The point of the ID Card is to make people _feel_ safe. The point of the Daily Mail is to make people _feel_ scared. So this article is not surprising.
Note I'm not saying the card makes you safe or that the Daily Mail actually puts you at risk. It's all about how you feel.
I very much doubt they did. What they did is read information from the card, which is it's very purpose. Then they wrote a card with their own information, and signed it with an invalid key. I am not, as yet, terrified.
The sound of a million Daily Mail readers spilling their cornflakes: With a few more keystrokes on his computer, Laurie changes the cloned card so that whereas the original card holder was not entitled to benefits, the cloned chip now reads 'Entitled to benefits'.
While fraud and false entitlement are the obvious problems and motivation for criminality, what really bothered me was the potential for 'swatting', as exemplified by the 'I'm a terrorist, shoot on sight' gag; I'm surprised the DM editors left this in. (Swatting is a term for extremely anti-social phone phreakers to call down heavily armed law enforcement on an entirely innocent party for lulz).
Consider that it's not so unusual for a contractual applicant (eg a new hire) to hand over their ID to a trusted person so they can make a photocopy for their records. It would be easy to arrange a deliberate switcheroo or other unauthorized modification. But good luck, as the holder of a card, trying to explain to the anti-terrorist squad why your ID card is screaming a warning to them after a police officer scans your ID after falling for some pretext (a 'noise complaint from a neighbor', for example).
Obviously, this is more likely to be the stuff of professional espionage rather than casual trollery - but my point is that it would be relatively easy to implement, while positively Kakfaesque for the victim, thanks to bureau- and securocratic faith in technology. The first time I applied for a driving license in the US (as a recent arrival from Europe) I was astonished to learn that there was an arrest warrant out for me - or more accurately, someone with my name and birthdate - in Georgia, and it took me several minutes to convince the DMV person that I had only arrived in the USA 72 hours previously.
That's why there will have to be corroborating evidence that you are a terrorist - like brown skin.
There used to be a similar problem in the old days, the police test for explosive also showed positive if you had handled playing cards. So there had to be corroborating evidence - being Irish.
I usually call it the Daily Fail (for the very reasons you cite), but I have to admit that this was a well-written and informative article.
This is also a textbook case of government IT procurement gone wrong; what's startling and newsworthy here is just how easily it can be subverted with consumer-level hardware - as opposed to, say, needing the power of a small cluster located in Foreignlandia 'industrial park'. Doubtless this will lead to a review and upgrade of technical requirements (at added public expense, since they weren't properly defined to begin with) and yet another cycle of (failing) security-through-obscurity.
its like having my complete account balance and transactions in my debit card, instead of just the card number. sounds silly, can't understand why they are doing it.
So they can scan the card with a device that is not connected to any network. At best they could cryptographically sign the card to insure the information is at worst a copy of valid information. But, I don't see them doing this any time soon.
PS: As to why you would want a device that can work without a network think terrorists taking down the network, classic government incompetence, or just lower costs.
If terrorists have already taken down the network, what's the point of an ID card or any of the billions spent on increasing our "safety"....?
On that subject, has anyone done the numbers on the number of people that would be saved by putting the same money spent on anti-terror bullshit into the NHS vs the number of people saved from terrorism?
The intent isn't (purely) anti-terrorism. It's an effort towards reducing things like benefit fraud, too. So any success from the card reduces these kind of budget 'leaks.'
Maybe I just don't get it, but why would it be good to have information encoded on a card or passport? Wouldn't it be better to have an ID number on the card that could then be linked up to a record on the computer?
Like, let's say that an officer needs my ID. What is he going to trust more: the information stored on my card that could be tampered with or the information in their database that I don't have as easy access to? If it just looked me up by ID number, they'd get my picture, name, address on their screen, but it would be harder for me to get in and fake that - since, even if I changed the ID number, I might be able to fake that I'm a different person until they compare the picture on file. And heck, if each card had a unique ID, you could then determine if a card was a stolen card. If the data is just on the card, it remains valid after being reported stolen. Heck, cryptographically sign the ID number so people can't fake it easily.
Not that I'm defending or promoting whatever their aim is, but even if you agree with their aim, why put the data on the card? Keep it secure and only have it available when the card is scanned by a legitimate person. The card carries whether state benefits are given to a person? How soon until someone can just switch that boolean on the card?
The information on the card should be digitally signed; the information on the card should be verifiably untampered. I'm convinced the article itself fails to take account of how digital signing works.
The benefit of keeping signed data on the card is to avoid network lookups; a reader should be able to, for example, decode a jpeg photo of you held on the card and allow a policeman with a hand-held reader to tell that you are who you say you are.
