UK National ID Card Cloned In 12 Minutes 454
Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."
Outstanding. (Score:5, Interesting)
Re:Outstanding. (Score:5, Insightful)
And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?
This is the biggest problem (Score:5, Interesting)
And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail.
I think this is symptomatic of the biggest single problem with so many government powers.
Things will inevitably go wrong in any system as large and complicated as running a national government. This will be true even if everyone tries to be diligent and acts with nothing but good intentions. There is no point either pretending that this won't happen or pretending that it would be better if we dropped all government systems that could possibly cause such problems no matter how much good they might otherwise do.
However, there should always be a system in place that allows mistakes to be detected and put right quickly, and without making things any worse for the unlucky victim. This is particularly true in cases of mistaken identity or other factual errors, where the consequences might be anything from financial loss such as being denied benefits or overtaxed, through loss of reputation and all the damage to relationships and career that might entail, right through to violent arrest and detention (or worse).
As a declaration of interest, I am particularly sceptical about any claims relating to ID, because I was once overtaxed significantly due to a case of mistaken identity at a government tax office. It was bad enough that I was left short of money to pay my rent without warning, but even worse that it took nearly three months and a huge amount of effort on my part to get it put right, and I never received so much as a real apology or full explanation afterwards. I can forgive a data entry error by someone who's probably earning near the minimum wage and typing hundreds or thousands of these numbers every day. I can't forgive a system that damages me for months afterwards because it can't acknowledge that it made a mistake.
Re: (Score:2)
Whooooosh yourself. (S)he's right. The justice system is stacked in favour of the state.
Re: (Score:2, Insightful)
No, the justice system is stacked in favor of the largest entity involved, regardless of whether or not it's in the state's interest. Didn't you notice that "victimless crimes" don't go punished when millions of people lose their life's savings as a result of a single individual, but /do/ go punished when someone may have lost a single DVD sale?
Re: (Score:3, Funny)
No wonder Americans are getting fat.
Re: (Score:3, Insightful)
Please avoid the use of the term "victimless crime" when talking about fraud, theft, or copyright violation. It muddies the waters for true victimless crimes -- personal drug use, consensual sex work, communist ideals, etc.
Re: (Score:2)
Perhaps GP should have spelt things out thus: Whoosh [wiktionary.org].
Re: (Score:3, Insightful)
Yeah.... it's really popular to say that. Like Microsoft *^%*%$(*($ sucks!.
In this particular instance, it's not so easy to go with the cynicism. If this hack is really that easy, you should be able to come up with a security expert willing to counter than government security expert.
EXTRA points, if you clone the Judge's ID while in the courtroom and buy 100 black 12" dildos in his/her name and produce the receipt.
Judg
Re: (Score:3, Informative)
It's not really that difficult to show your ID was cloned. It isn't like it doesn't happen today with current IDs. Illegal aliens are doing it, underage drinkers do it (often on college campuses), and people purpetrating ID theft do it.
Where the problem is going to be is when the person has some sort of motive and opportunity to commit whatever crime is in question. Most often the ID evidence will have a witness saying it was in fact you and in some cases there will be video or photographic evidence to coll
Re: (Score:3, Insightful)
Well I think we are mostly in agreement. What you are talking about is corroborating evidence, motive, and intent. I do agree when there is an eyewitness that states it was you that provided the ID during the criminal act, it becomes very difficult to argue about the ID at that point.
The original poster, much farther up the thread, was basically stating, "prove it". Eye witnesses help do that. Any type of corroborating evidence is going to help to do that.
However, when the use of the ID becomes the only
Re: (Score:3, Interesting)
Re: (Score:3, Funny)
Now it's truly redundant!
Why no, Mr. Policeman, I don't seem to have my National ID card with me.
Re:Outstanding. (Score:5, Insightful)
Actually, you are incorrect. There are court cases saying you have to present ID if demanded by a cop.
