Slashdot Mirror
Estonia Tests "Contactless" ID-Cards
borkee writes "Estonian MEAC and CMB start testing a new version of a national ID card containing what they call 'contactless' extensions. Although they do not specifically disclose to us, taxpayers, what technology is used there, it must be quite obvious that it's nothing less than RFID. Add to this, they'll have person's biometrics in memory. (Security gurus of course know: biometrics just don't work.) Soon you can track us poor Estonians by our GSM phones and by our ID cards too!"
Admittedly, I dont know too much about the Estonian political system etc, to comment on the issue of choice, and how much of it the people there had when their government decided to introduce such a thing. However, it has been my experience that outside the US, a lot of cultures dont seem to make that big a deal about privacy, so maybe it is not that big a deal after all to Estonian citizens.
OTOH, RFIDs have already been implemented by clubs, etc to have painless billing, etc, so there are at least a few people around the world who dont think they are that big a deal.
Living in the US, however, my own fears are based on what I have heard about the privacy issues surrounding such technology, in that anyone with a scanner can find out a dangerous amount of information about you without your knowledge or consent; so to me it seems like a bad idea at least until someone can manage to convince me otherwise about how my information will be protected.
No we don't need to have our ID card with us all the time. It's required to own a card if you're older than 15 but you could just keep it home in a box.
Biometrics have a limited recognition rate, that means: a considerable amount of false positives (wrongly identified) or false negatives (wrongly refused). Often all you can do is having a compromise, either admitting the false positives to have less false negatives, or having lots of people wrongly refused by the system, so the human operators have to manually sort out the remainings.
Due to the limited recognition rate, you can often easily fool a biometric scanner. Face recognition systems are often fooled by holding a picture of the right person before the lense. Same often works for iris scanners. Finger print scanners can be fooled by fake fingerprints made from wax (stearine). Hand scanner sometimes are easiest. Cut out a cardboard with the right hand profile.
Most of those biometric scanners thus should never run unattended, to minimize manipulation as stated above. And if you have humans watch the scanners, you could as easily have those humans perform the checks themselves, probably getting better recognition rates.
Biometric scanners may give you additional security, if you use all the common methods like picture ids, signature and similar too, because now an attacker has not only to disguise himself accordingly, but has to fake the biometric data too. But without a central database for crosschecking the data, its rather meaningless. If he can fake a picture ID with his face and a false name, he can also fake the biometric data to fit his own data. As a stand alone tool the biometric scanners are not really ready.
the resources to fabricate fingerprints that will fool the reader...
Almost all security is simply a means of raising the cost of hacking it to a level above it's value.
It has been well established that cost and resources involved in defeating a fingerprint scanner amount to little more than some gummi bears.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.