Friday, September 3, 2010

German gov downplays biometric ID card hack

Nicht ein biggie [TheRegister.co.uk]
German hackers successfully used off-the-shelf kit to extract personal data from the federal government's supposedly secure ID cards, but the government has downplayed the significance of the attack.
This is one of those "compared to what" situations.

No security regimen is perfect.
Wise adopters of biometric ID management solutions will:
  • Complete an honest assessment of the security of their current solution
  • Tally the costs associated with the current solution
  • Compare these data to the value proposition of a contemplated improved solution
  • Compare any gains in security to the change in the costs associated with the solution
In other words, the guiding principle should be Return on Investment (ROI), not distance from perfect.

It is often possible to save money and improve security at the same time.

The German government appears to be of the opinion that the new system, even if imperfect, is more secure than the old system. I'll accept that as a given.

One thing Germany might consider: would it be better to store on the card a template derived from the fingerprint rather than an image of the fingerprint itself?

There are good reasons for wanting the entire fingerprint, but storing the full image on the card itself reduces the security of that information and will probably lead to a higher opt-out rate than would be the case if the card held only the template.

Another article on this story can be read at TheLocal.de.