Feeds

'RFID the lot of them!' UK ID card to use ICAO reader standard

Hello, the National Tagging Register...

  • alert
  • submit to reddit

Top three mobile application threats

Because of the nature of the technology, there will be a risk whenever the card is being used for identification, rather than solely when it is being 'officially' read via its contactless capability. For most purposes this capability is unlikely to be needed.

Burnham says that the forms of verification currently being considered are "card, PIN and biometric identification", i.e. whether the picture matches the face, whether the bearer can enter the PIN and whether the biometrics of the person match either those on the card (local check) or the National Identity Register (online check). These forms of verification are being discussed with "various organisations who would be potential users", and the discussions cover "what performance is acceptable".

The discussions have not yet reached a conclusion, but it seems perfectly possible that the Home Office's vaunted scheme, protected by magic biometric technology, will in most cases operate as picture ID or a pin-protected card, which are the options least likely to add to cost and inconvenience to interested organisations.

In those cases where a biometric check is used, the Home Office has been considering measures that could be employed to combat spoofed biometrics. Burnham didn't give an answer on the use of contact lenses to fool iris recognition, but said that methods to deal with faked fingerprints could include "selecting a random finger for verification, from those available, rather than using only one fingerprint on all occasions. This also gives flexibility around issues arising from short term damage to fingers, such as a cut." This interesting idea, one notes, would inevitably add greatly to delays, confusion and failure rates at border checkpoints, and prove discouraging to commercial organisations considering using the more secure (allegedly...) biometric check.

One of the bodies the Home Office is consulting on biometric security issues is GCHQ's Communications and Electronic Security Group. We note that this organisation's FAQ currently includes this categorical statement: "There are currently no approved biometrics applications, and we do not expect any to be available in the near future as none of the technologies have yet, in our view, reached the stage where we would be happy with them as the sole access control mechanism." Have they told the Home Office?

While they're about it, they might care to discuss the use of single identification numbers, where the Home Office's views seem somewhat underdeveloped. Asked what assessment of the risks posed by the use of a single national identity number had been made, Burnham replied that an "extensive risk assessment of the use of a single identifying number has been conducted by experienced fraud and security experts. This has resulted in the selection of a new single identifying number that is unrelated to any number issued by the Government at the present time." So, the Government has assessed that existing identity number systems are too broken to use, and decided to invent a new, universal one instead.

It's worth noting that the Home Office's answers on issues of verification and security almost all lead to "the integrity of the National Identity Register" as a backstop. Thus, the "performance of one particular identifier or technology [which might be used in verification] is not the key determinant" because during enrolment a false match on one particular biometric "would be resolved by other biometric matches or by inconsistencies with the information held about the applicant and the record against which it had been matched." Which appears to indicate that the primary concern is for the data held by the Government to be solid, with the security offered to the user (which is surely the user's primary concern) coming a distant second or third. Similarly, supervision of enrolment would "reduce" (sic) the likelihood of fake biometrics being successful, and details of how the Government proposes to stop this becoming a simple key to ID fraud cannot be provided "in order to protect the integrity of the National Identity Register."

Effectively, it's a system which by design puts all of its eggs in one basket, and is dependent on that basket being made impregnable via measures which the Government will never reveal or discuss. Trust us...

Costings update

On which subject, the Home Office has published its promised rebuttal of the London School of Economics' report on ID cards. The Home Office document (available here) has a very brief section on costings, which largely boils down to claims that the LSE used the wrong figures, and that the Home Office has access to other figures (which it still won't share with us) that justify its own costings entirely.

As William Heath points out at Ideal Government, "How the assumptions work comes down to whether you trust the Home Office, its intentions, and its manner of doing business. Of course the Home Office has a self-image of itself as the good guys being hampered by a tedious liberties lobby in its fight against evil. It trusts itself. But it hasn't won many friends during all this process. The cause did seem to win Tony Blair as a convert. And there's a cluster of businesses hoping for patronage. But I've yet to hear of anyone won over by the arguments as put by the Home Office."

It's doubtful whether the Home Office rebuttal merits a rebuttal rebuttal, but now the wretched thing exists we face the tedious prospect of Ministers confidently claiming that the LSE study has now been thoroughly discredited. The LSE is preparing its response, but has told Kable that the Home Office document contains substantial material errors and appears ot contain false assumptions about the LSE's alternative blueprint. ®

Related stories:

Make ID cards foolproof pleads Met chief
Clarke's ID card cost laundry starts to break surface
Privacy groups slam US passport technology

Top three mobile application threats

More from The Register

next story
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.