Slashdot Mirror
UK National ID Card Cloned In 12 Minutes
Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."
I unfortunately read the article...
He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.
Lets hope this puts the final nail in the coffin for this stupid idea.
Sig (appended to the end of comments you post, 120 chars)
Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.
So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
You're allowed to buy alcohol from 18 in the UK, but they're now asking for ID if you look under 25. Also, my 35 year old sister-in-law has been asked for ID several times in Colorado, USA (where she lives). It's not just the young 'uns who need ID ;)
ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.
It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.
It's generally:
a) the extra crap that the government wants to store on there for no good reason
b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
c) the extra expense to get said extra information
d) the fact that the main argument is "do it or teh terrorororoists winz!"
e) the fact that so much money has been poured in to them and they're obviously so broken
f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"
Indeed. Please tag this story "DailyFail".
I've no grounds for arguing with the facts, and certainly agree with the disgust for these ID cards, but any story in the Mail that touches on "scrounging foreigners damaging our property values and insulting the sacred memory of Princess Di" is not to be trusted.
Neither cards nor verification hardware require the master private key to be present.
Just like SSL, in a good implementation of ID cards each card is issued its own private and public keys, signed by the root private key (which is kept in secrecy). Then ID card uses this PK to encrypt communications. Verification hardware only needs the root public key to check that the ID card is legit.
Who did the UK Government get to test the security on these cards?
They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.
I am TheRaven on Soylent News