Security App For the New German Personal ID Hacked
prefec2 writes "On Nov. 1st Germany started to issue new personal ID cards which include a security chip. In combination with a reading device and an application on a PC at home, secure transactions can be made. However, the required application can be compromised using DNS spoofing and a wrong SSL certificate (article in German)."
I think it was that Shakespeare dude who said, "The best laid schemes of mice and men. Go oft awry"
Or, as the philosopher Simpson said, "D'oh!"
Mod down people who tell people how to mod in their sigs
If you have need for such an identification card and trackable number within the government database to allow you access to government services such as healthcare, what is the best identification system in that case?
(article in German)
Most of us will have an excuse not to read TFA this time.
(As if lack of an excuse ever made much difference.)
Sheesh, evil *and* a jerk. -- Jade
Scheisse!
"The best-laid schemes o' mice an' men, gang aft agley,"
And for one, Shakespeare wasn't Scottish...
How does it matter? Does it let you get the secret key from a card, or somehow pretend to have a different ID?
I thought the point of using a smartcard is that PCs cannot be trusted.
Is this about a MiTM attack without physical access to the PC?
First, to TFA: there is no problem with the ID itself, just with the security of the special PC software that can work with them. As most /.ers know, there is quite a hacker community in Germany, and these problems are really not too bad. In order to compromise the software you first have to do a DNS hack, then fake a certificate, then... In a nutshell, yes, there are problems, but they aren't too bad and will be relatively easy to fix.
The ID itself is really cool. Among other things, it supports secured anonymous transactions. How many governments are there that willingly support anonymity for their citizens?
Enjoy life! This is not a dress rehearsal.
You have to know that our (German) current ID card is being photocopied for many kinds of quick transactions/deals. Someone can give you something without paying in advance and you give him a copy of your ID card, so he can find you, when you forgot to pay or give something back. You can optionally give the ID card directly as security.
Now... the new ID... it is explicitly forbidden to photocopy it and even leave it unattended somewhere.
Why? Because there are some critical numbers printed on the new German ID cards that no one should know. Isn't it great? Imagine that someone printed your social security number on your new "great and modern ID card"!
And here comes the first loophole: banks always have needed and still will need your ID card photocopied to open an account. Guess what happens? They will get a special permit to do this (it has been already decided to keep the current account registration system working).
...But they aren't functional yet. I think it's mostly intended for e-gov, though.
Emotions! In your brain!
I like this rule that forbids to give the card out of your hands. Hopefully it will put some common sense in some heads and I can stop shaking my head over all those idiots who willingly give their credit cards out of their hands and let people do stuff they can't see with it, but then wonder about their crazy bills.
And banks don't "need" an ID card or copies of an ID card to open an account. Any method which can prove that you are the guy who opened the account would do it.
Do you ever eat at nice restaurants?
And since the ID card and desktop software know nothing about the operating system they run on there is no way to be sure they will behave as expected.
http://michaelsmith.id.au
Just give them your passport. They will happily accept it. That's what I and most foreigners living in Germany use to authenticate, because we don't have an ID card.
Another potential hole here is the social aspect of the deployment: it is only for Germans. And you have a large percent of foreigners living there, who use the same services as Germans. And I don't mean people from far away countries. I mean even other Europeans who happen to live in Germany in accordance with all European rules.
These people use credit cards, do bank transactions, on-line shopping, etc. For these people, to which I belong, our only means of authenticating is the passport. So in the end every single procedure that does not wish to lock out non-Germans must have a way to not use this ID.
So yes, this new ID might protect some Germans, but if there is a workaround, loopholes will always be there.
This is not a bug, it's a feature.
Now they can upload their spying tool to everybody without a warrant. All they need to do is accidentally mix up the new release of the passportapp with the trojan.
How do I uncompress my MD5 archive?
The current terms of service (which you accept when you get this thing) are that the program is safe by definition. The user has to keep the PC free of viruses. Zero-days are the user's fault as well, whatsoever.
Which basically means, whenever somebody does something bad with your ID, the damage is yours.
They even read that you should only keep it on the card reader for the few seconds of usage.
