×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

UK National ID Card Cloned In 12 Minutes

timothy posted more than 4 years ago | from the but-it's-secure-says-so-right-on-the-label dept.

Security 454

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

454 comments

Outstanding. (5, Interesting)

palegray.net (1195047) | more than 4 years ago | (#28983663)

I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."

Re:Outstanding. (5, Insightful)

Rakishi (759894) | more than 4 years ago | (#28983713)

And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?

Re:Outstanding. (-1, Redundant)

palegray.net (1195047) | more than 4 years ago | (#28983729)

Whooooosh.

Re:Outstanding. (1)

Keeper Of Keys (928206) | more than 4 years ago | (#28983873)

Whooooosh yourself. (S)he's right. The justice system is stacked in favour of the state.

Re:Outstanding. (2, Insightful)

Anonymous Coward | more than 4 years ago | (#28983919)

No, the justice system is stacked in favor of the largest entity involved, regardless of whether or not it's in the state's interest. Didn't you notice that "victimless crimes" don't go punished when millions of people lose their life's savings as a result of a single individual, but /do/ go punished when someone may have lost a single DVD sale?

Re:Outstanding. (2, Funny)

IBBoard (1128019) | more than 4 years ago | (#28983821)

Or "You want to buy alcohol*? Can I see some ID? Can you prove that's your real age and not a faked infallible ID card?" :)

* Proper phrase inserted since I'm English ;)

Re:Outstanding. (0)

Anonymous Coward | more than 4 years ago | (#28983999)

ID for alcohol? What, do we have a bunch of kids running around Slashdot?

Re:Outstanding. (1)

trib4lmaniac (962599) | more than 4 years ago | (#28984077)

Have you tried buying alcohol in the UK? Shopkeepers here would ask their own grandmother.

Re:Outstanding. (1, Informative)

Anonymous Coward | more than 4 years ago | (#28984241)

I was waiting for a plane in JFK and was sitting in a bar and saw the staff refuse to serve a 82 year old man a small beer before he showed ID (he was as bored as everyone in that snow storm so he really tried to talk the bar girl to not demand the id, but she was adamant).

Re:Outstanding. (4, Informative)

IBBoard (1128019) | more than 4 years ago | (#28984099)

You're allowed to buy alcohol from 18 in the UK, but they're now asking for ID if you look under 25. Also, my 35 year old sister-in-law has been asked for ID several times in Colorado, USA (where she lives). It's not just the young 'uns who need ID ;)

Re:Outstanding. (2, Informative)

AlecC (512609) | more than 4 years ago | (#28984213)

Apparently (i.e. I read on the net, so not very reliable), some shops have a policy of ID every Nth customer, regardless of appearance. Which got a 75-year-old irate when he was refused service because he wasn't carrying ID.

Re:Outstanding. (4, Interesting)

siloko (1133863) | more than 4 years ago | (#28983917)

I think there are two things of note. First the article is in the Daily Mail which has a populist agenda usually veering alarmingly to the right. They have jumped on the anti-id bandwagon so maybe this article should be taken with a pinch of salt. Secondly if it is true it raises some interesting points. Who did the UK Government get to test the security on these cards? How do you respond to such a public relations disaster? How to you tally lax security with bullet proof identification and if this is not possible what plausible reason is there for rolling these things out nationally? I would be very interested to get a Government spokesmen on Question Time squirming to reply to those questions, because they are essentially unanswerable whilst still clinging to the existing policy. And too much money has been spent for this Government to change it now . . .

Re:Outstanding. (4, Insightful)

FourthAge (1377519) | more than 4 years ago | (#28984029)

Anti-ID card people, not just the "right wing" (ohnoes!) Daily Mail, always said that something like this was inevitable regardless of the effort put into securing the cards. The Government always brushed their concerns aside while expanding the list of people who would have access to the National ID Register.

If you got a Government spokesman on Question Time, and you were able to get into QT to ask an awkward question, then he would be as evasive as they have always been. Probably he'd just try to distract attention from the real issues. But the point is moot because all QT questions are vetted. The BBC wouldn't want to put the Government on the spot.

Re:Outstanding. (1)

lorenzo.boccaccia (1263310) | more than 4 years ago | (#28984087)

it's always the same problem. as soon as you start using an identification device as an authentication device, you're screwed, as identity thefts all over the world could concentrate on a convenient and small target. too much incentive on cracking the card for it to work.

