Estonia Tests "Contactless" ID-Cards 251
borkee writes "Estonian MEAC and CMB start testing a new version of a national ID card containing what they call 'contactless' extensions. Although they do not specifically disclose to us, taxpayers, what technology is used there, it must be quite obvious that it's nothing less than RFID. Add to this, they'll have person's biometrics in memory. (Security gurus of course know: biometrics just don't work.) Soon you can track us poor Estonians by our GSM phones and by our ID cards too!"
so ? (Score:3, Insightful)
and as always when new technology is introduced, it will probably take a long time (let's say 2 years or so) until every department (communal house, police department, hospital,..) which needs to get information from your id card, will have the correct reader installed, so until then it's used the old fashoned way.
btw are you guys required to have your id card with you all the time ?
Re:so ? (Score:4, Informative)
Re:so ? (Score:5, Insightful)
No, they're not interested in the average Joe as long as he remains that. But should he ever become or try to become someone of power and importance (or just too annoying), they'd love to have all sorts of dirt to wreck your life, career and credibility. It is considerable leverage both to prevent you becoming an influence, and controlling you if you do.
The KGB etc. were notorious for collecting vast amounts of information. Most of it they never needed, but they had it in case that person was turning out to be a problem. As long as you are a good little pawn and do nothing "wrong", there is no problem. That was true even in the Soviet union. So then you don't have any problem with them gathering this information?
Kjella
Re:so ? (Score:2, Funny)
Re:so ? (Score:2)
You also have the problem that there is a catagory of people interested in the "average Joe". Criminals, especially organised crime (which includes other country's "intelligence services), for purposes of identity theft...
The KGB etc. were notorious for
Re:so ? (Score:2)
Personally, I wouldn't care if they collect
Ummm, you hate privacy? (Score:4, Insightful)
The problem with this technology is it not only tracks you, it will allow tracking of your activities. What you buy. Where you go. The ability to, for good or bad, compile a docier on your life.
The only thing preventing this from happening before was the sheer logistics of it. Now that its real, I would like to wake people out of slumber.
I mentioned the ability to do good. I might even call them selling point excuses:
Tailored ads. Stand in front of a Coke machine with reader-"Mr. Jones, you like Cherry Coke! It's been a while since you've had one! Go ahead-we won't tell the Other cola co.!" This ad is beamed into your head(REAL technology-trial balloon tested in Japan!)-another distraction. If they are powerful enough readers, billboards changes to emphasize something in area based on your personal tastes.
Use for convenience. Make it a feature before it becomes mandatory.
For inventory/shipping control. Box 'a' has XXX going to YYY. You don't even need to scan for it directly.
Look folks, Walmart is forcing the use of tags on all their products. If the reader can read your RFID, it can read those too. Instant knowledge base of all the things you do, what you buy, or don't. Become a nonprofitable customer not well dealt with. Ack.
The potential for abuse is way to great. I have heard of no laws about the use of RFID tags. Right now they are being used on Gillette razors, being very expensive and easily stolen. Problem is, these chips are being made by the billion. You tryin' to tell me they sell BILLIONS of razors? Bah! There are 'plastic watch' chips for military use, used in Haiti for the refugee crisis.
Some tech specs-they are supposed to be burnt out at time of purchase, but they aren't, possible shielding on metal products(cans, etc.) Current readers have up to 20' read range. To deactivate them, microwave for a few secs, but set item on fire. Some are embedded in sandals. That would come in handy for tracking you. Unless you are an anti 1984ist(wow!, created a newspeak!), this should start to sound nasty. Someone with a scanner with devious intent could know all about you by scanning your curbed Hefty Cinchsack. Take an item, plant at a scene of a crime. *knock knock* "Mr. Jones, we have evidence that links you to...."
Like I said, there are ZERO laws concerning the use of these buggers. No search warrants, just scanning.
I try to be well informed, but biometrics seems better, because you know when they are being accessed, but still intrusive. With this junk(RFID), you will have the Law of Unintended consequences knocking on your door.
There are way too many possible abuses to go into, thx for patiently reading rant.
Re:Ummm, you hate privacy? (Score:2)
Re:so ? (Score:2)
you know, there is a free world outside of america too. we do not need resueing. rather, PLEASE dont rescue us.
