For over a decade, Customs and Border Protection has failed to properly verify e-passports (which contain biometric data) as “it lacked the software to do so,” according to a new letter sent by two top senators.
According to a 2010 report authored by the Government Accountability Office, the problem needed fixing then—and eight years later it still hasn’t been resolved.
An e-passport is essentially a passport that includes machine-readable RFID chips containing a traveler’s personal information. These more digitally secure passports, which the United States began requiring for visitors from visa waiver countries in 2007, are scanned at the border by a CBP agent’s computer. However, unless the digital signature stored on the chip is verified, it is impossible to validate that the data contained on the passport is actually authentic.
Matthew Green, a professor of cryptography at Johns Hopkins University, called out CBP on Thursday about the issue.
In other words, the data and a digital signature is loaded from the chip and displayed, but since the signature isn’t verified (🙄) anyone could have forged it.
— Matthew Green (@matthew_d_green) February 22, 2018
In the Thursday letter, Senators Ron Wyden (D-Oregon) and Claire McCaskill (D-Missouri) demanded that CBP resolve the problem by January 1, 2019.
Customs and Border Protection did not immediately respond to Ars’ request for comment.