Estonia Tests "Contactless" ID-Cards
borkee writes "Estonian MEAC and CMB start testing a new version of a national ID card containing what they call 'contactless' extensions. Although they do not specifically disclose to us, taxpayers, what technology is used there, it must be quite obvious that it's nothing less than RFID. Add to this, they'll have person's biometrics in memory. (Security gurus of course know: biometrics just don't work.) Soon you can track us poor Estonians by our GSM phones and by our ID cards too!"
like someone wants to track you ?
and as always when new technology is introduced, it will probably take a long time (let's say 2 years or so) until every department (communal house, police department, hospital,..) which needs to get information from your id card, will have the correct reader installed, so until then it's used the old fashioned way.
btw are you guys required to have your id card with you all the time ?
Learn about pinball machines on www.flippers.be
Where can I read about biometrics not being safe ?
That's very interesting, and I've never heard about it before. I mean surely the pattern in your eyes and your fingerprints are unique and do not change, no ?
Check out my PHP Url Validator
Admittedly, I don't know too much about the Estonian political system etc, to comment on the issue of choice, and how much of it the people there had when their government decided to introduce such a thing. However, it has been my experience that outside the US, a lot of cultures don't seem to make that big a deal about privacy, so maybe it is not that big a deal after all to Estonian citizens.
OTOH, RFIDs have already been implemented by clubs, etc to have painless billing, etc, so there are at least a few people around the world who don't think they are that big a deal.
Living in the US, however, my own fears are based on what I have heard about the privacy issues surrounding such technology, in that anyone with a scanner can find out a dangerous amount of information about you without your knowledge or consent; so to me it seems like a bad idea at least until someone can manage to convince me otherwise about how my information will be protected.
"I for instance have a finger print reader on both my palmtop and my desktop."
And everyone else, for instance, has access to your fingerprints on every object you've touched in recent time.
Or are you using gloves?
A good ID verifying-device (card, token, whatever):
* Does not contain or rely on biometrics. Generally can change, and once copied/forged one can never change the identifying information.
* Is capable of doing public-key encryption on-card. The information that identifies the person never leaks to the device. (Technically, this can be done with symmetric encryption as well in conjunction with a trusted centralized server, but this has some drawbacks.)
* Has a PIN, so that stealing the card is not sufficient to impersonate a person.
* Has a PIN entry keypad *on-card*, so that false readers and bogus ATMs cannot steal PINs.
* If any data must go back to the card owner, has a rudimentary display *on-card* (say, a calculator-style LCD display), so that a false reader or bogus ATM cannot say that someone is paying "$10.00 to WalMart" for something and actually having them pay "$14.00 to Joe Hacker".
* Should support a scheme where personal identity is not disclosed, but a persona is (my "persona" at the moment is "0x0d0a"). This is because any national ID card will naturally be used by other systems as well, and without this step, severe privacy abuses will occur. This requires use of a trusted, centralized server or of a card that can natively store multiple identities.
* Allows one to disable the trusted nature of the card quickly and easily if it is lost, and in a manner that cannot be easily done by others (which would allow a denial-of-service attack against the card owner).
* Can handle water, crushing force, and high temperature.
* Can fit in a wallet.
* Should have the ability to log identity verification usage, so that the user can sync his card up with a computer or similar and check to see what he actually signed off on two days ago.
This certainly isn't a complete list of desirable characteristics, but it's a start.
May we never see th
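Several items from the list above (on-card secret, PIN with a retry limit, per-service persona, revocation, on-card usage log), sketched as an added example that is not part of the original comment. It uses the symmetric variant with a trusted central server that the comment mentions, not public-key signatures, so the server holds a copy of the card secret; `Card`, `Server`, `_mac` and the service names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Card:
    """Simulated token; the secret and PIN never leave this object."""

    def __init__(self, secret: bytes, pin: str, max_tries: int = 3):
        self._secret, self._pin = secret, pin.encode()
        self._max_tries = self._tries_left = max_tries
        self.log = []  # on-card usage log the owner can review later

    def persona(self, service: str) -> str:
        # Per-service pseudonym, so two services cannot link the same card.
        return _mac(self._secret, b"persona", service.encode()).hex()[:16]

    def respond(self, pin: str, service: str, challenge: bytes) -> bytes:
        if self._tries_left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        self.log.append((service, challenge.hex()))
        return _mac(self._secret, b"auth", service.encode(), challenge)

class Server:
    """Trusted central verifier (hypothetical; holds each card's secret)."""

    def __init__(self):
        self._secrets, self._pending, self.revoked = {}, {}, set()

    def enroll(self, service: str, persona: str, secret: bytes) -> None:
        self._secrets[(service, persona)] = secret

    def challenge(self, service: str, persona: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[(service, persona)] = nonce
        return nonce

    def verify(self, service: str, persona: str, response: bytes) -> bool:
        key = (service, persona)
        nonce = self._pending.pop(key, None)  # single use: replays fail
        if nonce is None or key in self.revoked or key not in self._secrets:
            return False
        expected = _mac(self._secrets[key], b"auth", service.encode(), nonce)
        return hmac.compare_digest(expected, response)
```

The reader in the middle only ever sees the persona, a random challenge and a MAC over it, so a recorded exchange cannot be replayed and two services cannot match personas against each other.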
I can't read the article, but are you sure it's talking about RFID? Contactless smartcards are different to RFID tags. Maybe the paranoia's well founded, but there is a very important difference between an application card which can be pressed to a reader rather than inserted, and a tag which is designed to be tracked from several feet away.
Which is this?
Almost all security is simply a means of raising the cost of hacking it to a level above its value.
You are completely correct, and I have implemented a cunning plan that has made the effort of hacking me not worth doing.
I have no life, no job, no financial prospects and no worth to my identity. I plan to soon get a criminal record and become a terror suspect. Eventually I will also return my internet connection to a 2400bps modem, and will be insanely secure, as there will be no worth in breaking my security
Take that, evil hackers of the world, TAKE THAT!
I don't think, it's too hard to format this lil' pecker and rewrite the data, when the specific card readers/writers become available. Since it's contactless, U don't have to show the real pic on the card anyway.
And about this GSM-tracking? I'd like to whack that bastard who came up with the idea to bring this to the public. It's pretty dawm hard to give your girlfriend impression you're doing overtime @work, when your phone puts you in the strip-club.
GSM-LocatorSimple.
the resources to fabricate fingerprints that will fool the reader...
Almost all security is simply a means of raising the cost of hacking it to a level above its value.
It has been well established that cost and resources involved in defeating a fingerprint scanner amount to little more than some gummi bears.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Well, with a criminal record and being terror suspect, I guess there are some agencies which would be very interested in breaking your security.
The Tao of math: The numbers you can count are not the real numbers.
Once you detect fraud being done with your biometric identity,
where can you revoke your fingerprint and have a new one issued?
Before this gets labeled flamebait, this kind of intrusion really pisses me off.
The problem with this technology is it not only tracks you, it will allow tracking of your activities. What you buy. Where you go. The ability to, for good or bad, compile a dossier on your life.
The only thing preventing this from happening before was the sheer logistics of it. Now that it's real, I would like to wake people out of slumber.
I mentioned the ability to do good. I might even call them selling point excuses:
Tailored ads. Stand in front of a Coke machine with reader-"Mr. Jones, you like Cherry Coke! It's been a while since you've had one! Go ahead-we won't tell the Other cola co.!" This ad is beamed into your head (REAL technology-trial balloon tested in Japan!)-another distraction. If they are powerful enough readers, billboards change to emphasize something in area based on your personal tastes.
Use for convenience. Make it a feature before it becomes mandatory.
For inventory/shipping control. Box 'a' has XXX going to YYY. You don't even need to scan for it directly.
Look folks, Walmart is forcing the use of tags on all their products. If the reader can read your RFID, it can read those too. Instant knowledge base of all the things you do, what you buy, or don't. Become a nonprofitable customer not well dealt with. Ack.
The potential for abuse is way too great. I have heard of no laws about the use of RFID tags. Right now they are being used on Gillette razors, being very expensive and easily stolen. Problem is, these chips are being made by the billion. You tryin' to tell me they sell BILLIONS of razors? Bah! There are 'plastic watch' chips for military use, used in Haiti for the refugee crisis.
Some tech specs-they are supposed to be burnt out at time of purchase, but they aren't, possible shielding on metal products(cans, etc.) Current readers have up to 20' read range. To deactivate them, microwave for a few secs, but set item on fire. Some are embedded in sandals. That would come in handy for tracking you. Unless you are an anti 1984ist(wow!, created a newspeak!), this should start to sound nasty. Someone with a scanner with devious intent could know all about you by scanning your curbed Hefty Cinchsack. Take an item, plant at a scene of a crime. *knock knock* "Mr. Jones, we have evidence that links you to...."
Like I said, there are ZERO laws concerning the use of these buggers. No search warrants, just scanning.
I try to be well informed, but biometrics seems better, because you know when they are being accessed, but still intrusive. With this junk(RFID), you will have the Law of Unintended consequences knocking on your door.
There are way too many possible abuses to go into, thx for patiently reading rant.
This mind intentionally left blank.
The KKK a bunch of sheetheads? You decide!
It has pretty much always been possible to track any given person's GSM mobile phone. You wouldn't believe the amount of crimes this has helped solve and prevent as well as the amount of people who get lost and get found only thanks to their phone signal. Everyone I know owns a mobile phone. Everyone I know KNOWS that you can be tracked through your cellphone. I am yet to hear ANYBODY complain.
A passport is not the same as a national ID card. No one is required to hold a passport, so can refuse to show it, or pretend that they do not have one. The same goes for driving licenses.
A compulsory national ID card is very different. You cannot claim not to have it, and hence can be required to produce it - even if that requirement is not immediate.