Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Abuse concerns over UK ID card scheme

TSSI Systems : 27 October, 2008  (Technical Article)
TSSI voices its concerns over the use of biometric driving licences as de facto ID cards in a scheme which is wide open to abuse
Following a speech this week at the Biometrics Conference 2008 by identity minister Meg Hillier, who said there was 'nothing to stop' drivers' licences or other documents from being designated to work as ID cards, identity experts TSSI systems said that such an extension of UK ID cards by the back door makes the scheme vulnerable to abuse.

Hillier, UK Parliamentary Under-Secretary of State for Identity, said that under the Identity Card Act 2006, designated driving licences or documents could contain the same biometrics and security as an ID card, with details placed on the National Identity Register, (NIR), and used to verify a person's identity. Hillier's presentation at the conference showed ID cards also playing a part in accessing public services from 2015, with the minister showing a slide referencing maternity allowance, tax returns, TV licences and incapacity benefit.

"This appears to be a blatant extension of the ID card scheme by the back door, and makes it vulnerable to abuse," said Stewart Hefferman, COO, TSSI Systems. "I've been concerned about such an extension of ID card use since they were very first announced."

"The big concern with ID verification is impersonation. Unfortunately, the Government's ID card scheme does not go far enough to address this problem - and linking the NIR into a variety of different databases, all accessible by various government employees - further exacerbates the problem."

"The two main weaknesses are firstly, an over-reliance on biometric security, and secondly, the preference for centralised data storage. Together these leave the ID card system vulnerable to cloning."

Biometrics alone is not enough - "Stronger verification technology needs to be in place. Biometric technology alone does not suffice to prevent fraud - despite strong encryption, the Dutch biometric passports were cracked soon after launching. Unfortunately, there is no such thing as a 100% secure solution - and saying you've got one is an open invitation to hackers! All you can do is minimise the risk as far as possible."

"What's needed if the ID card scheme is to work, is a belt and braces approach. Storing the biometric data as an algorithmic encryption makes it impossible for even the most sophisticated fraudster to read or substitute. Even authorised personnel - and therefore any successful hackers or corrupt employees - would only be able to view binary code, and not the finger, iris or facial data itself. They would also be unable to replicate the algorithm to clone the card."

Centralised data storage is a security concern - "The way the information is stored and structured needs to be carefully implemented to avoid sowing the seeds of disaster!"

"Storing this data centrally and then linking this into a variety of databases is a security concern. Other countries such as France and Italy have stipulated that biometric information is stored only on the cards themselves - thus still within the possession of the individual."

'If it is stored centrally, then the biometric data must be stored separately from any other personal data. This would make it harder for any hacker to join up the dots and steal someone's identity or clone a card."

"I also strongly advise that back-end systems enable an audit trail of those personnel who have accessed individual records on those back end systems."
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo