Entries Tagged "ID cards"

Page 9 of 10

Identity Cards Don't Help

Emily Finch, of the University of East Anglia, has researched criminals and how they adapt their fraud techniques to identity cards, especially the “chip and PIN” system that is currently being adapted in the UK. Her analysis: the security measures don’t help:

“There are various strategies that fraudsters use to get around the pin problem,” she said. “One of the things that is very clear is that it is a difficult matter for a fraudster to get hold of somebody’s card and then find out the pin.

“So the focus has been changed to finding the pin first, which is very, very easy if you are prepared to break social convention and look when people type the number in at the point of sale.”

Reliance in the technology actually reduces security, because people stop paying attention:

“One of the things we found quite alarming was how much the human element has been taken out of point-of-sale transactions,” Dr Finch said. “Point-of-sale staff are told to look away when people put their pin number in; so they don’t check at all.”

[…]

Some strategies relied on trust. Another fraudster trick was to produce a stolen card and pretend to misremember the number and search for it on a piece of paper.

Imagine, she said, someone searching for a piece of paper and saying, “Oh yes, that’s my signature”; there would be instant suspicion.

But there was utter trust in the new technology to pick up a fraudulent transaction, and criminals exploited this trust to get around the problem of having to enter a pin number.

“You go in, you put the card in, you type any number because you don’t know what it is. It won’t go through. The fraudster — because fraudsters are so good with people — says, ‘Oh, it’s no good, I haven’t got the hang of this yet. I could have sworn that was my number… I’ve probably got it confused with my other card.’

“They chat for a bit. The sales assistant, who is either disinterested or sympathetic, falls back on the old system, and swipes the card through.

“Because a relationship of empathy has already been established, and because they have already become accustomed to averting their gaze when people put pin numbers in, they don’t check the signature at all.

“So fraud is actually easier. There is very little vigilance at the point of sale any more. Fraudsters know this and they are taking advantage of it.”

I’ve been saying this kind of thing for a while, and it’s nice to read about some research that backs it up.

Other articles on the research are here, here, and here.

Posted on September 6, 2005 at 4:07 PMView Comments

UK Border Security

The Register comments on the government using a border-security failure to push for national ID cards:

The Government spokesman the media could get hold of last weekend, leader of the House of Commons Geoff Hoon, said that the Government was looking into whether there should be “additional” passport checks on Eurostar, and added that the matter showed the need for identity cards because “it’s vitally important that we know who is coming in as well as going out.” Meanwhile the Observer reported plans by ministers to accelerate the introduction of the e-borders system in order to increase border security.

So shall we just sum that up? A terror suspect appears to have fled the country by the simple expedient of walking past an empty desk, and the Government’s reaction is not to put somebody at the desk, or to find out why, during one of the biggest manhunts London has ever seen, it was empty in the first place. No, the Government’s reaction is to explain its abject failure to play with the toys it’s got by calling for bigger, more expensive toys sooner. Asked about passport checks at Waterloo on Monday of this week, the Prime Minister’s spokeswoman said we do have passport checks — which actually we do, sort of. But, as we’ll explain shortly, we also have empty desks to go with them.

Posted on August 11, 2005 at 1:28 PMView Comments

RFID Cards for U.S. Visitors

The Department of Homeland Security is testing a program to issue RFID identity cards to visitors entering the U.S.

They’ll have to carry the wireless devices as a way for border guards to access the electronic information stored inside a document about the size of a large index card.

Visitors to the U.S. will get the card the first time they cross the border and will be required the carry the document on subsequent crossings to and from the States.

Border guards will be able to access the information electronically from 12 metres away to enable those carrying the devices to be processed more quickly.

According to the DHS:

The technology will be tested at a simulated port this spring. By July 31, 2005, the testing will begin at the ports of Nogales East and Nogales West in Arizona; Alexandria Bay in New York; and, Pacific Highway and Peace Arch in Washington. The testing or “proof of concept” phase is expected to continue through the spring of 2006.

I know nothing about the details of this program or about the security of the cards. Even so, the long-term implications of this kind of thing are very chilling.

Posted on August 2, 2005 at 6:39 AMView Comments

How Banks Profit from ID Theft

Wells Fargo is profiting because its customers are afraid of identity theft:

The San Francisco bank, in conjunction with marketing behemoth Trilegiant, is offering a new service called Wells Fargo Select Identity Theft Protection. For $12.99 a month, this includes daily monitoring of one’s credit files and assistance in dealing with cases of fraud.

It’s reprehensible that Wells Fargo doesn’t offer this service for free.

Actually, that’s not true. It’s smart business for Wells Fargo to charge for this service. It’s reprehensible that the regulatory landscape is such that Wells Fargo does not feel it’s in its best interest to offer this service for free. Wells Fargo is a for-profit enterprise, and they react to the realities of the market. We need those realities to better serve the people.

Posted on July 27, 2005 at 7:42 AMView Comments

How to Not Fix the ID Problem

Several of the 9/11 terrorists had Virginia driver’s licenses in fake names. These were not forgeries; these were valid Virginia IDs that were illegally sold by Department of Motor Vehicle workers.

So what did Virginia do to correct the problem? They required more paperwork in order to get an ID.

But the problem wasn’t that it was too easy to get an ID. The problem was that insiders were selling them illegally. Which is why the Virginia “solution” didn’t help, and the problem remains:

The manager of the Virginia Department of Motor Vehicles office at Springfield Mall was charged yesterday with selling driver’s licenses to illegal immigrants and others for up to $3,500 apiece.

The arrest of Francisco J. Martinez marked the second time in two years that a Northern Virginia DMV employee was accused of fraudulently selling licenses for cash. A similar scheme two years ago at the DMV office in Tysons Corner led to the guilty pleas of two employees.

And after we spend billions on the REAL ID act, and require even more paperwork to get a state ID, the problem will still remain.

Posted on July 19, 2005 at 1:15 PMView Comments

Spelling Errors as a Counterfeiting Defense

This is a weird rumor.

ID cards in Belgium are being printed with intentional misspellings in an attempt to thwart potential fraudsters.

Four circular arcs on the ID cards show the country’s name in different languages — French, Dutch, German and English. According to the article, the German and English arcs will be spelled incorrectly, and misspellings will also appear elsewhere on the cards. The idea is that people making counterfeit cards won’t notice the misspellings on the originals and will print the fraudulent cards with the names spelled properly.

More information is here:

To trick fraudsters, the Home Office has introduced three circular arcs on the card — just beneath the identity photos — where you will find the name of the country in the official languages spoken in Belgium — French, Dutch and German, as well as in English. But instead of ‘Belgien’ in German, the ID card incorrectly uses the name ‘Belgine’ and instead of ‘Belgium’ in English, the card reads ‘Belguim’. Vanneste has promised other errors will be printed on the card to “further confuse fraudsters”. With any luck, these will not be revealed.

I’m not impressed with this as a countermeasure. It’s certainly true that poor counterfeits will have all sorts of noticeable errors — and correct spelling might certainly be one of them. But the more people that know about the misspellings, the less likely a counterfeiter will get it wrong. And the more likely a counterfeiter will get it wrong, the less likely anyone will notice.

I’m all for hard-to-counterfeit features in ID cards. But why make them grammatical?

Posted on June 1, 2005 at 7:58 AMView Comments

REAL ID

The United States is getting a national ID card. The REAL ID Act (text of the bill and the Congressional Research Services analysis of the bill) establishes uniform standards for state driver’s licenses, effectively creating a national ID card. It’s a bad idea, and is going to make us all less safe. It’s also very expensive. And it’s all happening without any serious debate in Congress.

I’ve already written about national IDs. I’ve written about the fallacies of identification as a security tool. I’m not going to repeat myself here, and I urge everyone who is interested to read those two essays (and even this older essay). A national ID is a lousy security trade-off, and everyone needs to understand why.

Aside from those generalities, there are specifics about REAL ID that make for bad security.

The REAL ID Act requires driver’s licenses to include a “common machine-readable technology.” This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn’t matter how well the states and federal government protect the data on driver’s licenses, as there will be parallel commercial databases with the same information.

Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver’s licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).

REAL ID requires that driver’s licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police — even undercover police officers. This seems like a major unnecessary security risk.

REAL ID also prohibits states from issuing driver’s licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses — which isn’t going to help anyone’s security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

REAL ID is expensive. It’s an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I’ve seen estimates that the cost to the states of complying with REAL ID will be $120 million. That’s $120 million that can’t be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver’s licenses, the security measures recommended by the 9/11 Commission Report. That’s already done. It’s already law.

REAL ID goes way beyond that. It’s a huge power-grab by the federal government over the states’ systems for issuing driver’s licenses.

REAL ID doesn’t go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver’s license will bring a new level of “show me your papers” checks by the government. Already you can’t fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I’ve already heard rumblings about requiring states to check identities against “government databases” before issuing driver’s licenses. I’m sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

Is there anyone who would feel safer under this kind of police state?

Americans overwhelmingly reject national IDs in general, and there’s an enormous amount of opposition to the REAL ID Act. This is from the EPIC page on REAL ID and National IDs:

More than 600 organizations have expressed opposition to the Real ID Act. Only two groups–Coalition for a Secure Driver’s License and Numbers USA–support the controversial national ID plan. Organizations such as the American Association of Motor Vehicle Administrators, National Association of Evangelicals, American Library Association, Association for Computing Machinery (pdf), National Council of State Legislatures, American Immigration Lawyers Association (pdf), and National Governors Association are among those against the legislation.

And this site is trying to coordinate individual action against the REAL ID Act, although time is running short. It’s already passed in the House, and the Senate votes tomorrow.

If you haven’t heard much about REAL ID in the newspapers, that’s not an accident. The politics of REAL ID is almost surreal. It was voted down last fall, but has been reintroduced and attached to legislation that funds military actions in Iraq. This is a “must-pass” piece of legislation, which means that there has been no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing.

Near as I can tell, this whole thing is being pushed by Wisconsin Rep. Sensenbrenner primarily as an anti-immigration measure. The huge insecurities this will cause to everyone else in the United States seem to be collateral damage.

Unfortunately, I think this is a done deal. The legislation REAL ID is attached to must pass, and it will pass. Which means REAL ID will become law. But it can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I’ll be there.

Posted on May 9, 2005 at 9:06 AM

Biometric Passports in the UK

The UK government tried, and failed, to get a national ID. Now they’re adding biometrics to their passports.

Financing for the Passport Office is planned to rise from £182 million a year to £415 million a year by 2008 to cope with the introduction of biometric information such as fingerprints.

A Home Office spokesman said the aim was to cut out the 1,500 fraudulent applications found through the postal system last year alone.

Okay, let’s do the math. Eliminating 1,500 instances of fraud will cost £233 million a year. That comes to £155,000 per instance of fraud.

Does this kind of security trade-off make sense to anyone? Is there absolutely nothing better the UK government can do to ensure security and safety with £233 million a year?

Yes, adding additional biometrics to passports — there’s already a picture — will make them more secure. But I don’t think that the additional security is worth the money and the additional risks. It’s a bad security trade-off.

And I’m not a fan of national IDs.

Posted on April 21, 2005 at 1:18 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.