Slashdot Mirror
Security App For the New German Personal ID Hacked
prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."
If you have need for such an identification card and trackable number within the government database to allow you access to government services such as healthcare, what is the best identification system in that case?
First, to TFA: there is no problem with the ID itself, just with the security of the special PC software than can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshel, yes, there are problems, but they aren't too bad and will be relatively easy to fix.
The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?
Enjoy life! This is not a dress rehearsal.
This is nothing else than a security hole in an piece of software. It can be used to install and potentially execute malicious code on the computer. This could include the normal Zeus bot, or a key logger. In case of a key logger, it could be possible to spy the PIN associated with the ID. So if then you can also steal the ID card somehow, ... you can think of the rest.
This is very bad PR for the new ID, but neither the ID card nor the software has been hacked yet. This is just another way to install some malware on a computer.
I have no doubt though that worse things will happen. The mistakes made here are so glaringly obvious that it's hard to believe that there aren't other holes to be found.