The cop was responding to a possible house break in. He had to "cross the threshold" to verify this, and he had to verify the person he was talking to was the actual owner. If they believe that a crime is/has occured, there are lower thresholds to entering a possible crime scene. Their job, at that point, is to verify that a crime hasn't occured, and hold anyone who may have committed the crime.
It wasn't an anonymous tip. The woman who made the call has been harassed and ridiculed for the call. I don't see how that's an anonymous tip.
I'll throw in that the professor shouldn't have started by showing the cop his college ID. That doesn't verify that you live at the house, and not everyone knows all the professors at a school.
Re:Outstanding. (Score:5, Insightful)
The grandparent poster was correct, and your correction scares the hell out of me. Learn your rights. Use them. Or you lose them.
Comment removed (Score:5, Insightful)
Re:Outstanding. (Score:4, Interesting)
The case on point is Hiible [dailykos.com]. Follow the links for more info.
The ACLU [aclu.org] also has a very good resource.
Re: (Score:3, Informative)
wrong link sorry hiible [wikipedia.org]
Re: (Score:3, Insightful)
It's thoroughly depressing to see in our society the authoritarian outlook that someone deserves to be arrested for giving "attitude", in his own home no less. The officer's job is to protect and serve. As two police chiefs interviewed on NPR stated, an officer in that situation should be attempting to get done w
Re: (Score:3, Insightful)
A lady saw a guy breaking in a door and called the cops; the guy owned the house, so he had a right to do so. But a reasonable person would also understand that if you just broke into your house, there is a chance a neighbor called the cops. That happened and all he had to do was show his ID so the cop could verify it was his house. When he didn't do that, the cop had a duty to all land owners to detain him unt
Re: (Score:3, Interesting)
I'm not debating whether the cop should have showed up to check out the call, nor whether he should have tried to verify that Gates was the homeowner. Since we have conflicting information about what happened, it's pointless to argue over whether Gates was acting reasonably. However, to the best of my knowledge (note, I haven't followed this story closely) both people agree that a) Gates eventually showed ID that satisfied the officer that he was the homeowner, and b) Gates did not attempt to physically
falsely convicted (Score:3, Interesting)
We send people to death row on little more than unreliable eye witness testimony
We do?
The US does. The Innocence Project [innocenceproject.org] has proven the innocence or had arranged the pardon of 4 people this past week. Ernest Sonnier [innocenceproject.org] had been in prison 23 years for rape when a DNA test cleared him. A report on the lab that originally ran tests that was used to convict him "details dozens of testing errors and questionable practices uncovered at the Houston lab." [innocenceproject.org] I don't recall if it was Alabama or Louisiana but one o
Re: (Score:3, Insightful)
I don't get why people think they're "forced" to pay taxes. Taxes are simply the fee for receiving a service (or rather, a set of services) which is provided by the government. If you don't pay the fee, you shouldn't receive the service; that's how paid services work.
Now, sure, the government can throw you in jail if you don't pay your taxes. But even then, you're still receiving services you haven't paid for - you're getting free food, free cable TV, free room and board, and so on.
If you don't want to p
Re: (Score:3, Funny)
Or "You want to buy alcohol*? Can I see some ID? Can you prove that's your real age and not a faked infallible ID card?" :)
* Proper phrase inserted since I'm English ;)
Re:Outstanding. (Score:5, Informative)
You're allowed to buy alcohol from 18 in the UK, but they're now asking for ID if you look under 25. Also, my 35 year old sister-in-law has been asked for ID several times in Colorado, USA (where she lives). It's not just the young 'uns who need ID ;)
Re: (Score:2, Informative)
Apparently (i.e. I read on the net, so not very reliable), some shops have a policy of ID every Nth customer, regardless of appearance. Which got a 75-year-old irate when he was refused service because he wasn't carrying ID.
Re: (Score:3, Funny)
Re:Outstanding. (Score:5, Interesting)
Re:Outstanding. (Score:5, Insightful)
Anti-ID card people, not just the "right wing" (ohnoes!) Daily Mail, always said that something like this was inevitable regardless of the effort put into securing the cards. The Government always brushed their concerns aside while expanding the list of people who would have access to the National ID Register.
