Assessment of Malaysian E-Passport PKI based on ISO 27000 Series International Standards

Malaysia was the 1st country in the world to issue biometric passports (e-Passport) in 1998. Recent years, a number of vulnerabilities in e-Passport have been identified in the first and second generation of e-Passports. These vulnerabilities can lead to crucial security issues. Due to lack of case studies conducted to review the Malaysian e-Passport, the objectives of this study are to identify the security risk in Malaysian e-Passport PKI and to recommend the feasible solution for future enhancement. A qualitative method was used in this study where a set of interview questions prepared and interviews been conducted to four participants. The data been analyzed using Thematic Analysis and presented based on risk assessment methodology in ISO 27000 series International Standards. The risk assessment consists of two approaches; risk analysis and risk evaluation. The risk analysis identified resource identification and valuation, risk identification and risk measurement of Malaysian e-Passport PKI. While in risk evaluation, it focuses on risk mitigation and prioritizing protection activities for future enhancement. The results reveal that the Cloning, Man in the Middle, Spoofing and server related issues are the risk of Malaysian e-Passport. For recommendation, the result is to implement Password Authenticated Connection Establishment (PACE) and follow ICAO standards. The significance of this research will help policy-makers to make better decision on the future direction of Malaysian e-Passport in order to ensure Malaysian citizens having secured e-Passport.