Re:Outstanding. (0)

Anonymous Coward | more than 4 years ago | (#28984043)

I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."

Why the future tense? You're required to carry papers in your vehicle, to acquire (legal) pharmaceuticals, to buy alcohol, and so on...

Re:Outstanding. (1)

Big Hairy Ian (1155547) | more than 4 years ago | (#28984153)

Is there a country in the World that has an ID card system that can't be forged/cloned??? Although I object to the idea of a national ID card what has me really worried is the amount of info they are talking about putting on it. I don't really want my entire medical history + NI number stored on a chip that can be hacked from 20 feetaway
If you think ID theft is bad now just wait until these things come out.

The thing that no one ever thinks of.. (3, Insightful)

SirFozzie (442268) | more than 4 years ago | (#28983687)

With these things, that if it can be read by a device, then it can be broken. All that differs is how long will it take to break it..

Re:The thing that no one ever thinks of.. (4, Insightful)

TheLink (130905) | more than 4 years ago | (#28983835)

Of course it can be copied. However if I try to show YOUR ID card "as is", to a guard it might not work - he might realize that I look a bit different from you.

If the ID contains a digital store of your photo and other biometrics on it that is digitally _signed_, even though it can be copied it'll be much harder to tamper with it. And you can only create a new ID if you can sign it with a valid signature.

Of course in the real world, the _printed_ photo might be all the guards check.

Also in the real world, creating fake IDs might not be that hard - you might be able to bribe/trick someone to create a new legit ID for you, or steal/borrow the signing machines + keys (or the backup certs+keys).

BUT, once they realize what has happened, they can revoke your certs (and maybe even those who were responsible for helping you). While this sort of thing might not be that effective against suicidal terrorists, it works well for oppressing your own citizens.

If they start tying these IDs to travel and payment, then it works even better for keeping the sheep in line...

Go figure.

Re:The thing that no one ever thinks of.. (4, Interesting)

martyros (588782) | more than 4 years ago | (#28983943)

If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."

IOW, there's no security, signing, encryption, anything at all (or if there is it's so broken that it might as well not be there). The fact that it's computerized makes it easier to fake out rather than harder, and simultaneously gives the illusion of being more reliable rather than less. It's bad all around.

Re:The thing that no one ever thinks of.. (1)

TheLink (130905) | more than 4 years ago | (#28984019)

Yeah I know, I'm just talking about the next step that they're probably going to suggest as a solution, and how that might not be so wonderful either ;).

Re:The thing that no one ever thinks of.. (0)

Anonymous Coward | more than 4 years ago | (#28984135)

If you think you should trust articles about ePassports and ID's on face value, then you are very naive indeed. I can't think of any article on Slashdot that mostly correct. Most of them were completely incorrect, up to the point of being about a completely different card (e.g. the US ePassport card instead of internationally valid ePassport). People having "cloned" the information without bothering about the signature is starting to be old news.

Re:The thing that no one ever thinks of.. (1, Redundant)

raju1kabir (251972) | more than 4 years ago | (#28983955)

RTFA please. They altered the information on the cloned card and it read true. Clearly there is either no, or a very weak, cryptographic validation mechanism.

Re:The thing that no one ever thinks of.. (1)

TheLink (130905) | more than 4 years ago | (#28984063)

That's nice. Since I am not a UK citizen, I think it is good for me if they continue to use such a broken system.

Because if my country becomes even crappier, it might make it easier for me to move to the UK, and get an ID that's "Entitled to benefits" :).

Seriously though, I was just talking about the proper way of doing things, and how even the proper way won't work that well against the evil terrorists (which is what is often used as an excuse to introduce such systems).

Re:The thing that no one ever thinks of.. (1)

IBBoard (1128019) | more than 4 years ago | (#28983875)

Ditto for DRM.

The DRM thinking: "I know, lets give people the lock and the key and hope they don't break it"
The "cram stuff on a smart chip" thinking: "I know, lets give people all of the data that we wrote there in some way and assume that they can't change it"

So much for "never trust a user's input" (which should cover anything that the user has access to).

You'd have thought that some kind of checksum on top of the data might have helped a bit. At least then you need a large stash of valid cards to reverse engineer the checksum algorithm.

Re:The thing that no one ever thinks of.. (1)

TheLink (130905) | more than 4 years ago | (#28984003)

DRM is a different thing from ID.

