Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK National ID Card Cloned In 12 Minutes

Posted by timothy on from the but-it's-secure-says-so-right-on-the-label dept.

Death Metal writes with this excerpt from Computer Weekly, which casts some doubt on the security of the UK's proposed personal identification credential: "The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card. Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes."

10 of 454 comments (clear)

  1. Outstanding. by palegray.net · · Score: 5, Interesting

    I just can't wait for national ID cards here in the States! It'll be great for plausible deniability: "Oh, you say you saw ID? Prove it was really me."

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    1. Re:Outstanding. by Rakishi · · Score: 5, Insightful

      And the government expert witness, on the goverment's payroll of course, will say the ID is nearly infallible and you'll end up in jail. We send people to death row on little more than unreliable eye witness testimony, why do you think anyone gives a damn how many people may have copies of your ID?

    2. Re:Outstanding. by TheRaven64 · · Score: 5, Informative

      Who did the UK Government get to test the security on these cards?

      They got quite a competent group of people, as is the policy of the current government. These people issued a report that the cards were insecure and did not solve any problems that actually existed (they actually made some quite interesting recommendations about the problems related to ID that the government could try to solve). Also in keeping with the government's policy (see also: Gower's Report) this advice was completely disregarded. Fortunately, the recent set of expenses scandals kicked the most vocal advocates of the ID card out of the cabinet.

      --
      I am TheRaven on Soylent News
    3. Re:Outstanding. by goaliemn · · Score: 5, Insightful

      Actually, you are incorrect. There are court cases saying you have to present ID if demanded by a cop.

      The cop was responding to a possible house break in. He had to "cross the threshold" to verify this, and he had to verify the person he was talking to was the actual owner. If they believe that a crime is/has occured, there are lower thresholds to entering a possible crime scene. Their job, at that point, is to verify that a crime hasn't occured, and hold anyone who may have committed the crime.

      It wasn't an anonymous tip. The woman who made the call has been harassed and ridiculed for the call. I don't see how that's an anonymous tip.

      I'll throw in that the professor shouldn't have started by showing the cop his college ID. That doesn't verify that you live at the house, and not everyone knows all the professors at a school.

  2. The solution is simple... by nadamucho · · Score: 5, Funny

    Just ban cell phones and laptop computers!

    1. Re:The solution is simple... by GeorgeStone22 · · Score: 5, Funny

      "The real shame is the government has spent billions of our tax dollars without acknowledging this fact. Is it even a British company thats producing the cards? Or are these tax dollars going to another economy?"

      What a great comment from the daily mail article.
      Tax dollars in the UK. Amazing.

  3. Took longer than I'd have expected. by webreaper · · Score: 5, Funny

    Guess they got spent a bit longer on the security aspect than most Government IT projects then.

  4. Re:Hang on by krou · · Score: 5, Informative

    Actually, TFA is a post on Computer Weekly, who read the Daily Mail so you don't have to.

    Using a Nokia mobile phone and a laptop computer, Laurie was able to copy the data on a card that is being issued to foreign nationals in minutes.

    He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.

    He then rewrote data on the card, reversing the bearer's status from "not entitled to benefits" to "entitled to benefits".

    He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, "I am a terrorist - shoot on sight."

    So, no, it is actually pretty bloody scary, as they successfully changed the biometrics of the copy.

    --
    'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
  5. Re:Can't have digital security by Koookiemonster · · Score: 5, Interesting

    What's interesting about technology like this -- such as electronic voting, passports with chips etc -- is that geeks are often against it. Geeks, who generally love technology and gadgetry, are saying no. Maybe the legislators should listen -- assuming that at least some of them actually care.

  6. It copies, but does it validate? by sulliwan · · Score: 5, Insightful

    Storing a simple hash of the card contents with the hardcoded UID of the card and checking if they match when reading a card is enough to prevent any such attack. While you can copy the card and even change contents on it, it will never validate as an authentic card. Aside from that, smartcards have really gotten quite smart, as far as I know, there are no practical attacks against the newer MiFare cards(most hacks on Desfire or newer systems target the implementation of the system, not the cards themselves).