Saturday, November 11, 2006

Tech: EU Declares Biometric ID Cards Privacy Hazard

http://www.theregister.co.uk/2006/11/10/fidis_budapest_mrtd_declaration/

shows some real difficult problems, including:

  • Biometrics in MRTDs (biometric Machine Readable Travel Documents) currently cannot be revoked. Because they use biometric features of the users, such as fingerprints, "stolen" biometrics can be abused for a long period of time.
  • Insufficient key management with BAC (Basic Access Control).
  • The current MRTD is remotely readable at a distance of 2-10 metres (6-30 feet), and current security simply isn't good enough to protect it.
  • There is "risk of ubiquitous, unobserved authentication to MRTD data by authorized or unauthorized third parties, enabling tracking of people carrying a passport"
  • Cloning of RFID tags in MRTDs
  • Abuse of the remote readability of RFID tags in passports, e.g. for person-sensitive ignition of ‘smart bombs’

The proposed short-term damage-control measures should be of particular interest to those who - like, say, the UK Home Office - propose to use ICAO standard biometric travel ID more broadly, both in the public and private sectors.

Don't, says FIDIS.
Use of MRTDs should be confined to its defined purpose of "authentication of international travellers" and they should "not be extendable to authentication in the private sector."
Scary, from a Yank.

But I've been anti-RFID for ages!

mark in NJ
