Hong Kong Gets Smart ID Cards

darnellmc writes: "This AP article is about Hong Kong's new smart ID cards (mandatory) with "embedded computer chips that hold names, pictures and birthdates -- as well as a digital template of both thumbprints". The picture in the article shows a man holding them and smiling. The article also mentions "Hong Kong's government backed down on proposals to have the cards carry health and bank records". The Hong Kong government hopes to add optional features like using them as driving licenses and library cards. This government learned nothing from the USA's abuse of the Social Security number, this is much worse. Hoping one card will do it all. These cards are also in the works in other countries like Finland, Malaysia and Japan where they are to be optional. Thailand is working on a mandatory card."

Re:ID Card Threat?

[palmersperry]

The "threats" that I'm aware of are :-

1) Compulsory ID cards only make sense if it's requirement to always carry them, and *that* only makes sense if the Police can stop anyone and ask to see them at anytime - at which point you're perilously close to a police state[1].

2) Badly implemented smart cards will make it easy for the theft of other peoples identities.

[1] Of course, Hong Kong has been perilously close (if only in geographic terms) to a police state ever since the Chinese revolution!

Already cracked.

[Noryungi]

From what I can see on the picture (not clear), the cards are standardized "smart"-chip cards.

These have been cracked, almost trivially, by a French hacker a year or two ago -- the models he cracked were bank/ATM cards.

All in all, I fail to see what the fuss is all about. Dealing with Chinese police is not easy, but this is not a surprise for most users, is it?

If such a card was introduced in, say, the European Union, citizens would probably have the right to:

• A. Refuse to show your card or swipe it in a card reader unless the person in front of you could produce reasonable evidence he/she is works for a law enforcement agency. That excludes giving your card to a merchant in order to buy something, for instance.
• B. Access all data which is contained on the card, and requests modifications and/or removal of sensitive information.

I am almost certain that the legal protections detailed above would be respected in a court of law, and enforced by the European Court for Human Rights.

Of course, that type of legal protection is only available in the EU, and not in Hong Kong. Or in the USA, for that matter...

So, on one hand, there is a chance of Big-Brotherish abuse... or a chance of ID theft or false-ID flood. Pick your poison. Fun future ahead for Hong Kong residents.

Re:What kind of crack are they on

[regen]

how long will it be before someone builds a remote reader that can pull info just by walking within a few feet of one?

I really doubt this would be an issue. The smart cards have no power supply nor do they have a radio transmitter. It would be extremely difficult to remotely power a device and remotely sense extract data from the device. You could possibly extract information from a reader when the device is in use, but it would be much easier to set up a fake reader to do this rather than doing it remotely from a real card reader.

This is similar to problems faced with ATM machines. A few years ago people started setting up fake ATM which would capture your ATM card info and PIN and then return an error. The crooks would forge new cards and clean out your account. No need to sniff data from working real ATMs when people would use your bogus ATM.

Re:What kind of crack are they on

[fssd]

Okay, I live in Hong Kong. Actually that's not the worse part, as serveral ppl has mentioned, we would not mind carry such card around, since this is required by law to carry one around(smart or non-smart one, just like the SS). The problem is the way that they choose the vendor, who ever get the lowest price got it. The problem is the vendor who bid the project, Pacific Cyberworks is not well known on such technology locally. They claim they can finish the whole thing within 18 months cycle, which if you think more about it, it's a ridiculous short time frame. Not to mention their bid is half of the second lowest bid. That makes me have a really bad feeling that the security on such system would not be throughly tested at all. sigh...

Re:ID Card Threat?

[osolemirnix]

"Compulsory ID cards only make sense if it's requirement to always carry them..."
I beg to differ.

Compulsory only means that every citizen has to have one, so that he can identify himself when needed (either if required by law or if he chooses). It doesn't necessarily mean that it's compulsory to carry the card at all times, neither does it mean that police must be allowed to stop and ask to see it without good reason.

There are dozens of situations where it makes perfect sense to have a reliable standardized ID, to be able to identify yourself.

As an example: the US authorities do not even have the slightest clue about the status of people living in their country. I used to live in the US for a year when I was 17 years old. I had a SSN and I got a drivers license there. When I turned 18, I got a letter from the draft office asking me to register with them. I don't exactly know how they got my name and birthdate, but I assume via the drivers license or SSN registration. Fact is, I never was a US citizen. At the time I got the letter I had already left the US (it was forwarded). The US draft office knew nothing about this. It required several letters to convince them that their registration process didn't even apply to me (as a non-US citizen). The only thing that did was my (non-US) ID.