New national ID cards are coming to Germany. The new cards boast features designed to safeguard against the hazards of the Internet age, including phishing and identity theft, but critics say there are still problems.
The new German ID cards will be released November 1
National identification cards are nothing new to Germans. Citizens have been required to show their ID card or a passport to the authorities since 1939, when the Nazis first wrote it into law. After World War II, the various occupying powers kept the policy of national ID cards for everyone over the age of 16.
On November 1, the German government is rolling out the latest incarnation of the German national ID card, the so-called electronic ID, or EID. The new cards contain a microchip using radio frequency identification technology, or RFID. This technology is already widely used in security systems for various buildings, as well as by retailers to inventory goods.
All citizens whose ID cards are expiring this year can apply for new ones, as the government begins to phase them in.
"It's an electronic means of identifying an item, in this case an ID card," said Karsten Nohl, an independent security expert, in an interview with Deutsche Welle.
The RFID capabilities of the new cards take the concept of identification further than current IDs in Germany, which are also used for international travel within the European Union. The cards can be used to identify the user on the Internet, and even to authenticate digital signatures.
At first glance, these new IDs don't look different from the current analog cards. They feature a photo, name, address, date of birth, height, eye and hair color and location of issuance, just like the old ones. But this data is also stored on the microchip in the card, along with a digital biometric photograph of the cardholder.
The Federal Office for Information Security, better known by its German acronym, BSI, is developing the new cards.
"We have a lot of features in the card which are very, very useful," said Manuel Bach, the EID project manager. "For example, the protection against phishing sites which are a big problem in Germany and around the world, and we totally get rid of it using the Germany ID card."
The Chaos Computer Club circumvented the EID's security on television
Phishing websites often are set up to look like a legitimate online merchant in order to harvest personal or financial data. BSI claims that EID card holders could use the card via a digital reader connected to their computer in order to detect when a website doesn't have a correct security certificate.
Another security measure on the card is the beefed-up encryption, which is based on elliptic curve cryptography and, according to Bach, is essentially unbreakable.
Chink in the armor
Hackers tend to agree that the encryption is not the weakness in the system.
The German hacker collective, the Chaos Computer Club (CCC), raked the new system over the coals in September when they went on television and hacked the new ID using basic spyware. But it wasn't the card itself that made the hack so easy.
To take advantage of the online authentication perks for the computer, the card must be coupled with a peripheral card-reading piece of hardware. Card readers come in a variety of models, and the CCC circumvented the most basic model.
Their hackers installed a keylogger on the user's computer, enabling them to steal the PIN and then rewrite data on the ID card using that information.
It is disingenuous of the government to promote the new system as secure while such a hole exists, according to Constanze Kurz, a CCC spokeswoman.
"If you pretend that all your citizens are really good with computers, and that they can manage their own IT security on their systems, then you are definitely wrong," she said. "The hackers will always attack the weakest point and the weakest point is the user."
Citizens need to protect themselves better
BSI's Manuel Bach agreed that the end-user was the weakest link in the chain, but demurred, saying that computers infected with Trojan horses and other malware are already at risk of hemorrhaging data, even without the new ID card.
"The Germany ID card can't protect you from Trojan horses, it's just a piece of plastic with a microchip inside," Bach said. "So you as a citizen or computer user have a responsibility to secure your system. If you do that you're very safe, even with a basic card reader."
Despite this downside, security expert Karsten Nohl is convinced that the authentication and remote signature functions of the ID are better than the alternatives.
"This, of course, promises much more security than some wobbly line of ink on a piece of paper," he said.
With initiatives like STORK, EIDs like Germany's could become very common
Leap of faith
But Nohl is not convinced that the system is being handled with all due care.
"People shouldn't start off using this card as if there's nothing to steal from it," Nohl warned. "Once the card is stolen or can be emulated, any future application becomes vulnerable. The awareness of future abuse potential has to be created today."
Concerns such as Nohl's and those of the CCC are underlined by the fact that the use of this style of identification is on the rise.
The European Union is planning to launch a new initiative in 2011 called STORK. Through this program, 17 participating European nations with electronic IDs, including Germany, would be able to cooperate across borders.
The program claims that in the future, users will be able to start a company, get a tax refund or obtain university admissions status online.
Author: Stuart Tiffen
Editor: Cyrus Farivar