New German, Swiss Identification Cards Not As Secure As Claimed
The new product XYZ is completely secure and hack-proof. Have you heard that from politicians or companies before? It usually turns out very soon that the claims are bogus, and that the product is not as secure as claimed.
Germany is on the brink of introducing new biometric identification cards. Those new IDs not only replace the old cards, but can also be used for identification online, for instance to contact public authorities.
That sounds great on paper. The system uses a similar concept as the well known banking standard HBCI. Users get a chip reader with their cards for online use. They put the chip into the card and need to enter a pin for security reasons whenever they sign an application or need to identify themselves online.
Members of the German Chaos Computer Club, in cooperation with Swiss security experts, have demonstrated that the security on the new ID cards is not hack-proof.
They have identified several weaknesses, including:
- Attacking computers with trojans or man in the middle attacks. Card owners with basic card readers (without a physical numpad to enter the pin) are affected by this. More advanced card readers are still prone for other attacks, including man in the middle. A million of those basic kits were ordered by the German authorities.
- Card contents and identities can be copied.
What can users do to protect their cards against abuse? Germans can get an old identification card until October this year. If a new ID card is the only option, users should make sure to either get a more advanced card reader with numpad to protect against the most basic attack forms, or make the chip on the card invalid.
How this can be done was demonstrated by a ninth grade school class some weeks ago. Brave new world, here we come..Advertisement