Japan Mandates App To Ensure National ID Cards Aren't Forged (theregister.com) 34
The Japanese government has released details of an app that verifies the legitimacy of its troubled My Number Card -- a national identity document. From a report: Beginning in 2015, every resident of Japan was assigned a 12-digit My Number that paved the way for linking social security, taxation, disaster response and other government services to both the number itself and a smartcard. The plan was to banish bureaucracy and improve public service delivery -- but that didn't happen.
My Number Card ran afoul of data breaches, reports of malfunctioning card readers, and database snafus that linked cards to other citizens' bank accounts. Public trust in the scheme fell, and adoption stalled. Now, according to Japan's Digital Ministry, counterfeit cards are proliferating to help miscreants purchase goods -- particularly mobile phones -- under fake identities. Digital minister Taro Kono yesterday presented his solution to the counterfeits: a soon to be mandatory app that confirms the legitimacy of the card. The app uses the camera on a smartphone to read information printed on the card -- like date of birth and name. It compares those details to what it reads from info stored in the smartcard's resident chip, and confirms the data match without the user ever needing to enter their four-digit PIN.
ridiculous (Score:2, Insightful)
Not sure how much this helps (Score:3)
Re: (Score:3, Interesting)
According to Japanese news https://mainichi.jp/english/ar... [mainichi.jp] the ID chip was (in a first phase) successful in eliminating driver licence fraud (police officers check the chip data), which means fraudsters are unable to reprogram the data in the chip. So my guess is fraudsters use blanks or stolen cards and just reprint the name and number to that of a rich target for which the ID numbers can be found on the internet.
In one instance, the forged card was used to SIM swap a politician, then use the mobile phon
Re: (Score:2)
How can a counterfeiter place false identity data on the chip .. unless they can crack digital signatures? With present day tech they possibly could, with some sophisticated equipment, clone an existing card of someone who looks the same as they do (I assume their image is stored on chip too) .. but that's not scalable. I think the best solution is this chip in combination with online verification. The chip data can be used if there is a communications issue .. but otherwise it can use online verification.
Re: (Score:2)
With present day tech they possibly could, with some sophisticated equipment, clone an existing card of someone who looks the same as they do
Could you? Presumably they've at least had the sense to look at the protocol used by credit/debit cards and implemented something at least as secure. As far as I'm aware no one has figured out how to clone the chips in those smartcards.
Re: (Score:2)
The data are probably cryptographically signed using a private key known only to the government. This could then be verified by an app using only a public key. Or it's probably more complex to avoid the leak of a single private key compromising the whole system.
Re: (Score:2)
PKI enables an easy fix for that: embed a private key on the card, reading it is done by sending a nonce that gets concatenated with the ID data, and the card returns a signature for that pair plus a different-signed certificate for its key. You can query as many times as you want, but it won't help you clone the card unless you have a quantum computer that can crack the signature algorithm.
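The challenge-response read described in the comment above, as an added example that is not part of the original thread or of the My Number Card's actual protocol. It assumes toy textbook RSA built from known Mersenne primes as a stand-in for a real signature scheme, and the names `Card`, `check_card` and `replay_clone` are hypothetical; it shows a genuine card passing while a clone that replays a recorded read fails on a fresh nonce.

```python
import hashlib, secrets

E = 65537

def keypair(p, q):
    """Toy textbook-RSA key from two known Mersenne primes (stand-in, NOT secure)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(_h(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _h(msg, n)

def pub_bytes(pub):
    return f"{pub[0]:x}:{pub[1]:x}".encode()

class Card:
    """Chip model: the private key stays inside and only signs challenges."""
    def __init__(self, id_data, priv, pub, ca_priv):
        self.id_data, self._priv, self.pub = id_data, priv, pub
        self.cert = sign(ca_priv, pub_bytes(pub))  # issuer certifies the card key

    def read(self, nonce):
        sig = sign(self._priv, nonce + self.id_data)
        return self.id_data, self.pub, self.cert, sig

def check_card(ca_pub, respond):
    """Verifier: send a fresh nonce, check the certificate, then the signature."""
    nonce = secrets.token_bytes(16)
    id_data, card_pub, cert, sig = respond(nonce)
    if not verify(ca_pub, pub_bytes(card_pub), cert):
        return False  # card key was not certified by the issuer
    return verify(card_pub, nonce + id_data, sig)

# Constructed sample keys and identity data (assumptions, not real card values).
CA_PUB, CA_PRIV = keypair(2**607 - 1, 2**1279 - 1)
CARD_PUB, CARD_PRIV = keypair(2**127 - 1, 2**521 - 1)
card = Card(b"name=SAMPLE TARO;dob=1990-01-01", CARD_PRIV, CARD_PUB, CA_PRIV)

def replay_clone():
    """A clone that can only replay one read recorded from the genuine card."""
    recorded = card.read(b"\x00" * 16)
    return lambda nonce: recorded
```
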
Re: (Score:2)
Remember when we almost had a totalitarian society dominated and controlled through QR codes on an app?
Fun times.
It failed, thankfully, but not because of exploits and shortcomings of the QR codes. They would've been absolutely enough to subjugate us all. It was - or is - certainly enough to control a few billion Chinese mainlanders.
In reality, you'd pretty likely end up with a photo or other biometric recognition data embedded and verified through the digital signature, because nothing else can prevent all fo
Re: (Score:2)
Japan pioneered secure stored value cards for public transport and shopping. They remain secure to this day - nobody has figured out how to give themselves free money on their Suica or Pasmo cards, or how to clone them.
The tech was developed by Sony. The actual account balance is stored on the card itself, so any failure of its security would be catastrophic.
They do at least know how to make a secure card that can't be cloned or forged.
and apple will be forced to allow this app and it (Score:2)
and apple will be forced to allow this app and it can't be removed?
Re: (Score:2)
Even in the extremely unlikely event that Apple permanently bans an official government app, it would not be a major problem. It's not the card holders that need the app, only the people checking them, which will generally be businesses, government agencies, etc. If they need to go out and buy a cheap Android phone then that's a pretty small cost of doing business.
The heads of Japan and Apple recently announced [japantimes.co.jp] an upcoming, separate Apple app that will be able to be used by the public in place of the id ca
win for the consumer (Score:1)
Sometimes (Score:2)
"Mandating an app" is probably illegal? (Score:4, Insightful)
Re: (Score:2, Interesting)
Mandating an app would in effect mandate that citizens contract with Google, Apple or Microsoft
And that's a problem because .... ?
Our town recently switched to a (privately contracted) parking management service. They take GPay, Apple Pay and a few others. Point your smart phone with app at the parking sign and click. Don't have a smart phone or want to download the app? Get out of our town!
Re: (Score:2)
Don't have a smart phone or want to download the app? Get out of our town!
Assuming you're in the USA, the dollar bills that circulate in that town say "This note is legal tender for all debts, public and private". Your privately contracted parking management service may not want to take cash for your debt until they come into contact with their first retired person with a jar full of quarters and the time on their hands to take the ticket to the state supreme court to determine whether a town can mandate that state-funded roads can have metered parking which does not allow for ca
Re: (Score:2)
a guy who tried to pay his federal income taxes in cash....Same would happen with the parking meters, months of effort, multiple visits to various town government offices, eventual payment of the parking, or possibly parking violation ticket, in quarters will be achieved.
More what my thought was, was the possibility of the parking meters would be rendered toothless. Typically with parking tickets, is that they go on your driving record and they boot/tow/impound your car. A committed busybody could take still photos of themselves next to the parking meter, holding up the correct amount of cash for the park, complete with a time/date stamp, then refusing to pay the ticket. Once the "or else what" element comes into play (a private company may not be able to impound cars or h
Re: (Score:2)
It is not clear if it is mandatory as in being "an offence of not having it", or as in "you can't do certain things if you choose to refuse". If we accept the second interpretation, it means the app is only compulsory if you plan to own a smartphone (and actually use it for more than voice calls). If you only pay cash and only purchase items that do not require ID verification, and only use a dumb phone to make phone calls, then you can live an entire life without contracting with Google/Apple/Microsoft.
Ano
Re: (Score:2)
This is no different to government demanding a car-owner having insurance, they don't demand owners buy from one corporation. For phones and general-compu
Re: (Score:2)
Mandating an app would in effect mandate that citizens contract with Google, Apple or Microsoft
No, this is an app for verifying that IDs presented by citizens are valid. It's not an app that citizens will use unless they're working for a business or government agency and checking IDs. You'd expect that the phones used for this purpose would generally not be the employees' personal devices.
There is already an Android app, and an iPhone app has been announced, that citizens can use instead of the ID card if they want. Or they're free to continue to use the physical ID card instead.
And then ... (Score:3)
Japan Mandates App To Ensure National ID Cards Aren't Forged
They'll need another app to verify that app ... it'll be Turtles all the way down. [wikipedia.org].
Musing... My favorite analogy like this is from Better Off Ted [wikipedia.org], Racial Sensitivity [fandom.com] (s1e4) when the company replaces the building's automation sensors with ones that work by "detecting light reflected off the skin" and it fails to detect black employees. [While working on it, Management reminds employees to "celebrate the fact that it does see Hispanics, Asians, Pacific Islanders -- and Jews."]
They try hiring white people to simply follow black employees and activate things for them, but HR says that's racist, so they then hire black people to follow those white people, and then more white people to follow those black people ... They finally convince Management, who are loath to be "wrong", to switch back to the old sensors with a presentation using a money argument (with charts and graphs), excerpted below:
And so, if the company keeps hiring white people to follow black people to follow white people to follow black people, by -- Thursday, June 27, 2013 -- every person on Earth will be working for us. And we don't have the parking for that.
Now let's take a look at how this would affect health care costs. [The graph is off the scale.]
Re: (Score:2)
They'll need another app to verify that app ... it'll be Turtles all the way down.
I think you're reading this as being an app that a citizen would use to prove their identity. It's not. It's to be used by the entity requesting that a citizen present an ID card to confirm that the card is legitimate. Download the app from an official source and job done.
SSI (Score:2)
They could follow the lead of Bhutan and the EU by implementing Self-Sovereign ID instead.
Re: (Score:2)
What a good way to reveal a total lack of understanding
No more half measures (Score:2)
Under-the-skin implanted chips are the way forward. Loaded with all your biometric data and DNA info. With self-destruct capabilities in case of suspected fraud.
It worked for dogs, should work for humans too.
Re: (Score:2)
Mod parent funny. At least I think that was your intention.
I wish I had seen the story before it was so close to expired. Already about to fall off the page, but I have had one of these things for some years... Not worth the effort of a substantive comment now.