German ID Card System Hacking: Security Lessons Learned

The public hacking of the German national ID card system – which is due to be phased in from this November onwards – is almost certainly down to a failure of security being added as an afterthought, rather than integrated from the earliest stages of the development process.

In addition, the fact that it has been cracked so publicly on TV by the Chaos Computer Club will not help the German government in its cause to extend the card’s usage beyond its national ID beginnings.

The gameplan with this card – which is capable of carrying a wealth of data on German citizens, including their online banking data, personal biometrics and authentication information for use when interacting with online government Web sites – is quite extensive.

But given the fact that the notorious Chaos Computer Club has cracked the card system on a WDR TV programme, it will almost certainly discourage German citizens – or third-party institutions – from adopting the technology. It is critical to any new security system that its users have absolute confidence in the platform if the system is to take off.

The ID card industry was hit badly this year when the UK government scrapped its plans for an ambitious UK national ID card system, so this very public cracking of the German card scheme – weeks before it is due to go live – is not positive on several levels.

On one level there is the public confidence in the security, whilst on another there are the commercial implications for the German ID card system, since third-party organisations will not have been filled with enthusiasm over the TV cracking of the system.

The German Federal Office for Information Security has already admitted to weaknesses in the security of the national ID cards, in a system which has reportedly cost around 24 million euros to develop so far. With all this government money being poured into the German national ID card system, why wasn’t security built into the system from day one? Why weren’t the developers encouraged to produce a system with the very high levels of security that we know can be achieved?

This is a breathtaking example of what can go wrong on the development front when developers don’t ‘get’ the need for security as a fundamental aspect of an IT project. Yes, the card system is claimed to be more secure than an ID/password combination, but that’s not the issue here. Confidence in the new German ID card programme has been shattered, so the government will have to resolve the situation.

And that resolution is going to cost far more money than it would have cost the Government and its contractors to integrate high levels of security into the development process.

Richard Kirk is currently responsible for all aspects of Fortify's business in Europe, the Middle East and Africa. Richard was formerly VP EMEA for Nominum, the leading vendor of DNS security solutions. During his time at Nominum, Richard grew the EMEA business and organisation to the point where all major European telecoms companies, as well as most major ISPs, adopted Nominum’s solutions. Richard has more than 20 years of international sales and marketing experience across all areas of IT, particularly in enterprise, security and mission-critical systems for banking, finance and telecoms companies. During this time, Richard has held a number of executive sales, consulting and technical positions and was instrumental in building the scheduling and broadcasting software system for Channel 4 television (UK). He has also lived and worked in several countries throughout the world, and speaks Spanish, French and Italian. Richard holds degrees in mathematics, statistics and computing. He is a chartered mathematician, chartered scientist and a member of the Institute of Mathematics.