Feeds

Biometric ID cards an insecure menace, says EU ID outfit

Don't do it, and fix the passports ASAP, apparently...

3 Big data security analytics techniques

The EU-funded FIDIS (Future of Identity in the Information Society) project has warned that implementation of the current generation of biometric travel ID will dramatically decrease security and privacy, and increase the risk of identity theft. In the Budapest Declaration, which derives from FIDIS' September meeting in Budapest, FIDIS calls for short-term damage control measures to be taken (because biometric ID is already being rolled out), and for "a new convincing and integrated security concept" to be developed within the next three years.

FIDIS points out that the new generation of biometric Machine Readable Travel Document (MRTD) is remotely readable at a distance of 2-10 metres, and that current security simply isn't good enough to protect it. Access control is "susceptible to circumvention or hacking" and there is "risk of ubiquitous, unobserved authentication to MRTD data by authorised or unauthorised third parties, enabling tracking of people carrying a passport". The most significant problems with these MRTDs are, says FIDIS:

- Biometrics in MRTDs currently cannot be revoked and since biometric features of the users such as fingerprints and facial features cannot easily be changed, "stolen" biometrics can be abused for a long period of time

- Insufficient key management with BAC: The key to access data on the RFID tag is stored on the passport itself and can be read by humans and machine scanners. This means that anybody who has had physical access to the passport and e.g. made an optical copy, could store the key information and use it to access data on the RFID tag

- Eavesdropping of communication between RFID tag and reader and brute force attack on BAC using documented cryptographic weaknesses to discover data

- Cloning of RFID tags in MRTDs

- Abuse of the remote readability of RFID tags in passports, for e.g. person sensitive ignition of ‘smart bombs’

FIDIS' proposed short-term damage-control measures should be of particular interest to those who - like, say, the UK Home Office - propose to use ICAO standard biometric travel ID more broadly, both in the public and private sectors. Don't, says FIDIS. Use of MRTDs should be confined to its defined purpose of "authentication of international travellers" and they should "not be extendable to authentication in the private sector."

Citizens should be made aware of the risks of handing the documents over to private organisations (say, hotel registration), and "security measures such as Faraday cages should be integrated immediately into current MRTDs by the European member states". Which is a trick we'd like to see for biometric ID cards, cards not generally coming with covers, which is where you'd put the Faraday cage if your passports were fitted with them. Which in the case of the UK at least, they aren't.

And alongside these measures, steps should be taken to deal with the failure of biometric authentication due to false rejection or enroll errors, and we should be planning to combat MRTD-perpetrated ID and data theft.

In the longer term, a complete re-evaluation and redesign should be carried out, and it should be considered "whether these technologies are actually necessary, or if technologies which are more secure and privacy-preserving (such as contact smartcards instead of contactless mechanisms) are sufficient." Could we all be going to wake up in ten years time and conclude biometric ID was a really dumb idea? It's a thought. (FIDIS home) ®

High performance access to file storage

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Sorry London, Europe's top tech city is Munich
New 'Atlas of ICT Activity' finds innovation isn't happening at Silicon Roundabout
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.