Re:so ? (Score:3, Funny)
Posted anonymously to avoid observation by the KG^H^HDHS. Oh, damn...
Why are you arresting me? (Score:2)
Maybe you spent a few too many hours in a mosque.
Maybe you a postman...
Re:so ? (Score:5, Insightful)
Re:so ? (Score:5, Interesting)
I guess we're used to having it with us always and don't find this weird.
It sometimes amazes me about all the fuzz some countries make (UK now, but otoh, UK is against just about anything new
or I sometimes just wonder how countries like the USA can even operate well without id cards or anything like that.
OK in the USA they use the social security number or driver license as id card, which gives problems with id theft because your unique key (which would be on your id card) is also used for other functions. Why not just put this unique key on your id card and only use it for identifying you ?
OK people say then want to be free and do whatever they want. Bad luck. At the same time you want to get social security, get unemployment money, drive a car, and much more, so at least prove who you are when you want to cash that check.
Having an id card and not needing to have it with you also gives the possibility for abuse.
In the end the 'good' people who don't do anything wrong aren't bothered by it, and at least it can stop mis-use by people who want to defraud the system.
Recently there was a program on tv about people in France driving without driver licenses (driver license with points, have to many violations and they revoke it), one of the guys had a friend who looked like him, so if he got stopped he said to the policeman he didn't have his papers with him, but his name was Y and then this friend would go to the police station to say he did the offence.
Duh.. At least these kind of things could be stopped if you needed to have your papers with you all the time.
That's only one example, I guess there are many more you can come up with in which people commit fraud by saying they're someone else.
Re:so ? (Score:2)
I think in general we're not against everything new here in the UK - infact we're generally quite pissed off at usually being the last to get something. The problem ATM is that the government wants to bring in a ill thought out ID scheme which will cost us tax payers millions, won't do any good, and most of the population don't want it. Unfortunately that goes for everything this government does - huge nationwide protests about the amount of tax on fuel
Re:so ? (Score:3, Informative)
It's not that we're against everything new, it's more the clouds of spurious chaff thrown out by David Blunkett, the curious quantities of ignorance shown to con arguments and the ludicrous execution of said that tends to suggest that the taxpayer will end up shelling for a form of identity that *should be* adequately covered by photo driving licenses a
It's a matter of trust (Score:2)
The ID card in itself isn't the problem, so much as the handing of a unique identifing key which is common accross every database ever stored on you, the goverment is then free to intergrate that database into one huge database, there designing proper leglislation to add to the number of things which are stored in the database but none to remove information.
And then what stops them from using the increased computational capacity of the future to look at the database and
Re:so ? (Score:2)
I also wouldn't like to be stopped regularly and without any apparent reason. But although I live in a country where you are in principle required to have an ID card (Germany), that never happened to me. I have to show my ID when I travel abroad (outside the EU countries which signed the Schengen treaty - between those there usually are no border contro
Re:so ? (Score:2)
So then they ask your id to write your ticket and know they have the correct id and not a name/id you just made up.
Random stopping people and asking for their papers isn't happening if that's what you think or imply with the gestapo reference.
Re:so ? (Score:2)
That is a rather naive point of view.
Re:so ? (Score:2)
In fact, in an effort to reward good drivers, some places stupidly pull over good drivers and give them rewards (I don't remember what, but like movie passes or something). Obviously, the people being pulled over because they were driving well are very annoyed (they were obviously on their way somewhere).
Re:so ? (Score:2, Insightful)
Really? You're obviously white, middle-class and living in a nice part of town. ID cards are widely used to systematically harass ethnic minorities and anyone else the police decide they don't like the look of. This is especially true in a country like Belgium, which I recall being critisised by Amnesty International for exactly this kind of Gestapo behaviour.
Re:so ? (Score:3, Interesting)
Re:so ? (Score:3, Interesting)
I just wanted to say that id cards in general are not a bad thing on themselves.
I wonder how other countries do without, and if this doesn't give more possibilities to for mis-use and fraud.
My impression is they can be useful and help society in general, if used properly.
