This is an insightful comment on the real-world threats to this kind of system. The same is true of the EMV “chip and PIN” cards used by banks, where it has been a source of significant fraud. Since the bad guys cannot counterfeit the chips on DDA EMV cards, they just counterfeit the magnetic stripe on the back and take a screwdriver to the chip. When the card is inserted into some ATMs, the ATM cannot read the chip, so it reads the (fake) stripe instead. Now it looks as if the Malaysian fraudsters have gone the same way.
Why am I curious about this phenomenon? Because it supports our view that a national identity management scheme needs to be a utility in which symmetry is integral: anyone should be able to check the validity of anyone else’s identity “card” (which may, of course, be a phone or a bracelet or whatever) using a device to hand — I’m imagining a phone, obviously — rather than have to take it on trust by looking at the printing on the card. In fact, I’m a strong advocate of cards being blank anyway: my identity card should have a picture of my choosing on it (my cat, for example), not a picture of me together with other details of great benefit to identity thieves, such as my full name and date of birth. Issuing cards that are going to be validated by the human eye is not a step forward. Issuing cards that can only be validated by a complicated and expensive piece of machinery is not either. And before anyone posts a third way, I’m not sure that entrusting my national identity card PIN to point-of-sale terminals is a way forward either. If I did, then I’m sure that a fraudster would soon find it worthwhile to steal my card and apply for a passport at a kiosk and… well, it’s just not good.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.