Hacker downloads close to 300k personal ID photos from Estonian gov database (err.ee)
284 points by chrismeller on July 29, 2021 | 124 comments



IDs have become a joke. People have been handing them out for copying to hotels, websites and apps like candy.

We need to replace IDs with chips that do not give away their secret key but only sign stuff you throw at them.

So when a website or hotel wants to know "Hey, are you really Joe Doe?" it sends this message to the "ID" and the "ID" sends it back with "yes" and signed.

This way we can identify ourselves without giving the other party the ability to identify as us from now on.


Most newly issued identity cards in Europe work that way. They have a private key stored in the chip, that can be used to prove identity, without giving the ability to the other party to impersonate the citizen.

Unfortunately most places still check these types of cards visually, but I hope that electronic verification will become more common in a few years.

For example these cards can be checked very easily simply using an NFC Android phone and the right app.

In the US, for something similar you can look at ICAO passports and Enhanced driver's licenses.


For a lot of things I have to send photos of passports around, in wechat, whatsapp, line and whatever other BS other people request. The other day I was requested to give a new copy of my updated passport to a local telco with abysmal security, just to be able to return a SIM card to get my security deposit back. WHY?

It's infuriating. Governments still use a 100 year old system of stamping each other's documents in overseas missions to confirm the authenticity of a document that is based in an era where there was neither telephone nor internet. The whole world runs on a bad joke.

The thing that's different about the three Baltics is that their crypto is open source and has had many iterations. They even sued Gemalto for an insecure revision IIRC. All of the signing code is open source on top of that.

The way Germany works is that they design something in a committee for 20 years in private, then they push it out to public. Then the CCC finds security issues in there, then the government ignores it and changes the law to force you to use it anyway. One thing I will give the Germans is that in legal interaction with their official institutions they will allow you to blacken out PII from the identity card. But no private institution does that so it's kinda pointless.


Yes, it will be a long time until we are able to change these old habits.

But you can put it another way: if someone commits identity fraud using a picture of your ID, you can defend yourself by showing that you were required by many different entities to send a copy of your ID. So there are many parties that could have leaked your ID, and a picture of your ID cannot be considered proof that you authorized or allowed anything.

Case dismissed :)


Unfortunately no, when people commit identity fraud using your ID, you're the one that needs to prove your innocence. In the US for example it's so easy to commit identity fraud, but really hard to get out of the damage someone else may have done to you.


"Identity fraud" or worse, "identity theft" are BS terms made up by the organizations responsible for the actual underlying crime. Example: a criminal gets credit cards issued in your name and your bank screams "Identity Theft!" when this is just good ol' fashioned fraud enabled by their crappy process and antiquated security. The difference is the former is your problem while the latter is all theirs. Plus they get the chance to sell you another service to protect you from their mess. $PROFIT !!!


"I seem to have my identity, whereas you seem to have lost several thousands of pounds." https://www.youtube.com/watch?v=CS9ptA3Ya9E


You mentioned the burden of proof being on the victim of identity theft. Is that applicable to anything besides one's credit report?

If creditors want to get a judgement to garnish wages or seize assets they have to go to court. I wonder if the burden of proof is any different there, or if the parent's defence (everybody has a copy of my identification!) could work at that point?


The damage of identity theft is the damaged credit report, and the fact you now have to explain to every entity you do business with what happened - and hope they believe you. Many won't because it isn't worth the risk to them.

Garnished wages are pretty rare from what I've heard, and yes it rarely gets to that point. It's still a nightmare for many people with real world consequences if it happens to you.


Explaining it to everyone is not how you are supposed to handle identity theft.

You need to file a police report and send a copy to the credit reporting companies with enough specifics to indicate which entries are not yours.


I understand the impact a problem on a credit report can have for most people.

Over the years I've been trying to minimize my dependence on credit reports. It's been frozen for most of a couple decades, and I'd like to keep it that way. I've paid cash for vehicles, use secured credit cards, put down a deposit for my utility service, have a pay as you go phone, rent from people I know, and hope to remain self-employed, or work for people who know me enough to know that I can be trusted. I'd rather not deal with BigCorp. I realize that not everyone wants to or can do these things.

But that left me wondering about what would happen in a trial to get a judgement if someone was able to fraudulently open a line of credit in my name. I'm hoping that a judge would require more than a forged signature to seize my wages/assets. Personally this is what I worry about, not so much my credit report.


It has happened, it is rare though. Also know of a few cases of folks selling people’s houses out from under them by fooling the title company when they were on a long vacation. Realistically, most thieves are far too lazy, and it’s real (and risky) work doing that compared to doing a bunch of credit card fraud.


The old stuff is still around because it works.

New fancy integration, digital signatures, etc are still protecting a process that’s unreliable fundamentally. It’s all anchored to your birth certificate, and in the US that’s controlled by thousands of jurisdictions with varying competence.

The most secure scenarios (cleared employees), tie your credentials to biometrics, and vet your origin as a control for fraud. Everything else increases the risk of fraud as a trade off for convenience or privacy. (Your cellphone carrier doesn’t need to vet where you went to elementary school)


It works for the requirements of the people who are running it, not necessarily those who use it.

The differentiator is that when an incompetent jurisdiction gives away your ID, it's your loss, not theirs. When hackers spoof a business with your credentials to perform industrial espionage or plant ransomware, it's the business that loses, not you. An incompetent jurisdiction can continue operation indefinitely, they just have unhappy, powerless citizens. An incompetent business will suffer financial losses and fail.


It’s more nuanced than that.

The village clerk in some Indian reservation in South Dakota probably doesn’t have a process that looks like the NYC department of Health for vital records. But people live for a long time, and errors and omissions do too.

The point is, you can establish identity, but it’s a pain in the ass. I need to provide a drivers license to open a savings account, but anyone with my SSN can open a credit card.


Any day now Equifax is going down. The real difference is that humans have some institutional power over political jurisdictions and how they are run and exactly none over how (large enough) businesses are.


They add friction to any outgoing payment because some proportion of customers will walk away and then they will have more money.

Other organisations (especially banks) will collect far more information than is legally required for KYC because they can use it for marketing.

But why does a 50 cent SIM card need a security deposit?


Yep. All European Union countries are eventually going to use electronic IDs (eID) with Smartchips that can be read by a Smart Card reader.

A number of governments already use eIDs, and have elaborate databases for citizens, such as Croatia. See: https://gov.hr/en

There are also other forms of government facilitated authentication (e.g. electronic signatures or citizen services), and depending on the level of security needed.

It’s amazing that the United States does not have this functionality, which would be useful moving from state to state.

I guess the US passport card is the closest example, but it is useless except as identification.


> It’s amazing that the United States does not have this functionality, which would be useful moving from state to state.

The US does have it, used in both passports and “Enhanced Driver's Licenses” meeting the federal requirements for that label. I think only a couple states currently issue EDLs.

> I guess the US passport card is the closest example, but it is useless except as identification.

Almost any place that requires government ID, IME, accepts passports; they aren't at all useless as ID.


The point I was trying to make is that in many countries in Europe, we can use our electronic IDs to do a lot of things in everyday life that cannot be done online in the US. You can see all of the services we can access in Croatia here: https://gov.hr/en/catalogue-of-services/10

The eIDs also require a biometric picture of your face and 2 fingerprints, which are encoded into the card, as required by European Union regulation.

When I am ready to I can even apply for my European Engineer license online on that portal, with my eID using a Smartcard reader on PC (highest level of security for authentication of credentials).


>All European Union countries are eventually going to use electronic IDs (eID) with Smartchips that can be read by a Smart Card reader.

As far as I know there's a deadline for it and we just passed it.


>In US for something similar you can look at ICAO passports and Enhanced driver's license,

I'm not sure what you mean by "Enhanced driver's license", but my RealId driver's license doesn't seem to have a chip in it, just an excess of holographic overlays.


Enhanced driver's licenses are different: they have a chip, and right now they are only available in 4 states near the Canadian border.

https://blog.americansafetycouncil.com/enhanced-drivers-lice...


Only 4 states at Canadian Border issue them, & they are acceptable by CBP at airports or borders if you are coming from Mexico or Canada. Only citizens can get them.

Real IDs are only for Domestic Travel, from May 2023. Is available to anybody with a legal status.


Most of the ID verification systems use "What you know"(PIN or password), "What you have"(ID Card or Phone),"Who you are"(biometrics, i.e. finger print hash), using 1 factor or combination of 2 factors. For verification, storing hash on server is good enough.

If we use safely stored finger print hash in ID cards/Passports/Phones (Iris is better but expensive), the stolen IDs from server have less value to hackers. ICAO standard already includes secure storage of the biometrics data long time ago but not many countries implement yet. Finger print sensor is widely adopted in mobile phones. Anyway the technology exists. Maybe some identity theft incidents will push the government and the industry to implement the solutions


Unfortunately Germany deliberately borked the encryption ecosystem so it’s useless there. And many of the smaller countries have trouble building out the infrastructure with everything else on their plate (Estonia being a significant exception).


Do you have more information on how Germany deliberately borked the encryption ecosystem?


Sure. The key is "ecosystem". A technical flaw notwithstanding, the PKI itself seems fine (Estonia also had a technical problem in this regard).

However the cards were simply rolled out: essentially the only practical difference for anyone between the old cards and the new was that there was a chip in it. But there was no surrounding infrastructure: government didn't take it, banks didn't take it -- there was no practical benefit. There were no mandates for use, no examples or incentives. The country made greater provision for spelling reform than they did for the E-ID. There was a lot of unease about the idea of all that tracking...yet the card itself already leaks lots of unnecessary personal info (e.g. address) to anyone who glances at it.

Compare this to countries like Estonia who made a point of using the card as the easiest way to unlock government services and made it easy for companies to do the same.

This is touched on in English in this recent article: https://www.theguardian.com/world/2021/may/22/new-id-law-aim...


Don't know what he means, but there were a couple of security vulnerabilities in the past. The German gvt. didn't really address how it was improved, but gave a security certification award to it.

https://www.ccc.de/de/updates/2010/sicherheitsprobleme-bei-s...


Their problem with the German ID was that cheap readers did not have a keypad, so you'd have to enter your PIN on the PC, which could be infected with a trojan.

It's sad that this myth that "eID is insecure" has stuck around, because it's just not true. Their problems have all been with auxiliary devices or software, not the eID itself.


I’m pretty sure you can read people’s birthdays using NFC where the N for near is up to the attacker.


The funny thing is, Estonia already has this feature in their ID cards (although, as I'm not Estonian, I'm not sure how often people actually use this feature).

https://learn.e-resident.gov.ee/hc/en-us/articles/3600006244...

Their ID cards can cryptographically sign documents/anything using a PIN that only the user should know, so even if the ID card is stolen, it still can't be used to sign documents/messages.

The problem is, the certificate (public key) purposely contains the full-name/public personal ID code, so that people can prove who (and which ID card) signed the message.

I'm unsure if making the photograph public was purposeful; the Wikipedia article is quite vague (it says that "personal data" is publicly associated with your certificate, but I can't find whether photos are included under "personal data" on the English language government site).


Since the Estonian ID-card infrastructure has been around almost 20 years (didn't even realize it's been this long already), it's used literally everywhere. Every time you interact with the government or a bank, utilities or even loyalty programs at stores, you'll use your digital ID.

These days, you also have the option of signing with Mobile-ID (using a secure SIM application provided by your phone carrier) or SmartID (a regular Android/iPhone app), which are probably more convenient since you don't need the smart card reader.

I can't remember the last time I had to physically sign something in Estonia, only when dealing with foreign companies, where you need to pretend to print, sign & scan the document. They don't seem to mind copy-pasted PDF signatures though...


Oddly enough both of my leases in Estonia have wanted a hand-signed copy (though both times I also did the digital PDF signature). No clue why, but I can't remember anything else that ever has...


I'm an e-resident and we also get a digital ID. It uses 2 pin numbers, a normal pin and a second pin to sign stuff. Works great.


Estonian ID-cards contain 2 key pairs: authentication and signature. Certificates’ DN contain both: owner’s full name and Personal Code. Personal Code contains your sex and birth date. Also, there’s data file on chip containing all textual data seen on the card, no image. So it’s easy to use ID-card in both, physical stores (reads data file for Personal Code) and e-shops (reads certificate after auth). This document image service was just a convenience service to download your document image. Problem causing the issue was that auth certificate path was not verified during authentication, so you could impersonate by generating fake auth certificates.
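
The challenge-and-sign flow proposed at the top of the thread, together with the certificate path check whose absence the comment above describes, as an added example (not code from any commenter or from the Estonian services). The CA name, holder name and all function names are constructed for illustration; the first verifier keeps the flaw, the second adds the path check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Card models the chip: the private key stays inside, only signatures come out.
type Card struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Sign answers a verifier's challenge without revealing the key.
func (c Card) Sign(challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, c.key, d[:]))
}

// issue makes a key and certificate for cn; with parent == nil it is self-signed.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) Card {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return Card{key: key, Cert: must(x509.ParseCertificate(der))}
}

// AuthNoPathCheck keeps the flaw: it proves possession of the key in whatever
// certificate was presented, then trusts that certificate's subject name.
func AuthNoPathCheck(cert *x509.Certificate, challenge, response []byte) (string, bool) {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], response) {
		return "", false
	}
	return cert.Subject.CommonName, true
}

// AuthWithPathCheck first requires the certificate to chain to a trusted root.
func AuthWithPathCheck(roots *x509.CertPool, cert *x509.Certificate, challenge, response []byte) (string, bool) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", false
	}
	return AuthNoPathCheck(cert, challenge, response)
}

// Demo returns {genuine/no-path, untrusted/no-path, genuine/path, untrusted/path}.
func Demo() [4]bool {
	ca := issue("Constructed Test Root CA", 1, true, nil, nil)
	const holder = "DOE,JOE,00000000000" // constructed subject, not a real code
	genuine := issue(holder, 2, false, ca.Cert, ca.key)
	untrusted := issue(holder, 3, false, nil, nil) // same name, no trusted issuer
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	challenge := make([]byte, 32) // fresh random challenge per login
	must(rand.Read(challenge))
	var out [4]bool
	for i, c := range []Card{genuine, untrusted} {
		resp := c.Sign(challenge)
		_, out[i] = AuthNoPathCheck(c.Cert, challenge, resp)
		_, out[i+2] = AuthWithPathCheck(roots, c.Cert, challenge, resp)
	}
	return out
}

func main() {
	fmt.Println(Demo())
}
```

A valid signature only shows that the caller holds the key in the certificate it presented; binding that key to a person comes from the issuer chain, which is why only the second verifier rejects the certificate that carries the right name but no trusted issuer.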


AFAICT the photo service is a convenience feature for the user itself. When I use the ID-card desktop utility or the national web service it offers to show me my own photo. It may be used by govt agencies internally (and obv for issuing it) but I have yet to see an actual use case beyond showing it to myself.


I literally just went to a well known department store in my city and in order to get an advertised discount, I was asked to become a member. This required a SSN rather than just email. I don’t trust them with this info and with the SSN alone you can call the bank and identify yourself, the police, and the tax authorities. You can even identify yourself over the phone to healthcare authorities.


Wow. What store?


Damn - In the UK I remember being read the riot act that any misuse of NI numbers outside of a small number of tiny permitted uses was a disciplinary offence.


Stadium, Finland.


You know, that was the original idea with Indian "Aadhar". I am talking about keeping up with its news on tech magazines back in 2007 when it was lauded as a FOSS achievement. The idea from what I can recall now was "you input your ID, you put your finger on the reader and the backend sends a "yes/no" with a hash of the authentication. That's it"

Over subsequent years, politics fucked it up bad. They made it "compulsory". Then people started asking for photocopies. Then scans. Then people would keep and then buy and sell these scans in bulk. Then people started putting phones with multiple cards, like entire villages would be one computer operator who would keep his own phone for "otp". That operator would then sell access which would be bought for buying Sim cards, shit and frauds.

Then you have the political appointees who run this Aadhar system, those pompous assholes claim they are unhackable. Come on.

Sadly they built a Pandora's box now with 1.3 billion almost demographic data, biometric data and that is scary.


Ironically enough, Estonia is the global forerunner of exactly the type of tech you just described.

However, having a smart chip on your ID card does not do away with requirements for good operational security.


This is already possible with the German ID card (nPA). It can also verify if you are over a certain age without giving out your data. You also cannot read the nPA without a PIN code. It even includes a pseudonymity function where every service you authenticate with receives a different pseudonym so tracking isn't (easily) possible.


This is not entirely correct. The eID can be read without the PIN. There is a six digit CAN (card access number) printed on the front that can be used to read the card online, but legally only for cases where an agent checks your identity instead. It's more of an easy way to copy most of the data that is printed on the card (some information such as sex, eye color, height is not digitally available to online services). It's mostly a way to prevent mistakes from copying and to check validity.


I'm a recently naturalized German citizen, could you say more about how I can use my Perso this way. It seems nobody uses the "smart" features.

So far, it seems like a "mini passport" and an enormous risk to carry around literally everything someone needs to know to rob and/or impersonate me, but yet we're legally required to do so.


Germany deliberately set up the authentication ecosystem around private actors it appears pretty much to ensure this would not ever happen. I use my Estonian ID to sign certs from time to time, but my kid has never even bothered to open the envelope with the codes (PUK etc) for his German Ausweis.


You’re not legally required to carry your ID around, only to have an ID. You can leave it at home without worry, although there may be situations where that is inconvenient.

As to how to use the smart features: not knowing how to use them is really what makes you German. Welcome onboard!


Adoption of the online ID function has been incredibly slow. I haven't had a need for it yet. Some online banks allow you to open an account using it. You can also file taxes with it. Most applications require a NFC reader of some kind. But there is also an official app for iOS and Android which can be used to read the ID with your smartphone.

There is an online portal where you can read more about it:

https://www.ausweisapp.bund.de/en/ausweisapp2-home/


Wait till you hear about SSN. Which were created specifically not to be used for identification.


Why are you scared of sharing SSN? In Estonia it’s called Personal Code and it doesn’t have any special status, just your unique digital name. We have left these days behind dozen years ago when banks used asking Personal Code as a security measure.


SSN is used by many, many entities as a 'secret security code' essentially. Including (still) many banks, government offices, etc.

It's also used for things like tracking of tax liabilities - so if someone has your SSN, with some minor fudging of other data there have been historic issues like claiming tax overpayments and getting checks from the government.

It's incredibly dumb, but it is what it is (mostly still).

At least most of the big players aren't quite as dumb about it as they used to be.


Estonian Personal Code number works just as a unique identifying number. American Social Security Number works both as a unique identifying number AND as a verification of identity. Basically it's similar to the Estonian ID number, but instead of PIN1 and PIN2 you have just the SSN.


Because it's not the same in the good old USA. We use it as an identifier but also as a security device. It's a bad system.


SSN is not a Personal Code. It’s just a number. Add or subtract one, and you get a valid number for the people in your home town who were born nearest to your birthdate. There are no checks and it’s very difficult to change. Some people in the USA would like a better system, but we can’t have it because national IDs and vaccines are tyranny.


SSNs used as IDs is terrible, but it’s a little glib to say we don’t have national ID cards because they’re “tyranny.” There are very real problems, like discrimination and degradation of privacy: https://www.aclu.org/other/national-identification-cards-why...


Easier put: You can't both have and not have a unique identifier for everyone.


I don’t know how copies of my ID being made turns it into a joke? There isn’t anything secret on my ID, and just knowing the information and having a picture is to impersonating me as putting on running shoes is to drawing an owl.


>hotels

Fwiw some countries, including Japan, require the hotel to keep a record of a copy of your passport/residence card (for non citizens at least) to meet regulatory requirements. It's not up to the hotel to choose to collect it or not.


Travelled a lot in Japan. Happens rarely tbh but happens. Used to happen in hotels everywhere around the globe though.


https://www.japantimes.co.jp/community/2020/02/17/issues/hot... says copies of passports have been required since at least 2014.

I seem to recall I had a similar experience in Canada.


It will still have your name and face on it, and they will still stick it in an optical scanner when you hand it over to them for use, and the scan will still get stolen from an unprotected S3 bucket with millions of others.


I don't think I have many ID cards without chips anymore. Maybe EU health care insurance card doesn't have one. Everything else has wireless chips.


No we need to do away with the European "papers please" concept of mandatory ID cards.


So I just steal your ID. You still need a PIN and/or biometric authentication.


What if the website sends "Hey, do you want to take a large credit?"?


Authentication and digital signatures (like for signing contracts) are usually kept separate on electronic cards. There are already standards for that.


It was an oversight in picture program. Basically you can always request your own photo and the hacker already had names and ID codes and was able to use legitimate access to download photos. He did use botnet, with many computers so it seemed legitimate traffic. And was apprehended literally the next day.

Stolen pictures were not forwarded, so they even got the leaked data back.

Dunno, not a big deal.

Only thing was he was downloading pictures en masse. Names and ID codes got from elsewhere beforehand. ID code is not a secret here either, you can reconstruct it with high accuracy just by knowing person's birthday and city he lives.

Tho I think this triggered a fast lane for upgrading some legacy stuff that was to be updated soon. So good scare I think.


> Stolen pictures were not forwarded, so they even got the leaked data back.

Can we be certain that the hacker didn’t make any copies?


This is sad.

Estonia's government is exceptionally forward-thinking when it comes to embracing technology (they've had internet voting since 2005, for example), but ultimately they're still a smaller nation and it sucks to see them get burned.

Some more info: https://www.newyorker.com/magazine/2017/12/18/estonia-the-di...


Internet voting that cannot be independently verified and monitored is just a fraud.


Appearance of forward-thinking and actual boots-on-the-ground situation can vary widely. Especially with governments - you might be surprised how many things are just held on stilts behind the scenes. When it comes to security, I have zero trust in the government ID programs.


Does truly democratic society need identity card and databases? Do people need to be tracked since their birth as if they were someone's property?

Also, such leaks can be dangerous. If someone is hiding from authoritarian government then the stolen data can be used to track and assassinate them.


Last year my government (Eastern Europe) started requiring some extra documentation to be submitted by companies, yearly, after it passed a law to do so. It being a strange time in human history they had to twist themselves in all sorts of knots to try and make that possible so they gave in and - I assume - they put out a giant government contract searching for an IT company to make that happen. And make it happen they did, through usual nefarious means or otherwise, that much is unknown but they created a portal. You could enter your details and it would return you a document to download and sign and hand off to the nearest government agency that was officially supposed to handle these. And so my friend got to work… first thing he noticed: the whole thing was insanely slow and then he took a look at the URL and found that it was basically someone’s Windows PC, just serving the entire C:/ drive on a public URL. Even worse, all the documents generated (which contained all data, private and public related to the company owner - even ID data) were named in an incremental fashion. Meaning that you could’ve, were you a bad actor, dumped pretty much the entire country’s privately owned business owners’ details with a simple bash script.

So he took it upon himself and called the specific government branch…

… and within an hour the whole portal was offline and the deadlines ended up being extended. This year was the earliest time I needed to submit said paperwork.

Handling stuff online is not easy and sometimes goes very wrong. That being said, for most general company admin things you need to do here you can buy a hardware cert and avoid this entire risk and they’re supposed to be rolling out IDs with similar features and a similar promise in August. Though as to how that will function, I have no idea as I couldn’t find any info on it.


So when can we expect ThisEstonianDoesNotExist?


Why were they storing them in the first place?


Multiple reasons, just like CBP in the US can pull up your photo to make sure the one on the ID and standing in front of them is actually the person the system says it is.

They also compared my old ID photo with the new photo I was submitting when I renewed it recently for the same reason.

Though I've never had this particular problem, I believe the police will also do the same thing to verify they're arresting or ticketing the right person.

Also keep in mind that Estonia is the size of a (quite) small state in the US, so they're storing things like a driver's license photo just like your state would. You actually don't need a physical driver's license with you in Estonia as long as it's linked to your ID card, so it's really an "all your eggs in one basket" kind of system.


Very few governments don't store data like that, America and its lack of standardized documentation is an outlier in the developed world.


Not according to comments on this post. Lots of governments in Europe keep records at the city and state level. Unless they are passports.


Like which ones? I can't see the comments you're referring to.


Look at johannes1234321 comment below.


The UK isn't technically in Europe any more (except geographically), but there are no city or state (county) level photo IDs here. Everything is national and managed by the central government.


It's in Europe the same way it has always been. UK is no longer in the EU.


And even within the EU I’d still wager that there are many different systems in different countries. Almost like it’s a block of diverse individual nations and not just a single entity that you can make lazy comparisons with.


It's all centrally forced, the security, the implementation. They are printed the same place, same way, a lot of directives straight from Brussels.


And the passports have photos, right?


Do you have a source for this? I'm curious to see a chart of "centralization of standardized documentation" by country to validate your claims.


Source for what, it's so common knowledge that you should list countries that don't do centralized id besides USA in the developed world. Search for voting id laws is probably a good start.

https://www.consilium.europa.eu/en/press/press-releases/2019...

These are from 2019,but the documents have always existed. And each country is using this guideline for their countries.


Having a government issued ID neither means all data is being stored, nor that it is stored centralized.

In Germany for instance most data is held by the municipality and centralization happens slowly and centralizing pictures is only a recent proposal.


Because it's not necessary. Since 2017 police and secret agencies can access all photos 24/7 per web access.


The centralization proposal the person you are replying to was done because that API access you are talking about apparently hasn't been implemented in a widespread manner. So now each Bundesland can create their own database.

https://www.golem.de/news/trotz-kritik-smartphone-ausweis-un...


Are you asking why the Estonian government was storing identity information?


Yes, he was. Many people in the US specifically do not seem to have knowledge about how other countries are governed.


Presumably the US government stores passport photographs, and the state governments store driving license photographs.

(Estonia has a similar population to Maine or New Hampshire, 1.3 million people.)


They do now. There was a time when you could go to the DMV and switch places with your friend right before the photo for the ID was taken. If you were under 21 and your friend was older, you had a real fake ID made for you by the state. At least in Illinois that was the case when I was still underage. Now they do see the older photo come up when renewing a license, presumably to prevent swapping.


> There was a time when you could go to the DMV and switch places with your friend right before the photo for the ID was taken.

But wouldn't that mean your friend no longer had a valid driver's license?


The old license is not effectively invalidated in any way. Almost nobody you presented the license to would know that another one has been issued, besides possibly a police officer. It would be fairly easy to tell them that you got a replacement and then found the old one.


> The old license is not effectively invalidated in any way. Almost nobody you presented the license to would know that another one has been issued

That’s strange. Where I live, if you get a new ID you have to turn in your old one. You can keep a passport if you want (some people like to if they have a lot of stamps from their travels) but in that case they punch a couple of big holes through the entire booklet before returning it to you (basically, it removes the chip and some other security measures).


They do ask you to do that, but what if you lost it?


If you lost it you have to go to the police and report it lost. Then you need to hand over the police report when you request a new one. Reporting it lost or stolen also invalidates your drivers license meaning you can’t drive while you wait for your new license.


I see. In what region are you referring to? I have never lived in a state with any sort of concept of rendering your license invalid because you lost a physical license, nor have I been told to file a police report.

I looked it up for my state and they said you only must file a police report if you believe your license has been stolen, not lost, and you desire a new number. I’m sure policies differ among states.

I picked Michigan at random. Their website merely warns that the old license will be invalidated electronically and cannot be used for border crossing while encouraging use of online replacement services.

https://www.michigan.gov/sos/0,4670,7-127-1627_8669_53328---...


> In what region are you referring to?

The Netherlands.

> rendering your license invalid because you lost a physical license

If you lost it, you can't drive anyway. Why would you not invalidate a lost license? To clarify: the physical license is invalidated, and since you need to have a physical license on you to be allowed to drive, you cannot drive until you get a new physical license.

If you fraudulently report your license as stolen, it is invalidated and you can no longer drive using that physical license. If you get a new one with someone else's photo on it, that basically means you can no longer drive a car.


I see. In the US, I've been stopped before when I didn't have my license with me and the officer looked it up on his computer. Of course you're expected to have the card with you, but that's a relatively minor requirement compared to having a valid license in the system. Forgetting your wallet at home isn't on the same level as being unlicensed.

I noted this earlier: "Almost nobody you presented the license to would know that another one has been issued, besides possibly a police officer." So the usefulness is for situations that are not driving and don't involve police. One could still definitely use the 'lost' license to get into bars or concerts, start accounts, and purchase alcohol or cigarettes.


> I've been stopped before when I didn't have my license with me and the officer looked it up on his computer.

If he looks it up in his computer, wouldn't it show the wrong photo?

Also, if you don't have a valid license your insurance may not pay out in case you are in an accident.


That example was addressing whether it's legal/forgivable to drive without a physical license in your possession in the US. In my experience, it is, and also there's not an issue with insurance because you are legally licensed to drive.

As for the example of the fraudulent license holder, yes, the officer would probably be able to tell, which is what I've been saying this whole time - one would not want to present the old or the new license to the police.

Sure, an illegal license holder presumably either doesn't care or isn't prepared to deal with an auto accident, in which they would have to pretend to be the person on the license and it would go on that other person's record.


Someone I know did this with his brother's documents without his brother being involved. He took the documents to the DMV and said he lost his license. Pretty much all they had to go on was basic appearance metrics and questions like where you got your license last time. This was in the 90s so it’s possible it might not be as easy now.


A distant acquaintance did that in the early 90s, only that person asked for a new driver's license. The clerk attempted to offer a duplicate instead of a new license and the nervous license getter refused until the clerk said, "look I'm trying to save you some money, we still take your picture and give you the license today!"


In my state, and I assume most/all(?) others, it's all electronic. When I had to replace a lost license a few years back, it was very easy. Go to a website and pay $25 or whatever. But there's no new photo involved.


For the most recent state I lived in, IDs are issued for four years. If lost during that time, they give you an identical replacement if in the first 2 years but require a new picture if replaced in the second half.


Seems like a dumb thing for your friend to do for you when that photo will be part of a permanent database.


The purpose of that anecdote was to demonstrate that there was no database at that time.


Only ~30% of Americans have a passport, so the passport database is nothing like comprehensive.


From what I recall, in a fairly recent traffic stop in my home state the police officer had access to all of my license information including the photo.


State governments have to turn over all of the DL/ID data to the feds these days under the new backdoor federal ID law ("Real ID").


Well, isn't it simply because the rest of us living outside of the US are frequently exposed to US politics via mainstream media? Since there are 160+ countries in the world, this exposure can hardly be symmetrical.


I'm sure, but even as a person living in the US, having knowledge on how your own country differs from all others makes sense.


I'm from Denmark, not the US, and they don't store my picture by default. The passport picture is stored in the chip and then supposedly discarded.


Shared secret is an oxymoron.


They have my photo now


Is that not a photo of yourself in your Twitter bio (as if so that would mean we all had your photo already)?


Not exactly the same photo, but yes – same face!


Having the photo AND the connection to the true identity is the important part. Photos are everywhere. The identities are everywhere. The link between is worth a lot.


However, this person uses their real name and even provides a personal website with lots of information about themselves.


We should upgrade our IDs, as many people are not aware suspicious people are trying to take advantage of their personal information.



