Slashdot Mirror


UK National ID Card Cloned In 12 Minutes

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."

76 of 454 comments

  1. Outstanding. by palegray.net · · Score: 5, Interesting

    I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."

    1. Re:Outstanding. by Rakishi · · Score: 5, Insightful

      And the government expert witness, on the government's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?

    2. Re:Outstanding. by IBBoard · · Score: 2, Funny

      Or "You want to buy alcohol*? Can I see some ID? Can you prove that's your real age and not a faked infallible ID card?" :)

      * Proper phrase inserted since I'm English ;)

    3. Re:Outstanding. by siloko · · Score: 4, Interesting

      I think there are two things of note. First the article is in the Daily Mail which has a populist agenda usually veering alarmingly to the right. They have jumped on the anti-id bandwagon so maybe this article should be taken with a pinch of salt. Secondly if it is true it raises some interesting points. Who did the UK Government get to test the security on these cards? How do you respond to such a public relations disaster? How do you tally lax security with bullet proof identification and if this is not possible what plausible reason is there for rolling these things out nationally? I would be very interested to get a Government spokesman on Question Time squirming to reply to those questions, because they are essentially unanswerable whilst still clinging to the existing policy. And too much money has been spent for this Government to change it now . . .

    4. Re:Outstanding. by Anonymous Coward · · Score: 2, Insightful

      No, the justice system is stacked in favor of the largest entity involved, regardless of whether or not it's in the state's interest. Didn't you notice that "victimless crimes" don't go punished when millions of people lose their life's savings as a result of a single individual, but /do/ go punished when someone may have lost a single DVD sale?

    5. Re:Outstanding. by FourthAge · · Score: 4, Insightful

      Anti-ID card people, not just the "right wing" (ohnoes!) Daily Mail, always said that something like this was inevitable regardless of the effort put into securing the cards. The Government always brushed their concerns aside while expanding the list of people who would have access to the National ID Register.

      If you got a Government spokesman on Question Time, and you were able to get into QT to ask an awkward question, then he would be as evasive as they have always been. Probably he'd just try to distract attention from the real issues. But the point is moot because all QT questions are vetted. The BBC wouldn't want to put the Government on the spot.

      --
      The tao of democracy: the government you can vote for is not the real government.
    6. Re:Outstanding. by IBBoard · · Score: 4, Informative

      You're allowed to buy alcohol from 18 in the UK, but they're now asking for ID if you look under 25. Also, my 35 year old sister-in-law has been asked for ID several times in Colorado, USA (where she lives). It's not just the young 'uns who need ID ;)

    7. Re:Outstanding. by AlecC · · Score: 2, Informative

      Apparently (i.e. I read on the net, so not very reliable), some shops have a policy of ID every Nth customer, regardless of appearance. Which got a 75-year-old irate when he was refused service because he wasn't carrying ID.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    8. Re:Outstanding. by AlecC · · Score: 3, Insightful

      I think unforgeable ID is up there with Perpetual Motion Machines on the list of impossible. Just as good (and expensive) engineering can make machines that will run for a long time, good (and expensive) engineering can make the cost of forgery high. This is the way money is protected from forgery: the cost of the machinery to make it is very high. This is no problem for the Mint, which amortizes it over millions of banknotes. But for criminals, it means the number of notes they have to circulate before getting their money back is very high, and risks leaving a trail back to them. Unfortunately, ID cards by their nature cannot be produced in a central, well guarded, press. The technology for creating them must be cheap enough to distribute to hundreds of local offices. Which means it is cheap enough for criminals to duplicate. Conversely, the value of one really well forged ID card is high, whereas the value of one forged banknote of value ordinary enough to pass around easily is not very great.

      But I entirely agree with you (and TFA): the ID card system is a stalking horse to get a central database of the population in order to keep an eye on everybody. Freedom includes the freedom to err. If you wish, as the authorities seem to, to remove all possibility of error, you tautologously remove all freedom.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    9. Re:Outstanding. by palegray.net · · Score: 2, Funny

      Whooooosh.

      Now it's truly redundant!

      Why no, Mr. Policeman, I don't seem to have my National ID card with me.

    10. Re:Outstanding. by TheRaven64 · · Score: 5, Informative

      Who did the UK Government get to test the security on these cards?

      They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.

      --
      I am TheRaven on Soylent News
    11. Re:Outstanding. by EdIII · · Score: 2, Insightful

      Whooooosh yourself. (S)he's right. The justice system is stacked in favour of the state.

      Yeah.... it's really popular to say that. Like Microsoft *^%*%$(*($ sucks!.

      In this particular instance, it's not so easy to go with the cynicism. If this hack is really that easy, you should be able to come up with a security expert willing to counter that government security expert.

      EXTRA points, if you clone the Judge's ID while in the courtroom and buy 100 black 12" dildos in his/her name and produce the receipt.

      Judges follow the money and actual proof. I will agree, that when a case becomes circumstantial, and the defendant has a bad lawyer, things can go wrong quickly. However, I doubt after the 500th case where proof was brought before the judge by such PACs like the EFF, that ANY judge will seriously give credence to such a provably shitty ID system.

      That original poster brings up a VERY good point, if not sarcastically, and for apparent personal/unethical gain. If the ID system is really that bad, how can an informed judge (the responsibility of the lawyer and an effect of case precedence) allow evidence based on that system to put you in jail in a criminal trial? Its credibility is sorely lacking, and it should have been well known at that point that any whiz kid with a laptop could clone your National ID. If it really is that easy....

      Now a civil trial may be a different matter.... You would have to convince the jury that your ID was cloned and that it really was not you. If they don't believe you, you're fucked. Civil trials have a heck of a lot less to do with proof and right and wrong, as they do with who is more attractive to the jury.

    12. Re:Outstanding. by complete+loony · · Score: 2, Funny

      There's a liquor shop in Australia with a sign something like "If you look like you might be under 25 we have to ask for ID, take it as a compliment."

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    13. Re:Outstanding. by commodore64_love · · Score: 2, Interesting

      You are not obligated to show a U.S. policeman your ID or any other papers unless (a) you're behind the wheel of a car (b) they have a warrant issued by a judge or (c) they saw you doing something illegal (probable cause).

      This is what the cop did wrong in the case of the black professor:
      - He should have never crossed the threshold of the house
      - He had no right to demand ID of an owner standing inside the house

      The proper course was for the officer to obtain a warrant from a judge, which then would have enabled him to get an ID or enter the home. Of course no judge would have issued that warrant because an anonymous phonecall is not probable cause, according to the U.S. Supreme Court.

      The black professor had every right to be angry, and I would have acted in a similar fashion (and I'm a white guy). It's called the right of free speech. In your own home, you can stand there all day long calling cops shitheads and other curse words, and the cops have no authority to arrest you. That right is protected by the Supreme Law of the land.

      President Obama, rather than invite the cop for a sitdown, should have stated accurately that the cop violated constitutional law.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    14. Re:Outstanding. by necro81 · · Score: 2, Informative

      If you had bothered to read the article...

      He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

      He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

      He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

      He's not just reading off or copying the information, he's cloning the card, and demonstrating that he can change things in the process. So, using your analogy, the demonstration proves he not only can copy a page of Chinese writing, he can read and understand it, edit it, and print it back out to make it look just like the original.

    15. Re:Outstanding. by sumdumass · · Score: 2, Informative

      It's not really that difficult to show your ID was cloned. It isn't like it doesn't happen today with current IDs. Illegal aliens are doing it, underage drinkers do it (often on college campuses), and people perpetrating ID theft do it.

      Where the problem is going to be is when the person has some sort of motive and opportunity to commit whatever crime is in question. Most often the ID evidence will have a witness saying it was in fact you and in some cases there will be video or photographic evidence to corroborate.

      The situation will not be much different than it is today.

    16. Re:Outstanding. by langelgjm · · Score: 2, Informative

      Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded.

      For those who don't know, the Gower's report was on intellectual property policy.

      I wish the U.S. did something similar - getting together an independent panel of experts, not hand-picked bureaucrats, to look in-depth at important issues. And of course, actually act in keeping with the reports. Another UK report of interest to slashdot - the Byron Report, which looked at the effects of video games and the Internet on children. Quite even-handed, and makes notes about how there is a "polarisation of research paradigms" between the US and UK.

      The closest thing in the U.S. I've seen is the president's council on Bioethics, and those reports never seem to make as concrete recommendations as the UK ones.

      --
      "Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
    17. Re:Outstanding. by EdIII · · Score: 2, Insightful

      Well I think we are mostly in agreement. What you are talking about is corroborating evidence, motive, and intent. I do agree when there is an eyewitness that states it was you that provided the ID during the criminal act, it becomes very difficult to argue about the ID at that point.

      The original poster, much farther up the thread, was basically stating, "prove it". Eye witnesses help do that. Any type of corroborating evidence is going to help to do that.

      However, when the use of the ID becomes the only evidence from the state, the situation changes dramatically IMO. It would be as if you could show the DNA evidence was wrong 75% of the time. If that were really true, you could never convict on that alone.

      You are right though, as you seem to imply, that most cases in a courtroom are going to have substantially more evidence than a National ID card to establish that the defendant was the person committing the crime. As it should be, really.

    18. Re:Outstanding. by CodeArtisan · · Score: 4, Insightful

      BBC is no more going to criticize the government's ideas, than would PBS criticize the Congress.

      I'm guessing you live outside the UK. The BBC has a long and well documented history of complaints from all factions of UK Government. Google "Jeremy Paxman" or "Robin Day" to discover how political interviews should be conducted. Programmes like "Newsnight" and "Panorama" frequently run stories that are highly critical of government policy.

    19. Re:Outstanding. by goaliemn · · Score: 5, Insightful

      Actually, you are incorrect. There are court cases saying you have to present ID if demanded by a cop.

      The cop was responding to a possible house break in. He had to "cross the threshold" to verify this, and he had to verify the person he was talking to was the actual owner. If they believe that a crime is/has occurred, there are lower thresholds to entering a possible crime scene. Their job, at that point, is to verify that a crime hasn't occurred, and hold anyone who may have committed the crime.

      It wasn't an anonymous tip. The woman who made the call has been harassed and ridiculed for the call. I don't see how that's an anonymous tip.

      I'll throw in that the professor shouldn't have started by showing the cop his college ID. That doesn't verify that you live at the house, and not everyone knows all the professors at a school.

    20. Re:Outstanding. by GNious · · Score: 2, Interesting

      If I understand correctly, a U.S. Government Official (e.g. Police person or personette) can demand you show your ID if you aren't a U.S. citizen. How they're to know, I've no idea.

      G

    21. Re:Outstanding. by camperdave · · Score: 2, Funny

      No, the justice system is stacked in favor of the largest entity involved

      No wonder Americans are getting fat. :-)

      --
      When our name is on the back of your car, we're behind you all the way!
    22. Re:Outstanding. by internic · · Score: 2, Insightful

      The professor should have done so, and thanked the officer for being so quick to protect his residence. But no. The professor had to dish out attitude, and he got what he deserved because of it.

      It's thoroughly depressing to see in our society the authoritarian outlook that someone deserves to be arrested for giving "attitude", in his own home no less. The officer's job is to protect and serve. As two police chiefs interviewed on NPR stated, an officer in that situation should be attempting to get done what he has to and then de-escalate the situation. There was no valid ground for arrest here (which is likely why the charges were dropped).

      People shouldn't be dicks to cops, just as they shouldn't be dicks to people in general, but only in an authoritarian society can the cops arrest anyone who they feel does not show them the proper respect. This is the real issue of the case, which has been lost amongst all the discussion about race.

      --
      "You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
    23. Re:Outstanding. by Unordained · · Score: 2, Insightful

      Please avoid the use of the term "victimless crime" when talking about fraud, theft, or copyright violation. It muddies the waters for true victimless crimes -- personal drug use, consensual sex work, communist ideals, etc.

    24. Re:Outstanding. by iamhigh · · Score: 2, Insightful

      I agree that we can't fold to every whim of the police and let them abuse our rights, but...

      A lady saw a guy breaking in a door and called the cops; the guy owned the house, so he had a right to do so. But a reasonable person would also understand that if you just broke into your house, there is a chance a neighbor called the cops. That happened and all he had to do was show his ID so the cop could verify it was his house. When he didn't do that, the cop had a duty to all land owners to detain him until he could verify who owned the house.

      Should he have been arrested? Maybe. Surely if he never showed ID; how else can they verify the info? Even if he did, he probably took an hour of the officer's time. Do you know who pays those bills? We all do. Screw this one guy for wasting the time of everyone (now even the president) on a situation that should have been easily resolved if he wasn't acting like a horse's ass.

      --
      No comprende? Let me type that a little slower for you...
    25. Re:Outstanding. by AndersOSU · · Score: 3, Interesting

      The case on point is Hiibel. Follow the links for more info.

      The ACLU also has a very good resource.

    26. Re:Outstanding. by AndersOSU · · Score: 2, Informative

      Wrong link, sorry: Hiibel

    27. Re:Outstanding. by internic · · Score: 2, Interesting

      I'm not debating whether the cop should have showed up to check out the call, nor whether he should have tried to verify that Gates was the homeowner. Since we have conflicting information about what happened, it's pointless to argue over whether Gates was acting reasonably. However, to the best of my knowledge (note, I haven't followed this story closely) both people agree that a) Gates eventually showed ID that satisfied the officer that he was the homeowner, and b) Gates did not attempt to physically assault the officer. Based on that information, I'd say it's totally inappropriate for him to be arrested in his own home.

      Gates may well have been acting like a jerk (like I said, we can't know), but that should not be an arrestable offense in a free society. As far as wasting time, there is the charge for impeding an investigation, which could be used but only in extreme cases. The extra cost of this to the tax payer would almost certainly be extremely small, and I'm willing to pay a few more bucks of taxes if it means that police cannot arrest anyone they arbitrarily decide is a jerk or wasting their time.

      --
      "You call it a new way of thinking; I call it regression to ignorance!" -- Operation Ivy
    28. Re:Outstanding. by FourthAge · · Score: 2, Interesting

      My evidence would be the questions that are NOT asked on Question Time!

      Politicians get an undeservedly easy ride on this and all BBC news programmes. The purpose of these programmes is to give the impression of independence, giving the Ministers a hard time. This is created by disagreeing with the Government on minor issues. The hope is that the British people will believe that the BBC is on their side when something really important comes up.

      Modern propagandists do not behave like Goebbels. They do not present one set of facts, they present two, but misrepresent and omit details about the second. This gives the illusion of independence while serving their agenda.

      --
      The tao of democracy: the government you can vote for is not the real government.
    29. Re:Outstanding. by hairyfeet · · Score: 4, Insightful

      Yeah...uh huh. You haven't actually had to deal with the cops, have you? You see they have this little thing called "disorderly conduct" that pretty much means whatever the fuck they want it to mean that day. Don't show ID? Well he was being "disorderly" so we had to haul him in, where of course we ran his prints and found out who he was.

      Trust this old greybeard son, you don't get phrases like DWB (driving while black) or testilying integrated into the language by actually having cops give a shit about the constitution. I have traveled all over the south, and talked to many that go cross country pretty much constantly and our findings match. For every 1 decent cop you got about a half dozen "bullies with badges" that are just DYING for you to give them even the flimsiest excuse to seriously fuck with you.

      I had a friend that was a long time cop take early retirement just to get away from all of his fellow cops. He said the new recruits were more like gangbangers than cops and pretty much spent their days looking to "stir up some shit", his words. So you go right ahead and tell that 220 pound steroid monster with a badge who thinks he IS the law how you know your rights and refuse to show ID and see how quick you are in the back of that patrol car. Let's just hope he doesn't decide you are "resisting arrest" while he is at it. Look up "tuning up" a suspect if you don't get the reference.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    30. Re:Outstanding. by PitaBred · · Score: 4, Insightful

      No, you don't. You have to identify yourself if asked, but you DO NOT HAVE TO PRODUCE ID. If the cop says "Show me some ID" it's perfectly legal and appropriate to say "I'm Pitabred. I don't need to show you any ID."

      The grandparent poster was correct, and your correction scares the hell out of me. Learn your rights. Use them. Or you lose them.

    31. Re:Outstanding. by HeronBlademaster · · Score: 2, Insightful

      I don't get why people think they're "forced" to pay taxes. Taxes are simply the fee for receiving a service (or rather, a set of services) which is provided by the government. If you don't pay the fee, you shouldn't receive the service; that's how paid services work.

      Now, sure, the government can throw you in jail if you don't pay your taxes. But even then, you're still receiving services you haven't paid for - you're getting free food, free cable TV, free room and board, and so on.

      If you don't want to pay taxes, either lobby to get the law changed, or MOVE OUT OF MY COUNTRY.

      That is all.

    32. Re:Outstanding. by Skjellifetti · · Score: 2, Interesting

      The trick is to prove that the judge is as guilty as the defendant. There was a case some years ago involving alleged cocaine cash seized at an airport under RICO where the prosecution sought to use as evidence the fact that the money carried by the defendant was contaminated with traces of cocaine. The defense lawyer asked for some cash from the wallet of the judge and tested it right there in the courtroom for cocaine traces. Sure enough, the judge's cash also showed traces of cocaine. The prosecutor's evidence was tossed and the government forced to return the seized money.

      ... form i8675j

      No, you will need form twenty-seven B stroke six.

  2. Advertizing by doktorstop · · Score: 2, Funny

    I think that will boost Nokia sales in the UK!

    --
    http://www.automatiq.se
    1. Re:Advertizing by Opportunist · · Score: 2, Funny

      Huh? Labour is for sale again?

      I knew it, damn socialists. Those Tories are somewhat more honorable, once bought they at least stay bought.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. The thing that no one ever thinks of.. by SirFozzie · · Score: 3, Insightful

    With these things, that if it can be read by a device, then it can be broken. All that differs is how long will it take to break it..

    --
    People Talking in Movie shows.. people smoking in bed.. people voting republican.. GIVE THEM A BOOT TO THE HEAD!
    1. Re:The thing that no one ever thinks of.. by TheLink · · Score: 4, Insightful

      Of course it can be copied. However if I try to show YOUR ID card "as is", to a guard it might not work - he might realize that I look a bit different from you.

      If the ID contains a digital store of your photo and other biometrics on it that is digitally _signed_, even though it can be copied it'll be much harder to tamper with it. And you can only create a new ID if you can sign it with a valid signature.

      Of course in the real world, the _printed_ photo might be all the guards check.

      Also in the real world, creating fake IDs might not be that hard - you might be able to bribe/trick someone to create a new legit ID for you, or steal/borrow the signing machines + keys (or the backup certs+keys).

      BUT, once they realize what has happened, they can revoke your certs (and maybe even those who were responsible for helping you). While this sort of thing might not be that effective against suicidal terrorists, it works well for oppressing your own citizens.

      If they start tying these IDs to travel and payment, then it works even better for keeping the sheep in line...

      Go figure.

    2. Re:The thing that no one ever thinks of.. by martyros · · Score: 4, Interesting

      If you'd RTFA, you'd see that he also changed a ton of information as well, and created a fake ID with the modified information; including a line that said, "I am a terrorist, please shoot me on sight."

      IOW, there's no security, signing, encryption, anything at all (or if there is it's so broken that it might as well not be there). The fact that it's computerized makes it easier to fake out rather than harder, and simultaneously gives the illusion of being more reliable rather than less. It's bad all around.

      --

      TCP: Why the Internet is full of SYN.

    3. Re:The thing that no one ever thinks of.. by daem0n1x · · Score: 4, Interesting

      Here in Portugal we've had ID cards since the 19th century. We were pioneers in the usage of smart cards as ID cards, together with Belgium and Finland.

      While our old paper ID cards were easily falsifiable, the new smart card is virtually impossible to falsify. It has a lot of physical security measures, a few holograms, engravings, etc. As to the chip, all the data in the chip is digitally signed by the government. The RSA private keys inside are generated by the card during personalisation, and are not extractable. I dare you try to create a false one. The British card seems to be a cheap piece of shit.

      Anyway, what's all the fuss about ID cards? What do you use to identify yourself? Social Security card? Driver's license? How hard is it to forge one of these?
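
The two properties described in TheLink's and daem0n1x's comments above (issuer-signed data, and a private key that is generated on the card and never leaves it), as an added example that is not part of the thread and not any card scheme's real code. It assumes textbook RSA over fixed public Mersenne primes so that it runs on the Python standard library alone (not secure), and the `Chip` model, record format and function names are hypothetical; binding the card's public key into the issuer-signed data is this example's design choice.

```python
import hashlib
import secrets

E = 65537  # public exponent used by both toy keys


def toy_keypair(p_exp, q_exp):
    """Textbook RSA key from two Mersenne primes 2**k - 1. NOT secure: the
    primes are public constants, used only to avoid a crypto dependency."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private d)


def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, n, d):
    return pow(_h(data), d, n)


def verify(data, sig, n):
    return pow(sig, E, n) == _h(data)


ISSUER_N, _ISSUER_D = toy_keypair(521, 607)  # hypothetical issuing authority


class Chip:
    """Public files that any reader can copy, plus a private key that is only
    usable through respond() (stand-in for a non-extractable on-card key)."""

    def __init__(self, record, card_n, issuer_sig, key):
        self.record, self.card_n, self.issuer_sig = record, card_n, issuer_sig
        self._key = key  # (n, d); never exposed by the chip interface

    def respond(self, challenge):
        n, d = self._key
        return sign(challenge, n, d)


def signed_blob(record, card_n):
    # The issuer signs the holder data together with the card's public key.
    return record + b"|" + card_n.to_bytes((card_n.bit_length() + 7) // 8, "big")


def issue(record):
    card_n, card_d = toy_keypair(1279, 2203)  # models on-card key generation
    sig = sign(signed_blob(record, card_n), ISSUER_N, _ISSUER_D)
    return Chip(record, card_n, sig, (card_n, card_d))


def copy_public_files(chip, record=None):
    """Models a blank chip loaded with files read from a genuine card, verbatim
    or edited. It cannot hold the genuine private key, only one of its own."""
    own_key = toy_keypair(127, 521)
    new_record = chip.record if record is None else record
    return Chip(new_record, chip.card_n, chip.issuer_sig, own_key)


def data_is_authentic(chip):
    """Check 1: issuer signature over the data. Detects edits, not copies."""
    return verify(signed_blob(chip.record, chip.card_n), chip.issuer_sig, ISSUER_N)


def chip_is_genuine(chip):
    """Check 2: check 1 plus a fresh challenge that must be signed by the key
    whose public half is inside the issuer-signed data. Detects copies too."""
    if not data_is_authentic(chip):
        return False
    challenge = secrets.token_bytes(16)
    return verify(challenge, chip.respond(challenge), chip.card_n)


def demo():
    # Constructed sample record, not real card data.
    genuine = issue(b"name=Example Holder;benefits=no")
    copy = copy_public_files(genuine)
    edited = copy_public_files(genuine, b"name=Example Holder;benefits=yes")
    cards = [("genuine", genuine), ("copy", copy), ("edited", edited)]
    return {name: (data_is_authentic(c), chip_is_genuine(c)) for name, c in cards}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A reader that runs only the first check accepts a verbatim copy; a reader that runs neither accepts edited data as well.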

    4. Re:The thing that no one ever thinks of.. by Vanders · · Score: 2, Insightful

      Anyway, what's all the fuss about ID cards?

      It isn't the physical card. I couldn't give a rat's ass about the card (Other than it's a cheap piece of shit, as you point out). It's the gigantic, interlinked database that will go with the card, which will track everything I do, and be accessible by almost every public worker you can imagine.

    5. Re:The thing that no one ever thinks of.. by IBBoard · · Score: 4, Informative

      What do you use to identify yourself? Social Security card? Driver's license?

      ID tends to be something like a driver's license or passport. Other measures can be used (e.g. by banks) if you don't drive and haven't been on holiday. Similarly the Government in the UK has some fairly simple ID cards for teenagers who want to prove their age to buy alcohol but don't have a driver's license or passport.

      How hard is it to forge one of these?

      It's not impossible, and it all depends on how hard the passport etc is actually checked, but there are all the normal measures of holograms and watermarks.

      Anyway, what's all the fuss about ID cards?

      It's generally:

      a) the extra crap that the government wants to store on there for no good reason
      b) the extra crap that the government wants to store in a database (for probably quite bad reasons)
      c) the extra expense to get said extra information
      d) the fact that the main argument is "do it or teh terrorororoists winz!"
      e) the fact that so much money has been poured in to them and they're obviously so broken
      f) the fact that it'll become enforceable to display your ID, with the next step being "no ID on the spot? that's a crime"

    6. Re:The thing that no one ever thinks of.. by FourthAge · · Score: 3, Insightful

      Although both Vanders and IBBoard are exactly right, security problems are very important, the real problem is the effect on individual liberty.

      As citizens, we don't need the state, except to defend borders and keep the peace. But ID cards tell us that we do need the state, and that without its blessing, we are nobody. The state is still (notionally) our servant, but now it will not help us unless we do as it says.

      In a free country, the function of government is not to tell citizens what to do. It is not to control the population, to exercise power against them, to interfere in their lives. ID cards change that and this is why I do not approve of them.

      --
      The tao of democracy: the government you can vote for is not the real government.
    7. Re:The thing that no one ever thinks of.. by daem0n1x · · Score: 2, Interesting

      So, that is a problem with central information systems, it has nothing to do with ID or cards. The government can track everything you do without any ID cards, they will simply use other data, like SS number, simply your name, or even credit card.

      In Portugal, we have an interesting system. It's constitutionally illegal to identify someone towards the several state services using a single number. We used to have several cards, for ID, for health care, for social security, for taxes, for voting.

      Now, we have a single card that has all these numbers printed on the back. The databases are all separated. A worker from the Ministry of Finance can only use your tax payer ID and access only tax information. A Social Security worker can only access your SS data, etc.

      It depends a lot on culture. In our country we don't trust the government or private institutions that much. In other countries people have more trust, so they don't mind the databases.

      In the UK, there is a paradox. It's a vigilance state, in spite of the Anglo-Saxon culture being so keen on privacy and individual rights. And UK citizens (rightfully) suspect the government doesn't treat their privacy with enough care.

    8. Re:The thing that no one ever thinks of.. by Opportunist · · Score: 2, Insightful

      I worked for banks and government agencies. And while both are lacking in the security department, banks at least have a standard that doesn't give me the chills every time I think of it.

      Government standards do.

      That "giant back end database" will be leaked before it's done building. Worse, why not connect my passport with the magic number of some passport?

      The best kind of security is still offered by the human eye, a trained guard and his judgement of character. Also a thing I learned while working for banks. Yes, they have electronic access card readers, but they don't rely on them. They have a beefy security guy sitting next to it that looks at you and he, and he alone, decides whether you go in. That reader is mostly for show, and to make you "move" in a fairly predetermined fashion so the guard can judge your movements and watch your body talk.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:The thing that no one ever thinks of.. by Aceticon · · Score: 2, Insightful

      Simply put:

      The fuss is not about ID cards per-se, the fuss is about the UK government trying to create yet another tool to spy-upon, track and control UK residents.

      CCTV all over the place, 28 days detention without trial (which the government tried to extend to 45), police abuses against peaceful demonstrators, extra-strong anti-libel laws used to silence whistle-blowers, anti-terrorist laws which are mostly used for things which have nothing to do with terrorism, attempts at setting up an infrastructure for widespread Internet surveillance, covert Internet censorship, the health-and-safety blank card used to pretty much ban anything the authorities feel like banning, collusion with torture, unjustified wars (Iraq), soldiers sent to (die in) war with improper equipment because the government is too cheap, parliamentarians abusing the expenses system and politicians and civil servants that have taken to visibly and frequently lie and spin as if people are all stupid.

      It's no wonder that trust in the politicians and public institutions (including the police) in the UK is at an all time low ...

    10. Re:The thing that no one ever thinks of.. by pjt33 · · Score: 2, Informative

      You missed checking your post for accuracy. You don't need an NI number to apply for a British passport. I don't think you need one to open a UK bank account, although I haven't done that for several years so I'm not 100% sure: if you do then it's only to pay taxes. You don't need one to apply for a job, although if you get the job you will need to obtain one, if you don't have one, and supply it so that they can pay taxes. You don't need one for hospital treatment - there is an NHS number, but that's administered entirely separately. And finally, yes, you need it to pay taxes: that's the only purpose for which you need it.

  4. The solution is simple... by nadamucho · · Score: 5, Funny

    Just ban cell phones and laptop computers!

    1. Re:The solution is simple... by GeorgeStone22 · · Score: 5, Funny

      "The real shame is the government has spent billions of our tax dollars without acknowledging this fact. Is it even a British company thats producing the cards? Or are these tax dollars going to another economy?"

      What a great comment from the daily mail article.
      Tax dollars in the UK. Amazing.

  5. I think I know what happened here by Rosco+P.+Coltrane · · Score: 2, Funny

    I bet they head-hunted members of the Windows XP team to implement this in the UK. That can't be a coincidence. Great move guys...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  6. Took longer than I'd have expected. by webreaper · · Score: 5, Funny

    Guess they spent a bit longer on the security aspect than most Government IT projects then.

  7. Re:Hang on by sifi · · Score: 4, Informative

    I unfortunately read the article...

    He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

    Let's hope this puts the final nail in the coffin for this stupid idea.

    --
    Sig (appended to the end of comments you post, 120 chars)
  8. Re:Hang on by krou · · Score: 5, Informative

    Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.

    Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

    He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

    He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

    He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

    So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.

    --
    'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
  9. Can't have digital security by HetMes · · Score: 4, Interesting

    If it's digital, exact copies are possible.
    If it's digital, because of the convenience, analogue security measures will be taken less seriously.
    If it's digital, uninformed politicians will think it cool, and believe in it like some do in 70 virgins.
    If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics
    If it's digital, tampering is undetectable.

    Either way, this digitally secure ID thing can only lead to government saying: "Look! We've tried, and you also know that the only way to do this properly is to put you all in a database and track your every move."

    Can we perhaps agree on forsaking digital security just because it's cheaper and faster in cases where we don't need it anyway (i.e. when people aren't up to no good)?

    1. Re:Can't have digital security by Koookiemonster · · Score: 5, Interesting

      What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.

    2. Re:Can't have digital security by sdiz · · Score: 2, Interesting

      If it's digital, exact copies are possible.
      [...]

      If it's digital, the process is fast and can be automated, and the threat is increased a million-fold (out of arse, of course) by sheer statistics. We need slow electronics

      [...]

      If it's digital, tampering is undetectable.

      Hmm... in fact, there are smart cards with microprocessors empowered with strong public key encryption that would make cloning very difficult and always detectable.

      But the government just doesn't care (or can't tell the difference).

    3. Re:Can't have digital security by Keeper+Of+Keys · · Score: 4, Interesting

      You're right. Unfortunately they only listen to the geeks they are paying to create systems like this, who are of course saying "yes, we can make an uncrackable security system" and suppressing their sniggers until they've made it out of the room with their fat cheque.

    4. Re:Can't have digital security by Cyberax · · Score: 4, Informative

      Neither cards nor verification hardware require the master private key to be present.

      Just like SSL, in a good implementation of ID cards each card is issued its own private and public keys, signed by the root private key (which is kept in secrecy). Then the ID card uses this PK to encrypt communications. Verification hardware only needs the root public key to check that the ID card is legit.

  10. Re:Hang on by AmiMoJo · · Score: 2, Informative

    TFA says they managed to change the data on the card. It's still not clear if that is enough to make your own card or if it would fool a biometric scanner.

    Biometrics are a terrible way to establish identity, which is why banks don't use them. Aside from the ease with which things like fingerprint scanners can be fooled, your biometric data can change (e.g. you burn your finger, lose an eye, get cosmetic surgery). That means there has to be a system for getting your card updated with the new data, and if such a system exists you can guarantee it will be open to abuse.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Surprising by AdamInParadise · · Score: 4, Interesting

    I work in the smartcard industry and most of the time those "breaks" mean nothing: usually the "hacker" simply reads the publicly available information and claims that the system is "broken". The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not explain them very well.

    However in this case the article claims that they were able to clone the card AND modify the information in the cloned card, which is really the hack that those cards are trying to prevent. This article is heavier on details than many others and that makes it more credible, but the details are still muddy. I hope that the journalist missed a crucial point and that this card is not as insecure as he thinks.

    Small-scale, private smartcard-based systems can be cracked, usually because they are badly installed and used. Large-scale, private smartcard-based systems can be cracked (just look into the MiFare Classic debacle) but it involves months of hard work from people with PhDs and access to expensive equipment. Large-scale, governmental smartcard-based systems can be cracked, but I would be really surprised if it took only a few minutes. Unless that hacker presents the attack in details, I will file this one in the "baseless fearmongering in order to sell more papers" folder (which is already bursting BTW).

    --
    Nobox: Only simple products.
    1. Re:Surprising by pjt33 · · Score: 2, Insightful

      The reaction of the public is always interesting and shows that many users do not understand the goals of such a system, probably because the politicians that buy those systems do not know what they are either.

      FTFY. From the politicians' point of view the goal of the system is either a) to protect against every possible threat to individual or national security; or b) to help them keep their seats - depending on how cynical they are.

  12. Re:Hang on by Rosco+P.+Coltrane · · Score: 2, Insightful

    If they had any sense whatsoever, all that data would be stored on the server and the card would simply have an ID number (and MAYBE a name) programmed into it. The fact that their system simply believes what's on the card and doesn't check a central database to make sure that the card hasn't been tampered with is just plain stupid.

    So instead, they should trust the ID number? How is a number pointing to a block of data on a remote server safer than the block of data itself? That's what credit cards are (they have a number in them, that ATMs and pay points check against the credit company's database), and this particular industry is rife with electronic fraud.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  13. Re:Hang on by makomk · · Score: 4, Insightful

    Oh, no doubt you can clone a new card with modified data. The real question is - can you get it to verify as genuine in Government readers now you've modified it? Unless the Government's really screwed up, the cards should have digital signatures, which means any unauthorised changes to the data will make them invalid. The Daily Mail article not only doesn't do a good job of addressing this issue, it fails to realise how significant an obstacle it is. I bet they only bothered to check the card in unofficial readers that don't verify anything...

  14. Love the Ending by TerraGreyling · · Score: 2, Insightful

    My favorite part of this article, was the response by the officials. Excuse us we need time to come up with an excuse, err.. a response to these allegations. We could just say, "Yes we care about the protection of your identity, but first I need to doublecheck the validity of that statement. Thank you."

  15. Foiling the foilers by mtthwbrnd · · Score: 2, Funny

    The system is perfectly safe ... just don't let your card out of your sight for more than 11m59s. Citizens do have to take some responsibility after all!

  16. It copies, but does it validate? by sulliwan · · Score: 5, Insightful

    Storing a simple hash of the card contents with the hardcoded UID of the card and checking if they match when reading a card is enough to prevent any such attack. While you can copy the card and even change contents on it, it will never validate as an authentic card. Aside from that, smartcards have really gotten quite smart, as far as I know, there are no practical attacks against the newer MiFare cards (most hacks on Desfire or newer systems target the implementation of the system, not the cards themselves).

  17. Expensive Equipment? by TerraGreyling · · Score: 4, Interesting

    Unless there have been leaps and bounds in smart card technology in the past couple of years I think this is an overstatement. A few years back I made most of my money buying blank smart cards, copying the information from the satellite TV smartcards, changing a few places in the hexadecimal coding, and selling full unblocked TV. Of course we would tell the user to remove the cards from the boxes at night when the companies would do system checks that fry any unauthorized cards. And the cost of such equipment, $49.95. Not expensive and on about average, 15 minutes of work. If the UK is using the same format, that would be a real easy "hack".

    1. Re:Expensive Equipment? by Anonymous Coward · · Score: 3, Interesting

      TV unblocking is relatively simple, they use a (symmetric) master key that is used to derive session keys. These keys need to be in memory because they are required for the decoding, which needs a lot of performance. Also, you can always "share" the smart card between friends, the smart card does not know who is requesting the session keys. These are cheap cards. Or at least, this is how it used to be, I don't keep a close watch on this.

      These cards use Passive Authentication making sure that the biometric data cannot be altered. Keys are stored on a central place, well secured. Furthermore, they've got protection against anti-cloning using an asymmetric smart card processor. This is not an easy hack at all, unless the verification equipment does not have the certificates to verify the signature, because the whole of these cards relies on that.
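
Added example (not part of any comment in this thread, and not the UK card's actual protocol): a toy Python model of the two checks described in Cyberax's comment and in the comment above, a signature over the data-group hashes made with an issuer root key, and a per-card key that answers a reader's challenge. All names, the sample data and the textbook-RSA keys built from Mersenne primes are assumptions made for illustration and are not secure.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA from two primes -> (n, d). Toy only: no padding, small modulus."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def manifest(dgs, card_n):
    """Hash of every data group plus the card's public key: the blob the issuer signs."""
    parts = [f"{k}:{hashlib.sha256(v).hexdigest()}" for k, v in sorted(dgs.items())]
    return "|".join(parts + [f"card_n:{card_n}"]).encode()

def issue_card(dgs, root, card_key):
    """Issuer side: the root private key is used here and never leaves the issuer."""
    card_n, card_d = card_key
    return {"dgs": dict(dgs), "card_n": card_n, "priv": card_d,
            "sig": sign(manifest(dgs, card_n), *root)}

def readable_copy(card):
    """Everything a reader can pull off the chip; the per-card private key is not readable."""
    return {"dgs": dict(card["dgs"]), "card_n": card["card_n"],
            "sig": card["sig"], "priv": None}

def chip_respond(card, nonce):
    """Runs inside the chip: sign the reader's nonce with the per-card private key."""
    return sign(nonce, card["card_n"], card["priv"]) if card["priv"] else 0

def reader_check(card, root_n):
    """Returns (data_intact, chip_genuine). root_n=None models a reader with no issuer key."""
    if root_n is None:
        data_ok = True  # nothing to verify against, so the data is taken on trust
    else:
        data_ok = verify(manifest(card["dgs"], card["card_n"]), card["sig"], root_n)
    nonce = secrets.token_bytes(16)  # fresh challenge, so a recorded answer cannot be replayed
    chip_ok = data_ok and verify(nonce, chip_respond(card, nonce), card["card_n"])
    return data_ok, chip_ok

# Constructed keys (Mersenne primes, chosen only so the example needs no key generator).
ROOT = make_key(2**521 - 1, 2**607 - 1)
CARD_KEY = make_key(2**127 - 1, 2**107 - 1)
OTHER_KEY = make_key(2**89 - 1, 2**61 - 1)  # a key the issuer never signed

def scenarios():
    """Check four constructed cards against a reader with and without the root key."""
    genuine = issue_card({"DG1": b"name=SAMPLE;benefits=no", "DG2": b"<photo>"},
                         ROOT, CARD_KEY)
    copy = readable_copy(genuine)              # bit-for-bit copy of the readable data
    edited = readable_copy(genuine)            # copy with one field changed
    edited["dgs"]["DG1"] = b"name=SAMPLE;benefits=yes"
    resigned = readable_copy(edited)           # changed data, signed with a non-issuer key
    resigned.update(card_n=OTHER_KEY[0], priv=OTHER_KEY[1])
    resigned["sig"] = sign(manifest(resigned["dgs"], OTHER_KEY[0]), *OTHER_KEY)
    cards = {"genuine": genuine, "copy": copy, "edited": edited, "resigned": resigned}
    pinned = {k: reader_check(c, ROOT[0]) for k, c in cards.items()}
    unpinned = {k: reader_check(c, None) for k, c in cards.items()}
    return pinned, unpinned

if __name__ == "__main__":
    for label, result in zip(("root key pinned", "no issuer key"), scenarios()):
        print(label, result)
```

With the root key pinned, only the genuine card passes both checks, and a bit-for-bit copy passes the data check alone. A reader holding no issuer key cannot tell the re-signed card from a real one.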

  18. Re:Hang on by bythescruff · · Score: 3, Funny

    Unless the Government's really screwed up...

    Let me guess - you're new, right?

    --
    Chuck Norris: Socialism == a thousand years of darkness.
  19. Re:Hang on by gsslay · · Score: 4, Informative

    Indeed. Please tag this story "DailyFail".

    I've no grounds for arguing with the facts, and certainly agree with the disgust for these ID cards, but any story in the Mail that touches on "scrounging foreigners damaging our property values and insulting the sacred memory of Princess Di" is not to be trusted.

  20. Re:Hang on by ThatGuyJon · · Score: 2, Informative

    Each one of these files is supposed to be protected with a special digital key, so that if anyone attempts to change it, the card would be identifiable as a fake to any official with a digital chip reader.

    To get round this hurdle, we recruited the help of another technology expert, Jeroen van Beek, an Amsterdam-based computer consultant who advises many top companies on digital security.

    Drawing on the work of renowned New Zealand computer scientist Peter Gutmann, our team was able to alter the contents of each datagroup and then 'relock' them, so that the card would be accepted as genuine.

    We had created a perfect fake chip. The Government's 'fail-safe' security had failed.

    In other words, yes the government did really screw up.
    On a side note, does slashdot have to link to a link to the article?

    --
    I must be new here...
  21. Not a cloned document by Vollernurd · · Score: 2, Informative

    Whilst this is a failure of some rudimentary security system that was supposed to protect the data stored on the chip, this is not a cloned card per se.

    The chips on these ID cards, and the new UK passports, are there to enhance the integrity of the DOCUMENT, not be secure stand-alone identifiers alone. For instance you can easily copy the data on a chip once the security has been defeated but to accurately copy the paper part of the document including the watermarks, UV sensitive fibres, holograms, raised ink, iridescent coatings, etc. takes a lot of time and effort that most people won't bother with. Some do bother as a lot of bent banknotes will testify to.

    These cards like the passports SHOULD when tested/checked be read by a human being who knows how to check the security features (e.g running your fingers over the top of a banknote to check the raised ink), check the details and the photo are correct and do not seem to have been tampered with, then they can check that the data on the chip matches the data printed on the paper/plastic. If they match then there's a very high chance that the card/passport is genuine.

    Just checking one portion rather than the other defeats the purpose of these designs.

    Weak systems will always be exploitable. UK Border Control staff/Police/Home Office drones need to know that no document is unforgeable and to maintain the integrity of a system requires knowledge and training on the part of those who are attempting to enforce it.

    --
    Smokey, this is not 'Nam, this is bowling. There are rules.
  22. Re:Hold on a second... by chrb · · Score: 2, Informative

    In fact, the Daily Mail article says they used Jeroen van Beek's method of loading the card with data - however, the Wired article claims this is not actually what happens:

    Unfortunately, a number of people have interpreted the Times story to mean that van Beek altered the data on a legitimate passport chip without it being detected. England's Home Office is among those who read it this way. The Office recently responded to the story by denying that anyone can change data on a passport chip without it being detected.

    In fact, van Beek says he didn't change data on a passport chip.

  23. UK Home Office calls the report "rubbish" by amazeofdeath · · Score: 2, Informative

    "The Home Office has dismissed the report. "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened," said a spokesperson.""

    http://www.theregister.co.uk/2009/08/07/id_card_hacked/

    --
    U+F8FF
  24. This is the biggest problem by Anonymous+Brave+Guy · · Score: 4, Interesting

    And the government expert witness, on the government's payroll of course, will say the ID is nearly infallible and you'll end up in jail.

    I think this is symptomatic of the biggest single problem with so many government powers.

    Things will inevitably go wrong in any system as large and complicated as running a national government. This will be true even if everyone tries to be diligent and acts with nothing but good intentions. There is no point either pretending that this won't happen or pretending that it would be better if we dropped all government systems that could possibly cause such problems no matter how much good they might otherwise do.

    However, there should always be a system in place that allows mistakes to be detected and put right quickly, and without making things any worse for the unlucky victim. This is particularly true in cases of mistaken identity or other factual errors, where the consequences might be anything from financial loss such as being denied benefits or overtaxed, through loss of reputation and all the damage to relationships and career that might entail, right through to violent arrest and detention (or worse).

    As a declaration of interest, I am particularly sceptical about any claims relating to ID, because I was once overtaxed significantly due to a case of mistaken identity at a government tax office. It was bad enough that I was left short of money to pay my rent without warning, but even worse that it took nearly three months and a huge amount of effort on my part to get it put right, and I never received so much as a real apology or full explanation afterwards. I can forgive a data entry error by someone who's probably earning near the minimum wage and typing hundreds or thousands of these numbers every day. I can't forgive a system that damages me for months afterwards because it can't acknowledge that it made a mistake.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  25. Giving ID when suspected of a crime by Anonymous Coward · · Score: 2, Informative
    No, you don't. You have to identify yourself if asked, but you DO NOT HAVE TO PRODUCE ID. If the cop says "Show me some ID" it's perfectly legal and appropriate to say "I'm Pitabred. I don't need to show you any ID."

    Did you read the page you linked to? It says:

    'In Hiibel v. Sixth Judicial District Court of Nevada, the Supreme Court upheld state laws requiring citizens to disclose their identity to police when officers have reasonable suspicion to believe criminal activity may be taking place. Commonly known as "stop and identify" statutes, these laws permit police to arrest criminal suspects who refuse to identify themselves.'
    http://www.knowmyrights.org/faq/4th-amendment/when-do-i-have-to-show-id.html

  26. falsely convicted by falconwolf · · Score: 2, Interesting

    We send people to death row on little more than unreliable eye witness testimony

    We do?

    The US does. The Innocence Project has proven the innocence or had arranged the pardon of 4 people this past week. Ernest Sonnier had been in prison 23 years for rape when a DNA test cleared him. A report on the lab that originally ran tests that were used to convict him "details dozens of testing errors and questionable practices uncovered at the Houston lab." I don't recall if it was Alabama or Louisiana but one of them had a problem with an investigator, he had been caught manufacturing evidence. In one case, though he had been caught, the state supreme court has upheld the conviction on another person on death row, ruling to the effect that just because he manufactured evidence once it doesn't mean he did in all cases. Yet they wouldn't allow new tests.

    Falcon