A German Pirate Party member has created a website designed to spoof electronic ID card software. German authorities say that while this attack is possible, its potential for damage remains low.
The new digital ID cards were released in late 2010
On Monday, a German computer security researcher revealed a new method to circumvent security measures for the new German digital ID card software.
Jan Schejbal, a German currently living in Stockholm, and a member of the German Pirate Party, posted on his blog a method of "phishing," or spoofing the official German government website as a way to trick Germans to giving up their login details.
The phishing scam concept is the second security work-around Schejbal has produced for the new ID card since they were released.
The new cards, which became available November 1, 2010, and will gradually replace current German cards, contain an RFID wireless chip - the same kind found in many contactless security or payment keycards. The chip stores digital versions of the card holder's photo, name, address, date of birth, height, eye and hair color and location of issuance.
The Interior Ministry and the Federal Office for Information Security (BSI) claim the cards will help the government provide easy-to-use digital signatures and other government services, as well as protection against online scams and phishing attacks. Germans can also use the IDs in place of a passport when traveling within the European Union.
Estonia has had digital ID cards for eight years
Schejbal's latest hack was revealed when he posted a fake website on the German Pirate Party server that launches a decoy Windows screen that looks very similar to the actual ID card application.
German authorities remain unfazed
The BSI called the new attack a "classic phishing scheme," and said that it did not present any new threat or vulnerability to the new ID card system or software, according to spokeswoman Nora Basting.
"In the Schejbal case, the attacker would receive only the PIN of the ID card," Basting said. "The fact that an attacker knows a cardholder's PIN doesn't do any damage. Only knowing the PIN, for example, misuse of the card or the personal data of the owner is not possible, because [possession] of the electronic ID is required."
In his blog post, Schejbal called for more Internet security education for average users.
"To protect against this attack, one must learn to distinguish false from genuine windows," he wrote.
"If it is possible to move a window out of the browser window, then it is at least a real window. However, websites can also open the pop-up window that can then move freely. In all major browsers, the site can indeed hide many parts of the browser window, but the address bar (or Opera, a thin strip with the website address) will always stand to prevent expressing that a pop-up is considered a real window."
Schejbal also pointed out that when the electronic ID is active in the card reader and is being read by a computer, the light on the card reader turns from green to blue.
Author: Cyrus Farivar
Editor: Stuart Tiffen