British biometric ID card system vulnerable to cloning

(11/11/2008)

TSSI has branded the Government proposal by Home Secretary Jacqui Smith to ask companies such as the Post Office to collect biometric data as irresponsible. It said that such a system that allowed private companies to gain ownership of public identity data could be vulnerable to abuse.

“Handing over the keys to public identity data to organisations such as Royal Mail will open up a whole new can of worms. It seems preposterous to put public data into the hands of a third party when data loss is as commonplace as it is,” said Stewart Hefferman, COO, TSSI Systems Ltd. “It’s clear now that the government has intended to link the ID card scheme into its other services. I’ve been concerned about such an extension of ID card use since they were very first announced.”

“The big concern with ID verification is impersonation. Unfortunately, the Government’s ID card scheme does not go far enough to address this problem – and by opening up a photo kiosk style fingerprinting service at a post office with data made accessible to various employees – will further exacerbate the problem.”

“The two main weaknesses are firstly, an over-reliance on biometric security, and secondly, the preference for centralised data storage. Together these leave the ID card system vulnerable to cloning.”

“Stronger verification technology needs to be in place. Biometric technology alone does not suffice to prevent fraud – despite strong encryption, the Dutch biometric passports were cracked soon after launching. Unfortunately, there is no such thing as a 100% secure solution – and saying you’ve got one is an open invitation to hackers! All you can do is minimise the risk as far as possible.”

“What’s needed if the ID card scheme is to work, is a belt and braces approach. Storing the biometric data as an algorithmic encryption makes it impossible for even the most sophisticated fraudster to read or substitute. Even authorised personnel – and therefore any successful hackers or corrupt employees - would only be able to view binary code, and not the finger, iris or facial data itself. They would also be unable to replicate the algorithm to clone the card.”

“The way the information is stored and structured needs to be carefully implemented to avoid sowing the seeds of disaster. Storing this data centrally and then linking this into a variety of databases is a security concern. Other countries such as France and Italy have stipulated that biometric information is stored only on the cards themselves – thus still within the possession of the individual.”

"If it is stored centrally, then the biometric data must be stored separately from any other personal data. This would make it harder for any hacker to join up the dots and steal someone’s identity or clone a card. I also strongly advise that back-end systems enable an audit trail of those personnel who have accessed individual records on those back end systems.”

Related topics:  Data management and data security   Encryption   Eye biometrics   Fingerprint biometrics   ID card 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources