Feeds

Biometric ID cards an insecure menace, says EU ID outfit

Don't do it, and fix the passports ASAP, apparently...

The Power of One eBook: Top reasons to choose HP BladeSystem

The EU-funded FIDIS (Future of Identity in the Information Society) project has warned that implementation of the current generation of biometric travel ID will dramatically decrease security and privacy, and increase the risk of identity theft. In the Budapest Declaration, which derives from FIDIS' September meeting in Budapest, FIDIS calls for short-term damage control measures to be taken (because biometric ID is already being rolled out), and for "a new convincing and integrated security concept" to be developed within the next three years.

FIDIS points out that the new generation of biometric Machine Readable Travel Document (MRTD) is remotely readable at a distance of 2-10 metres, and that current security simply isn't good enough to protect it. Access control is "susceptible to circumvention or hacking" and there is "risk of ubiquitous, unobserved authentication to MRTD data by authorised or unauthorised third parties, enabling tracking of people carrying a passport". The most significant problems with these MRTDs are, says FIDIS:

- Biometrics in MRTDs currently cannot be revoked and since biometric features of the users such as fingerprints and facial features cannot easily be changed, "stolen" biometrics can be abused for a long period of time

- Insufficient key management with BAC: The key to access data on the RFID tag is stored on the passport itself and can be read by humans and machine scanners. This means that anybody who has had physical access to the passport and e.g. made an optical copy, could store the key information and use it to access data on the RFID tag

- Eavesdropping of communication between RFID tag and reader and brute force attack on BAC using documented cryptographic weaknesses to discover data

- Cloning of RFID tags in MRTDs

- Abuse of the remote readability of RFID tags in passports, for e.g. person sensitive ignition of ‘smart bombs’

FIDIS' proposed short-term damage-control measures should be of particular interest to those who - like, say, the UK Home Office - propose to use ICAO standard biometric travel ID more broadly, both in the public and private sectors. Don't, says FIDIS. Use of MRTDs should be confined to its defined purpose of "authentication of international travellers" and they should "not be extendable to authentication in the private sector."

Citizens should be made aware of the risks of handing the documents over to private organisations (say, hotel registration), and "security measures such as Faraday cages should be integrated immediately into current MRTDs by the European member states". Which is a trick we'd like to see for biometric ID cards, cards not generally coming with covers, which is where you'd put the Faraday cage if your passports were fitted with them. Which in the case of the UK at least, they aren't.

And alongside these measures, steps should be taken to deal with the failure of biometric authentication due to false rejection or enroll errors, and we should be planning to combat MRTD-perpetrated ID and data theft.

In the longer term, a complete re-evaluation and redesign should be carried out, and it should be considered "whether these technologies are actually necessary, or if technologies which are more secure and privacy-preserving (such as contact smartcards instead of contactless mechanisms) are sufficient." Could we all be going to wake up in ten years time and conclude biometric ID was a really dumb idea? It's a thought. (FIDIS home) ®

Top three mobile application threats

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.