However, people on
Re:so ? (Score:2)
If you have a flawed ID system it gives a false sense of trust. For example, (living in the US) I could tell you a dozen ways to obtain a false driver's license. However, when the police or a business tries to identify you, they will trust that document much more than they would a simple statement, yet that document is no more turstworthy.
Re:so ? (Score:2)
The remark that citizens should have some trust of their government is just ignorant. The government should always be suspect. History is full of the murders and userpations of government. The 20th century saw 200 million people murdered by their nation states and only a minor fraction by criminals. In every case the first line of the userpation was an Identity card. This isn't paranoia, it is fact.
If a government wants me to trust it, I for one will always reply , "Trust but verify!" Even then I wil
Info on Biometrics not being safe ? (Score:5, Interesting)
That's very interesting, and I've never heard about it before. I mean surely the pattern in your eyes and your fingerprints are unique and does not change, no ?
Re:Info on Biometrics not being safe ? (Score:2, Insightful)
So as soon as someone has your fingerprint they can just make a fake thumb and be you anywhere they go.
Re:Info on Biometrics not being safe ? (Score:5, Informative)
Due to the limited recognition rate, you can often easily fool a biometric scanner. Face recognition systems are often fooled by holding a picture of the right person before the lense. Same often works for iris scanners. Finger print scanners can be fooled by fake fingerprints made from wax (stearine). Hand scanner sometimes are easiest. Cut out a cardboard with the right hand profile.
Most of those biometric scanners thus should never run unattended, to minimize manipulation as stated above. And if you have humans watch the scanners, you could as easily have those humans perform the checks themselves, probably getting better recognition rates.
Biometric scanners may give you additional security, if you use all the common methods like picture ids, signature and similar too, because now an attacker has not only to disguise himself accordingly, but has to fake the biometric data too. But without a central database for crosschecking the data, its rather meaningless. If he can fake a picture ID with his face and a false name, he can also fake the biometric data to fit his own data. As a stand alone tool the biometric scanners are not really ready.
Re:Info on Biometrics not being safe ? (Score:2)
Re:Info on Biometrics not being safe ? (Score:2)
That I think is the big gotcha - they are not ready yet - as these technologies improve, and as more money is poured into these kinds of research, we will see marked improvements in these systems...
Re:Info on Biometrics not being safe ? (Score:2)
The problems of Biometrics (Score:4, Insightful)
where can you revoke your fingerprint and have a new one issued?
You don't need new fingerprints... (Score:2)
Even if someone fakes your biometric information, the lost/stolen card doesn't work anymore.
Re:The problems of Biometrics (Score:2)
Re:Info on Biometrics not being safe ? (Score:2, Informative)
While all the points you mentioned are valid concerns, especially False Acceptance Rate (FAR) & False Rejection Rate (FRR), there is technology that overcomes most of these limitations.
Have a look at AuthenTec's [authentec.com] TruePrint Technology. In summary, "TruePrint Technology uses a patented radio frequency (RF) imaging technique that allows the sensor to generate an image of the shape of the live layer of the skin that is buried beneath the surface of the finger." This makes spoofing of fingerprints nearly imp
Re:Info on Biometrics not being safe ? (Score:2)
All together create a quite high security, because it checks for three different things: 1) Something the user possesses (the phone with the right ID), 2) Something the user knows (the PIN to activate the phone) and 3) something the user
Re:Info on Biometrics not being safe ? (Score:3, Insightful)
Re:Info on Biometrics not being safe ? (Score:3, Interesting)
If someone manages to compromise this, say by lifting one of your prints off a discarded coke can, or removing one of your eyeballs, then you're - as the kids say - 0wned.
Sure biometrics may be mildly harder to compromise than a password, but a password is a hell of a lot easier to revoke if it has been compromised.
Re:Info on Biometrics not being safe ? (Score:3, Insightful)
That's the problem, if an attacker can bypass the sensor and feed data directly into the recognition engine (which can be as simple as splicing a few cables) all he needs is a copy of your biometric data (which he can get from doing the same thing to any sensor you use) and he can present your authentication credentials anywhere that biometrics are used.
If your credit card or passport is stolen, it can be blo
Re:Info on Biometrics not being safe ? (Score:3, Interesting)
I think we can assume that if they thought the results of such a study would be positive they would be pouring money at it, in the hope of being able ditch that embarassing `images are very like themselves' study.
