[mirages]

This is at best another forensic tool (unlocking the TPM of a locked laptop/phone for prosecution) and at worst a red herring for security flag.

- Clone a passport -> why cloning if you can issue new ones - getting risked being detected while using a clone (2 entries in 2 different countries, and you also need to look like the person) not to mention you have to destroy the passport

- Phone enclaves -> see above

- Crypto -> Hardware wallets should be kept on eye as badly as your normal wallet

- SIM Cards -> Swapping is faster, or if you're the the gov, just an intercept warrant will do the trick

- Laptops -> see above

- EMV Chips -> If you have those skills and money, I don't think you'll lose time on cloning credit/debit cards

[mschuster91]

> - Clone a passport -> why cloning if you can issue new ones - getting risked being detected while using a clone (2 entries in 2 different countries, and you also need to look like the person) not to mention you have to destroy the passport

Well... not really. ICAO compliant passports do not require storing a photo embedded in the chip, as long as you can forge the physical part of the passport (or obtain blanks) you just need the digital certificates from a "donor" passport of John Doe, print "John Doe" and his personal data (birth day/place, nationality, issuance/expiry data) on the human readable and MRZ fields, but crucially the photo of the person using the forgery.

Also, there are no centralized, cross country stores of entry/departure. Lots of places don't even register it for visa-free border crossings.

Some national ID documents, e.g. the Croatian national ID card "osobna iskaznica", do store a photo embedded in the chip, so that indeed restricts a forgery from being used by a non-lookalike.

[lxgr]

> ICAO compliant passports do not require storing a photo embedded in the chip

That's completely on the issuing country then, though, just like they e.g. might choose to not use dynamic chip authentication, which also makes the passport subject to trivial chip cloning.

I wouldn't be surprised if some e-border gates reject travel documents that don't support chip authentication or don't have a digital version of the photo covered by the issuer signature.

[patrakov]

> - Phone enclaves -> see above

Well... not really, from the viewpoint of a bank. Look, now the user can extract the key that the bank TOTP app carefully keeps, and transfer it to another (rooted) device, or use without a phone at all, meaning that this app is no longer a "something unclonable that you have" authentication factor. From a risk management and compliance perspective, that's a contract breach: the bank is legally obliged to store that secret securely, so that the user is guaranteed to complain if it could have been used by someone else.

[nly]

Two factor auth is often just used to shift blame anyway.

[lxgr]

> - EMV Chips -> If you have those skills and money, I don't think you'll lose time on cloning credit/debit cards

Experience shows that the people having the skills, money, and criminal energy to attack payment card security quite often end up doing just that.

In a way, there's an implicit and quite large pending bug bounty for EMV at all times...