If I copy your DVD, the player doesn't care - it works.

The ID problem is different - just because I took your _genuine_ passport, doesn't mean I can use it to travel. The guy would notice that I look different from the photo.

If they digitally sign the ID, it doesn't make copying or reading harder, but it makes tampering and forgery harder.

A Dictatorship will find it very useful to be able to revoke certs of dissidents. Such things might be more useful against troublesome sheep, than renegade wolves.

So be careful, some solutions may be very good at solving rather different problems from what was "advertised".

Re:The thing that no one ever thinks of.. (1)

IBBoard (1128019) | more than 4 years ago | (#28984073)

Yes, DRM is different to ID, but they're making what appears to be a very similar mistake by assuming that they can give all of their important information to a user (e.g. lock and key or biometrics etc) and assuming that nothing bad can happen with it.

The best idea with keeping information secure is to not give it away, but the ID cards don't seem to follow that idea in the slightest.

Re:The thing that no one ever thinks of.. (4, Interesting)

daem0n1x (748565) | more than 4 years ago | (#28984057)

Here in Portugal we've had ID cards since the 19th century. We were pioneers in the usage of smart cards as ID cards, together with Belgium and Finland.

While our old paper ID cards were easily falsifiable, the new smart card is virtually impossible to falsify. It has a lot of physical security measures, a few holograms, engravings, etc. As to the chip, all the data in the chip is digitally signed by the government. The RSA private keys inside are generated by the card during personalisation, and are not extractable. I dare you try to create a false one. The British card seems to be a cheap piece of shit.

Anyway, what's all the fuss about ID cards? What do you use to identify yourself? Social Security card? Driver's license? How hard it is to forge one of these?

Re:The thing that no one ever thinks of.. (2, Insightful)

Vanders (110092) | more than 4 years ago | (#28984103)

Anyway, what's all the fuss about ID cards?

It isn't the physical card. I couldn't give a rats ass about the card (Other than it's a cheap piece of shit, as you point out). It's the gigantic, interlinked database that will go with the card, which will track everything I do, and be accessible by almost every public worker you can imagine.

Re:The thing that no one ever thinks of.. (4, Informative)

IBBoard (1128019) | more than 4 years ago | (#28984107)

What do you use to identify yourself? Social Security card? Driver's license?

ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.

How hard it is to forge one of these?

It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.

Anyway, what's all the fuss about ID cards?

It's generally:

a) the extra crap that the government wants to store on there for no good reason
b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
c) the extra expense to get said extra information
d) the fact that the main argument is "do it or teh terrorororoists winz!"
e) the fact that so much money has been poured in to them and they're obviously so broken
f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"

The solution is simple... (5, Funny)

nadamucho (1063238) | more than 4 years ago | (#28983697)

Just ban cell phones and laptop computers!

Re:The solution is simple... (5, Funny)

GeorgeStone22 (1532191) | more than 4 years ago | (#28983997)

"The real shame is the government has spent billions of our tax dollars without acknowledging this fact. Is it even a British company thats producing the cards? Or are these tax dollars going to another economy?"

What a great comment from the daily mail article.
Tax dollars in the UK. Amazing.

Took longer than I'd have expected. (5, Funny)

webreaper (1313213) | more than 4 years ago | (#28983747)

Guess they got spent a bit longer on the security aspect than most Government IT projects then.

I liked the advert off to the side (0)

Anonymous Coward | more than 4 years ago | (#28983749)

The advertisement on Slashdot off to the side said, "Security You Can Trust." How sarcastically fitting.

Technical details? (1)

Orlando (12257) | more than 4 years ago | (#28983761)

Does anyone have any technical details on how this was achieved?

Re:Technical details? (1)

siloko (1133863) | more than 4 years ago | (#28983951)

Does anyone have any technical details on how this was achieved?

I guess you aren't familiar with the Daily Mail [dailymail.co.uk] , they are usually quite thin on details. Great at hyperbole though!

Hang on (1, Insightful)

RMH101 (636144) | more than 4 years ago | (#28983765)

I've not read TFA, because it's the Daily Mail, and I'd rather poke my eyes out with needles, but I'm assuming until I hear otherwise that this is duplication of an ID card, not creation of a new one: i.e. you end up with a clone, containing the original biometric data, rather than it being an exploit that can manufacture new, seemingly valid, ID cards for new individuals. Check the biometrics on the copy, and it won't match up with the person who's holding the clone.
Still bad, just not as scary as the headline suggests. Note the Mail's reason for existence is to print scaremongering headlines to give the UK's middle classes something to moan about: immigration, foreigners, bureaucracy in europe, etc.