Field 15 of the card is reserved for PKI. Specifically, this field can be used to sign the rest of the data on the card. There's really no reason why the state can't sign the data on the card using a private key and make a public key available for verification.
"Each one of these files is supposed to be protected with a special digital key, so that if anyone attempts to change it, the card would be identifiable as a fake to any official with a digital chip reader."
What the reporter and his friend did was read the plaintext (which is exactly what is intended), then choose some new data and sign it with their own private key, claiming they had 're-locked' the card. But of course they haven't -- the digital signatures will be different. When the cards are used (validated against the corresponding public key) you'd find that the signature was invalid.
I think what they've proved is that plaintext is readable, and that if they had a government private key, they could add a digital signature. And that it's easy to produce cards with new data, so long as no-one verifies the digital signature.
19 comments
[ 3.3 ms ] story [ 50.5 ms ] threadNote I'm not saying the card makes you safe or that the Daily Mail actually puts you at risk. It's all about how you feel.
hopefully this'll make the gov implement better security measures, should they decide to go ahead with the card.
Consider that it's not so unusual for a contractual applicant (eg a new hire) to hand over their ID to a trusted person so they can make a photocopy for their records. It would be easy to arrange a deliberate switcheroo or other unauthorized modification. But good luck, as the holder of a card, trying to explain to the anti-terrorist squad why your ID card is screaming a warning to them after a police officer scans your ID after falling for some pretext (a 'noise complaint from a neighbor', for example).
Obviously, this is more likely to be the stuff of professional espionage rather than casual trollery - but my point is that it would be relatively easy to implement, while positively Kakfaesque for the victim, thanks to bureau- and securocratic faith in technology. The first time I applied for a driving license in the US (as a recent arrival from Europe) I was astonished to learn that there was an arrest warrant out for me - or more accurately, someone with my name and birthdate - in Georgia, and it took me several minutes to convince the DMV person that I had only arrived in the USA 72 hours previously.
There used to be a similar problem in the old days, the police test for explosive also showed positive if you had handled playing cards. So there had to be corroborating evidence - being Irish.
This is also a textbook case of government IT procurement gone wrong; what's startling and newsworthy here is just how easily it can be subverted with consumer-level hardware - as opposed to, say, needing the power of a small cluster located in Foreignlandia 'industrial park'. Doubtless this will lead to a review and upgrade of technical requirements (at added public expense, since they weren't properly defined to begin with) and yet another cycle of (failing) security-through-obscurity.
The card should have a serial number on it. That's it. Maybe a name so that people don't get their cards mixed up.
Surely the people working on the national security of the UK are smarter than little old me.
PS: As to why you would want a device that can work without a network think terrorists taking down the network, classic government incompetence, or just lower costs.
On that subject, has anyone done the numbers on the number of people that would be saved by putting the same money spent on anti-terror bullshit into the NHS vs the number of people saved from terrorism?
Like, let's say that an officer needs my ID. What is he going to trust more: the information stored on my card that could be tampered with or the information in their database that I don't have as easy access to? If it just looked me up by ID number, they'd get my picture, name, address on their screen, but it would be harder for me to get in and fake that - since, even if I changed the ID number, I might be able to fake that I'm a different person until they compare the picture on file. And heck, if each card had a unique ID, you could then determine if a card was a stolen card. If the data is just on the card, it remains valid after being reported stolen. Heck, cryptographically sign the ID number so people can't fake it easily.
Not that I'm defending or promoting whatever their aim is, but even if you agree with their aim, why put the data on the card? Keep it secure and only have it available when the card is scanned by a legitimate person. The card carries whether state benefits are given to a person? How soon until someone can just switch that boolean on the card?
The benefit of keeping signed data on the card is to avoid network lookups; a reader should be able to, for example, decode a jpeg photo of you held on the card and allow a policeman with a hand-held reader to tell that you are who you say you are.
Field 15 of the card is reserved for PKI. Specifically, this field can be used to sign the rest of the data on the card. There's really no reason why the state can't sign the data on the card using a private key and make a public key available for verification.
"Each one of these files is supposed to be protected with a special digital key, so that if anyone attempts to change it, the card would be identifiable as a fake to any official with a digital chip reader."
The information (name, address, etc) is stored as plaintext, then signed with a private key (http://en.wikipedia.org/wiki/Digital_signature) to prove it's a real government card.
What the reporter and his friend did was read the plaintext (which is exactly what is intended), then choose some new data and sign it with their own private key, claiming they had 're-locked' the card. But of course they haven't -- the digital signatures will be different. When the cards are used (validated against the corresponding public key) you'd find that the signature was invalid.
I think what they've proved is that plaintext is readable, and that if they had a government private key, they could add a digital signature. And that it's easy to produce cards with new data, so long as no-one verifies the digital signature.