German hackers successfully used off-the-shelf kit to extract personal data from the federal government's supposedly secure ID cards, but the government has downplayed the significance of the attack. The biometric ID cards store a scan of a user's fingerprints along with a six-digit PIN that can be used to digitally sign …
Always heartwarming to hear complete impersonation is not a problem for the government. Apparently identity fraud and such wasn't the reason they added RFID and touted "online functionality" for the card. A while back it took an unpatched Windows XP installation fifteen minutes on average between hook up to the 'net and infection with some malware or other. I think the Teutons be looking at comparable numbers between first online use and impersonation for these new cards come November. Carry on German government.
At first blush, this sounds bad. But, unless one is prepared to try out some interesting finger/skin surgery, create a very convincing false finger or borrow the finger of the hapless card owner, is this so insecure, assuming that both parts have to be correct and that fingerprints are an integral part of the verification process? I suppose it may be worth trying a finger job for, say, a pension for the next ten years. But for most state benefits, since they seldom provide large amounts of instant cash, it is hardly worth it. As for identification, if required by some official, he may spot odd behaviour involving odd fingers, apart from the usual questions and answers. Look at, say, ssh(1) protocol: fingerprint, public key, private key all relatively open. And now someone will rabbit on about cling film or cunning rubber gloves - give us a break.
Note that the card holder can opt out of the fingerprint bit - leaving only the PIN to deal with. Also, the German welfare system may be more generous than you think - but you don't have to go and collect cash, they pay it into your bank account. Is it so bad? I guess it depends how many IDs can be stolen/faked.
About the cling film/rubber gloves...... CCC also did this :-
The fingerprint is stored voluntarily.
The fingerprint is never checked in internet-transactions, although the ID-card can be used as a signature for these transactions.
(This function is activated by the authorities if the holder wishes to.)
For internet transactions the card is used with a card-reader and the PIN.
Introducing the ID-card there will be 2 million el-cheapo card-readers given away free. This type of card-reader was in use when cards were hacked.
In Germany it's strictly forbidden to obtain and abuse such information, though. So the system is safe after all (according to de Maizière's thinking).
CCC has proved before that fingerprints are quite insecure, and that a glass of wine, touched by the victim, and some tape is all you need to fool certain fingerprint reading devices. They also published the fingerprints of former German Interior Minister Wolfgang Schäuble: http://www.h-online.com/newsticker/news/item/CCC-publishes-fingerprints-of-German-Home-Secretary-734713.html
I point to the Mythbusters episode where they cracked the fingerprint scanner security measure in several different ways. The same things have been used against just about every other fingerprint based authentication system. An unattended fingerprint based authentication is as good as owned already.
So yeah, if you can get the fingerprint + PIN + card ID from one of these cards, you can do remote everything even if you do need fingerprints to authenticate over the internet, which does seem unlikely. Fingerprint scanners aren't that cheap and the readers are meant to be very cheap.
Here, you get sued for proving something like that, to the public. There, they put it on TV.
I imagine that, there, there must be a lot fewer anxiety disorders going around, as well - but that's just plain old WOT, I suppose.
Mine's the one with a cuckoo clock in the pocket.