Estonia Tests "Contactless" ID-Cards
borkee writes "Estonian MEAC and CMB start testing a new version of a national ID card containing what they call 'contactless' extensions. Although they do not specifically disclose to us, taxpayers, what technology is used there, it must be quite obvious that it's nothing less than RFID. Add to this, they'll have person's biometrics in memory. (Security gurus of course know: biometrics just don't work.) Soon you can track us poor Estonians by our GSM phones and by our ID cards too!"
Admittedly, I don't know too much about the Estonian political system etc, to comment on the issue of choice, and how much of it the people there had when their government decided to introduce such a thing. However, it has been my experience that outside the US, a lot of cultures don't seem to make that big a deal about privacy, so maybe it is not that big a deal after all to Estonian citizens.
OTOH, RFIDs have already been implemented by clubs, etc to have painless billing, etc, so there are at least a few people around the world who don't think they are that big a deal.
Living in the US, however, my own fears are based on what I have heard about the privacy issues surrounding such technology, in that anyone with a scanner can find out a dangerous amount of information about you without your knowledge or consent; so to me it seems like a bad idea at least until someone can manage to convince me otherwise about how my information will be protected.
No we don't need to have our ID card with us all the time. It's required to own a card if you're older than 15 but you could just keep it home in a box.
Biometrics have a limited recognition rate, that means: a considerable amount of false positives (wrongly identified) or false negatives (wrongly refused). Often all you can do is having a compromise, either admitting the false positives to have less false negatives, or having lots of people wrongly refused by the system, so the human operators have to manually sort out the remainings.
Due to the limited recognition rate, you can often easily fool a biometric scanner. Face recognition systems are often fooled by holding a picture of the right person before the lens. Same often works for iris scanners. Finger print scanners can be fooled by fake fingerprints made from wax (stearine). Hand scanners sometimes are easiest. Cut out a cardboard with the right hand profile.
Most of those biometric scanners thus should never run unattended, to minimize manipulation as stated above. And if you have humans watch the scanners, you could as easily have those humans perform the checks themselves, probably getting better recognition rates.
Biometric scanners may give you additional security, if you use all the common methods like picture ids, signature and similar too, because now an attacker has not only to disguise himself accordingly, but has to fake the biometric data too. But without a central database for crosschecking the data, it's rather meaningless. If he can fake a picture ID with his face and a false name, he can also fake the biometric data to fit his own data. As a stand alone tool the biometric scanners are not really ready.
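The false-positive/false-negative compromise described in the comment above, worked through as an added example that is not part of the original thread. The match scores are constructed for illustration and the function names are hypothetical; a score at or above the threshold counts as an accept.

```python
# Constructed matcher scores (0..1, higher = closer match); not real sensor data.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.35]
IMPOSTOR = [0.62, 0.55, 0.49, 0.44, 0.38, 0.33, 0.27, 0.21, 0.15, 0.08]
THRESHOLDS = [i / 100 for i in range(101)]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_point():
    """Threshold where FAR and FRR are closest (the equal error rate)."""
    t = min(THRESHOLDS, key=lambda t: abs(rates(t)[0] - rates(t)[1]))
    return (t, *rates(t))


def strictest_far(max_far):
    """Lowest threshold whose FAR <= max_far, with the FRR that choice costs."""
    # FAR never increases as the threshold rises, so the first hit is the lowest.
    for t in THRESHOLDS:
        far, frr = rates(t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t in (0.30, 0.50, 0.70):
        far, frr = rates(t)
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("equal error point:", equal_error_point())
    print("no impostor accepted:", strictest_far(0.0))
```

With these sample scores, tightening the threshold until no impostor is accepted sends four in ten genuine users to manual checking, which is the operator workload the comment refers to.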
People just don't understand what biometrics are for. They are not appropriate as a primary means of verifying identity, but they do work well as a supplement to other methods.
I think the problem is you've got some sales monkeys who are selling the idea of biometrics as an authentication panacea to pointy-haired types, which is just further proof that non-technical people should never be in a position of authority or act in a primary decision making capacity where technology is concerned.
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
RFID can be used if you get lost? The range of RFID is about 2 meters most afaik...
The country Dilbert always goes to is Elbonia.
the resources to fabricate fingerprints that will fool the reader...
Almost all security is simply a means of raising the cost of hacking it to a level above its value.
It has been well established that cost and resources involved in defeating a fingerprint scanner amount to little more than some gummi bears.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
A full one third of the population there speaks Russian. It is a local language whether you want it or not. Compare the situation with that of the Swedish language in Finland. Shame, I tells ya.
"It sometimes amazes me about all the fuzz some countries make (UK now, but otoh, UK is against just about anything new :-) when id cards are introduced,"
It's not that we're against everything new, it's more the clouds of spurious chaff thrown out by David Blunkett, the curious quantities of ignorance shown to con arguments and the ludicrous execution of said that tends to suggest that the taxpayer will end up shelling for a form of identity that *should be* adequately covered by photo driving licenses and passports.
I should point out that the latter two identification methods have been redesigned in the past decade to stop counterfeiting, but in the case of the passports, blanks were on the streets within two weeks of the unveiling. Saying that you require another piece of identification is a tacit admission that your system is compromised, and we should be fixing those systems (seriously, I'll say it again...passports) rather than introducing another.
One of the reasons why this isn't necessarily the case is that the real kicker for a national ID card is the national ID card database; that's why this is being pushed so hard.
"At least these kind of things could be stopped if you needed to have your papers with you all the time."
Yeah, we have photos on our driving licenses now. The procedure is that you're given a document that indicates what you need to go into a police station with, then you have to present them within seven days or you'll have a warrant issued for your arrest. That's the UK method.
"At the same time you want to get social security, get unemployment money, drive a car, and much more, so at least prove who you are when you want to cash that check."
To take your points;
Social Security - We in the UK are issued a National Insurance number at 16. This is a primary form of identification because it links back to the Inland Revenue and the DSS. The same for unemployment money.
Drive a Car - Photo driving licenses that are backed with a database at the DVLA in Swansea. Incidentally the same place that records your car ownership, and the primary database queried by police.
Cash that check - Signatures are still considered the best form of identification for this, and most banks can call up a digitised copy of your signature for checking. I tend to carry my passport if more information is needed.
In terms of confirming your identity in the UK, most times a photo id is requested (passport, students union, driving license) along with two utility bills or bank statements.
This creates an 'intersection' of supporting information rather than relying on a single piece of documentation; a national ID card would be a single piece of information for which the only checking tools will be available to law enforcement and government; given the record of other forms of ID, it seems unlikely that this will patch the hole it's intended for.
Oddly Draconis
Too cynical to live, too stubborn to die.
This is a magnetic card which needs to be moved about 1 1/2 inch in front of the reader. The magnetic card is topped by a Photo ID, so the contactless means almost zero wear and tear of swiping.
... being a card-puncher like this means they track my in and out timings (like when I leave my floor for lunch or stuff).
..
:)
All doors in the office open as soon as you flash the ID cards (the doors beep, and everyone looks up at you as if to say "what are you doing roaming around")
The entry into various rooms is restricted like this (this is an outsourcing company, so clients are very very paranoid about "nonfull disclosure" being maintained). Testing server room doors with your ID could even get you fired here
It need not be RFID or anything magic - just extend the reader to something like the metal detector in an airport to read this magnetic ink (holding this against the noonday sun shows that these are lines/bar-codes running the whole length of the card like those security threads in currency)....
And I'm sitting here clocking the first 9 1/2 of the 47 1/2 hours needed for the week, commenting on slashdot
Quidquid latine dictum sit, altum videtur
While all the points you mentioned are valid concerns, especially False Acceptance Rate (FAR) & False Rejection Rate (FRR), there is technology that overcomes most of these limitations.
Have a look at AuthenTec's TruePrint Technology. In summary, "TruePrint Technology uses a patented radio frequency (RF) imaging technique that allows the sensor to generate an image of the shape of the live layer of the skin that is buried beneath the surface of the finger." This makes spoofing of fingerprints nearly impossible.
In fact, AuthenTec are quickly dispelling the myth that biometrics are inherently insecure. Have a look at Fujitsu's hot-off-the-factory-line F900iC [Japanese]. This is the first phone to fully incorporate mobile commerce (m-commerce), and all authentication is performed via that tiny AES2510 AuthenTec swipe sensor.
DoCoMo (think: user base in the millions) would be mad to trust a technology that you suggest is "not really ready."
And yes, I work for AuthenTec ;-).