Germans radio tag ID cards and phones

German telcos are planning to trial NFC payment stickers next year, though from next month every German ID card will contain a radio tag able to secure internet commerce. The Germans have gone ahead and radio-enabled their ID Cards, with every card issued after 1 November containing an RFID chip capable of providing a digital …

COMMENTS

This topic is closed for new posts.
  1. Tom 15

    This

    This is what our ID cards should have been about, not illegal immigrants and terrorism. Shows the short-sightedness of all of the main political parties as something like this will be needed everywhere in the near future and we'll simply have to pay again for another ID card project.

  2. Anonymous Coward

    Security is hard

    "German telcos are planning to trial NFC payment stickers next year, though from next month every German ID card will contain a radio tag able to secure internet commerce."

    That merely means the merchant gets your ID fershure with it, risking feature creep and eventual inability to do anything online unless you a) have such a card and b) sign everything you do with your full identity.

    What it doesn't do is give you the citizen any assurance at all that your identity won't be abused, that there's not some man-in-the-middle attack going on, what-have-you.

    Security is hard to get right. So hard, in fact, that various governments can't even admit it is hard to get right.

  3. The Indomitable Gall

    Rock and a hard place...

    Clever evil plot by some shadowy cabal, or badly thought through incompetence...?

    If you have an RFID tag on your ID card, you put it in a wallet that blocks radio waves when you don't want it read. If you put your mobile in a wallet that blocks radio waves... well, I think you see the problem.

  4. Death_Ninja
    Stop

    Forget "Lives of Others"

    How about the "Baader-Meinhof Komplex" - in that you see them introduce computer database backed ID cards to help them hunt down the Marxist threat to West Germany!

    Germans (normally) are kinda touchy about personal privacy and preventing the state (or even employers) being able to "spy" on them.

    If you had ever tried to run IT environments in Germany from outside of Germany, you'll know exactly what I mean...

  5. Anonymous Coward
    Stop

    Underclass

    This plan will instantly create an underclass of people in Germany who, unable to do any of these wonderful techno things because they don't have a German ID, are excluded further from German society.

    The underclass known as "foreigners", "immigrants" or what have you.

    1. Destroy All Monsters Silver badge
      Pint

      So?

      They will just open another fly-by-night Döner.

      1. Anonymous Coward
        Thumb Down

        Re: So?

        As an Englishman in Germany I feel excluded enough already without initiatives like this. And I couldn't make a döner to save my life - maybe you are falling into the trap of thinking all immigrants in Germany are Turkish?

        There's plenty of Russians and Poles here as well, they also don't know how to make döners.

        1. TakeTheSkyRoad

          There's a very important "foreigner" class...

          .... tourists of course. Got to be able to get their money somehow :)

  6. aBloke FromEarth
    Pint

    Never going to catch on.

    There's a ludicrous number of bars and restaurants here that are still cash-only. You think something as advanced as RFID would take off?

    Pah.

  7. nsr
    FAIL

    The Chaos Computer Club begs to differ....

    The Chaos Computer Club in Hamburg made front-page news the other day by completely hacking this shiny-new German ID card and the Swiss version of it at the same time.

    The attack vector was the combination of a compromised computer (trojan horse etc.) plus the cheapo ID card reader without its own PIN pad. By reading the PIN while it was entered into the PIN pad software associated with the ID card reader and then leaving the ID card in the reader, it was then possible for the attacker to sign any number of transactions using the stolen identity.

    The BSI (German government agency for computer security) then issued a press statement that users shouldn't leave the ID card in the reader for any more time than strictly necessary -- somehow failing to mention that the ID card is actually RFID and doesn't need to be in the reader to be read, it is sufficient if it is reasonably close.

    The other problem is that there are no "proper" card readers with built-in PIN pad available or even currently being certified. The "basic" readers used in the attack are the ones selected for the starterkits in the introduction stage of the new ID card.

    Link: http://www.ccc.de/en/updates/2010/sicherheitsprobleme-bei-suisseid-und-epa

    (sorry, German only)

    1. Destroy All Monsters Silver badge
      Welcome

      Duh

      This is like mugging some paraplegic in a wheelchair while he is squeezed in between a wall and 4-wheeler.

  8. Danny 2

    Lebensraum

    "If you had ever tried to run IT environments in Germany from outside of Germany, you'll know exactly what I mean..."

