spoofing, skimming, eavesdropping and identity theft crimes. Countries in European Union (EU) had taken steps to rectify the issues and enhance their e-Passport security features. However, there is lack of case studies conducted to review the Malaysian e-Passport security risk assessment according to International Standards. The objectives of this study are to identify the security risk in Malaysian e-Passport PKI and to recommend the feasible solution for future enhancement. A qualitative method was used in this study where a set of interview questions prepared and interviews been conducted to four participants. The data been analysed using Thematic Analysis and presented based on risk assessment methodology in ISO 27000 series International Standards. The risk assessment consists of two approaches; risk analysis and risk evaluation. The risk analysis identified resource identification and valuation, risk identification and risk measurement of Malaysian e-Passport PKI. While in risk evaluation, it focuses on risk mitigation and prioritizing protection activities for future enhancement. The results reveal that the Cloning, Man in the Middle, Spoofing and server related issues are the risk of Malaysian e-Passport. For recommendation, the result is to implement Password Authenticated Connection Establishment (PACE) and follow ICAO standards. The significance of this research will help policy-makers to make decision on the future direction of Malaysian e-Passport and ensure Malaysian citizens having secured e-Passport technologies for travelling overseas.