Re:Hang on (4, Informative)

sifi (170630) | more than 4 years ago | (#28983785)

I unfortunately read the article...

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

Lets hope this puts the final nail in the coffin for this stupid idea.

Re:Hang on (1)

RoFLKOPTr (1294290) | more than 4 years ago | (#28983823)

I unfortunately read the article...

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

Lets hope this puts the final nail in the coffin for this stupid idea.

If they had any sense whatsoever, all that data would be stored on the server and the card would simply have an ID number (and MAYBE a name) programmed into it. The fact that their system simply believes what's on the card and doesn't check a central database to make sure that the card hasn't been tampered with is just plain stupid.

Re:Hang on (2, Insightful)

Rosco P. Coltrane (209368) | more than 4 years ago | (#28983909)

If they had any sense whatsoever, all that data would be stored on the server and the card would simply have an ID number (and MAYBE a name) programmed into it. The fact that their system simply believes what's on the card and doesn't check a central database to make sure that the card hasn't been tampered with is just plain stupid.

So instead, they should trust the ID number? How is a number pointing to a block of data on a remote server is safer than the block of data itself? That's what credit cards are (they have a number in them, that ATMs and pay points check against the credit company's database), and this particular industry is rife with electronic fraud.

Re:Hang on (0)

Anonymous Coward | more than 4 years ago | (#28983965)

I guess it's safer because, unless you can find someone on the government database who matches your description, it doesn't matter what ID number you put on your card, because when they look up that person's description it won't be you.

Re:Hang on (1)

raju1kabir (251972) | more than 4 years ago | (#28983973)

The ID number is safer because at least then you have a prayer of getting reliable data.

If you do have robust end-to-end security then you can see the canonical biometrics for the person in question and validate them with local equipment.

If you rely on something that is entirely under the control of the public, someone will find a way to tamper with it, it is only a question of how long it will take. Once they do, you will have to issue new cards to everyone, which will cost millions and just start the cycle over again.

Re:Hang on (1)

Mascot (120795) | more than 4 years ago | (#28983985)

The difference is that if the data is on the server, I would not be able to clone your card, then change the biometrics to my height etc. and pass myself off as you.

With that data on the card, and no server verification, I could.

Of course, the necessary assumption here is that the data on the server is not as readily modifiable as those on the card.

Re:Hang on (0)

Anonymous Coward | more than 4 years ago | (#28983913)

I think they've already established that they have no sense whatsoever. Which unfortunately means they'll probably keep going ahead with the stupid idea. At least until the Conservatives get into power. I'm hoping they do, even though I'm sure they'll eventually come up with a different set of stupid ideas.

Re:Hang on (4, Insightful)

makomk (752139) | more than 4 years ago | (#28983921)

Oh, no doubt you can clone a new card with modified data. The real question is - can you get it to verify as genuine in Government readers now you've modified it? Unless the Government's really screwed up, the cards should have digital signatures, which means any unauthorised changes to the data will make them invalid. The Daily Mail article not only doesn't do a good job of addressing this issue, it fails to realise how significant an obstacle it is. I bet they only bothered to check the card in unofficial readers that don't verify anything...

Re:Hang on (0)

Anonymous Coward | more than 4 years ago | (#28984089)

Unless the Government's really screwed up, the cards should have digital signatures, which means any unauthorised changes to the data will make them invalid.

I don't know the details here, obviously, but "clone" to me implies that there aren't any unauthorized changes, simply because there are no changes at all.

Think of it as replay attacks [wikipedia.org] . How do you guard against those unless you've got an active device that is able to perform *some* kind of computation - generating tokens etc.? A passive device that merely presents (possibly encrypted) information to a reader device cannot guard against this, I think.

Re:Hang on (0)

Anonymous Coward | more than 4 years ago | (#28984143)

yes you can. is on tfa.

Re:Hang on (0)

Anonymous Coward | more than 4 years ago | (#28983791)

From TFA (computer weekly btw, not daily fail) "Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes. He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information. He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits". He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

Re:Hang on (5, Informative)

krou (1027572) | more than 4 years ago | (#28983799)

Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.

Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.

Re:Hang on (1)

stupid_is (716292) | more than 4 years ago | (#28983923)

He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.

I think this is a good idea and folks should be encouraged to make such modifications to MPs ID cards - in particular Wacky Jacqui and Alan Johnson, but this list could easily expand

Re:Hang on (1)

Dekker3D (989692) | more than 4 years ago | (#28983963)

you call it scary, i call it wonderful. sure, i'm stuck with the same nonsense here in holland (rfid chip on id cards, and soon the same thing on driver's licenses), but this means they'll have a good reason to change things. crack it often enough, and they'll eventually give up. not sure how, not sure why, but they will. probably from some financial expert telling them it's just too costly to keep pouring money into this project.

all hail our... rfid-card reading overlords? scratch that, nevermind.

Re:Hang on (1)

Kaa42 (137049) | more than 4 years ago | (#28983813)

I'm sorry, but why do you feel you should post if you can't be bothered to read TFA? And why do you then go on to say it's not as scary as the headline suggests when you dont know what the article is about?

From TFA:

"He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.
He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".
He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight.""

Re:Hang on (2, Informative)

AmiMoJo (196126) | more than 4 years ago | (#28983815)

TFA says they managed to change the data on the card. It's still not clear if that is enough to make your own card or if it would fool a biometric scanner.

Biometrics are a terrible way to establish identity, which is why banks don't use them. Aside from the ease with which things like fingerprint scanners can be fooled, your biometric data can change (e.g. you burn your finger, loose and eye, get cosmetic surgery). That means there has to be a system for getting your card updated with the new data, and if such a system exists you can guarantee it will be open to abuse.

Re:Hang on (1)

HetMes (1074585) | more than 4 years ago | (#28983851)

You may be right, but it like shopping for new car, the salesman suggesting this brand new model of unknown manufacturer like it's the best car available, and the rear view mirror falling off before you leave the parking lot for a test drive. The car may run for a couple of blocks, but it does not bode well. Would you buy this car?

Re:Hang on (1)

Dekker3D (989692) | more than 4 years ago | (#28983981)

the salesman will just convince you it's a feature, to save weight. and we all know lower weight means better mileage. you don't want a high mileage, do you now?
someone shoot this man! he's an oil-guzzling terrorist!

in other news: yay! a car analogy!

Re:Hang on (0)

Anonymous Coward | more than 4 years ago | (#28983853)

article says they changed all biometric stuff too and made a copy.

that said, it's not known if the device supposed to read it for government agencies is capable of crossreferencing the biometric and checking some sort of hash present on the card itself to see if it is valid for the card info. possibly the cracker ignored some 'junk data', thus invalidating the hash check in government devices... that said, with time the local hash can easily be defeated.

either way, the only way to make this 'safer' would be to give the device that does the reading access to the main database and check if all information checks out (probably by using a hash for security reasons though, no actual information sent). that, of course, is never done with e-IDs as far as i know.

btw, is the card a normal passive thing you need to insert into a reader, or will it contain RFID as well?

Re:Hang on (4, Informative)

gsslay (807818) | more than 4 years ago | (#28984137)

Indeed. Please tag this story "DailyFail".

I've no grounds for arguing with the facts, and certainly agree with the disgust for these ID cards, but any story in the Mail that touches on "scrounging foreigners damaging our property values and insulting the sacred memory of Princess Di" is not to be trusted.

So what? (1)

patch0 (1339585) | more than 4 years ago | (#28983807)

Am I the only person here thinking that cloning a card containing biometric data means very little? I mean, unless you're gonna have plastic surgery too it makes little difference who has measurements of your cheekbones and ears. Not that I like ID cards mind you and I'm also nervous of biometric data being collected on me, but I'm not sure it's as much of a big deal as it might be.

Re:So what? (1)

thredder (1211746) | more than 4 years ago | (#28983905)

Yeah, ok, no biggie, but remember that this was only an early attempt at cloning, taking just 12 minutes. If that can be done now, isn't it only a matter of time before the biometric data on a cloned card can be amended? If it stops at cloning these cards then you might be right, but isn't it more likely that this is just the first step?

