New German Government ID Hacked By CCC

← Back to Stories (view on slashdot.org)

New German Government ID Hacked By CCC

Posted by timothy on Thursday September 2, 2010 @05:53AM from the danke-sehr-fuer-die-papieren dept.

wiedzmin writes "Public broadcaster ARD's show 'Plusminus' teamed up with the known hacker organization 'Chaos Computer Club' (CCC) to find out how secure the controversial new radio-frequency (RFID) chips were. The report shows how they used the basic new home scanners that will go along with the cards (for use with home computers to process the personal data for official government business) to demonstrate that scammers would have few problems extracting personal information. This includes two fingerprint scans and a new six-digit PIN meant to be used as a digital signature for official government business and beyond." That was quick. Earlier this year, CCC hackers demonstrated vulnerabilities in German airport IDs, too.

3 of 86 comments (clear)

Min score:

Reason:

Sort:

OpenPGP by axx · 2010-09-02 05:59 · Score: 5, Insightful

Sometimes I wonder why it isn't possible to declare/register a PGP public key as official, and use that to authentify oneself. I mean, with that even email can be secure. Oh well, too complicated for the "general public" I guess, I mean keeping a spare of your (digital) key? That's far too complicated!

--
No wit here.
three courses of action... by gandhi_2 · 2010-09-02 05:59 · Score: 5, Insightful

1: fix the problems.
2: abandon the plan.
3: arrest the people who embarrassed you, suppress any mention of the incidents.
Hmmm... let's see...

--
THL phish sticks
Ugh: Identification vs authentication by jwiegley · 2010-09-02 06:29 · Score: 5, Insightful

When the hell are security "professionals" going to wake up and realize that secure access to something requires three items: identification, authentication and authorization. You CANNOT store the authentication credential with the identification. It is 100% stupid to store the pin on the identification device. Authentication credentials and authorization decisions must be kept by, and made by, the service provider. The only item that should be left with the consumer is an identification badge.
For instance, a national "ID Card" is actually a good thing IF the only thing it has stored on it or about it is the owners identification, i.e. name and unique ID number. The ONLY thing the card should provide is a way to contact a national database/server which requires two things, the unique, public ID number from the card and a fingerprint (which is NOT stored or printed on the card in any way). The ONLY information the server should return is "Yes" or "No". But see... the fingerprint cannot be stored on the card in way for the same reason that the pin in the post should never be stored on the card. If somebody other than the legitimate owner comes into possession of the card then he possesses both the identification AND the authentication pieces of the puzzle and can do whatever the legitimate owner was authorized to do.
Security: it's simple. f*cking learn it.

--
I will never live for sake of another man, nor ask another man to live for mine.