If you got a Government spokesman on Question Time, and you were able to get into QT to ask an awkward question, then he would be as evasive as they have always been. Probably he'd just try to distract attention from the real issues. But the point is moot because all QT questions are vetted. The BBC wouldn't want to put the Government on the spot.
Re: (Score:2)
Re:Outstanding. (Score:5, Insightful)
BBC is no more going to criticize the government's ideas, than would PBS criticize the Congress.
I'm guessing you live outside the UK. The BBC has a long and well documented history of complaints from all factions of UK Government. Google "Jeremy Paxman" or "Robin Day" to discover how political interviews should be conducted. Programmes like "Newsnight" and "Panorama" frequently run stories that are highly critical of government policy.
Re: (Score:3, Interesting)
My evidence would be the questions that are NOT asked on Question Time!
Politicians get an undeservedly easy ride on this and all BBC news programmes. The purpose of these programmes to give the impression of independence, giving the Ministers a hard time. This is created by disagreeing with the Government on minor issues. The hope is that the British people will believe that the BBC is on their side when something really important comes up.
Modern propagandists do not behave like Goebbels. They do not presen
Re:Outstanding. (Score:5, Informative)
Who did the UK Government get to test the security on these cards?
They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.
Re: (Score:3, Informative)
Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded.
For those who don't know, the Gower's report was on intellectual property policy.
I wish the U.S. did something similar - getting together an independent panel of experts, not hand-picked bureaucrats, to look in-depth at important issues. And of course, actually act in keeping with the reports. Another UK report of interest to slashdot - the Byron Report, which looked at the effects of video games and the Internet on children. Quite even-handed, and makes notes about how there is a "polarisation of research
Re: (Score:3, Informative)
Re: (Score:2)
If you think ID theft is bad now just wait until these things come out.
Re: (Score:3, Insightful)
I think unforgeable ID is up there with Perpetual Motion Machines on the list of impossible. Just as good (and expensive) engineering can make machines that will run for a long time. good (and expensive) engineering can make the cost of forgery high, This is the way money is protected from forgery: the cost of the machinery to make it is very high. This is no problem for the Mint, which amortizes it of millions of banknotes. But for criminals, it means the number of notes they have to circulate before getti
Advertizing (Score:2, Funny)
I think that will boost Nokia sales in the UK!
Re: (Score:2)
And lower Labour Party sales at the same time ;)
Re: (Score:3, Funny)
Huh? Labour is for sale again?
I knew it, damn socialists. Those Tories are somewhat more honorable, once bought they at least stay bought.
The thing that no one ever thinks of.. (Score:4, Insightful)
With these things, that if it can be read by a device, then it can be broken. All that differs is how long will it take to break it..
Re:The thing that no one ever thinks of.. (Score:5, Insightful)
If the ID contains a digital store of your photo and other biometrics on it that is digitally _signed_, even though it can be copied it'll be much harder to tamper with it. And you can only create a new ID if you can sign it with a valid signature.
Of course in the real world, the _printed_ photo might be all the guards check.
Also in the real world, creating fake IDs might not be that hard - you might be able to bribe/trick someone to create a new legit ID for you, or steal/borrow the signing machines + keys (or the backup certs+keys).
BUT, once they realize what has happened, they can revoke your certs (and maybe even those who were responsible for helping you). While this sort of thing might not be that effective against suicidal terrorists, it works well for oppressing your own citizens.
If they start tying these IDs to travel and payment, then it works even better for keeping the sheep in line...
Go figure.
Re:The thing that no one ever thinks of.. (Score:5, Interesting)
If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."
IOW, there's no security, signing, encryption, anything at all (or if there is it's so broken that it might as well not be there). The fact that it's computerized makes it easier to fake out rather than harder, and simultaneously gives the illusion of being more reliable rather than less. It's bad all around.
Re: (Score:2)
Re: (Score:3, Insightful)
I worked for banks and government agencies. And while both are lacking in the security department, banks at least have standard that doesn't give me the chills every time I think of it.
