| View previous topic :: View next topic |
| Author |
Message |
John Welford
C-List
Joined: 07 Oct 2005
Posts: 612
Location: Edinburgh
|
 Posted: Tue, 10 Mar 2009 17:06:57 +0000 Post subject: Scottish Daily Mail: Security fears over ID cards ... |
 |
|
Security fears over ID cards Executive wants us all to have
by Graham Grant and Mark Howarth
Not online
'BIG Brother' ID cards that store personal details are being introduced in Scotland despite a security blunder that puts millions at risk of identity fraud. About 1.4 million Scots have already been issued with the microchipped National Entitlement Card, which carries their name and photograph ...
The cards are being introduced despite evidence that they can be ‘cloned’, allowing fraudsters to steal identities ...
Last night, Ross Anderson, professor of security engineering at Cambridge University, said: 'It is irresponsible for [Scottish Government] ministers to introduce a system they know to be insecure and use it as a framework for sharing people's private information.'
The Scottish Daily Mail has found that the cards were branded a 'risk' four months ago when it emerged they can be reproduced in just two minutes. But ministers chose not to warn the public and, in January, a report announced the system was watertight ...
Last night, Executive officials insisted the passes have ‘additional security encoding to ensure citizens' data is secure'.
_________________
John
http://www.jwelford.demon.co.uk/ |
|
| Back to top |
|
 |
John Welford
C-List
Joined: 07 Oct 2005
Posts: 612
Location: Edinburgh
|
| Posted: Tue, 10 Mar 2009 17:13:52 +0000 Post subject: |
|
|
Although the Scottish Daily Mail has not put the above article online, Mark Howarth has kindly given his permission for the whole piece, as he submitted it, to be reproduced here.
MORE than a million Scots – including tens of thousands of children – are at risk of identity fraud after [Scottish Government] ministers kept quiet about a massive data protection flaw, the Daily Mail can reveal.
The Executive’s National Entitlement Card (NEC) scheme was officially branded a “risk” four months ago following the discovery that two German students had picked apart its security code. Research has confirmed that defences on the microchipped passes are so flimsy that one can be cloned in less than two minutes.
But ministers, who have known since last year about the alert, chose not to warn the public of the danger and, in January, even published a report claiming that the system was watertight. The Executive is under contract to buy three million of the compromised cards and the databank behind the project is due to go live in the next few days allowing citizens’ data to be swapped and monitored across the public sector.
Last night, critics denounced the Executive’s actions as “inexcusable”. Ross Anderson, Professor of Security Engineering at Cambridge University, said: “It is completely irresponsible for ministers to introduce a system that they know from the word go to be insecure and use it as a framework for sharing people’s private information.
“It will be dead easy to copy these cards and become even easier all the time which means bad people will have every opportunity to spend your money and get into buildings that the card entitles you get into. These cards are basically a con. They’re a front for a government running databases that will share your information unnecessarily and probably unlawfully.
“It’s just a mess. Scottish ministers have at least said no to ID cards - for them to welcome a cheap and nasty version of the ID card in through the back door as the entitlement card is careless. It's time to stop and think, or better still 'think - then stop'.”
NECs were introduced by the Executive in 2006 as high-tech bus passes for pensioners. But the scheme has since been extended to include other services such as libraries, leisure centres and – with its ‘electronic purse’ function - cashless catering for pupils.
There are also plans to use the cards as security passes in schools. Around 1.4 million have been issued including 250,000 to 11-to-26-year-olds as Young Scot Cards and ministers want every citizen to eventually use them when dealing with local authorities.
Each one contains a microchip on which is stored personal details including name, address, date of birth and a Unique Citizen Reference Number (UCRN). The card enables local authorities to log its dealings with the public on computers. But later this month, all those disparate databases will be effectively linked up when the Executive’s Citizen’s Account Service (CAS) goes live. Using the UCRN, the CAS will allow an individual’s data to be tracked across the public sector including, eventually, the NHS and emergency services.
The SNP is opposed to ID cards but campaigners believe the NEC system will allow unprecedented surveillance of people's activities as more and more databanks are fed into the central structure.
In 2006, the Executive signed a three-year deal for three million of the Mifare Classic brand of smartcard from East Kilbride company Ecebs. But in December 2007, two German research students, Karsten Nohl and Henryk Plotz, caused ripples in the industry by claiming to have unravelled its security code.
Now it has emerged that the UK body which regulates entitlement card standards withdrew its blessing from the brand four months ago because of the “risk posed by Mifare Classic security issues”. ITSO – whose members include government agencies including Transport Scotland – stated that “it is now possible to crack the ... cryptography within two minutes and clone the card onto an emulator built using standard components available over the internet”.
But the low-key website message nevertheless insisted that the passes should continue to be issued to unsuspecting Scots until December 2009. The compromised entitlement cards – including a further 7.7 million in England and Wales - will then be phased out over the next seven years. Last night, the Executive insisted that the passes have “additional security encoding to ensure citizens’ data is secure” - though a spokesman said no more details could be given out for “security reasons.”
However, Dr Geraint Bevan of campaign group NO2ID said: “Extra encryption will not stop the cards being cloned and once a card is cloned, its security is significantly weakened. It will only be a matter of time before a determined fraudster can retrieve the personal data.”
He added: “It is inexcusable for the Executive to have kept quiet about this - people have a right to know that the card in their pocket has been compromised. If your card is cloned, you have no way of knowing - it can be done by the bloke sitting next to you on the bus with a laptop.
“Money can then be duplicated or stolen from the ‘electronic purse’. If the cloner is involved in a crime you may be implicated and have to explain to the police why you shouldn’t be the chief suspect. Anywhere which relies on the cards for door security – government buildings or schools - will be left wide open. But the most likely motive for cloning the card would be to steal your personal data. Name, address, date of birth – those are the details that identity thieves and credit fraudsters look for.
“Yet there’s absolutely no need for all this information to be on the cards in the first place. The Executive should remove all personal data from them. It should alert the public to the risk and offer to replace them with a type that has not yet been compromised."
The card’s weaknesses also undermine ministers’ new crackdown on underage drinking. Their flagship alcohol strategy, unveiled last week, states: “We will ... further promote the Young Scot National Entitlement Card and to bolster its use and recognition as a proof of age card."
This month, the cornerstone database of the NEC project – the Citizen’s Account Service (CAS) - goes live. In 2007, MSPs demanded that ministers investigate whether the CAS would protect Scots’ right to data protection. Its report, published in January, made no mention of the ITSO ruling. And it concluded that “security and ... data protection controls within the programme are thorough and do appear to provide a robust technical security solution”.
Reproduced with the permission of Mark Howarth.
_________________
John
http://www.jwelford.demon.co.uk/ |
|
| Back to top |
|
|
Andrew Watson
Moderator
Joined: 09 Jan 2005
Posts: 6283
Location: Cambridge
|
|
| Back to top |
|
|
John Welford
C-List
Joined: 07 Oct 2005
Posts: 612
Location: Edinburgh
|
| Posted: Tue, 10 Mar 2009 18:39:05 +0000 Post subject: |
|
|
Thanks, Andrew, and thanks also for the two useful Mifare links.
Just to say that the Mail's printed version of the article has a picture of a Young Scot card. Always a good eye-catcher!
_________________
John
http://www.jwelford.demon.co.uk/ |
|
| Back to top |
|
|
|
|
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
