Brave New Digital World

This news story is way off our mission statement, but it’s so chilling that I had to post it here.

I never believe the government when it reassures me that a document is “unforgeable”, or that publicly-held information about me is absolutely secure. Even if the technical specs of a secure ID system are state-of-the-art — which is no guarantee in itself — there are other ways to obtain the hidden data. All governmental bureaucracies, even those that handle top-secret sensitive information, are staffed by ordinary people who earn relatively modest salaries. Among them there will always be unscrupulous or desperate employees who are willing to sell their skills and access for the right price.

The only way to protect the privacy of citizens is to have as little information as possible in government hands. Unfortunately, in its zeal to do what’s best for us in ever more efficient ways, our government believes just the opposite. No matter how many laptops full of payroll data get left on the train, the bureaucrats charged with our well-being want us to believe that our secrets are safe with them.

In the USA we’ve got a version of this hi-tech identity-theft problem: our new passports. If you leave your new passport open just a crack inside your purse, your full identity can be read within a radius of about fifty feet by anyone having the right equipment.

In the UK it’s the shiny new national ID card which will come into use at the beginning of next year. But don’t worry! It can’t possibly be forged or stolen, you know, so your secrets are safe with Her Majesty’s appointed authorities.

According to The Daily Mail:

New ID cards are supposed to be ‘unforgeable’ — but it took our expert 12 minutes to clone one, and programme it with false data

Adam Laurie is no ordinary hacker. In the world of computing, he is considered a genius — a man whose talents are used by government departments and blue-chip companies to guard against terrorists and cyber-criminals.

But even by his standards, what he is about to demonstrate is mind-boggling — and deeply disturbing.

Laurie is holding one of 51,000 ID cards issued by the Home Office to foreign nationals currently working or studying in Britain.

It is similar to the ID card for British citizens unveiled last week by Alan Johnson, the Home Secretary, as part of the Government’s ongoing National Identity Scheme.

Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.

This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.

But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.

- - - - - - - - -

He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains — the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.

With a few more keystrokes on his computer, Laurie changes the cloned card so that whereas the original card holder was not entitled to benefits, the cloned chip now reads ‘Entitled to benefits’.

As a chilling twist, he adds a message that would be visible to any police officer or security official who scanned the card: ‘I am a terrorist — shoot on sight.’

And all of this has been done in such a way as to fool the electronic readers intended to check the ID card’s authenticity. It is, quite simply, a terrifying achievement.

For the implications of what he has demonstrated could scarcely be more serious. Laurie’s fake card could be used to fool banks, commit fraud and maybe even illegally claim benefits or free NHS care.

More disturbing still, it could be used to cover the tracks of terrorists planning atrocities on British or foreign soil. By any sensible measure, his demonstration, as part of a special Mail investigation, should be the final nail in the coffin of the Government’s £5.4-billion ID scheme.

The card unveiled by the Home Secretary will not hit the streets until the end of this year, so Laurie has not had the chance to test the precise design.

But according to the UK Identity And Passport Service, it is essentially the same and potentially just as vulnerable as the Home Office’s ‘foreign nationals’ card we tested.

‘It is the same technology,’ a spokesman told me. ‘We’re not running two different systems. It is just the facade that is different.’

This does not augur well for the reputation of the supposedly fail-safe ID card. The Government says the scheme will be rolled out only on a ‘voluntary’ basis, beginning with a trial run in Manchester in November.

But if Labour wins the next General Election and continues with its current policy, the scheme will be expanded nationwide by 2012.

And, as many banks, businesses and public service providers start to require an ID card as part of routine identity checks, Labour hopes the public will feel it has little option other than to ‘opt in’ to carrying a card, if only to make life simpler.

But would you volunteer for one? The Government insists the technology is totally secure. This investigation shows that the very opposite is true.

Our inquiries began last December, when Adam Laurie and I approached the Home Office with our suspicions that ID cards for foreign nationals, issued for the first time just one month earlier, were potentially flawed.