    Ha, ya. I was sent to implement a Europe-wide domain on a Bavarian subsidiary out of hours. When the senior engineer escorting me suddenly found he couldn't log in, due to the necessary password change, he highlighted the problem to me by smashing his laptop into pieces. I waited until he was finished and then told him 'Try it now'. Seemingly they are not known for their sense of humour either.

  9. dssf

    What if you lose your phone?

    If you're targeted or not, it can be assumed that a victim will be restrained a few hours to enable thieves to make what purchases they need.

    A better way (if it is not yet implemented) is to have the user enter one or more PINs (user's discretion to randomize the pins, sort of like one-time PIN pad?) and maybe even demand that the points of sale be limited to ONLY those facilities that have video picture confirmation along with PIN pad entry to better protect consumers. Picture protection could be opt-in so conspiracy theorists can use less foil on their hats.

  10. Anonymous Coward
    Big Brother

    Now someone hopefully tells me

    What exactly is the benefit of using contactless readers here, if standard chip and a reader would both be cheaper, and more secure? Tracking Germans' movements without them noticing? (Just like the Met does - an Oyster reader with high-gain antenna into the backpack, and then go on the tube). Wonderful.

  11. heyrick Silver badge

    Can't believe this is proving to be so hard...

    ...doesn't anybody watch Japanese movies? Cash is still widely used, and credit cards are unpopular. Electronic wireless cards (and some mobile phones), however, are popular to the tune of an estimated 100 million in deployment [*] (and yes, I'm aware the population is only 127 million!) and able to be used for trains, vending machines (yes!), hotel rooms, general purchases...

    Personally, I think these cards should need to be 'charged', it can be as simple as logging into your bank website and allocating funds. That way it is useful, but if it is compromised then you only stand to risk what you've charged it with.

    As for identity. FAIL. It is hard enough to prove any means of secure form of identity in a paper-based format. I am me, my passport says so. Is it a real passport? Can it be trusted? Did I manage to fool the authorities and rip off some dead guy's identity? I know my passport is genuine, but what if some immigration official in Dumbnuts, Minnesota challenges me to prove it's a real passport. How do I do this? Call my embassy? Then what? [re. Hamas Dubai assassination for the problems of paper document authenticity]

    Now apply this to an electronic format. Data is invisible and has a propensity of being rather transient. You can inspect a real passport. If necessary under legal jurisdiction it may even be possible to take it apart. An RFID tag? Because it talks to a computer and the computer says so? Is that it? Try http://www.theregister.co.uk/2008/09/30/epassport_hack_description/ and http://www.theregister.co.uk/2008/08/06/epassport_alteration_demo/

    .

    In short: Payment method, could work. I might find it convenient if they were to roll out something like that here - finding change for car parking and coffee machines is always a bother. But for proving my identity? Get real...

    * - source: http://www.contactlessnews.com/2010/07/20/report-card-use-m-payment-increasing-in-japan

  12. Winkypop Silver badge
    WTF?

    Tin foil body suit time

    Security or more privacy encroachment?

  13. Anonymous Coward
    FAIL

    An ID card should be not allowed to pay. Period.

    An ID card should do only what it is - prove your identity. It should not be allowed to do anything more. And it should use something more secure than a PIN (i.e. some biometric data like your iris). I can't see why government should help sellers' needs. There are payment cards - those are designed to pay. If someone "steals" them, I want them to just be able to steal my money. Not prove they are me - maybe signing contracts, or worse....

  14. sw5guilherme
    WTF?

    RFID-based certs?

    It seems to me that Germans (along with the rest of EU, and USA) think privacy is a thing of the past.

    Why not stick with the old and reliable smart chips, like the ones that enable our mobiles and credit cards?

    I may like the idea of using my mobile for shopping (well... maybe not in Brazil, where GPRS costs 0,003 per kbyte) but the good old plastic money seems fine to me.

    Why does every country want to be like China?

  15. tempemeaty
    Big Brother

    Product Inventory and cattle, that's what they are for. So which are you?

    You know the ear tags for cattle are an RFID chip in a plastic card as well. The only reason they are fixed to the cattle's ear is because they don't have wallets to carry them in.

  16. Catroast
    Go

    The Number of the Beast!

    I vote for them to skip the middle man and just start putting RFID in people's hands and foreheads.
