ID card 'chip and PIN' proposal raises security fears

• Tags:
• Credit,
• Payments,
• Warned,
• Identity

Nick Heath silicon.com

Published: 16 Apr 2009 09:19 BST

• 
• 
• 
• 
• 

The government has proposed adding chip-and-PIN capabilities to ID cards, but questions remain over whether such a move would be beneficial — or even possible — at this late stage in the £4.7bn project.

With the project still dogged by doubts over what practical benefits the cards will offer to the public, the Identity and Passport Service (IPS) last week raised the possibility of adding chip-and-PIN functionality, with IPS chief executive James Hall saying the IPS is now in discussions with the financial services industry.

"One of the issues on the table is whether we should introduce chip-and-PIN technology into the card. If we conclude that chip and PIN is a key part of making it useful there's no technical reason why we couldn't do it," Hall said in a statement.

The EMV technology standard that underpins chip-and-PIN transactions in UK credit and debit cards could be vital in any attempt to make chip-and-PIN ID cards useful.

EMV is the common technology standard used in card readers and ATMs in the UK that allows them to recognise all chip-and-PIN cards and be used to authenticate payments and withdrawals at shops and banks across the country. It stands for Europay, MasterCard and Visa, the three payment groups that originally developed the standard.

According to Colin Whittaker, head of security for UK payments association Apacs, the inclusion of EMV technology on ID cards could ultimately see the cards offer a common standard for authenticating identity remotely using the PIN number.

With chip-and-PIN ID cards, holders could access new government and private-sector services online using the PIN to verify their identity. Business too could take advantage of such functionality: instead of phoning an IPS verification line to check staff have permission to work in the UK, companies could ask them to verify their identity using the card's PIN.

If it were possible to add chip-and-PIN capabilities there could be benefits for the government and taxpayer too: relying on EMV technology and cryptography could cut the cost of implementing the scheme, as the infrastructure to authenticate the cards could be modelled around the tried-and-tested chip-and-PIN terminals and networks, used to verify card payments across the UK every day.

"All those sorts of technological challenges are understood and a lot of the technology needed to deliver these things using EMV are almost commodity items," Whittaker said.

The inclusion of EMV is not without its downsides, however. Clive Longbottom, service director for business processes facilitation at analyst house Quocirca, questioned the desirability of chip and PIN and warned that adding EMV functionality would make ID cards less secure.

'No idea' about security
"It will be disastrous to try and add chip and PIN to ID cards as it has proven not to be secure on credit and debit cards. It is less secure than the previous signature-based system," Longbottom said.

"It just goes to demonstrate that the government has no idea of what security really is."

Longbottom added that the system was also vulnerable to PIN numbers being spied on in public and to criminals hacking terminals to steal card transaction and PIN details.

Cambridge University security researcher Richard Clayton added that PIN functionality could open up new avenues for identity fraudsters.

Using a PIN number to prove identity online and access government services risked fraudsters setting up spoof public service sites to steal PINs and personal details, in the same way criminals set up fake banking sites today, he said.

"You could find somebody using your PIN to log into the [Department for Work and Pensions] website and redirect your pension to a different address."

Threat to project
Clayton warned chip and PIN could threaten the entire project. "Introducing new ideas and changing the specification in the middle of a project is a recipe for the whole thing not working. This is why so many government IT projects go over budget and fail."

"If it was such a good idea why was it not introduced at the beginning?" Clayton asked.

Fraudsters may have some time to wait for the inclusion of chip-and-PIN functionality on ID cards, however.

Apacs's Whittaker added there have been no indications from discussions with the IPS or from ID cards legislation that the inclusion of chip and PIN technology is being considered, despite the fact that the cards will be made available to the general public in two years' time.

"What a wonderful functionality that would be but that's not going to be flagged as being available in identity cards, which leads us to believe that there is no EMV functionality in the card," said Whittaker. "You can see no evidence that says it is going to be implemented. Going back to the strategic delivery plan and secondary legislation I find it questionable how those aspirations can be met."

Indeed, the inclusion of chip-and-PIN functionality would appear to be backtracking by the government.

Earlier this year in response to criticisms about missing PIN functionality, identity minister Meg Hillier argued against adding too many features to the card.

"If you try and lay too much on something then you risk overwhelming it and making it too complex," she said.

Credit: Chip and PIN for ID cards: Not such a sharp idea? from silicon.com

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed