New German, Swiss Identification Cards Not As Secure As Claimed

Martin Brinkmann
Sep 22, 2010
Updated • Dec 13, 2014

The new product XYZ is completely secure and hack-proof. Have you heard that from politicians or companies before? It usually turns out very soon that the claims are bogus, and that the product is not as secure as claimed.

Germany is on the brink of introducing new biometric identification cards. Those new IDs not only replace the old cards, but can also be used for identification online, for instance to contact public authorities.

That sounds great on paper. The system uses a similar concept as the well known banking standard HBCI. Users get a chip reader with their cards for online use. They put the chip into the card and need to enter a pin for security reasons whenever they sign an application or need to identify themselves online.

Members of the German Chaos Computer Club, in cooperation with Swiss security experts, have demonstrated that the security on the new ID cards is not hack-proof.

They have identified several weaknesses, including:

  • Attacking computers with trojans or man in the middle attacks. Card owners with basic card readers (without a physical numpad to enter the pin) are affected by this. More advanced card readers are still prone for other attacks, including man in the middle. A million of those basic kits were ordered by the German authorities.
  • Card contents and identities can be copied.
  • No application standards for signing legal documents. The experts demonstrated that with a PDF and JavaScript contents. The JavaScript contents were not displayed to the signer of the contract, while they were displayed in Adobe's PDF reader. This means that legally binding contracts can be signed by ID card owners without them seeing all contents on the contracts.

What can users do to protect their cards against abuse? Germans can get an old identification card until October this year. If a new ID card is the only option, users should make sure to either get a more advanced card reader with numpad to protect against the most basic attack forms, or make the chip on the card invalid.

How this can be done was demonstrated by a ninth grade school class some weeks ago. Brave new world, here we come..


Previous Post: «
Next Post: «


  1. Heinzle Heinrich said on September 23, 2010 at 11:04 pm

    It’s interesting that nearly no one cares about issues like this. If you wrote something about social network games or in general about (twitter|facebook) you would have read hundreds of comments here :-]

  2. Alex said on September 23, 2010 at 8:41 am

    The title “New German, Swiss Identification Cards Not As Secure As Claimed” is misleading. It should be stated: “New German Identification Cards Not As Secure As Claimed”

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.