Officials agreed to meet us to discuss our concerns — then cancelled at the last minute. So we decided to test the system for ourselves. It took us several months to persuade a foreign student to lend us his card to examine. But when we got one, even we were shocked by what we found.

Within 12 minutes of laying his hands on it, Laurie had made a clone. I’ll explain what he did next, but first some background.

The Identity Cards Act introduced by Labour in 2006 states that the National Identity Register, which is the backbone of the scheme, may contain 50 separate categories of information about you.

These range from ‘biometric data’ — your physical characteristics, fingerprints, facial image and so on — to your current and previous addresses, your immigration status, your National Insurance, passport and driving licence numbers.

And, once registered for the scheme, if you fail to inform the Identity And Passport Service of any changes of address, you can be fined up to £1,000.

Contrary to common belief, only two sections of the community were ever to have been forced to have ID cards: foreign nationals from outside the EU wishing to reside in the UK and workers at airports. Now, following an outcry by the unions, only foreign nationals will be compelled to have them.

Even so, it is a huge project. By the end of this year, it is expected that 75,000 cards will have been issued, forming the basis of tougher immigration controls.

For our investigation we borrowed one of these cards from a foreign student whom we shall call Albert (he has asked that we do not use his true name).

About the size of a credit card, it displays his photograph, as well as printed details of his name, date of birth and so on. Embedded inside the plastic, however, is a computer chip that contains an additional digital record of all of these details, together with a copy of Albert’s fingerprints.

This is called a Radio Frequency Identification (RFID) chip. It features a tiny antenna that allows the card to bounce back information when contacted by a special electronic ‘reader’ device.

And it is this which was supposed to be the ‘unbreakable’ security measure that would ensure ID cards could never be cloned or faked.

We set out to prove whether this was indeed the case, using technology that is freely available on the High Street. We have deliberately withheld some details of our procedure, so as not to encourage criminals. But at its simplest, this is how it works.

To create his ‘clone’, Adam Laurie studied the card to locate a particular set of numbers that are printed on it. (These provide a key to cracking the encryption on the chip but, for security reasons, we will not reveal where they are).

Laurie then inputted these numbers into a standard Nokia mobile phone, which comes pre-equipped with chip-scanning software.

In seconds, the phone was able to read and copy the readable digital information contained in the chip.

Laurie then held the phone against a blank plastic smart card, of the sort routinely used in office buildings for electronic entry systems or for Transport for London’s Oyster cards, all of which contain similar RFID chips.

He was then able to download Albert’s ID chip details on to the blank smart card, creating a perfect copy or ‘clone’. So far, so extraordinary. But there is more.

Would we also be able to alter the cloned card, changing the details to match another person’s data? In other words, would we be able to make an ID chip that was not only a copy of a genuine one, but was a tailor-made fake — the sort that would be much sought-after by any criminal or terrorist seeking the ultimate false proof of identity?

This was a more complex process because the ID chips are supposed to be tamper-proof. Each chip stores its holder’s personal data in 16 separate files, known as ‘datagroups’.

So, for example, Number 1 datagroup has details of Albert’s name, date of birth and so on. Number 2 holds a digital version of his photograph, Number 3 his fingerprints right through to Number 13, which holds details of his immigration status, and Number 14 which is reserved for future use — possibly iris scan data.

Each one of these files is supposed to be protected with a special digital key, so that if anyone attempts to change it, the card would be identifiable as a fake to any official with a digital chip reader.

To get round this hurdle, we recruited the help of another technology expert, Jeroen van Beek, an Amsterdam-based computer consultant who advises many top companies on digital security.

Drawing on the work of renowned New Zealand computer scientist Peter Gutmann, our team was able to alter the contents of each datagroup and then ‘relock’ them, so that the card would be accepted as genuine.

We had created a perfect fake chip. The Government’s ‘fail-safe’ security had failed.

So how could we prove that our fake card would work in everyday use? Well, according to the Home Office’s Identity And Passport Service (IPS) and the Government’s Directgov website, there will be three methods used to verify ID cards as they slowly become more commonplace.