Not cloned!!!! RTFA (1)

Hammer (14284) | more than 4 years ago | (#28984147)

They cloned it and then changed the data!
I know this is /. but sometimes it is a good thing to RTFA

Re:So what? (1)

raju1kabir (251972) | more than 4 years ago | (#28983983)

Am I the only person here thinking that cloning a card containing biometric data means very little?

They altered data on the cloned card. No need to get that surgery, just fudge the data to match your drooping cheekbones.

Can't have digital security (4, Interesting)

HetMes (1074585) | more than 4 years ago | (#28983811)

If it's digital, exact copies are possible.
If it's digital, because of the convenience, analogue security measures will be taken less seriously.
If it's digital, uninformed politicians will think it cool, and believe in it like some do in 70 virgins.
If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
If it's digital, tampering is undetectable.

Either way, this digitally secure ID thing can only lead to government saying: "Look! We've tried, and you also know that the only way to do this properly is to put you all in a database and track your every move."

Can we perhaps agree on forsaking digital security just because it's cheaper and faster in cases where we don't need it anyway (i.e. when people aren't up to no good)?

Re:Can't have digital security (5, Interesting)

Koookiemonster (1099467) | more than 4 years ago | (#28983839)

What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.

Re:Can't have digital security (4, Interesting)

Keeper Of Keys (928206) | more than 4 years ago | (#28983915)

You're right. Unfortunately they only listen to the geeks they are paying to create systems like this, who are of course saying "yes, we can make an uncrackable security system" and suppressing their sniggers until they've made it out of the room with their fat cheque.

Re:Can't have digital security (2, Interesting)

sdiz (224607) | more than 4 years ago | (#28983849)

If it's digital, exact copies are possible.
[...]

If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics

[...]

If it's digital, tampering is undetectable.

hmm.. in fact, there are smart card with microprocessor empowered with strong public key encryption that would make cloning very difficult and always detectable.

But the government just don't care (or can't tell the different)

Re:Can't have digital security (1, Insightful)

HetMes (1074585) | more than 4 years ago | (#28983881)

All it takes is theft of a single piece verification hardware, or a single breach of security to extract the private key. This will probably even go unnoticed. And we can't simply give everyone new ID each time an unauthorized person had access to a government computer, can we?

Re:Can't have digital security (1)

andot (714926) | more than 4 years ago | (#28983895)

The private key is not readable, under any circumstances. Card operates as crypto device.

Re:Can't have digital security (1)

HetMes (1074585) | more than 4 years ago | (#28983945)

Private key is not only stored on the ID cards, I think. Even so, it is not physically impossible to obtain this key, and it must be guaranteed to be secret for years. Given the ratio of perceived security to possible gain, it will be cracked. Or have you not been on the web, the past few years?

Re:Can't have digital security (1)

andot (714926) | more than 4 years ago | (#28983987)

Actually, it is pretty impossible. The technology used new smartcards makes it impossible to read protected parts even using scanning electron microscope. I did some whitepaper reading when I studied our national id-card security.

Re:Can't have digital security (1)

HetMes (1074585) | more than 4 years ago | (#28984025)

So it's 'pretty' impossible, at the moment...

Other questions come to mind, of course:
What's the failure rate of the kind of device/system you envision?
What's the backup plan if the private key is leaked, stolen or guessed somewhere in the next decade?

Re:Can't have digital security (1)

andot (714926) | more than 4 years ago | (#28984141)

You mean physical failure? I have had my card since year 2003 and card and contacts and still work perfectly. If the private key is leaked I have hotline number and certificates will be worthless in 5 minutes. And certificate has it's lifetime, after 2 years i have to get new (it can be done using internet)

Re:Can't have digital security (0)

Anonymous Coward | more than 4 years ago | (#28983961)

If the private key is in the card, it's readable. It may not be easy, it make take a few months and the budget of an Arab oil sheik (like someone named Osama), but it's readable.

If the key is not known by the card, it's not readable. But then you don't really need the microprocessor in the first place.

Re:Can't have digital security (1)

andot (714926) | more than 4 years ago | (#28984013)

It took some years and budget of IBM to ensure that it's not that easy.

Re:Can't have digital security (1)

andot (714926) | more than 4 years ago | (#28983879)

If it's digital, exact copies are possible.

Not always. If data is crypted on the card and part which holds the actual data and private key is not readable at all, then there is no way you can clone the card. The original data never leaves the card only crypted hashes.

This is phenomenal news (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#28983869)

This is the sort of news which I would think the Government would suppress, as it undermines the validity of the card.

