Feeds

Biometric ID cards an insecure menace, says EU ID outfit

Don't do it, and fix the passports ASAP, apparently...

Next gen security for virtualised datacentres

The EU-funded FIDIS (Future of Identity in the Information Society) project has warned that implementation of the current generation of biometric travel ID will dramatically decrease security and privacy, and increase the risk of identity theft. In the Budapest Declaration, which derives from FIDIS' September meeting in Budapest, FIDIS calls for short-term damage control measures to be taken (because biometric ID is already being rolled out), and for "a new convincing and integrated security concept" to be developed within the next three years.

FIDIS points out that the new generation of biometric Machine Readable Travel Document (MRTD) is remotely readable at a distance of 2-10 metres, and that current security simply isn't good enough to protect it. Access control is "susceptible to circumvention or hacking" and there is "risk of ubiquitous, unobserved authentication to MRTD data by authorised or unauthorised third parties, enabling tracking of people carrying a passport". The most significant problems with these MRTDs are, says FIDIS:

- Biometrics in MRTDs currently cannot be revoked and since biometric features of the users such as fingerprints and facial features cannot easily be changed, "stolen" biometrics can be abused for a long period of time

- Insufficient key management with BAC: The key to access data on the RFID tag is stored on the passport itself and can be read by humans and machine scanners. This means that anybody who has had physical access to the passport and e.g. made an optical copy, could store the key information and use it to access data on the RFID tag

- Eavesdropping of communication between RFID tag and reader and brute force attack on BAC using documented cryptographic weaknesses to discover data

- Cloning of RFID tags in MRTDs

- Abuse of the remote readability of RFID tags in passports, for e.g. person sensitive ignition of ‘smart bombs’

FIDIS' proposed short-term damage-control measures should be of particular interest to those who - like, say, the UK Home Office - propose to use ICAO standard biometric travel ID more broadly, both in the public and private sectors. Don't, says FIDIS. Use of MRTDs should be confined to its defined purpose of "authentication of international travellers" and they should "not be extendable to authentication in the private sector."

Citizens should be made aware of the risks of handing the documents over to private organisations (say, hotel registration), and "security measures such as Faraday cages should be integrated immediately into current MRTDs by the European member states". Which is a trick we'd like to see for biometric ID cards, cards not generally coming with covers, which is where you'd put the Faraday cage if your passports were fitted with them. Which in the case of the UK at least, they aren't.

And alongside these measures, steps should be taken to deal with the failure of biometric authentication due to false rejection or enroll errors, and we should be planning to combat MRTD-perpetrated ID and data theft.

In the longer term, a complete re-evaluation and redesign should be carried out, and it should be considered "whether these technologies are actually necessary, or if technologies which are more secure and privacy-preserving (such as contact smartcards instead of contactless mechanisms) are sufficient." Could we all be going to wake up in ten years time and conclude biometric ID was a really dumb idea? It's a thought. (FIDIS home) ®

The essential guide to IT transformation

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Primetime precrime? Minority Report TV series 'being developed'
I have to know. I have to find out what happened to my life
Sit tight, fanbois. Apple's '$400' wearable release slips into early 2015
Sources: time to put in plenty of clock-watching for' iWatch
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?