Re:Info on Biometrics not being safe ? (Score:2)
Re:Info on Biometrics not being safe ? (Score:2)
Re:Info on Biometrics not being safe ? (Score:3, Insightful)
Let's step back a bit and look at the two things needed for an authentication system...
1. Input device - the means to input the credentials into the system. These include fingerprint scanners, and keyboards for passwords etc.
2. Credentials - Fingerprints, passwords, one-time codes etc.
Traditionally, every outhentication credential can be copied or stolen eventually. So, if someone learns your password or steal
Um ... (Score:2)
Sweeping statement (Score:3, Insightful)
They do? There are plenty of viable biometric measurements out there. They are not 100% reliable, but when compared to wetware trying to remember passwords they stack up pretty well.
I for instance have a finger print reader on both my palmtop and my desktop. In the limited environment I have, they identify and authorize perfectly well.
Re:Sweeping statement (Score:4, Insightful)
And everyone else, for instance, has access to your fingerprints on every object you've touched in recent time.
Or are you using gloves?
Re:Sweeping statement (Score:2)
Also, if someone has the resources to fabricate fingerprints that will fool the reader, I don't think there's going to be a whole lot I can do about it. Almost all security is simply a means of raising the cost of hacking it to a level above it's value.
Re:Sweeping statement (Score:5, Funny)
You are completely correct, and I have implemented a cunning plan that has made the effort of hacking me not worth doing.
I have no life, no job, no financial prospects and no worth to my identity. I plan to soon get a criminal record and become a terror suspect. Eventually I will also return my internet connection to a 2400bps modem, and will be insanely secure, as there will be no worth in breaking my security
Take that, evil hackers of the world, TAKE THAT!
Re:Sweeping statement (Score:4, Insightful)
Re:Sweeping statement (Score:2)
So there is no point in having the identification hardware in the first place.
if someone has the resources to fabricate fingerprints that will fool the reader,[...]
IIRC, this consists of a small quantity of gelatine.
Re:Sweeping statement (Score:4, Informative)
Almost all security is simply a means of raising the cost of hacking it to a level above it's value.
It has been well established that cost and resources involved in defeating a fingerprint scanner amount to little more than some gummi bears. [google.com]
-
Re:Sweeping statement (Score:2)
How does one go about making use of those finger prints, and how hard would it really be to make a system that defends against false readings?
Re:Sweeping statement (Score:3, Interesting)
Google knows all. [google.com]
how hard would it really be to make a system that defends against false readings?
Apparently very hard. It seems that all commonly available scanners are easily defeated by Gummi Bears.
-
Re:Sweeping statement (Score:2)
Photoetching can be used to create molds, for example, either to fake fingers or finger covers.
Of course, you can defend against such forgeries by measuring things like skin conductivity and temperature, but those are even easier to fake than the actual print.
Fingerprints, like most biometrics, are just not that difficult to copy. Compare it the protection against forgery we have in currency, and the protection of being a pattern of ridges on a lea
Re:Sweeping statement (Score:2)
pardon my ignorance, but (Score:3, Informative)
OTOH, RFIDs have already been implemented by clubs, etc to have painless billing, etc, so there are at least a few people around the world who dont think they are that big a deal.
Living in the US, however, my own fears are based on what I have heard about the privacy issues surrounding such technology, in that anyone with a scanner can find out a dangerous amount of information about you without your knowledge or consent; so to me it seems like a bad idea at least until someone can manage to convince me otherwise about how my information will be protected.
Re:pardon my ignorance, but (Score:5, Informative)
Re:pardon my ignorance, but (Score:2)
Re:pardon my ignorance, but (Score:2)
Re:pardon my ignorance, but (Score:2)
Re:pardon my ignorance, but (Score:2)
Cool (Score:3, Interesting)
Broken (Score:5, Insightful)
* Does not contain or rely on biometrics. Generally can change, and once copied/forged one can never change the identifying information.
* Is capable of doing public-key encryption on-card. The information that identifies the person never leaks to the device. (Technically, this can be done with symmetric encryption as well in conjunction with a trusted centralized server, but this has some drawbacks.)
* Has a PIN, so that stealing the card is not sufficient to impersonate a person.
