New German Government ID Hacked By CCC

wiedzmin writes "Public broadcaster ARD's show 'Plusminus' teamed up with the known hacker organization 'Chaos Computer Club' (CCC) to find out how secure the controversial new radio-frequency (RFID) chips were. The report shows how they used the basic new home scanners that will go along with the cards (for use with home computers to process the personal data for official government business) to demonstrate that scammers would have few problems extracting personal information. This includes two fingerprint scans and a new six-digit PIN meant to be used as a digital signature for official government business and beyond." That was quick. Earlier this year, CCC hackers demonstrated vulnerabilities in German airport IDs, too.

Re:Government's reply: Stick Head in Sand

[Peeteriz]

It's far safer than magnetic cards; I've heard no fraud cases where the PIN has been successfully extracted from the chip or the chip data cloned - reading the chip's contents would generally be far more expensive than the maximum money limits on the card. Mag-stripe cards can be cloned by a cafe waiter or a tiny 10$ device hidden on an ATM and then your money used in any place that "verifies" only signatures.

Also for the ID card - if it has some way to send the fingerprint data or encryption key outwards, then that is a design fuckup; but if it is only able to verify pin and sign message packets with the key if the pin is valid, and permanently erase the key if pin is entered wrongly a few times, then the security is quite adequate.