The new product XYZ is completely secure and hack-proof. Have you heard that from politicians or companies before? It usually turns out very soon that the claims are bogus, and that the product is not as secure as claimed.
Germany is on the brink of introducing new biometric identification cards. Those new IDs not only replace the old cards, but can also be used for identification online, for instance to contact public authorities.
That sounds great on paper. The system uses a concept similar to the well-known banking standard HBCI. Users get a chip reader with their cards for online use. They put the card in the reader and need to enter a PIN for security reasons whenever they sign an application or need to identify themselves online.
Members of the German Chaos Computer Club, in cooperation with Swiss security experts, have demonstrated that the security on the new ID cards is not hack-proof.
They have identified several weaknesses, including:
What can users do to protect their cards against abuse? Germans can get an old identification card until October this year. If a new ID card is the only option, users should either get a more advanced card reader with a numpad, which protects against the most basic forms of attack, or make the chip on the card invalid.
How this can be done was demonstrated by a ninth-grade school class some weeks ago. Brave new world, here we come.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.