* Has a PIN entry keypad *on-card*, so that false readers and bogus ATMs cannot steal PINs.
* If any data must go back to the card owner, has a rudimentary display *on-card* (say, a calculator-style LCD display), so that a false reader or bogus ATM cannot say that someone is paying "$10.00 to WalMart" for something and actually having them pay "$14.00 to Joe Hacker".
* Should support a scheme where personal identity is not disclosed, but a persona is (my "persona" at the moment is "0x0d0a"). This is because any national ID card will naturally be used by other systems as well, and without this step, severe privacy abuses will occur. This requires use of a trusted, centralized server or of a card that can natively store multiple identities.
* Allows one to disable the trusted nature of the the card quickly and easily if it is lost, and in a manner that cannot be easily done by others (which would allow a denial-of-service attack against the card owner).
* Can handle water, crushing force, and high temperature.
* Can fit in a wallet.
* Should have the ability to log identity verification usage, so that the user can sync his card up with a computer or similar and check to see what he actually signed off on two days ago.
This certainly isn't a complete list of desireable characteristics, but it's a start.
Re:Broken (Score:4, Interesting)
Estonians, dont whine about ID cards; do what the Australians did [google.com] and refuse to carry them at all.
Your government will withdraw the scheme. Guaranteed.
Re:Broken (Score:3, Insightful)
If it contains NO biometrics at all, it becomes very difficult to make sure the ID actually matches the person presenting it. Imagine a passport without a photo or any other biometrics...
Way too geeky, and miss the point. (Score:3, Insightful)
I _AM_ me, not only do I know this for an ABSOLUTE FACT, but those people that I know (family, friends, lovers, ect) also know it (and vice versa of course)
Outside of a body-snatcher type science fiction film I am my own walking talking biometric identifier, even a 20-seconds-to-complete perfect genetic clone still won't fool anyone unless you can ALSO fill that perfect genetic clone with a perfect copy of my brain and memories, attitudes, experiences, dreams, fears, etc etc etc.
The idea that ANY subset o
Re:Way too geeky, and miss the point. (Score:2)
EG
I _can_ verify that that is indeed my driving licence.
My driving licence cannot ever verify that this is indeed me.
Re:Way too geeky, and miss the point. (Score:2)
The real point of your driving licence is to prove that you are permitted to drive certain catqagories of of motor vehicles on the public road. Generally that you have passed some tests to show basic competence and have not subsequently been caught doing stupid things which endanger other road users.
Re:Broken (Score:3, Interesting)
In smartcard-like systems (which differ from credit card systems), the PIN is not for the benefit of the ATM -- the smartcard would *never* hand over a PIN if it could get it directly from the user. As soon as you enter a PIN in smartcard, the ATM hands off the PIN to the smartcard and then is supposed to promptly "forget" about the PIN. The PIN is just what
Biometrics DO work, when used appropriately (Score:3, Informative)
I think the problem is you've got some sales monkeys who are selling the idea of biometrics as an authentication pancea to pointy-haired types, which is just further proof that non-technical people should never be in a position of authority or act in a primary decision making capacity where technology is concerned.
Re:Biometrics DO work, when used appropriately (Score:2)
All the discussion about gummy bears and digging out eye-balls makes me laugh. Most secure installations I've been around have a guard standing next to the biometric device to prevent any manipulation of the device in an unusual way. I think the only time I've seen unattended biometrics has been at Black Mesa [sierra.com], an
RFID or contactless? (Score:3, Insightful)
Which is this?
Mmmm... Possibilities :) (Score:3, Interesting)
And about this GSM-tracking? I'd like to whack that bastard who came up with the idea to bring this to the public. It's pretty dawm hard to give your girlfriend impression you're doing overtime @work, when your phone puts you in the strip-club.
GSM-Locator [delfi.ee]Simple.
Why RFID? (Score:2)
Smartcards like this are usually contactless in that they can be at most several millimetres away from the reader (The power levels achieved typically allow only a very small separation (a few millimeters) between the card and the reader.)
I guess that They can increase the power signal until a satellite can read it, but AFAIK if they can do that, privacy issues are the least of my worries.
Re:Why RFID? (Score:2)
Wrong. The ones at my work can read cards 12"+ away from the pad.
