Self-satirising ID card madness. So they’ve actually got as far as issuing some significant contracts. We’ll begin by noting that one of them has gone to CSC, last seen introducing the joy of Cerner software to the NHS National Programme for IT. But much more to the point, what is this talk about using the Chip-and-PIN infrastructure?
This is an insanely stupid idea, and is probably explained by the fact that someone has realised that there are no biometric readers, nobody wants them, there are no plans for how to deploy them, and the totality of Government thinking on the subject can be summed up as “private sector ponies!”
We already know that the system, although more secure than the old one, is quite fallible and has been successfully attacked. We further know that there are even merchant terminals in circulation with unauthorised GSM radios in them that send messages to numbers in Pakistan. It is also true that the UK version of EMV doesn’t provide two-factor authentication because the PIN is stored on the card. This means that someone preparing a fake card who could steal bank card PINs could also steal National ID ones and make the card work in a reader.
The importance of this cannot be overstated. The primary mechanism of authentication is not the one the makers say is the primary one, it’s the one that gets used the most. There are currently several million EMV terminals; there are zero biometric ones. Further, the biometric technologies involved have high failure rates; EMV has well over 99 per cent uptime and even higher accuracy. Therefore it will be used and the biometrics won’t, so a rational attacker won’t worry about the biometrics unless they really have to.
In fact, because of the false positive issue, the biometrics will be gainsaid by the EMV. Think about it. As a checker, you will with mathematical certainty encounter regular false positives. (You’ll also encounter false negatives, but you won’t know about them.) However, you will only very rarely encounter a real positive. Therefore, if a biometric check doesn’t match, you will believe it to be a false alarm, and you will very probably ask the person presenting it to enter their PIN.
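The base-rate arithmetic behind that paragraph, as an added example that is not part of the original post. The post’s “false positives” are non-matches for genuine holders (false non-match rate); the rates and the fraction of fraudulent presentations used here are constructed figures, not numbers from the post.

```python
# Added example (not from the post): why a checker will treat a biometric
# mismatch as a false alarm, and what a PIN fallback then does to security.
# All rates below are assumed, constructed values for illustration.

def p_mismatch_is_impostor(fnmr: float, fmr: float, prevalence: float) -> float:
    """Probability that a non-matching biometric belongs to an impostor.

    fnmr: P(no match | genuine holder)   (the post's "false positive")
    fmr: P(match | impostor)             (the post's unseen "false negative")
    prevalence: P(impostor) among all presentations at the checkpoint
    """
    for v in (fnmr, fmr, prevalence):
        if not 0.0 <= v <= 1.0:
            raise ValueError("rates must lie in [0, 1]")
    # Bayes: P(impostor | no match) = P(no match | impostor) P(impostor) / P(no match)
    p_nomatch_genuine = fnmr * (1.0 - prevalence)
    p_nomatch_impostor = (1.0 - fmr) * prevalence
    total = p_nomatch_genuine + p_nomatch_impostor
    if total == 0.0:
        return 0.0  # mismatches never happen under these rates
    return p_nomatch_impostor / total


def mismatches_per_real_impostor(fnmr: float, fmr: float, prevalence: float) -> float:
    """How many mismatches a checker sees for each one that is a real impostor."""
    p = p_mismatch_is_impostor(fnmr, fmr, prevalence)
    return float("inf") if p == 0.0 else 1.0 / p


def impostor_success_with_pin_fallback(fmr: float, p_pin_known: float) -> float:
    """Chance an impostor passes when a mismatch is resolved by asking for the PIN.

    p_pin_known: probability the attacker already holds the PIN (e.g. a PIN
    stolen alongside the card data, as the post describes).
    """
    return fmr + (1.0 - fmr) * p_pin_known


if __name__ == "__main__":
    # Constructed figures: 2% genuine holders fail, 0.1% impostors pass,
    # 1 in 10,000 presentations is fraudulent.
    p = p_mismatch_is_impostor(fnmr=0.02, fmr=0.001, prevalence=0.0001)
    print(f"P(impostor | mismatch) = {p:.4f}")
    print(f"mismatches per real impostor = {mismatches_per_real_impostor(0.02, 0.001, 0.0001):.0f}")
    print(f"impostor success with known PIN = {impostor_success_with_pin_fallback(0.001, 1.0):.3f}")
```

With these figures roughly 200 mismatches occur for every genuine impostor, so the checker’s “it’s a false alarm, enter your PIN” reflex is statistically reasonable, and an attacker who holds the PIN then passes almost every time.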
Also, the government seems to have abandoned the idea of doing direct biometric-to-database checks and instead wants to authenticate a biometric held on the card to the user, like looking at the photograph on a passport. This is much easier to fool anyway, because the card can be altered to match the user. But adding an additional “check” which is in fact easier to fake means that a forged card is more likely to be accepted.
A fundamental problem with EMV is that there is no out-of-band verification of the transactions. You have to trust the card reader, and there is no obvious way of verifying it. Personally, I always turn it over and look under it because all the hardware attacks I’ve read about involve drilling a hole through the back, but if the remote management interface has been left with the password set to “password” this won’t help me at all.
Various efforts to improve this exist; there are systems that send an encrypted message to an application on your mobile phone to get your authorisation, so that if someone else is trying to spend your money, you’ll get unsolicited authorisation requests, and if a card reader is actually a fake you *won’t* get an authorisation request and your bank won’t pay.
But this doesn’t exist in the UK, so the government is suggesting integrating what it thinks is the gold standard of identification into a significantly weaker security system; it’s in the nature of security that the weakest link determines the strength of the whole.
Now here’s the self-satirising bit. As before with the old bank card system, the banks have been trying to pretend that EMV is infallible and that anyone who loses money is a fraud. The test case that will probably end this madness is coming right up, at the same time as the government wants to use the system for ID cards!