Government standards do.
That "giant back end database" will be leaked before it's done building. Worse, why not connect my passport with the magic number of some passport?
The best kind of security is still offered by the human eye, a trained guard and his judgement of character. Also a think I learned while working for banks.
Re: (Score:3, Informative)
In fact, the Daily Mail article says they used Jeroen van Beek's method of loading the card with data - however, the Wired article claims this is not actually what happens:
Unfortunately, a number of people have interpreted the Times story to mean that van Beek altered the data on a legitimate passport chip without it being detected. Englandâ(TM)s Home Office is among those who read it this way. The Office recently responded to the story by denying that anyone can change data on a passport chip without it being detected.
In fact, van Beek says he didnâ(TM)t change data on a passport chip.
Re: (Score:2, Redundant)
Re: (Score:2)
Because if my country becomes even crappier, it might make it easier for me to move to the UK, and get an ID that's "Entitled to benefits"
Seriously though, I was just talking about the proper way of doing things, and how even the proper way won't work that well against the evil terrorists (which is what is often used as an excuse to introduce such systems).
Re: (Score:2)
Ditto for DRM.
The DRM thinking: "I know, lets give people the lock and the key and hope they don't break it"
The "cram stuff on a smart chip" thinking: "I know, lets give people all of the data that we wrote there in some way and assume that they can't change it"
So much for "never trust a user's input" (which should cover anything that the user has access to).
You'd have thought that some kind of checksum on top of the data might have helped a bit. At least then you need a large stash of valid cards to revers
Re: (Score:2)
If I copy your DVD, the player doesn't care - it works.
The ID problem is different - just because I took your _genuine_ passport, doesn't mean I can use it to travel. The guy would notice that I look different from the photo.
If they digitally sign the ID, it doesn't make copying or reading harder, but it makes tampering and forgery harder.
A Dictatorship will find it very useful to be able to revoke certs of dissidents. Such things might be more useful against troublesome she
Re: (Score:2)
Yes, DRM is different to ID, but they're making what appears to be a very similar mistake by assuming that they can give all of their important information to a user (e.g. lock and key or biometrics etc) and assuming that nothing bad can happen with it.
The best idea with keeping information secure is to not give it away, but the ID cards don't seem to follow that idea in the slightest.
Re:The thing that no one ever thinks of.. (Score:5, Interesting)
Here in Portugal we've had ID cards since the 19th century. We were pioneers in the usage of smart cards as ID cards, together with Belgium and Finland.
While our old paper ID cards were easily falsifiable, the new smart card is virtually impossible to falsify. It has a lot of physical security measures, a few holograms, engravings, etc. As to the chip, all the data in the chip is digitally signed by the government. The RSA private keys inside are generated by the card during personalisation, and are not extractable. I dare you try to create a false one. The British card seems to be a cheap piece of shit.
Anyway, what's all the fuss about ID cards? What do you use to identify yourself? Social Security card? Driver's license? How hard it is to forge one of these?
Re: (Score:2, Insightful)
It isn't the physical card. I couldn't give a rats ass about the card (Other than it's a cheap piece of shit, as you point out). It's the gigantic, interlinked database that will go with the card, which will track everything I do, and be accessible by almost every public worker you can imagine.
Re: (Score:2, Insightful)
As opposed to your National Insurance Number, which you only need when applying for a passport, a bank account, a job, hospital treatment and to pay your taxes. Did I miss anything ?
Re: (Score:3, Informative)
You missed checking your post for accuracy. You don't need an NI number to apply for a British passport. I don't think you need one to open a UK bank account, although I haven't done that for several years so I'm not 100% sure: if you do then it's only to pay taxes. You don't need one to apply for a job, although if you get the job you will need to obtain one, if you don't have one, and supply it so that they can pay taxes. You don't need one for hospital treatment - there is an NHS number, but that's admin
Re: (Score:3, Interesting)
So, that is a problem with central information systems, it has nothing to do with ID or cards. The government can track everything you do without any ID cards, they will simply use other data, like SS number, simply your name, or even credit card.
