Schneier: ID cards will worsen ID theft
Tom Espiner writes in ZDNet UK:
Security expert Bruce Schneier has slated the UK’s ID card scheme, saying that not only will it not solve e-crime, it will also make ID theft worse.
The security guru told ZDNet UK on Wednesday that the risks of implementing a centralised ID card scheme were “severe”, with little return on the investment required.
“Having a single ID is much more dangerous [than multiple IDs],” said Schneier. “ID theft is fraud due to impersonation. If you have a centralised ID card, you are making that ID that much more valuable to criminals,” Schneier added.
Bruce Schneier is a renowned security expert who has published widely on cryptography and data security. His weblog and monthly newsletter on security issues are both widely read in the IT industry.
April 27th, 2006 at 18:20
I think the thing that worries me is that the dead database is going to be incorporated into the live one. If I can gain access to the dead db then I can copy a file and remove the biometrics and substitute my own. I can then write something back to the original db to corrupt the old file and since the person is dead they’ll leave it.
Nice one Home Office.
April 28th, 2006 at 14:18
ZDNet quotes Bruce Schneier: “Having a single ID is much more dangerous [than multiple IDs], [...] ID theft is fraud due to impersonation. If you have a centralised ID card, you are making that ID that much more valuable to criminals, [...]”
True. But defending a single vulnerable point is usually easier than defending a multiplicity of vulnerable points. [Think of all those utility bills that banks seemingly accept so readily as proof of identity/address. Plus, in the USA, the Social Security Number (SSN): that "secret knowledge", like a password or PIN, that is thrown about like confetti.]
The issue is more complicated than given in the ZDNet quote, though such simple things suit those partisans who favour rhetoric over analysis.
Best regards
May 4th, 2006 at 12:37
But attacking a single vulnerable point is also easier than a multiplicity – hence the utility bills. Sure, it is a pretty “out-dated” form of confirming someone is who they say they are. But is being all modern and technological the point?
Balance what is happening in such a transaction with the actual need to link a name to a person. When opening a bank account all the bank REALLY needs to know is that someone is opening an account and has some money to hand over. The bank then gives the person a token that allows them to withdraw that money in the future. The only point where names are “needed” is to fulfill bureaucratic needs (or as I prefer to think of them, dangerous impulses that in other areas might be controlled with medication).
I think the banks asking for a utility bill reflects the level of importance banks place on this point in the transaction. They go through the motions because they have to.
The actual task of making sure that someone has the right to access money in an account, the task people might rightly care about, is handled rather differently – or should be.
When we use something as flimsy as “identity” to make access to things like money possible the system is weak. Perhaps trying to make identity stronger isn’t the best solution to such problems.
May 4th, 2006 at 19:49
@dunx, who wrote: “When opening a bank account all the bank REALLY needs to know is that someone is opening an account and has some money to hand over.”
What the bank actually needs to do (for better or worse and in addition to what they might themselves choose to do) is comply with the money laundering regulations, as described here: http://fsahandbook.info/FSA/html/handbook/ML
And concerning attacks, the security of your whole system is the security of the weakest link (pace Schneier). Fewer links to check equals more security.
Best regards
May 5th, 2006 at 12:17
Like I said – the bank asks for weak forms of ID in order to fulfill something bureaucratic, not to protect the security of people’s money.
Banks aren’t currently using weak forms of ID to give access to people’s money, are they? No – because they know they are weak.
Should banks be using government issued ID cards confirmed against a biometric to fulfill their legal obligations? I am sure they will make a decision based on the cost of implementing such a system, balanced against the cost to them of failures in the current system. If the government requires them to do it they will do it. If doing it allows them to pass all liability for fraud on to the victim of that fraud, I am sure they would find it a good reason for doing it.
I think that Schneier’s point about a single ID scheme being weak is that it is proposed that the system will be used in lots of places and for lots of purposes. If the ID card is cracked for one purpose it is cracked for all of them. ID thieves who figure out how to crack the system can completely steal people’s identities and use them for more purposes than pinching some utility bills from their dustbin.