Security Government Privacy News

UK National ID Card Cloned In 12 Minutes

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."
  • Re:Hang on (Score:5, Informative)

    by sifi ( 170630 ) on Friday August 07, 2009 @05:22AM (#28983785)

    I unfortunately read the article...

    He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

    Let's hope this puts the final nail in the coffin for this stupid idea.

  • Re:Hang on (Score:5, Informative)

    by krou ( 1027572 ) on Friday August 07, 2009 @05:24AM (#28983799)

    Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.

    Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

    He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

    He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

    He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

    So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.

  • Re:Hang on (Score:3, Informative)

    by AmiMoJo ( 196126 ) on Friday August 07, 2009 @05:26AM (#28983815) Homepage Journal

    TFA says they managed to change the data on the card. It's still not clear if that is enough to make your own card or if it would fool a biometric scanner.

    Biometrics are a terrible way to establish identity, which is why banks don't use them. Aside from the ease with which things like fingerprint scanners can be fooled, your biometric data can change (e.g. you burn your finger, lose an eye, get cosmetic surgery). That means there has to be a system for getting your card updated with the new data, and if such a system exists you can guarantee it will be open to abuse.

  • Re:Outstanding. (Score:5, Informative)

    by IBBoard ( 1128019 ) on Friday August 07, 2009 @06:18AM (#28984099) Homepage

    You're allowed to buy alcohol from 18 in the UK, but they're now asking for ID if you look under 25. Also, my 35 year old sister-in-law has been asked for ID several times in Colorado, USA (where she lives). It's not just the young 'uns who need ID ;)

  • by IBBoard ( 1128019 ) on Friday August 07, 2009 @06:20AM (#28984107) Homepage

    What do you use to identify yourself? Social Security card? Driver's license?

    ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.

    How hard is it to forge one of these?

    It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.

    Anyway, what's all the fuss about ID cards?

    It's generally:

    a) the extra crap that the government wants to store on there for no good reason
    b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
    c) the extra expense to get said extra information
    d) the fact that the main argument is "do it or teh terrorororoists winz!"
    e) the fact that so much money has been poured in to them and they're obviously so broken
    f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"

  • Re:Hang on (Score:5, Informative)

    by gsslay ( 807818 ) on Friday August 07, 2009 @06:26AM (#28984137)

    Indeed. Please tag this story "DailyFail".

    I've no grounds for arguing with the facts, and certainly agree with the disgust for these ID cards, but any story in the Mail that touches on "scrounging foreigners damaging our property values and insulting the sacred memory of Princess Di" is not to be trusted.

  • Re:Outstanding. (Score:2, Informative)

    by AlecC ( 512609 ) <aleccawley@gmail.com> on Friday August 07, 2009 @06:42AM (#28984213)

    Apparently (i.e. I read on the net, so not very reliable), some shops have a policy of ID every Nth customer, regardless of appearance. Which got a 75-year-old irate when he was refused service because he wasn't carrying ID.

  • Re:Outstanding. (Score:1, Informative)

    by Anonymous Coward on Friday August 07, 2009 @06:47AM (#28984241)

    I was waiting for a plane in JFK and was sitting in a bar and saw the staff refuse to serve an 82-year-old man a small beer before he showed ID (he was as bored as everyone in that snow storm so he really tried to talk the bar girl into not demanding the ID, but she was adamant).

  • by Cyberax ( 705495 ) on Friday August 07, 2009 @06:50AM (#28984257)

    Neither cards nor verification hardware require the master private key to be present.

    Just like SSL, in a good implementation of ID cards each card is issued its own private and public keys, signed by the root private key (which is kept in secrecy). Then the ID card uses this PK to encrypt communications. Verification hardware only needs the root public key to check that the ID card is legit.
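
Added example, not part of the comment above or of the original discussion: a sketch of the per-card key scheme that comment describes, where a reader holding only the root public key checks the signed card data and then challenges the card to prove it holds its own private key. It goes one step beyond the comment by adding that challenge-response; the toy textbook-RSA keys built from Mersenne primes, the card fields and all function names are assumptions for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key below

def make_key(p, q):
    """Textbook RSA key from two primes (toy sizes, illustration only)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

ROOT = make_key(2**127 - 1, 2**89 - 1)  # root private key stays with the issuer
ROOT_PUB = ROOT["n"]                    # the only key a reader needs

def issue_card(holder_data, p, q):
    """Issuer: give the card its own key pair and sign data + card public key."""
    card_key = make_key(p, q)
    cert = holder_data + b"|" + str(card_key["n"]).encode()
    return {"data": holder_data, "pub": card_key["n"],
            "cert_sig": sign(ROOT, cert), "_priv": card_key}

def reader_check(card, respond):
    """Reader: verify the root signature, then challenge the chip."""
    cert = card["data"] + b"|" + str(card["pub"]).encode()
    if not verify(ROOT_PUB, cert, card["cert_sig"]):
        return False                     # data or card key was altered
    challenge = secrets.token_bytes(16)  # fresh nonce, so replies cannot be replayed
    return verify(card["pub"], challenge, respond(challenge))

def demo():
    # Constructed sample card data
    card = issue_card(b"name=Test Holder;benefits=no", 2**107 - 1, 2**61 - 1)
    genuine = reader_check(card, lambda c: sign(card["_priv"], c))
    # Altered data: the root signature no longer matches
    altered = dict(card, data=b"name=Test Holder;benefits=yes")
    tampered = reader_check(altered, lambda c: sign(card["_priv"], c))
    # Clone: readable fields copied, but the private key never left the chip
    other_key = make_key(2**89 - 1, 2**61 - 1)
    clone = {k: card[k] for k in ("data", "pub", "cert_sig")}
    cloned = reader_check(clone, lambda c: sign(other_key, c))
    return genuine, tampered, cloned

if __name__ == "__main__":
    print(demo())
```

A reader that performs only the first check accepts a byte-for-byte copy of the signed data; the challenge step is what ties the data to one physical chip.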

  • Re:Hang on (Score:2, Informative)

    by ThatGuyJon ( 1299463 ) on Friday August 07, 2009 @06:58AM (#28984297)

    Each one of these files is supposed to be protected with a special digital key, so that if anyone attempts to change it, the card would be identifiable as a fake to any official with a digital chip reader.

    To get round this hurdle, we recruited the help of another technology expert, Jeroen van Beek, an Amsterdam-based computer consultant who advises many top companies on digital security.

    Drawing on the work of renowned New Zealand computer scientist Peter Gutmann, our team was able to alter the contents of each datagroup and then 'relock' them, so that the card would be accepted as genuine.

    We had created a perfect fake chip. The Government's 'fail-safe' security had failed.

    In other words, yes the government did really screw up.
    On a side note, does slashdot have to link to a link to the article?

  • by Vollernurd ( 232458 ) on Friday August 07, 2009 @07:02AM (#28984319)

    Whilst this is a failure of some rudimentary security system that was supposed to protect the data stored on the chip, this is not a cloned card per se.

    The chips on these ID cards, and the new UK passports, are there to enhance the integrity of the DOCUMENT, not be secure stand-alone identifiers alone. For instance you can easily copy the data on a chip once the security has been defeated but to accurately copy the paper part of the document including the watermarks, UV sensitive fibres, holograms, raised ink, iridescent coatings, etc. takes a lot of time and effort that most people won't bother with. Some do bother as a lot of bent banknotes will testify to.

    These cards like the passports SHOULD when tested/checked be read by a human being who knows how to check the security features (e.g. running your fingers over the top of a banknote to check the raised ink), check the details and the photo are correct and do not seem to have been tampered with, then they can check that the data on the chip matches the data printed on the paper/plastic. If they match then there's a very high chance that the card/passport is genuine.

    Just checking one portion rather than the other defeats the purpose of these designs.

    Weak systems will always be exploitable. UK Border Control staff/Police/Home Office drones need to know that no document is unforgeable and to maintain the integrity of a system requires knowledge and training on the part of those who are attempting to enforce it.

  • Re:Outstanding. (Score:5, Informative)

    by TheRaven64 ( 641858 ) on Friday August 07, 2009 @07:23AM (#28984419) Journal

    Who did the UK Government get to test the security on these cards?

    They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.

  • by chrb ( 1083577 ) on Friday August 07, 2009 @08:07AM (#28984649)

    In fact, the Daily Mail article says they used Jeroen van Beek's method of loading the card with data - however, the Wired article claims this is not actually what happens:

    Unfortunately, a number of people have interpreted the Times story to mean that van Beek altered the data on a legitimate passport chip without it being detected. England's Home Office is among those who read it this way. The Office recently responded to the story by denying that anyone can change data on a passport chip without it being detected.

    In fact, van Beek says he didn't change data on a passport chip.

  • by amazeofdeath ( 1102843 ) on Friday August 07, 2009 @08:12AM (#28984675)

    "The Home Office has dismissed the report. 'This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened,' said a spokesperson."

    http://www.theregister.co.uk/2009/08/07/id_card_hacked/ [theregister.co.uk]

  • Re:Outstanding. (Score:3, Informative)

    by necro81 ( 917438 ) on Friday August 07, 2009 @08:23AM (#28984749) Journal
    If you had bothered to read the article...

    He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

    He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

    He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

    He's not just reading off or copying the information, he's cloning the card, and demonstrating that he can change things in the process. So, using your analogy, the demonstration proves he not only can copy a page of Chinese writing, he can read and understand it, edit it, and print it back out to make it look just like the original.

  • by pjt33 ( 739471 ) on Friday August 07, 2009 @08:43AM (#28984869)

    You missed checking your post for accuracy. You don't need an NI number to apply for a British passport. I don't think you need one to open a UK bank account, although I haven't done that for several years so I'm not 100% sure: if you do then it's only to pay taxes. You don't need one to apply for a job, although if you get the job you will need to obtain one, if you don't have one, and supply it so that they can pay taxes. You don't need one for hospital treatment - there is an NHS number, but that's administered entirely separately. And finally, yes, you need it to pay taxes: that's the only purpose for which you need it.

  • Re:Outstanding. (Score:3, Informative)

    by sumdumass ( 711423 ) on Friday August 07, 2009 @08:43AM (#28984875) Journal

    It's not really that difficult to show your ID was cloned. It isn't like it doesn't happen today with current IDs. Illegal aliens are doing it, underage drinkers do it (often on college campuses), and people perpetrating ID theft do it.

    Where the problem is going to be is when the person has some sort of motive and opportunity to commit whatever crime is in question. Most often the ID evidence will have a witness saying it was in fact you and in some cases there will be video or photographic evidence to corroborate.

    The situation will not be much different than it is today.

  • Re:Outstanding. (Score:3, Informative)

    by langelgjm ( 860756 ) on Friday August 07, 2009 @08:49AM (#28984919) Journal

    Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded.

    For those who don't know, the Gower's report was on intellectual property policy.

    I wish the U.S. did something similar - getting together an independent panel of experts, not hand-picked bureaucrats, to look in-depth at important issues. And of course, actually act in keeping with the reports. Another UK report of interest to slashdot - the Byron Report, which looked at the effects of video games and the Internet on children. Quite even-handed, and makes notes about how there is a "polarisation of research paradigms" between the US and UK.

    The closest thing in the U.S. I've seen is the president's council on Bioethics, and those reports never seem to make as concrete recommendations as the UK ones.

  • Re:Outstanding. (Score:3, Informative)

    by AndersOSU ( 873247 ) on Friday August 07, 2009 @11:18AM (#28986349)

    wrong link sorry hiible [wikipedia.org]

  • by Anonymous Coward on Friday August 07, 2009 @03:02PM (#28989225)
    No, you don't. You have to identify yourself if asked, but you DO NOT HAVE TO PRODUCE ID [knowmyrights.org]. If the cop says "Show me some ID" it's perfectly legal and appropriate to say "I'm Pitabred. I don't need to show you any ID."

    Did you read the page you linked to? It says:

    'In Hiibel v. Sixth Judicial District Court of Nevada [papersplease.org], the Supreme Court upheld state laws requiring citizens to disclose their identity to police when officers have reasonable suspicion to believe criminal activity may be taking place. Commonly known as "stop and identify" statutes, these laws permit police to arrest criminal suspects who refuse to identify themselves.'
    http://www.knowmyrights.org/faq/4th-amendment/when-do-i-have-to-show-id.html [knowmyrights.org]
