ID theft made easy
April 11th, 2006In case you think traces of data on your hard disk is an unlikely source of ID theft here’s a couple of easy ways NIR information can be gathered with minimal effort (and therefore maximum profit!!!!). And remember because NIR information will be ‘valid’ in perpetuity it can be traded long after the information is stolen (and even if it is encrypted it will be just like futures options on the stock exchange, people will be willing to bet on whether the encryption can be readily broken or bypassed).
Scenario 1:
You’re 21 looking 18.
You’re at the off license.
You have an NIR linked ID card.
You have a credit card.
You let your card be verified against the NIR, he asks you to take a fingerprint scan
The retailer has a recorder box between the RFID scanner and the NIR connection and skims the RFID & fingerprint data, he has also put some thin film on the fingerprint scanner which now has your fingerprint on it.
You pay with your credit card
The retailer skims your credit card information
You get your beer
The retailer gets the information transmitted by your ID card, the NIR ready data from your fingerprint, a valid fingerprint for the ID card, your credit card details – he can use these directly or sell this information to someone else (or both)
—
Scenario 2:
You are at a restaurant
You leave your coat with the waiter
Your wallet is in your coat
Your ID & credit cards are in your wallet
The waiter skims all your cards with a stand alone reader while you are at your table
You are handed a laminated menu
You leave your fingerprints all over the menu, the waiter takes care to only touch the top edge of the menu
You go home having a nice meal
The waiter lifts your prints off the menu and sells this with your card information
—
Although card skimming can be done now it is simple to invalidate your current credit card number and get a new one.
You cannot get new fingerprints, and you cannot invalidate them if access to public services and your own money depends on them.
April 11th, 2006 at 2:36 pm
The first method you outline is called a replay attack. They wont need the plastic copy of your fingerprint, just the data passing down the reader to the NIR. Sensibly, this connection should be encrypted, but that wont stop the attack, because between your thumb the reader and the moment before encryption, the data is accessible and recordable.
April 11th, 2006 at 3:03 pm
They might want your print to do a gummy and sell it with a dupe card. They also get a full analogue key from your print whereas NIR information will be dependent on the scan resolution of the reader (and for cost reasons readers for retail use will likely be at lower quaity than those used by IPS for capturing the info – although if this is true it begs the question how accurate will a falsified request need to be, hmm)
April 11th, 2006 at 3:38 pm
Here’s another:
You are a youthful MP with a desire for certain sexual exploits ‘away from home’.
You visit a prostitute who vaguely recognises you
He/she takes your prints from a glass of whisky and passes them on to a police friend who looks up your NIR record.
Blackmail ensues followed (years later) by press revelations and your resignation.