Not only does it make the card next to useless for performing any more than basic "You look like the guy on here, so you're that guy" driving-license-type identification, but it also gives "reasonable doubt" to the whole ID card technology.

Now all we need is someone to get these details onto the National ID Database (when constructed, if Labour stay in, which I sincerely hope they don't) and have a perfectly valid ID card manufacturing scheme. That, or we need to start living in Gattaca.

Re:This is phenomenal news (0)

Anonymous Coward | more than 4 years ago | (#28984159)

This is the sort of news which I would think the Government would suppress, as it undermines the validity of the card.

Politicians don't give a damn about validity. They push their agenda no matter what. You can write thousands of well found articles and reviews that are full of proof that a given government system is broken. All that doesn't matter. If politicians say it works, it works!

Surprising (4, Interesting)

AdamInParadise (257888) | more than 4 years ago | (#28983893)

I work in the smartcard industry and most of the time those "breaks" mean nothing: usually the "hacker" simply reads the publicly available information and claims that the system is "broken". The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not explain them very well.

However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent. This article is heavier on details than many others and that makes it more credible, but the details are still muddy. I hope that the journalist missed a crucial point and that this card is not as insecure as he thinks.

Small-scale, private smartcard-based systems can be cracked, usually because they are badly installed and used. Large-scale, private smartcard-based systems can be cracked (just look into the MiFare Classic debacle) but it involves months of hard work from people with PhDs and access to expensive equipement. Large-scale, govermental smartcard-based systems can be cracked, but I would be really surprised if it took only a few minutes. Unless that hacker presents the attack in details, I will file this one in the "baseless fearmongering in order to sell more papers" folder (which is already bursting BTW).

Expensive Equipment? (4, Interesting)

TerraGreyling (1605413) | more than 4 years ago | (#28984045)

Unless there have been leeps and bounds in smart card technology in the past couple of years I think this is an overstatement. A few years back I made most my money buying blank smart cards, copying the information from the satelite TV smartcards, changing a few places in the hexidecimal coding, and selling full unblocked TV. Of course we would tell the user to remove the cards from the boxes at night when the companys would do system checks that fry any unauthorized cards. And the cost of such equipment, $49.95. Not expensive and on about average, 15 minutes of work. If the UK is using the same format, that would be a real easy "hack".

Re:Expensive Equipment? (1)

AdamInParadise (257888) | more than 4 years ago | (#28984085)

Unless there have been leeps and bounds in smart card technology in the past couple of years [...]

Yes, there have been. But one has to keep in mind that security is expensive and that only some applications warrant an investement in modern, secure cards. Govermental ID is certainly one of them.

Re:Expensive Equipment? (3, Interesting)

Anonymous Coward | more than 4 years ago | (#28984181)

TV unblocking is relatively simple, they use a (symmetric) master key that is used to derive session keys. These keys need to be in memory because they are required for the decoding, which needs a lot of performance. Also, you can always "share" the smart card between friends, the smart card does not know who is requesting the session keys. These are cheap cards. Or at least, this is how it used to be, I don't keep a close watch on this.

These cards use Passive Authentication making sure that the biometric data cannot be altered. Keys are stored on a central place, well secured. Furthermore, they've got protection against anti-cloning using an asymmetric smart card processor. This is not an easy hack at all, unless the verification equipment does not have the certificates to verify the signature, because the whole of these cards relies on that.

Re:Surprising (2, Insightful)

pjt33 (739471) | more than 4 years ago | (#28984061)

The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not know what they are either.

FTFY. From the politicians' point of view the goal of the system is either a) to protect against every possible threat to individual or national security; or b) to help them keep their seats - depending on how cynical they are.

Erm.... (1)

MilesTails (1413987) | more than 4 years ago | (#28983907)

I thought with the departure of Jacqui smith, this diabolical scheme was being abolished? Why are they not listening, no one wants ID cards.

Especially if key data is local to the card, then again they do it with pin's on credit/debit cards, I'd imagine 10000 combinations doesn't take that long to crack. Who thought that was a secure idea.

Case Study: Phantasy Star online Ep 1 & 2. The character information was stored local to the user resulting in a mass of illegitimate items and characters.

The whole concept of a secure card is crap unless it verifies against an external DB.

