Most newly issued identity cards in Europe work that way. They have a private key stored in the chip, that can be used to prove identity, without giving the ability to the other party to impersonate the citizen.
Unfortunately most places still check these type of cards visually, but I hope that electronic verification will become more common in a few years.
For example these cards can be checked very easily simply using an NFC Android phone and the right app.
In US for something similar you can look at ICAO passports and Enhanced driver's license,
For a lot of things I have to send photos of passports around, in wechat, whatsapp, line and whatever other BS other people request. The other day I was requested to give a new copy of my updated passport to a local telco with abysmal security, just to be able to return a SIM card to get my security deposit back. WHY?
It's infuriating. Governments still use a 100 year old system of stamping each others documents in overseas missions to confirm the authenticity of a document that is based in an era where there was neither telephone nor internet. The whole world runs on a bad joke.
The thing that's different about the three baltics is that their crypto is open source and has had many iterations. They even sued Gemalto for an insecure revision IIRC. All of the signing code is open source on top of that.
The way Germany works is that they design something in a committee for 20 years in private, then they push it out to public. Then the CCC finds security issues in there, then the government ignores it and changes the law to force you to use it anyway. One thing I will give the Germans is that in legal interaction with their official institutions they will allow you to blacken out PII from the identity card. But no private institution does that so it's kinda pointless.
Yes it will be a long time until we are able to change this old habits.
But you can put it another way: if someone commit am identity fraud using a picture of your ID, you can defend yourself showing that you were required by many different entities to send a copy of your ID. So there are many parties that could have leaked your ID and a picture of you ID cannot be considered a prove that you authorized or allowed anything.
Unfortunately no, when people commit identity fraud using your ID, you're the one that needs to prove your innocence. In the US for example it's so easy to commit identity fraud, but really hard to get out of the damage someone else may have done to you.
"Identity fraud" or worse, "identity theft" are BS terms made up by the organizations responsible for the actual underlying crime. Example: a criminal gets credit cards issued in your name and your bank screams "Identity Theft!" when this is just good ol' fashioned fraud enabled by their crappy process and antiquated security. The difference is the former is your problem while the latter is all theirs. Plus they get the chance to sell you another service to protect you from their mess. $PROFIT !!!
You mentioned the burden of proof being on the victim of identity theft. Is that applicable to anything besides ones credit report?
If creditors want to get a judgement to garnish wages or seize assets they have to go to court. I wonder if the burden of proof is any different there, or if the parent's defence (everybody has a copy of my identification!) could work at that point?
The damage of identify theft is the damaged credit report, and the fact you now have to explain to every entity you do business with what happened - and hope they believe you. Many won't because it isn't worth the risk to them.
Garnished wages are pretty rare from what I've heard, and yes it rarely gets to that point. It's still a nightmare for many people with real world consequences if it happens to you.
I understand the impact a problem on a credit report can have for most people.
Over the years I've been trying to minimize my dependence on credit reports. It's been frozen for most of a couple decades, and I'd like to keep it that way. I've paid cash for vehicles, use secured credit cards, put down a deposit for my utility service, have a pay as you go phone, rent from people I know, and hope to remain self-employed, or work for people who know me enough to know that I can be trusted. I'd rather not deal with BigCorp. I realize that not everyone wants to or can do these things.
But that left me wondering about what would happen in a trial to get a judgement if someone was able to fraudulently open a line of credit in my name. I'm hoping that a judge would require more than a forged signature to seize my wages/assets. Personally this is what I worry about, not so much my credit report.
It has happened, it is rare though. Also know of a few cases of folks selling peoples houses out from under them by fooling the title company when they were on a long vacation. Realistically, most thieves are far too lazy, and it’s real (and risky) work doing that compared to doing a bunch of credit card fraud.
New fancy integration, digital signatures, etc are still protecting a process that’s unreliable fundamentally. It’s all anchored to your birth certificate, and in the US that’s controlled by thousands of jurisdictions with varying competence.
The most secure scenarios (cleared employees), tie your credentials to biometrics, and vet your origin as a control for fraud. Everything else increases the risk of fraud as a trade off for convenience or privacy. (Your cellphone carrier doesn’t need to vet where you went to elementary school)
It works for the requirements of the people who are running it, not necessarily those who use it.
The differentiator is that when an incompetent jurisdiction gives away your ID, it's your loss, not theirs. When hackers spoof a business with your credentials to perform industrial espionage or plant ransomware, it's the business that loses, not you. An incompetent jurisdiction can continue operation indefinitely, they just have unhappy, powerless citizens. An incompetent business will suffer financial losses and fail.
The village clerk in some Indian reservation in South Dakota probably doesn’t have a process that looks like the NYC department of Health for vital records. But people live for a long time, and errors and omissions do too.
The point is, you can establish identity, but it’s a pain in the ass. I need to provide a drivers license to open a savings account, but anyone with my SSN can open a credit card.
Any day now Equifax is going down. The real difference is that humans have some institutional power over political jurisdictions and how they are run and exactly none over how (large enough) businesses are.
Yep. All European Union countries are eventually going to use electronic IDs (eID) with Smartchips that can be read by a Smart Card reader.
A number of governments already use eIDs, and have elaborate databases for citizens, such as Croatia. See: https://gov.hr/en
There are also other forms of government facilitated authentication (e.g. electronic signatures or citizen services), and depending on the level of security needed.
It’s amazing that the United States does not have this functionality, which would be useful moving from state to state.
I guess the US passport card is the closest example, but it is useless except as identification.
> It’s amazing that the United States does not have this functionality, which would be useful moving from state to state.
The US does have it, used in both passports and “Enhanced Driver's Licenses” meeting the federal requirements for that label. I think only a couple states currently issue EDLs.
> I guess the US passport card is the closest example, but it is useless except as identification.
Almost any place that requires government ID, IME, accepts passports; they aren't at all useless as ID.
The point I was trying to make is that in many countries in Europe, we can use our electronic IDs to do a lot of things in everyday life that cannot be done online in the US. You can see all of the services we can access in Croatia here: https://gov.hr/en/catalogue-of-services/10
The eIDs also require a biometric picture of your face and 2 fingerprints, which are encoded into the card, as required by European Union regulation.
When I am ready to I can even apply for my European Engineer license online on that portal, with my eID using a Smartcard reader on PC (highest level of security for authentication of credentials).
>In US for something similar you can look at ICAO passports and Enhanced driver's license,
I'm not sure what you mean be "Enhanced driver's license", but my RealId driver's license doesn't seem to have a chip in it, just an excess of holographic overlays.
Only 4 states at Canadian Border issue them, & they are acceptable by CBP at airports or borders if you are coming from Mexico or Canada. Only citizens can get them.
Real IDs are only for Domestic Travel, from May 2023. Is available to anybody with a legal status.
Most of the ID verification systems use "What you know"(PIN or password), "What you have"(ID Card or Phone),"Who you are"(biometrics, i.e. finger print hash), using 1 factor or combination of 2 factors. For verification, storing hash on server is good enough.
If we use safely stored finger print hash in ID cards/Passports/Phones (Iris is better but expensive), the stolen IDs from server have less value to hackers. ICAO standard already includes secure storage of the biometrics data long time ago but not many countries implement yet. Finger print sensor is widely adopted in mobile phones. Anyway the technology exists. Maybe some identity theft incidents will push the government and the industry to implement the solutions
Unfortunately Germany deliberately borked the encryption ecosystem so it’s useless there. And many of the the smaller countries have trouble building out the infrastructure with everything else on their plate (Estonia being a significant exception).
Sure. The key is "ecosystem". A technical flaw notwithstanding, the PKI itself seems fine (Estonia also had a technical problem in this regard).
However the cards were simply rolled out: essentially the only practical difference for anyone between the old cards and the new was that there was a chip in it. But there was no surrounding infrastructure: government didn't take it, banks didn't take it -- there was no practical benefit. There were no mandates for use, no examples or or incentives. The country made greater provision for spelling reform than they did for the E-ID. There was a lot of unease about the idea of all that tracking...yet the card itself already leaks lots of unnecessary personal info (e.g. address) to anyone who glances at it.
Compare this to countries like Estonia who made a point of using the card as the easiest way to unlock government services and made it easy for companies to do the same.
Don't know what he means, but there were a couple of security vulnerabilities in the past. The German gvt. didn't really address how it was improved, but gave a security certification award to it.
Their problem with the German ID was that cheap readers did not have a keypad, so you'd have to enter your PIN on the PC, which could be infected with a trojan.
It's sad that this myth that "eID is insecure" has stuck around, because it's just not true. Their problems have all been with auxiliary devices or software, not the eID itself.
Unfortunately most places still check these type of cards visually, but I hope that electronic verification will become more common in a few years.
For example these cards can be checked very easily simply using an NFC Android phone and the right app.
In US for something similar you can look at ICAO passports and Enhanced driver's license,