EU agency runs rule over ID cards for online banking logins

A study by an EU cybersecurity agency into the use of electronic identity cards for online banking has highlighted seven types of vulnerability and 15 possible threats. ENISA (the European Network and Information Security Agency) compared the suitability of smart eID cards to other authentication techniques for online banking …

COMMENTS

This topic is closed for new posts.
  1. Dan 10
    FAIL

    Wording

    The universal smart ID card may well be 'technologically feasible', but not by the companies that will be awarded the contracts for it!

    (Remember, we're talking about firms which cannot even manage a tax credits system, or keep some data secure)

  2. Flocke Kroes Silver badge

    It is not technically difficult

    The amount and the person to be paid must be displayed on the card or you do not know how much you are paying or who you are paying it to. The buttons needed to authenticate must be on the card or you do not know who is logging them. The software must be open source so it can be checked. The software must be stored in ROM that can be read by external devices so you can tell it matches the source code.

    The hard part is collecting a bigger bribe for the banks than the people who want insecure banking.

  3. Anonymous Coward
    Anonymous Coward

    Transactional memory.

    None of these measures will prevent the bank from stealing your money (again).

  4. kevin biswas
    Black Helicopters

    Number of the beast

    rant, froth, gibber etc

  5. Boring Bob
    FAIL

    Why bother?

    Why not use your banking card for authentication? If this idea was any good banks would already be supplying customers with smartcard readers for internet authentication and transactions. They don't do so today because it is too much of a head-ache/expensive to sort out. I cannot see how using your ID card is any different to the card your bank gives you.

    1. Anonymous Coward
      Anonymous Coward

      In Spain...

      In Spain the new ID cards have chips (whilst most bank cards do not, even the new ones). You can buy a USB ID card reader all over the place (and only about 10€). Some online banking systems are starting to interface with them for additional identification.

      Sadly being from the UK, my Spanish registration "card" is actually a piece of A4 paper. Only a few more months before I can change my nationality though :)

    2. Tom Chiverton 1
      FAIL

      Barclays do

      Barclays do this, and yes, it's an utter pain (see the Facebook group). So much so they've given in and allowed normal access again (except you have to retype your card details once a fortnight for some reason).

  6. Captain Mainwaring
    WTF?

    Thin end of the wedge?

    A Pan-European e-ID Card for access to online e-services, have I got that correct? Forgive my natural cynicism about all things European, but could this not easily be morphed into a more general-purpose European citizen card as well?

    If this is a universal access card for all citizens in the EU, then presumably personal credential checks would have to be done before it is issued to the individual citizen. Once this is done however, this could become by chance or intended design a new national identity card of the new European superstate. I am quite sure there are people in Brussels today who would love to see such a pipedream become a reality, if not today or next year, then certainly in the medium term. What better way to weld together all nations of Europe together than by a single plastic token of citizenship?

    Oh well, maybe not. Perhaps I've been reading too many conspiracy theories on the UKIP website recently!

  7. The Fuzzy Wotnot
    Thumb Up

    Really?

    The banking industry is quite capable of screwing up its own business, without any help of security-obsessed government agencies and their contract-greedy mates!

  8. Anonymous Coward
    Anonymous Coward

    Could acquiesce, if:

    "Universal" ID has the problem that it assumes an ideal world where it is desirable to use one and the same identity for everything you do. This is absolutely not the case and one need but recall the ruckus around the BDSM-club-goers that suddenly had to have their ID recorded on entrance to see why. So, we need hard partitioning of the various identities of you as a person, much more than "hard binding" to the issuee, and with close control of the contained information given to the issuee, much more so than the issuer (which is the government or some other organisation wishing to guarantee the identifying). And, there needs to be support for "zero knowledge" proofs, allowing you to prove you are entitled to whatever it is you want to do without disclosing all the other information on the card, or even any information but that entitlement at all. The latter is certainly mathematically feasible. Implementing it has all the usual security caveats, with one added: It so far is Not On The Agenda At All. Change that, in fact actually roll it out, and we'll talk. Before that, all I say is "non".

  9. Ball boy Silver badge
    FAIL

    Some questions still need answering

    One of the problems they should address is the obvious one: The more companies that have some kind of handshake with an ID card system, the more likely it is to be compromised; it's simply that much more desirable to be able to lift your identity AND have your cash at the same time!

    Once you have this all-singing, all dancing behemoth (you can tell I'm a fan, can't you?), who's going to update it? If I move house, will I lose access to my bank? I'll bet they'll update their customer database a whole week before Gov.UK get around to updating BigBrother.net

    If ^h^h When it is compromised, how in hell will they roll-out the security upgrades to everyone?

    Answers on a postcard - I don't trust anything more advanced anymore.

  10. Anonymous Coward
    Anonymous Coward

    No thanks

    If I have IDX for site X, and IDY for site Y, then there is no cross over of information there. If I have a single card IDZ for site X and Y, then they have a single piece of shared information IDZ from which to data mine. That's the unwanted linkage problem.

    Plus if I get IDZ stolen from site X, I've also lost it for site Y. That's the 'molehills into mountains' problem. It makes each breach more serious.

    Since it's common to TWO sites it's at a higher risk of being stolen, the weakest site is the one easiest to lose it... weak link in the chain problem.

    I don't see the gain, I do see a lot of needless pain there. I'd prefer to have 2 factor authentication.

    Single ID card for bank logins? No thanks.

  11. Anonymous Coward
    FAIL

    National ID cards

    Another bad idea coming your way soon.

  12. TeeCee Gold badge
    FAIL

    Multiple eggs / single basket?

    Day one: EU issues super-fandango-encrypted "card for everything".

    Day two: The entire EU moves to using super-fandango-encrypted "card for everything" for, er, everything.

    Day three: The Russian Mafia smash the humungoflop barrier with their multi-billion dollar supercomputer cluster built to crack EU super-fandango-encryption.

    Day four: The lights go out across Europe. A front organisation for the Russian Mafia makes a cash offer in Euro for the entire continent.

    It's basic Capitalism innit. Make it worth doing and somebody'll do it.

  13. keddaw
    Black Helicopters

    When is Animal Farm becoming reality?

    EU-wide ID card can be used to travel without the hassle of a passport. You can also buy stuff with it. To keep tabs on all potential terrorists we need an EU-wide police force that can keep track of all movement and purchases of citizens within the UK. They also have basic knowledge of where you are going when you leave the EU and where you return from, plus some sharing arrangements with other countries to track your external movements.

    So we have an EU-wide police force, run ostensibly by the EU parliament, answerable to no-one and superseding national police forces.

    I can't see any possible downside or abuses in this, can you?

  14. deadlockvictim
    Big Brother

    »When is Animal Farm becoming reality?

    Didn't 'Animal Farm' become reality in 1917? Do you mean '1984' perchance?

    However, I'm waiting for 'Brave New World' to become reality: lovely, lovely soma and the chance to go off and irritate the gammas and deltas.

    Oh well.

  15. keddaw
    FAIL

    @deadlockvictim

    Actually it may have been 'Keep The Aspidistras Flying' that I was thinking of.

    Did the fact I didn't even use the Big Brother picture not maybe give away the fact it was intentional?