In Portugal, we have an interesting system. It's constitutionally illegal to identify someone towards the several state services using a single number. We used to have several cards, for ID, for health care, for social security, for taxes, for voting.
Now, we h
Re:The thing that no one ever thinks of.. (Score:5, Informative)
ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.
It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.
It's generally:
a) the extra crap that the government wants to store on there for no good reason
b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
c) the extra expense to get said extra information
d) the fact that the main argument is "do it or teh terrorororoists winz!"
e) the fact that so much money has been poured in to them and they're obviously so broken
f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"
Re: (Score:3, Insightful)
Simply put:
The fuss is not about ID cards per-se, the fuss is about the UK government trying to create yet another tool to spy-upon, track and control UK residents.
CCTV all over the place, 28 days detention without trial (which the government tried to extend to 45), police abuses against peaceful demonstrators, extra-strong anti-libel laws used to silence whistle-blowers, anti-terrorist laws which are mostly used for things which have nothing to do with terrorism, attempts at setting up an infrastructure fo
Re:The thing that no one ever thinks of.. (Score:4, Insightful)
Although both Vanders and IBBoard are exactly right, security problems are very important, the real problem is the effect on individual liberty.
As citizens, we don't need the state, except to defend borders and keep the peace. But ID cards tell us that we do need the state, and that without it's blessing, we are nobody. The state is still (notionally) our servant, but now it will not help us unless we do as it says.
In a free country, the function of government is not to tell citizens what to do. It is not to control the population, to exercise power against them, to interfere in their lives. ID cards change that and this is why I do not approve of them.
The solution is simple... (Score:5, Funny)
Re:The solution is simple... (Score:5, Funny)
"The real shame is the government has spent billions of our tax dollars without acknowledging this fact. Is it even a British company thats producing the cards? Or are these tax dollars going to another economy?"
What a great comment from the daily mail article.
Tax dollars in the UK. Amazing.
Re: (Score:2)
Tax dollars in the UK. Amazing.
I think that portion of the comment answers the question.
I think I know what happened here (Score:3, Funny)
I bet they head-hunted members of the Windows XP team [zdnet.com.au] to implement this in the UK. That can't be a coincidence. Great move guys...
Took longer than I'd have expected. (Score:5, Funny)
Technical details? (Score:2)
Does anyone have any technical details on how this was achieved?
Re: (Score:2)
Does anyone have any technical details on how this was achieved?
I guess you aren't familiar with the Daily Mail [dailymail.co.uk], they are usually quite thin on details. Great at hyperbole though!
Can't have digital security (Score:5, Interesting)
If it's digital, because of the convenience, analogue security measures will be taken less seriously.
If it's digital, uninformed politicians will think it cool, and believe in it like some do in 70 virgins.
If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
If it's digital, tampering is undetectable.
Either way, this digitally secure ID thing can only lead to government saying: "Look! We've tried, and you also know that the only way to do this properly is to put you all in a database and track your every move."
Can we perhaps agree on forsaking digital security just because it's cheaper and faster in cases where we don't need it anyway (i.e. when people aren't up to no good)?
Re:Can't have digital security (Score:5, Interesting)
What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.
Re:Can't have digital security (Score:5, Interesting)
You're right. Unfortunately they only listen to the geeks they are paying to create systems like this, who are of course saying "yes, we can make an uncrackable security system" and suppressing their sniggers until they've made it out of the room with their fat cheque.
Re: (Score:2, Interesting)
If it's digital, exact copies are possible.
[...]
If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
[...]
If it's digital, tampering is undetectable.
hmm.. in fact, there are smart card with microprocessor empowered with strong public key encryption that would make cloning very difficult and always detectable.
But the government just don't care (or can't tell the different)
Re: (Score:2, Insightful)
Re:Can't have digital security (Score:5, Informative)
Neither cards nor verification hardware require the master private key to be present.
