Spy Blog - SpyBlog.org.uk

National identity card to come with PIN number

Ian Morgan
Published: 15/03/2006 - 12:25:39 PM
Press Association

The controversial new national identity card may come with a PIN number like existing bank cards.

The Home Office Minister, Andy Burnham, said a "chip and pin" style code number could be used to verify cardholders' identities in some cases, rather than fingerprints, face and iris scans which will be encoded in the card.

Ministers have previously indicated that government departments, banks and other businesses would verify someone's identity by scanning their "biometrics" or by simply looking at the card.

This would have required huge investment in biometric reading machines, for example at every doctor's surgery and benefits office, but the full cost has never been estimated by the Home Office.

Similarly there is no estimate of the cost of the less secure nut still expensive national network infrastructure of "Chip and PIN" readers either.

There is a network of credit card / debit card "Chip and PIN" readers in shops and banks, but not in doctors's surgeries or Government offices or in employer's personnel departments.

Given that the costs of installing a secure network, infrastructure exceeds the cost of the actual reader devices at the extremities of the network itself, and "intermediate" "Chip and PIN" scheme may not save any money whasoever.

Mr Burnham said: "A PIN number would be a new 'intermediate' way of checking a card was authentic.

"The verification services that could be offered would be applied appropriately according to the business process that was involved," he said.

"It could range from a basic visual check to the use of a PIN number, or in high-value transactions, a biometric verification."

After a speech at a conference in central London organised by the Social Market Foundation the minister said: "In a shop, a bank or somewhere that an organisation does not want to conduct a full biometric check against the national identity register, there are systems we can use where we can verify via a PIN number.

If banks cannot be persuaded to invest in biometric scanners, then why should anyone else pay for them ?

"It is an option we are looking at.

"When we get into the procurement phase we will be interested to see what the private sector says about it.

"There is an intermediate level where people may not want to invest in the biometric equipment but they need a better verification, and the PIN number may be a way of doing that."

What has the Home Office wasted over £ 30 million on consultancy fees etc. up to this point, if they have still not yet produced a detailed specification of the scheme, which will be put out to tender ?

The minister agreed that using one's fingerprints or iris as a means of identification was the "ultimate convenience".

But he added: "Having an intermediate level of verification is probably a sensible thing to do."

Not if the scheme is meant to address the statutory purposes it is not.
.

Asked if the PIN number was being proposed because of the cost implications of biometric readers, the minister said: "It is partly that. It is about giving everybody a level at which they can use the scheme.

"For a pub, I am almost certain they would want a visual check of the card (to verify a person's age).

"Then you have got levels of service depending on the value of product that you are dealing with."

If the level of identity verification is no better than for existing credit cards, then how will this scheme reduce "identity fraud" in any way whatsoever ?

The Identity Cards Bill which will allow the Government to begin building the controversial scheme is nearing the end of its passage through Parliament.

The first biometric passports, which are regarded as a prototype for the technology destined for ID cards, have already been issued. The Government estimates the project will cost up to £3.1 billion, although other organisations have put a far higher figure on the overall cost.

Biometric Passports and Machine readable Travel Documents to the International Civil Aviation Authority standards, which are touted as being one of the main driving forces behind the Identity Cards Scheme controversially use contactless radio interfaces (which are full of their own security and privacy risks).

The "Chip and PIN" systems used for credit card and debit cards etc. deliberately use contact smartcards which you insert into a reader slot.

It is possible to create smartcards which are both "contactless" with antenna loops and to also have electrical contacts on them as well. In that case, the Government's promises of a 10 year lifetime for the ID Card become meaningless, since there are no such systems in widespread use in the world, upon which to base susch estimates on.

The wear and tear on the electrical contacts of a credit card "Chip and PIN" smartcard are one of the limiting factors in its physical lifetime.

The antenna loop needed for a "contacless" / RFID ICAO Passport compatible smart card runs around the periphery of a credit card and so will be at risk of damage due to flexing of the card when it is insereted or extracted from a contact reader. This is exactly why "contactless" cards or passport booklets have been touted as a solution.

To combine both of these technologies on a single card is expensive and unecessary and increases the risk of equipment failures.

No "Chip and PIN" credit card is designed to last 10 years, and this is one of the points upon which both the London School of Exonomics and even KPMG have questioned the Home Office's unpublished cost estimates on.

Remember that the Identity Cards Bill makes it your fault if either the ID Card or the Reader fails, not that of the Government nor the supplier nor any subcontractor operating the scheme.

In the worst case you could be accused of tampering with the ID Card and fined up to £2500.

It is completely unclear who is to blame if a "Chip and PIN" system fails due to negligence or equipment failure - is such an "intermediate verification check" part of the core National Identity Register or not ?

The Home Office says it will cost £584 million a year to run the biometric scheme, most of which will be spent on gathering the fingerprints, iris and face scans of every over-16 in Britain.

Each card will cost £93 to produce, at current estimates, and Home Secretary Charles Clarke has said a "standalone" card which will not function as a passport, will cost £30.

There is a difference between the fee charged to the British resident and the actual cost of the card and enreolment process which may be subsidised or which may involve travel costs and loss of earnings costs, cancelled holidays etc. far in excess of this, due to the inflexible biometric enrollment process requiring a person to queue up at a specified time and place.

Phil Booth, spokesman for the anti-ID card campaign group NO2ID, said: "The Home Office have publicised this whole scheme as being highly secure and based on the magic of biometrics.

"But the reality is that the only scheme they have a practical hope of pulling off is a bog-standard smartcard with a PIN number.

"We have been told that the national ID card is to be the 'gold standard' of identity.

"Now it turns out that it will be nothing more than a four-digit PIN protecting our most private, personal information.

"The Home Office clearly can't deliver its promise on biometrics."

He added: "The network of biometric readers alone would bankrupt the project and that is why they need to rely on a PIN number.

"The PIN number is technology that the criminals and thieves have already compromised."

A separate network of "Chip and PIN" readers is unlikley to be cheap either, and would offer even less security than biometrics.

Remember that the existing retail / banking / credit card "Chip and PIN" online network infrastructure does not extend to Government departments or the National Health Service or to every employer (supposedly to combat illegal immigrant workers) in the country, which is where the scheme is peresumably intended to be used.

If even banks cannot be persuaded of the business case for installing biometric readers, then why would any other business do so ?

There has been previous Home Office kite flying about the retail credit card "Chip and PIN" infrastructures in the pathetic "Regulatory Impact Assessment" in 2004

They refused to make any cost estimates about this, but seemed to somehow expect it all to getupgraded to include compatible biometric readers in the future, for free.

Costs

61.
The ID Cards Programme is working closely with APACS to examine the technical architecture underpinning Chip & PIN and to benefit from lessons learned during the rollout. The dialogue will help to develop considerations of where shared technical opportunities with the Chip & PIN infrastructure might exist in the future. Financial services and retail organisations are already investing heavily in the ‘Chip & PIN’ smartcard reader infrastructure. As of September 2004, 438,000 Chip & PIN tills had been installed (about 50% of the final target). ID cards will be more widely held at the time when these readers will need to be replaced or upgraded. If the replacement readers could also read ID cards, the cost of the ID card reader infrastructure for
organisations which have invested in Chip & PIN could be negligible.

Of course, it is entirely possible that Andy Burnham is technologically ignorant enough to confuse "Chip and PIN" technologies and infrastructures with his Home Office Ministerial colleagues previous security howlers involving "remote authentication" over the internet and PINs.