Re:Erm.... (1)

FourthAge (1377519) | more than 4 years ago | (#28983993)

I thought with the departure of Jacqui smith, this diabolical scheme was being abolished?

Nah, it is being combined with passports. The passport service is now "The UK Identity and Passport Service". The fight against ID cards was always about the National ID Register, Britain's version of the Stasi record system. The NIR is not going anywhere, just being rebranded into a more "acceptable" form.

It wasn't just Jacqui Smith that wanted this, you see!

Re:Erm.... (0)

Anonymous Coward | more than 4 years ago | (#28984095)

Why are they not listening

They know what's best for you citizen!

Re:Erm.... (1)

Dr_Barnowl (709838) | more than 4 years ago | (#28984203)

The whole concept of a secure card is crap unless it verifies against an external DB.

Not necessarily so ; it's definitely possible to have a card system that deliberately eschews a central database entirely, and just rely on digital signatures for security. The difficulty of providing security in such a system would be approximately equivalent, and mostly related to securing the signing keys, but it would be much less costly because of the lack of a need to maintain and administer the central database.

The article doesn't mention whether the edited card created would pass a digital signature check - if such a check has been incorporated, it would almost certainly not pass inspection by a terminal that checked signatures.

It's not certain that the scheme has been well designed though. The article mentions that the "benefit entitlement" status on the card was adjusted. In a system that I had designed (and I do have some smartcard experience), the benefit entitlement indication would consist of a valid signature of data on the card by a private key held by the benefits agency, dated to expire at the appropriate reassessment interval. Such an indicator would not be so trivially simple to forge, especially if you changed the keys regularly - which would be easy and sensible for a rolling entitlement scheme.

That's beside the point in my opinion ; I agree with many others that the whole raison d'etre of the scheme is the compilation of the database itself. I would support a scheme without this database, and with the strong cryptography described above, simply because properly designed and administered it would cut down enormously on fraud, and provide a step towards a useful PKI framework standard for the UK. But this scheme does not seem to be designed with the best of intentions or any kind of integrity in design.

Dont.Fight.City.Hall (1)

freedom_india (780002) | more than 4 years ago | (#28983941)

The logic is simple:
If you fight City Hall, you WILL lose.
The Govt. is a beast and it will now put this hacker on a terror list, and for good measure add him to the s3x-offender list too.
This poor guy will spend ALL his money to fight the Govt. in courts, while the Govt. uses his tax money to fight him.
Until he squeals: "If the Govt. does it, then it must be the best.", the Govt. will continue to gag him and all others who criticize it.

Love the Ending (2, Insightful)

TerraGreyling (1605413) | more than 4 years ago | (#28984017)

My favorite part of this article, was the response by the officials. Excuse us we need time to come up with an excuse, err.. a response to these allegations. We could just say, "Yes we care about the protection of your identity, but first I need to doublecheck the validity of that statement. Thank you."

Foiling the foilers (2, Funny)

mtthwbrnd (1608651) | more than 4 years ago | (#28984023)

The system is perfectly safe ... just don't let your card out of your sight for more than 11m59s. Citizens do have to take some responsibility after all!

It copies, but does it validate? (5, Insightful)

sulliwan (810585) | more than 4 years ago | (#28984033)

Storing a simple hash of the card contents with the hardcoded UID of the card and checking if they match when reading a card is enough to prevent any such attack. While you can copy the card and even change contents on it, it will never validate as an authentic card. Aside from that, smartcards have really gotten quite smart, as far as I know, there are no practical attacks against the newer MiFare cards(most hacks on Desfire or newer systems target the implementation of the system, not the cards themselves).

Which phone has RFID? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28984093)

Which Nokia phone has the RFID hardware?

I was thinking of buying a dedicated rig to play with, but if I can just get a new phone instead it will work out much cheaper.

Goverment dosent care (1)

He who knows (1376995) | more than 4 years ago | (#28984161)

The whole point of the ID cards for the government is to collect even more private information about anyone they can and keep it in a database for ever.

ICAO compliant (0)

Anonymous Coward | more than 4 years ago | (#28984239)

These cards seem to be ICAO compliant, so the biometrics cannot be changed unless you are able to break X509 certificate infrastructure or either RSA or ECC signatures or SHA-2 hashes. Come on guys, you can see the gold coloured chip logo for ICAO compliant ePassports right above the name of the name of the holder. Ian Grant (author of the article), you are a misinformed idiot.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...