The new ID cards will debut in November 2010Image: Bundesministerium des Innern
Good news for hackers
September 23, 2010
The highly-touted new national ID cards are easily hackable, computer experts say. But the ministry responsible for the new cards is standing behind its technology.
Beginning in November 2010, German citizens who apply to renew their national ID cards will receive feature-rich cards capable of storing data-banking information and biometric statistics. About the size of a standard credit card, the new cards will also enable card-holders to make financial transactions with state authorities over the Internet.
The high-tech cards are supposed to provide enhanced security for online purchases. But this week, the Chaos Computer Club, a German-based group of computer hackers, demonstrated for a WDR television program that they could easily crack the personal identification number (PIN) of a test model of the new ID cards.
Once a hacker has got hold of the PIN, he or she could impersonate the cardholder on the Internet and make purchases. And, he or she could easily change the PIN of the card.
"For the card owner, that means he won't even be able to access the data on his own card - he won't have the PIN anymore," Chaos Computer Club member Constanze Kurz told the broadcaster WDR.
In order to make purchases from a home computer, the cardholder inserts his ID into a special card reader to verify his identity. The Federal Office for Information Security (BSI) has acknowledged that it is possible to use so-called Trojan malware to crack PINs when the user is using a simple version of the card reader. The effect is similar to the 'keystroke' logging software that records every character typed on a keyboard.
An expensive mistake
The government has already spent about 24 million euros ($30.5 million) for about a million of the basic version of the readers. Experts recommend the use of high-quality readers, which have their own keyboard for entering the PIN, in order to foil potential hackers.
But the Federal Office for Information Security, which developed the cards, has stressed that even with the known weaknesses of the simple card reader, the authentication process is still much safer than a username and password combination.
The ID card is still to be introduced according to plan, ministry spokesman Tim Griese told Deutsche Welle.
"There are no additional security measures planned in light of the current discussions," said Tim Griese of the Federal Office for Information Security.