The theft of as many as 5 million passport numbers from the Marriott hotel chain last year continues to worry consumers concerned that criminals were using their information for fraud or even travel.
Unlike credit card data or personal Social Security numbers, there are few mechanisms in place to alert consumers that their passport numbers have been stolen and possibly used for fraud.
According to research from cybersecurity intelligence company Flashpoint, passport data sells in three formats on the darkweb, digital scans, templates for creating a finished passport and actual physical passports. These range in price from $5-$65 for scans, $29-$89 for templates and up to $5,000 for the finished product.
Modern entry procedures in most countries can catch forgeries and lower-priced "fake" passports have a limited use for other types of identity theft.
But some countries don't scan passport barcodes or microchips, and that's where even a low-cost phony passport can help a criminal gain entry, according to Brian Stack, vice president of engineering and darkweb surveillance at Experian.
Getting a professionally forged passport on the darkweb can routinely cost around $1,000 to $2,000, and that includes not just a victim's stolen or leaked passport information, but other items that make the passport workable in many countries.
Lower-cost versions that can pass an "eyeball test" at less-sophisticated ports can cost hundreds of dollars on the darkweb, according to Stack. These lowbrow versions can also be used for other types of identity theft, like entry at a sporting event, business, government office or school.
On the high-end, darkweb researchers have seen much more sophisticated passport forgeries that can cost criminals upward of $3,000, with additional charges for special features, like diplomatic ties, according to Charles Henderson, head of IBM's cybersecurity group X-Force Red, which conducts research on darkweb forums.
"Criminals need, at the country they are leaving or entering, at a bare minimum passport number, name, date of issue, date of expiry, and sometimes the scan bar at the bottom of the passport," Henderson said. This information is much more prevalent in breaches of passport information that involve full scans of the passport than in other breaches, like Marriott's, that have mostly just involved passport numbers and other manually entered data.
At modern ports of entry, scanners also look for other inconsistencies and can quickly flag them, including incorrect typeface or mismatched traveler information, Henderson said.
Finding out if someone is using a forged or fraudulent passport in your name is harder, however. People may be accustomed to alerts when their credit card is stolen, but "it's not like you have an audit trail of places you travel, all your comings and goings, and there isn't a way necessarily to quickly alert you to this type of fraud," he said.
The State Department has previously stated that breaches of passport information don't often translate into a forged passport, telling Fast Company that new passports have lots of security features to defend against counterfeiting and emphasizing that people can't travel on a passport number alone.
Getting a new passport can help consumers who suspect they are victims of passport identity theft, but they will also have to foot the cost of the updated document, according to the State Department.