The first method is simply a visual check. You would present your ID card to a shopkeeper, bank worker, police officer or whoever and they would scrutinise the printed details on the card to confirm you were indeed the rightful holder.

The second would be an onsite check where your face or fingerprints would be compared with those held in the card chip. The third would be an electronic comparison of your face or fingerprints with those lodged on the National Identity Register when you applied for your card.

As for the first check, we have allowed ourselves the luxury of assuming that, in common with all official documents, the facade of the ID card will be faked at some point, in spite of some impressive security features.

Either that, or blank cards will be stolen to order. Last year, for example, 3,000 blank UK passports were spirited away while in transit.

Obviously, having changed the details on the chip, ours would fail the third check, the one against the information on the National Identity Register.

But the Identity And Passport Service doesn’t expect most transactions to involve a check with the register, because it is likely to involve a charge to the user of about £2.

The most important check, therefore, and the one experts believe will be most commonplace, is the second one — the one where an electronic reader at a shop, bank, supermarket and so on would compare your fingerprints or facial image with that contained on your card’s chip.

So would our ‘fake’ card pass this test? Incredibly, even though more than 51,000 ID cards have already been issued, there are no official electronic readers to check them against, except at UK borders, where foreigners’ ID cards have replaced old-style paper visas.

There, the readers must comply with standards set down by the International Civil Aviation Organization, a branch of the United Nations.

Its card and passport-checking software, called Golden Reader Tool, is designed to spot faked chips and will almost certainly be the system implemented in the next phase of the ID card scheme.

So we downloaded the latest version of Golden Reader and used it to test our cloned card. The card passed. We had created a perfect electronic forgery — one that could be used for any number of illegal activities.

This, however, was not enough to ring alarm bells at the Home Office.

When told of our investigation, a spokesman said: ‘We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened.

‘The identity card includes a number of design and security features that are extremely difficult to replicate.

‘We remain confident that the identity card is one of the most secure of its kind, fully meeting rigorous international standards.

That view is not shared by Ian Angell, professor of information systems at the London School of Economics. He said: ‘This has put a huge nail in the coffin of the National Identity Scheme. The Government can no longer say ID cards will protect us from identity theft. You have proved that they won’t.’

So what does all this mean? Well, technological fixes may eventually be available for all our hacks and fiddles.

Nevertheless, we have demonstrated that there are serious questions to be answered about the security of the whole project.

‘If the Government is serious about preventing identity theft, then it really has to do better than this,’ says Adam Laurie.

‘My real concern is that if someone falls victim to an identity theft of the type we have demonstrated, it is going to be very hard for them to prove their innocence if that forged card is subsequently used to commit a crime.

‘After all, the Government claims that the technology is foolproof.’

Even if we set aside such security concerns, it would appear that the whole ID scheme is in a shambolic state.

The Identity And Passport Service is currently issuing about 10,000 ID cards a month, but in the absence of any digital readers, any organisation that wants to check a card’s authenticity is in for a shock.

The Home Office advises calling the UK Border Agency Card Verification Helpline. So I did just that. It took 19 minutes for someone to answer the phone.

Posing as a businessman, I said I had recently been shown a new ID card by a customer as proof of his identity and was uncertain whether I could rely on it. I was told to ask my customer for a ‘second proof of identity’.

In other words, even the official ID card helpline says it’s best to rely on other forms of identity. In which case, why bother having the cards at all?

So, the theory is flawed, the technology is flawed, and the checks on ID cards are either non-existent or woefully insufficient.

When we told Chris Huhne, the Liberal Democrat Shadow Home Secretary, about our findings, he was appalled.

‘The Daily Mail’s investigation has blown such a huge hole in the Government’s ill-fated ID card scheme that it is now sinking beneath the waves,’ he said.

‘Surely it can only be a matter of time before Home Secretary Alan Johnson recognises the folly of continuing with this expensive and misguided intrusion into our privacy.’

How much more proof does the Government need before it bows to the inevitable and scraps this useless and nonsensical enterprise — and saves us £5 billion into the bargain?

Hat tip: Gaia.