The Register® — Biting the hand that feeds IT

Feeds

EU agency runs rule over ID cards for online banking logins

A study by an EU cybersecurity agency into the use of electronic identity cards for online banking has highlighted seven types of vulnerability and 15 possible threats. ENISA (the European Network and Information Security Agency) compared the suitability of smart eID cards to other authentication techniques for online banking, …

This topic is closed for new posts.
Dan 10
FAIL

Wording

The universal smart ID card may well be 'technoloigcally feasible', but not by the companies that will be awarded the contracts for it!

(Remember, we're talking about firms which cannot even manage a tax credits system, or keep some data secure)

Flocke Kroes

It is not technically difficult

The amount and the person to be paid must be displayed on the card or you do not know how much you are paying or who you are paying it to. The buttons needed to authenticate must be on the card or you do not know who is logging them. The software must be open source so it can be checked. The software must be stored in ROM that can be read by external devices so you can tell it matches the source code.

The hard part is collecting a bigger bribe for the banks than the people who want insecure banking.

Anonymous Coward
Anonymous Coward

Transactional memory.

None of these measures will prevent the bank from stealing your money (again).

kevin biswas
Black Helicopters

Number of the beast

rant, froth, gibber etc

Boring Bob
FAIL

Why bother?

Why not use your banking card for authentication? If this idea was any good banks would already be supplying customers with smartcard readers for internet authentication and transactions. They don't do so today because it is too much of a head-ache/expensive to sort out. I cannot see how using your ID card is any different to the card your bank gives you.

Anonymous Coward
Anonymous Coward
Reply Icon

In Spain...

In Spain the new ID cards have chips (whilest most bank cards do not, even the new ones). You can buy a USB ID card reader all over the place (and only about 10€) Some online banking systems are starting to interface with them for additional identification.

Sadly being from the UK, my Spanish registration "card" is actually a piece of A4 paper. Only a few more months before I can change my nationality though :)

Tom Chiverton 1
FAIL
Reply Icon

Barclays do

Barclays do this, and yes, it's an utter pain (see the Facebook group). So much so they've given in and allowed normal access again (except you have to retype your card details once a fortnight for some reason).

Captain Mainwaring
WTF?

Thin end of the wedge?

A Pan-European e-ID Card for access to online e-services, have I got that correct? Forgive my natural cynicism about all things European, but could this not easily be morphed into a more general-purpose European citizen card as well?

If this is a universal access card for all citizens in the EU, then presumably personal credential checks would have to be done before it is issued to the individual citizen. Once this is done however, this could become by chance or intended design a new national identity card of the new European superstate. I am quite sure there are people in Brussels today who would love to see such a pipedream become a reality, if not today or next year, then certainly in the medium term. What better way to weld together all nations of Europe together than by a single plastic token of citizenship?

Oh well, may be not. Perhaps I've been reading too many conspiracy theories on the UKIP website recently!

The Fuzzy Wotnot
Thumb Up

Really?

The banking industry is quite capable of screwing up it's own business, without any help of security obsessed government agencies and their contract greedy mates!

Anonymous Coward
Anonymous Coward

Could aqcuiesce, if:

"Universal" ID has the problem that it assumes an ideal world where it is desirable to use one and the same identity for everything you do. This is absolutely not the case and one need but recall the ruckus around the BDSM-club-goers that suddenly had to have their ID recorded on entrance to see why. So, we need hard partitioning of the various identities of you as a person, much more than "hard binding" to the issuee, and with close control of the contained information given to the issuee, much more so than the issuer (which is the government or some other organisation wishing to guarantee the identifying). And, there needs to be support for "zero knowledge" proofs, allowing you to prove you are entitled to whatever it is you want to do without disclosing all the other information on the card, or even any information but that entitlement at all. The latter is certainly mathematically feasible. Implementing it has all the usual security caveats, with one added: It so far is Not On The Agenda At All. Change that, in fact actually roll it out, and we'll talk. Before that, all I say is "non".

Ball boy
FAIL

Some questions still need answering

One of the problems they should address is the obvious one: The more companies that have some kind of handshake with an ID card system, the more likely it is to be compromised; it's simply that much more desirable to be able to lift your identity AND have your cash at the same time!

Once you have this all-singing, all dancing behemoth (you can tell I'm a fan, can't you?), who's going to update it? If I move house, will I lose access to my bank? I'll bet they'll update their customer database a whole week before Gov.UK get around to updating BigBrother.net

If ^h^h When it is compromised, how in hell will they roll-out the security upgrades to everyone?

Answers on a postcard - I don't trust anything more advanced anymore.

Anonymous Coward
Anonymous Coward

No thanks

If I have IDX for site X, and IDY for site Y, then there is no cross over of information there. If I have a single card IDZ for site X and Y, then they have a single piece of shared information IDZ from which to data mine. That's the unwanted linkage problem

Plus if I get IDZ stolen from site X, I've also lost it for site Y. That's the 'molehills into mountains' problem. It makes each breach more serious.

Since its common to TWO sites it's at a higher risk of being stolen, the weakest site is the one easiest to lose it... weak link in the chain problem.

I don't see the gain, I do see a lot of needless pain there. I'd prefer to have 2 factor authentification.

Single ID card for bank logins? No thanks.

Anonymous Coward
FAIL

National ID cards

Another bad idea coming your way soon.

TeeCee
FAIL

Multiple eggs / single basket?

Day one: EU issues super-fandango-encrypted "card for everything".

Day two: The entire EU moves to using super-fandango-encrypted "card for everything" for, er, everything.

Day three: The Russian Mafia smash the humungoflop barrier with their multi-billion dollar supercomputer cluster built to crack EU super-fandango-encryption.

Day four: The lights go out across Europe. A front organisation for the Russian Mafia makes a cash offer in Euro for the entire continent.

It's basic Capitalism innit. Make it worth doing and somebody'll do it.

keddaw
Black Helicopters

When is Animal Farm becoming reality?

EU-wide ID card can be used to travel without the hassle of a passport. You can also buy stuff with it. To keep tabs on all potential terrorists we need an EU-wide police force that can keep track of all movement and purchases of citizens within the UK. They also have basic knowledge of where you are going when you leave the EU and where you return from, plus some sharing arrangements with other countries to track your external movements.

So we have an EU-wide police force, run ostensibly by the EU parliament, answerable to no-one and superceding national police forces.

I can't see any possible downside or abuses in this, can you?

deadlockvictim
Big Brother

»When is Animal Farm becoming reality?

Didn't 'Animal Farm' become reality in 1917? Do you mean '1984' perchance?

However, I'm waiting for 'Brave New World' to become reality: lovely, lovely soma and the chance to go off and irritate the gammas and deltas.

Oh well.

keddaw
FAIL

@deadlockvictim

Actually it may have been 'Keep The Aspidistras Flying" that I was thinking of.

Did the fact I didn't even use the Big Brother picture not maybe give away teh fact it was intentional?

This topic is closed for new posts.