ID cards will be secure, insists Home Office

But what happens if they're not... ?

By Gemma Simpson, 25 October 2007 15:26

The Home Office has defended the UK ID cards scheme after security expert Frank Abagnale - a one-time confidence trickster made famous by the Steven Spielberg film, Catch Me If You Can - said the scheme should be scrapped if the government cannot ensure it is secure.

Abagnale, now a security consultant, criticised the ID cards scheme and said: "You can develop all of the best security systems in the world, the most sophisticated software in the world [yet] all it takes is one weak link that is one person in the system to screw the entire system up."

Speaking at the RSA Conference Europe 2007, Abagnale added: "So the identity card system only takes one civil servant to ruin the entire system, so if you don't have the things in place to keep that from happening then you have no business in going there anyway."

But a Home Office spokesman told silicon.com: "Systems will be put in place to ensure that one person couldn't either change information on the NIR (National Identity Register) or could break down the security measures surrounding it."

Under these security systems, any request for NIR information will have to pass through a number of intermediate systems and filters to make sure only authenticated and authorised requests get through. The number of people who could see the whole of a person's identity or make changes to it will be limited, and those people will be fully vetted, the Home Office said.

In terms of the penalties for abuse of access, the Identity Cards Act contains a number of criminal offences to tackle attempts to compromise the NIR internally, and any attempt to tamper (physically or technically) with the NIR can lead to a sentence of up to 10 years. Any unauthorised disclosure of information from the NIR by internal staff can lead to a sentence of up to two years on indictment, it said.

The Home Office spokesman added: "No one is saying the scheme will be a panacea but by linking unique biometric information - initially face, fingerprint and possibly in future iris too - to one set of biographical information will make the use of multiple identities, and the various nefarious activities that enables, very much harder."

Abagnale also disagreed with the more general use of biometrics as an identification tool and said: "I support biometrics for entry to buildings, access to buildings and access to computers [but] I do not support biometrics as a device which should be on an ATM machine."

He added: "Once you've lost your DNA, you've lost your identity forever."

However, Abagnale did give his support to data breach disclosure laws, adding: "There should be laws in Great Britain that if there is a breach you have to notify the potential victim that they could be a victim. That's just fair."

Data breach legislation is the subject of silicon.com's Full Disclosure campaign.

Comments

There are 13 comments.

  1. anonymous

    There is and always will be one major flaw in the ID Card Scheme, the point at which the biometric record is generated.

    There is no method by which you can prove 100% that you are who you say you are. If someone has stolen your identity already, if they are the first to get the link made between biometric and biographic data, as Abagnale says, you have lost your identity forever.

    The system is (hopefully) only going to allow one biometric identity per biographic entry, but will it check the other way to ensure that people are not attempting to get multiple biographic identities?

  2. George

    The following details show that these ID cards will make bad problems worse and hence should not be implemented at any cost.

    These biometric ID cards will not be effective where there is no reading equipment and hence they will, like the Chip and PIN system, divert fraud to other sectors and provide fraudsters the option to use fakes of these cards as IDs. So rather than deterring, these cards will boost more identity fraud.

  3. Karen Challinor

    As I keep asking: when my biometric ID is compromised, where do I get a new one?

  4. Graham Coles

    As secure as the encrypted details on your passport?

    You know, all that personal data that can be read wirelessly through the tamper evident packaging and decrypted with the key they have conveniently stored unencrypted on the same chip.

    How is anyone to believe that ID cards will be secure when your passport is now a security and identity theft liability?

    As the passport was supposed to be an integral part of the ID Card fiasco, it seems fair to assume that the same security used to protect ID cards would have been implemented in Passports, in which case I suggest the ID system be scrapped because they provably are NOT secure.

    Seems that Adi Shamir's first law of security stated back in 2002 still doesn't seem to be sinking in ... Absolute secure systems do not exist. Perhaps someone should tell the Home Office, because they seem to be under the delusion they do.

  5. Karen Challinor

    "the Identity Cards Act contains a number of criminal offences to tackle attempts to compromise the NIR internally"

    yes this will stop people trying won't it

    make something a criminal offence and the problem will go away

    that's why our jails are empty

  6. Roger Huffadine

    I defy the government to commission a system that has had every line of code verified - together with every line of code in the compiler and link system.
    If you want to plant a trapdoor then you need not go for the obvious lines of code in the source code - stick it in the compiler, or simpler still the link routine - nobody, repeat nobody is going to find it until after the event.
    Forget trying to stop employees hacking the system that's too obvious.
    As for the cards the failure rate is going to kill the system within 12 months of going fully live.
    A huge waste of money.

  7. Tim

    Ask fraudsters since they do obtain new identity all the time.

  8. Charles Wood

    Remind me to copy that DVD about security systems tomorrow will you please.

    Is it copy protected with loads of laws around the world against me doing it. Oh Dear.

    I don't mind the laws against doing it, I am a professional criminal.

    Ta

    Ahmed

  9. Simon

    So, the systems will be secure because there'll be penalties for anyone attempting to subvert it.

    Or put another way, illegal acts will be prevented by adding further offences making illegal acts illegal.

    Or put yet another way, we are expected to believe that the system will be secure because criminals won't want to commit crimes in order to break it.

    Hmm.

  10. Tim Jackson

    For how long?

  11. GALLEY SLAVE#41

    I SECOND ALL OF THE ABOVE

  12. Radical Meldrew

    A compromised ID card system will instantly become worthless. Has this cold fact ever been considered before millions of pounds of public money is invested?

  13. anonymous

    Is this the same Home Office that was declared to be 'unfit for purpose' last year by John Reid? So we can certainly believe what they say, can't we?