Just like SSL, in a good implementation of ID cards each card is issued its own private and public keys, signed by the root private key (which is kept in secrecy). Then ID card uses this PK to encrypt communications. Verification hardware only needs the root public key to check that the ID card is legit.
Re: (Score:2)
Re: (Score:2)
Other questions come to mind, of course:
What's the failure rate of the kind of device/system you envision?
What's the backup plan if the private key is leaked, stolen or guessed somewhere in the next decade?
Re: (Score:2)
Just check the London buses, underground and taxis for lost laptops and USB sticks. At the current loss rate, this shouldn't take more than a few weeks until someone loses a copy of the private key.
This is phenomenal news (Score:2)
Not only does it make the card next to useless for performing any more than basic "You look like the guy on here, so you're that guy" driving-license-type identification, but it also gives "reasonable doubt" to the whole ID card technology.
Now all we need is someone to get these details onto the National ID Database (when constructed, if Labour stay in, which I sincerely hope they don't) a
Surprising (Score:5, Interesting)
I work in the smartcard industry and most of the time those "breaks" mean nothing: usually the "hacker" simply reads the publicly available information and claims that the system is "broken". The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not explain them very well.
However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent. This article is heavier on details than many others and that makes it more credible, but the details are still muddy. I hope that the journalist missed a crucial point and that this card is not as insecure as he thinks.
Small-scale, private smartcard-based systems can be cracked, usually because they are badly installed and used. Large-scale, private smartcard-based systems can be cracked (just look into the MiFare Classic debacle) but it involves months of hard work from people with PhDs and access to expensive equipement. Large-scale, govermental smartcard-based systems can be cracked, but I would be really surprised if it took only a few minutes. Unless that hacker presents the attack in details, I will file this one in the "baseless fearmongering in order to sell more papers" folder (which is already bursting BTW).
Expensive Equipment? (Score:4, Interesting)
Re: (Score:2)
Yes, there have been. But one has to keep in mind that security is expensive and that only some applications warrant an investement in modern, secure cards. Govermental ID is certainly one of them.
Re: (Score:3, Interesting)
TV unblocking is relatively simple, they use a (symmetric) master key that is used to derive session keys. These keys need to be in memory because they are required for the decoding, which needs a lot of performance. Also, you can always "share" the smart card between friends, the smart card does not know who is requesting the session keys. These are cheap cards. Or at least, this is how it used to be, I don't keep a close watch on this.
These cards use Passive Authentication making sure that the biometric d
Re: (Score:3, Insightful)
The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not know what they are either.
FTFY. From the politicians' point of view the goal of the system is either a) to protect against every possible threat to individual or national security; or b) to help them keep their seats - depending on how cynical they are.
Dont.Fight.City.Hall (Score:2)
The logic is simple:
If you fight City Hall, you WILL lose.
The Govt. is a beast and it will now put this hacker on a terror list, and for good measure add him to the s3x-offender list too.
This poor guy will spend ALL his money to fight the Govt. in courts, while the Govt. uses his tax money to fight him.
Until he squeals: "If the Govt. does it, then it must be the best.", the Govt. will continue to gag him and all others who criticize it.
Love the Ending (Score:2, Insightful)
Foiling the foilers (Score:2, Funny)
It copies, but does it validate? (Score:5, Insightful)
Not a cloned document (Score:3, Informative)
Whilst this is a failure of some rudimentary security system that was supposed to protect the data stored on the chip, this is anot a cloned card per se.
The chips on these ID cards, and the new UK passports, are there to enhance the integrity of the DOCUMENT, not be secure stand-alone identifiers alone. For instance you can easily copy the data on a chip once the security has been defeated but to accurately copy the paper part of the document including the watermarks, UV sensitive fibres, holograms, raised ink, irridescent coatings, etc. takes a lot of time and effort that most people won't bother with. Some do bother as a lot of bent banknotes will testify to.