As if those few seconds are not enough for an attack. One thing that already works easily with an exploited PC is remotely changing the user's PIN, without him knowing. Well... this already is a damage for the user of a couple euro + time loss because you have to go to the local citizen center. (can anybody think of a nice DOS attack on the city centers)
How do I uncompress my MD5 archive?
This is very bad PR for the new ID, but neither the ID card nor the software has been hacked yet. This is just another way to install some malware on a computer.
I have no doubt though that worse things will happen. The mistakes made here are so glaringly obvious that it's hard to believe that there aren't other holes to be found.
Yes. But that doesn't mean that I'd ever let anyone except closest friends take my credit card out of my sight.
I'm from Germany, and the usage of credit cards is not so widespread here as in the USA. If it's not a business related dinner, or some kind of bigger event, most people here usually pay cash in restaurants. And as I know how much the CC companies charge those poor shop owners, I tend to use a credit card only when paying in cash or with the bank card (don't know if there's something similar in the US, you use it to draw money from ATMs or pay in shops, works all over Europe, often even in shops who wouldn't accept Amex or Visa) is not possible.
The really safe solution would have been to have a reader with PIN entry required, and have that reader directly communicate with the server (using a secure, encrypted protocol, of course), so for identification purposes, the computer acts only as a router for the secure communication. Of course that still doesn't protect against compromised readers, but I guess those are much easier to protect than computers (after all, they are single-purpose appliances).
The Tao of math: The numbers you can count are not the real numbers.
Yeah I think this point was brought up in the dw-world article (in English) linked to this story. It's like Internet Banking, if you use it from a computer which isn't secure or which you can't reasonably trust (e.g. a computer in an internet cafe) you can't expect your session to be secure. Same with this system.
I think the idea is to create a system where verified emails and documents can be securely sent, e.g. if I want to cancel the contract with my phone company I use my ID+PIN reader gadget to send them a verified email or document. Instead of the current way of sending a paper letter with my signature on it (which sure as hell is not a secure system). http://de.wikipedia.org/wiki/De-Mail (the en wikipedia article is just a stub)
You wouldn't expect people to use such a system from cracked or internet cafe computers any more than they would use such computers for their internet banking.
Pre-canned Evolution Links for all those Slashdot holy wars.
I think the attacker is a different person here. If you want your data to be secure you will use a secure system. If you want to defraud the Government then you may create a deliberately insecure system.
http://michaelsmith.id.au
Banks generally do need to go above and beyond 'have a photo ID' to protect your money - they store the copy of your official ID to compare against the ID you (or "you") show next time, and to compare signatures, and to have a photo of the bad guy and solid evidence that it wasn't you if a forgery was presented the first time.
If you don't do this, then some shmuck with a forged ID can do stuff in your name. Oh - and that's the choice that most USA banks have made, so you suffer from identity theft much more than other nations do, as elsewhere just knowing your data is not that harmful to you.
Do you ever eat at nice restaurants?
That was ten years ago, when the waiter had to take your card backstage to get the imprint.
Nowadays, they do have those small portable readers which they bring right to your table. The card no longer leaves your sight...
Most restaurants I've eaten in either bring a wireless card processing handset to your table, or they have a point that you can go to to make a payment, or both. Very few seem to want to take the card away from the table by default, now - probably because people are a lot more cautious about letting them do so.
If the banks were suffering from their lax fraud controls, they would probably do something about it.
As it stands, the bank (the victim of the fraud that the bank failed to prevent) just pushes the problem off on some individual. So the laws are terrible there (it should be straightforward for someone to repudiate an account and hear nothing more from the institution that mistakenly opened said account).
Nerd rage is the funniest rage.
True, credit cards aren't used that often outside online/mail-order transactions and what's referred to as "EC cards" is a different kind of animal ( http://en.wikipedia.org/wiki/Cheque_guarantee_card ).
The scan of your ID card also serves a second purpose. In case your wallet is stolen you simply provide your name, address, date of birth and together with a visual confirmation they'll let you withdraw money at the counter until your replacement bank card is mailed to you.
You mean like on my driver's license here in the US up until a few years ago? That's why my new driver's licenses always had an unfortunate encounter with a belt sander soon after issue.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables