The public hacking of the German national ID card system – which is due to be phased in from this November onwards – is almost certainly down to a failure of security being added as an afterthought, rather than integrated from the earliest stages of the development process.
In addition, the fact that it has been cracked so publicly on TV by the Chaos Computer Club, will not help the German government in its cause to extend the card’s usage beyond its national ID beginnings.
The gameplan with this card – which is capable of carrying a wealth of data on German citizens, including their online banking data, personal biometrics and authentication information for use when interacting with online government Web sites – is quite extensive.
But given the fact that the notorious Chaos Computer Club has cracked the card system on a WDR TV programme, it will almost certainly discourage German citizens – or third party institutions – to adopt the technology. It is critical to any new security system that its users have absolute confidence in the platform, if the system is to take off.
The ID card industry was hit badly this year when the UK government scrapped its plans for an ambitious UK national ID card system, so this very public cracking of the German card scheme – weeks before it is due to go live – is not positive on several levels.
On one level there is the public confidence in the security, whilst on another there are the commercial implications for the German ID card system, since third-party organisations will not have been filled with enthusiasm over the TV cracking of the system.
The German Federal Office for Information Security has already admitted to weaknesses in the security of the national ID cards, which has reportedly taken around 24 million euros to develop so far. With all this government money being poured into the German national ID card system, why wasn’t security built into the system from day one? Why weren’t the developers encouraged to produce a system with the very high levels of security that we know can be achieved?
This is a breathtaking example of what can go wrong on the development front when developers don’t `get’ the need for security as a fundamental aspect of an IT project. Yes, the card system is claimed to be more secure than an ID/password combination, but that’s not the issue here. Confidence in the new German ID card programme has been shattered, so the government will have to resolve the situation.
And that resolution is going to cost far more money than it would have cost the Government and its contractors to integrate high levels of security into the development process.