Re:Why RFID? (Score:2)
I lifted that quote straight from a manufacturer's website, you'd think they know the operating characteristics of their cards now wouldn't you?
In any case, there are different types of cards, ranging from ones you have to touch to the pad (close-coupled cards) to ones that operate a small distance away (proximity cards) and ones like you have, (vicinity cards) not to mention real RFID tags. It makes a big difference on the applic
Isn't Estonia (Score:3, Funny)
Rus
Re:Isn't Estonia (Score:2, Informative)
Some Considerations (Score:3, Insightful)
This, and other problems that arose from the long term Soviet occupation make a secure method on identification necessary.
Under their circumstances, the Estonian Government believes security is more important than privacy.
"The" local language my ass. (Score:2, Informative)
Why assume RFID (Score:2)
This is contactless, in the sense that it is read by just being placed on top of a box on the bus. I doubt it can be read from further away (or they'd just put detectors in the door and speed up the queue).
Luckily they use a worthwhile biometric for identification. There is a photo on the card and a human being looking at it.
Re:Why assume RFID (Score:2)
God no! That would mean I lived in (shudder) London.
I don't know what technology the Lothian ones are based on, I had assuemd they were not `RFID' mostly because they predate my being aware of RFID as a technology, and the very short range. Probably I have the wrong end of the `RFID' stick, as to what the term covers. I understood it to be a standard for low-capacity, wireless scanning (ie what you need to replace barcodes) and distinct from standards for
Money (Score:2)
Re:Money (Score:2)
You know when.. (Score:2)
..you read too much Dilbert, I initially read Estonia as Elbonia. :-)
Re:Money (Score:2)
Circumventing the technology. (Score:2, Funny)
1) Fry the electronics in the card by putting it in a microwave oven etc.
2) Report the card as lost and get a new working card.
You can then keep the working card wrapped in tinfoil and use it only when you really need its identification technology.
Otherwise use the card with the disabled electronics as you would use a 'normal' ID card.
RFID == bad?? (Score:2)
Sounds like there will be a market for... (Score:3, Insightful)
...Faraday-cage id card wallets
In Finland.... (Score:4, Insightful)
libertarions unite!! whine about RFID (Score:2, Insightful)
Estonia in the EU (Score:2)
So at least for now, the Estonian government (or whoever else) cannot "just" track anyone in Estonia.
Biometrics just don't work? (Score:2)
Biometrics work. And the level of detail beats the snot out of some password.
The obvious prank (Score:2)
Sounds Pretty High-Tech (Score:3, Funny)
Oh, Estonia ... I was thinking Elbonia. Sorry - my bad.
I have Contactless ID cards too ... (Score:3, Informative)
All doors in the office open as soon as you flash the ID cards (the doors beep , and everyone looks up at you as if to say "what are you doing roaming around")
The entry into various rooms are restricted like this (this is an outsourcing company , so clients are very very paranoid about "nonfull disclosure" being maintained). Testing server room doors could with your ID could even get you fired here
It need not be RFID or anything magic - just extend the reader to something like the metal detector in an airport to read this magnetic ink (holding this against the noonday sun shows that these are lines/bar-codes running the whole length of the card like those security threads in currency)....
And I'm sitting here clocking the first 9 1/2 of the 47 1/2 hours needed for the week , commenting on slashdot
Re:In Soviet Estonia.. (Score:3, Interesting)
You'd think that the ex-Soviet countries would be really protective of their new freedoms...
Re:In Soviet Estonia.. (Score:2, Insightful)
Take it to your own level of whether this is good or bad. I'm sure the comment arguments have already started.
Re:In Soviet Estonia.. (Score:3, Interesting)
being a DDR like hellhole is a _social_ _people_ problem, not something that just spurs out of technology. you cold have a super invasive super bitchy governing system with just people and hard sticks.
besides than this I would bet these id cards to be similar to bus cards, that you would have to
Re:national id cards... all countries have them (Score:5, Insightful)
A passport is not the same as a national ID card. No one is required to hold a passport, so can refuse to show it, or pretend that they do not have one. The same goes for driving licenses.
A compulsory national ID card is very different. You cannot claim not to have it, and hence can be required to produce it - even if that requirement is not immediate.