These cards like the passports SHOULD when tested/checked be read by a human being who knows how to check the security features (e.g running your fingers over the top of a banknote to check the raised ink), check the details and the photo are correct and do not seem to have been tampered with, then they can check that the data on the chip matches the data printed on the paper/plastic. If they match then there's a very high chance that the card/passport is genuine.
Just checking one portion rather than the other defats the purpose of these designs.
Weak systems will always be exploitable. UK Border Control staff/Police/Home Office drones need to know that that no document is unforgeable and to maintain the integrity of a system requires knowledge and training on the part of those who are attempting to enforce it.
Re:Hang on (Score:5, Informative)
I unfortunately read the article...
He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.
Lets hope this puts the final nail in the coffin for this stupid idea.
Re:Hang on (Score:5, Insightful)
Oh, no doubt you can clone a new card with modified data. The real question is - can you get it to verify as genuine in Government readers now you've modified it? Unless the Government's really screwed up, the cards should have digital signatures, which means any unauthorised changes to the data will make them invalid. The Daily Mail article not only doesn't do a good job of addressing this issue, it fails to realise how significant an obstacle it is. I bet they only bothered to check the card in unofficial readers that don't verify anything...
Re: (Score:3, Funny)
Unless the Government's really screwed up...
Let me guess - you're new, right?
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
If they had any sense whatsoever, all that data would be stored on the server and the card would simply have an ID number (and MAYBE a name) programmed into it. The fact that their system simply believes what's on the card and doesn't check a central database to make sure that the card hasn't been tampered with is just plain stupid.
So instead, they should trust the ID number? How is a number pointing to a block of data on a remote server is safer than the block of data itself? That's what credit cards are (
Re: (Score:2)
The ID number is safer because at least then you have a prayer of getting reliable data.
If you do have robust end-to-end security then you can see the canonical biometrics for the person in question and validate them with local equipment.
If you rely on something that is entirely under the control of the public, someone will find a way to tamper with it, it is only a question of how long it will take. Once they do, you will have to issue new cards to everyone, which will cost millions and just start the
Re: (Score:2)
The difference is that if the data is on the server, I would not be able to clone your card, then change the biometrics to my height etc. and pass myself off as you.
With that data on the card, and no server verification, I could.
Of course, the necessary assumption here is that the data on the server is not as readily modifiable as those on the card.
Re:Hang on (Score:5, Informative)
Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.
So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.
Re: (Score:3, Informative)
TFA says they managed to change the data on the card. It's still not clear if that is enough to make your own card or if it would fool a biometric scanner.
Biometrics are a terrible way to establish identity, which is why banks don't use them. Aside from the ease with which things like fingerprint scanners can be fooled, your biometric data can change (e.g. you burn your finger, loose and eye, get cosmetic surgery). That means there has to be a system for getting your card updated with the new data, and if s
Re: (Score:2)
Re:Hang on (Score:5, Informative)
Indeed. Please tag this story "DailyFail".
I've no grounds for arguing with the facts, and certainly agree with the disgust for these ID cards, but any story in the Mail that touches on "scrounging foreigners damaging our property values and insulting the sacred memory of Princess Di" is not to be trusted.
Re: (Score:2)
They altered data on the cloned card. No need to get that surgery, just fudge the data to match your drooping cheekbones.
Re: (Score:2)
I thought with the departure of Jacqui smith, this diabolical scheme was being abolished?
Nah, it is being combined with passports. The passport service is now "The UK Identity and Passport Service". The fight against ID cards was always about the National ID Register, Britain's version of the Stasi record system. The NIR is not going anywhere, just being rebranded into a more "acceptable" form.
It wasn't just Jacqui Smith that wanted this, you see!
Re: (Score:2)
The whole concept of a secure card is crap unless it verifies against an external DB.
Not necessarily so ; it's definitely possible to have a card system that deliberately eschews a central database entirely, and just rely on digital signatures for security. The difficulty of providing security in such a system would be approximately equivalent, and mostly related to securing the signing keys, but it would be much less costly because of the lack of a need to maintain and administer the central database.
The article doesn't mention whether the edited card created would pass a digital signature