EID, omerta and propaganda (no security)

First, let us agree on something. Security means that something is certified and controlled, that it can be adapted and secured afterwards, and that this is done and rechecked by a transparent, frequently updated and outsourced process run by professionals and independent security researchers.

Secondly, nobody is saying that the EID as such has to be abolished. The problem is that the card, because of its increasing importance, needs to have that public and transparent security process. This is not the same as making your source open source. It is not because your source is open source that your code and process (e.g. incident handling and patching) are 'automatically' secure as such. It doesn't even mean that your code has been reviewed against the most stringent standards by the community. In Belgium this last thing is absolutely NOT the case, because the community has been blackmailed into silence by the very vague and dangerous cybercriminality law (and by a total lack of other independent places where you can deposit this information safely, without risk to your career or name, in this small country of ours). For the record, we have already shown that we know how to protect our informers and how to get information to the right persons in the right places without publicizing it immediately.

Thirdly, you don't have to shoot the pianist; you have to listen to the music and forget the pianist, even if he or the band has no name. Discussions should be about the facts, not about the persons who are posing the questions.

Some facts

* Since the vulnerability that was published last year, a patch has been published, 6 months later, but it shows some conceptual errors that can pose problems for the security of your data on that card. Meanwhile a browser version of the EID middleware has been published, even though the banks are moving from browser-based authentication to application/card-reader-based double authentication. Security researchers and hackers can download the code and test or adapt it at will. There is no certification of your code or of how secure your implementation is.

* We published last year that taxonweb (the online tax service that has been used by over a million people) can easily be phished. Forgive us if we are wrong, but we don't see much difference since then.

* There are no public norms or standards. There is a private book with some best practices from some years ago, but if you are looking for how to implement this securely and how to get it certified as safe, you are looking in the wrong place.

* There is no security certification of the readers that could be used. Some of them failed security tests that were done last year by amateurs. I am holding my breath for when real security research is done against them.

* And so I can go on and on.... and on and on...

And yesterday I was somewhere between astonishment and anger when I saw on television that they want to use it for... safe shopping. This card can't be used for safe shopping. In fact, this card can't be used for anything web-based if you want to implement normal security standards for banking, shopping or real authentication.

The card IS safe, at the present time, if you use it within a secured network or on internally secured machines (like machines used to print administrative forms). This changes totally if you use it on the web for anything more than trivial things (except if you use VPN links or highly secured, specified connections).

My astonishment at using this card for shopping is that the card now becomes really interesting for ID theft. As long as it was only an administrative authentication for administrative procedures, intercepting the information was only useful for espionage and blackmail, and for gathering more information to bypass anti-social-engineering questions (for example, where do you live, etc.). Once you can use it for financial transactions and payments, the card itself and the digital information on it become more than interesting. And even more so if its security is like that of bank and credit cards (and even those are broken or intercepted on an unprecedented scale).

It is even more astonishing because our greatest fear at the beginning of last year was that hackers or digital mobsters would build crime databases in which they would regroup stolen financial information, email passwords, passwords for eBay or online shopping portals, and so on. Taken separately, this information is only worth pennies, but if you could reorganize it by person and profile it, it is worth much more. Some first examples of such databases (although primitive) were found online last year. It shows that e-crime is starting to look more and more like a normal IT process (done by professional IT people) and is handled like a normal commercial data-sale process.

For those databases, EID information has now become worth much more.

Before you set out to attack the wild wild west with a new secure solution, you should be sure that your castle is secure. Otherwise you will be out in the wild wild west with no secure castle to return to, because it has been broken into and taken over.
