Germans radio tag ID cards and phones
Have they not seen Lives of Others?
German telcos are planning to trial NFC payment stickers next year, though from next month every German ID card will contain a radio tag able to secure internet commerce.
The Germans have gone ahead and radio-enabled their ID Cards, with every card issued after 1 November containing an RFID chip capable of providing a digital signature for securing internet commerce. All this renders unsurprising the news (reported by NFC Times) that German network operators are planning to deploy sticker-based NFC tags based on their existing mpass system.
Mpass is the operator-backed brand run by Paybox, who launched a pay-by-mobile system in 1999 (your correspondent even managed to pay for a restaurant meal using the service a decade ago). These days it's limited to securing internet transactions by confirming the details over SMS, but NFC Times reports that Vodafone and O2 are planning to supply stickers for attaching to the back of mobile phones and taking mpass into the real world.
Which is probably a good thing when the German ID card is set to become the default mechanism for securing internet transactions, once it has an RFID chip embedded in it.
RFID Journal reports that the German government plans to hand out 1.2 million RFID card readers, for use by German citizens who want to be able to identify themselves over the internet. But those terminals are pretty basic: they use the computer keyboard to collect the PIN (and are thus open to keyloggers and the like), and are to be used for identification rather than authentication. More advanced, "comfort" readers will be subsidised - these have a separate keypad and can be used to cryptographically sign electronic documents, enabling secure electronic commerce.
Security concerns are apparently addressed by government promises that only authorised companies will be able to use ID Card verification - so that's OK then.
But security isn't at the heart of the decision by Vodafone and O2 to expand mpass into retailing. The service hasn't proved particularly popular as it is, and direct competition from a government-backed (and subsidised) scheme will take away whatever success mpass has had. So the only options for the network operators at the moment are to get into retail or call it a day. ®
Security is hard
"German telcos are planning to trial NFC payment stickers next year, though from next month every German ID card will contain a radio tag able to secure internet commerce."
That merely means the merchant gets your ID fershure with it, risking feature creep and eventual inability to do anything online unless you a) have such a card and b) sign everything you do with your full identity.
What it doesn't do is give you the citizen any assurance at all that your identity won't be abused, that there's not some man-in-the-middle attack going on, what-have-you.
Security is hard to get right. So hard, in fact, that various governments can't even admit it is hard to get right.
The Chaos Computer Club begs to differ....
The Chaos Computer Club in Hamburg made front-page news the other day by completely hacking this shiny-new German ID card and the Swiss version of it at the same time.
The attack vector was the combination of a compromised computer (trojan horse etc.) plus the cheapo ID card reader without its own PIN pad. By reading the PIN while it was entered into the PIN pad software associated with the ID card reader and then leaving the ID card in the reader, it was then possible for the attacker to sign any number of transactions using the stolen identity.
The BSI (German government agency for computer security) then issued a press statement that users shouldn't leave the ID card in the reader for any more time than strictly necessary -- somehow failing to mention that the ID card is actually RFID and doesn't need to be in the reader to be read, it is sufficient if it is reasonably close.
The other problem is that there are no "proper" card readers with built-in PIN pad available or even currently being certified. The "basic" readers used in the attack are the ones selected for the starter kits in the introduction stage of the new ID card.
(sorry, German only)
This plan will instantly create an underclass of people in Germany who, unable to do any of these wonderful techno things because they don't have a German ID, are excluded further from German society.
The underclass known as "foreigners", "immigrants" or what have you.