Feeds

Biometric ID cards an insecure menace, says EU ID outfit

Don't do it, and fix the passports ASAP, apparently...

The next step in data security

The EU-funded FIDIS (Future of Identity in the Information Society) project has warned that implementation of the current generation of biometric travel ID will dramatically decrease security and privacy, and increase the risk of identity theft. In the Budapest Declaration, which derives from FIDIS' September meeting in Budapest, FIDIS calls for short-term damage control measures to be taken (because biometric ID is already being rolled out), and for "a new convincing and integrated security concept" to be developed within the next three years.

FIDIS points out that the new generation of biometric Machine Readable Travel Document (MRTD) is remotely readable at a distance of 2-10 metres, and that current security simply isn't good enough to protect it. Access control is "susceptible to circumvention or hacking" and there is "risk of ubiquitous, unobserved authentication to MRTD data by authorised or unauthorised third parties, enabling tracking of people carrying a passport". The most significant problems with these MRTDs are, says FIDIS:

- Biometrics in MRTDs currently cannot be revoked and since biometric features of the users such as fingerprints and facial features cannot easily be changed, "stolen" biometrics can be abused for a long period of time

- Insufficient key management with BAC: The key to access data on the RFID tag is stored on the passport itself and can be read by humans and machine scanners. This means that anybody who has had physical access to the passport and e.g. made an optical copy, could store the key information and use it to access data on the RFID tag

- Eavesdropping of communication between RFID tag and reader and brute force attack on BAC using documented cryptographic weaknesses to discover data

- Cloning of RFID tags in MRTDs

- Abuse of the remote readability of RFID tags in passports, for e.g. person sensitive ignition of ‘smart bombs’

FIDIS' proposed short-term damage-control measures should be of particular interest to those who - like, say, the UK Home Office - propose to use ICAO standard biometric travel ID more broadly, both in the public and private sectors. Don't, says FIDIS. Use of MRTDs should be confined to its defined purpose of "authentication of international travellers" and they should "not be extendable to authentication in the private sector."

Citizens should be made aware of the risks of handing the documents over to private organisations (say, hotel registration), and "security measures such as Faraday cages should be integrated immediately into current MRTDs by the European member states". Which is a trick we'd like to see for biometric ID cards, cards not generally coming with covers, which is where you'd put the Faraday cage if your passports were fitted with them. Which in the case of the UK at least, they aren't.

And alongside these measures, steps should be taken to deal with the failure of biometric authentication due to false rejection or enroll errors, and we should be planning to combat MRTD-perpetrated ID and data theft.

In the longer term, a complete re-evaluation and redesign should be carried out, and it should be considered "whether these technologies are actually necessary, or if technologies which are more secure and privacy-preserving (such as contact smartcards instead of contactless mechanisms) are sufficient." Could we all be going to wake up in ten years time and conclude biometric ID was a really dumb idea? It's a thought. (FIDIS home) ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.