Japan mandates app to ensure national ID cards aren't forged

The Japanese government has released details of an app that verifies the legitimacy of its troubled My Number Card – a national identity document. Beginning in 2015, every resident of Japan was assigned a 12-digit My Number that paved the way for linking social security, taxation, disaster response and other government …

  1. Adair Silver badge

    Yep, there's a big difference between a "Wanna buy a fake authentic ID?" piece of paper that just has to look good because no one has the means to quickly prove that it isn't fake, and the 'non-ID' that instantly drags in gigabytes of data that may, or may not, relate to you, but no one is going to take responsibility for it.

    Welcome to the hell of good intentions and overweening irresponsible power.

    Yay, 'ID Cards' - the sign of hubris.

    1. Pascal Monett Silver badge

      Re: the sign of hubris

      I would disagree. ID cards are useful and are not necessarily a sign that your government is veering Big Brother (it is, but not for that reason).

      The problem in Japan, as I see it, is that the team drawing up the specifications apparently didn't bother to check with countries that already had ID cards to find out what problems those countries had found and think about how their scheme might be impacted. On top of the other problem that is this is the first time anyone has tried to implement a digital ID scheme based on numbers.

      No, wait, Social Security has been based on numbers since forever. Maybe they should have looked into that.

      Oh well, I'm sure the Agile team is on it. After all, move fast and break things, right?

      Oh, right. It's already broken.

      1. Adair Silver badge

        Re: the sign of hubris

        Nothing intrinsically wrong with 'ID Cards'—they have their proper time and place.

        The problem with 'ID Cards' is the human institutions and individuals wielding the power, as has been demonstrated time and time again.

        1. zimzam

          Re: the sign of hubris

          There's quite a big problem with linking that ID card to every other form of information about you though.

        2. Graham Dawson

          Re: the sign of hubris

          Ultimately, the problem with ID cards is that the only thing they reliably demonstrate is that the person holding the ID is the person the ID describes.

          1. LybsterRoy Silver badge

            Re: the sign of hubris

            Near but not quite:

            Ultimately, the problem with ID cards is that the only thing they reliably demonstrate is that the person holding the ID is the person holding the ID.

  2. Ian Johnston Silver badge

    So counterfeit cards will need to store the same information on a full as they have printed on them? Is that very difficult? I had a work ID card which did that fifteen years ago, and it was made for me in five minutes by a bloke in security.

    1. gryphon

      Remember that the private key of the great god certification will no doubt be protecting the details on the chip on the card.

      1. Ian Johnston Silver badge

        Thanks. I imagine that the chances of a private key being leaked from a system making ... <Googles> ... 125m cards at first and then 750k cards per year are negligible.

    2. Blazde Silver badge

      There's a digital certificate on the smart chip, presumably that prevents (at least intends to prevent) anyone other than the owner of the private signing key creating a valid novel chip. However the anti-cloning tech possibly appears to be merely the PIN, which the card holder knows and needs to use routinely. So if the legitimate owner is willing - under duress or otherwise - to allow cloning maybe it's easy.

      Other highlights:

      Even when it is lost, impersonation by a third person is not easy.

      'Not easy', wow that's reassuring.

      Laser engraved letters along with intricate anti-counterfeit patterns make forgery difficult.

      That bit has obviously failed already. Honestly if I were a forger the joy of dealing with 'intricate patterns' and engraving would be what got me out of bed in the morning.

  3. Mike 137 Silver badge

    Lest we forget ...

    it's a myth that "everyone has an iPhone". There are large numbers of perfectly respectable folks who don't have (or can't use) a smartphone (or even access to a computer). Are they to be written off by the technocrats?

    1. zimzam

      Re: Lest we forget ...

      Or have a phone that isn't supported on the minimum OS version that the app will require.

      1. Woodnag

        Re: Lest we forget ...

        And the mandatory app will require permissions to access all sorts of stuff on the phone like contacts.

    2. Will Godfrey Silver badge
      Unhappy

      Re: Lest we forget ...

      Indeed. How many blind people can make effective use of a smart phone? Oh, and what about those with motor control difficulties, such as cerebral palsy? Notwithstanding the poor people who have no possibility of ever being able to afford such a luxury.

      1. Ian Johnston Silver badge

        Re: Lest we forget ...

        "Blind" does not mean "wholly without sight". Many blind people use smartphones.

    3. DS999 Silver badge

      Given that

      Japan has one of the most rapidly aging populations, I have to think the "no problem everyone will use an app" is going to run into some issues with the centenarian crowd. My mom is "only" 86 and she struggles with tech. She has a cell phone but uses it only when away from home or to call long distance, and doesn't use it for ANYTHING else but calling. If she was told every time she goes to the doctor or the bank or the DMV she had to open up an app on her phone she would not be happy.

      Now granted the local (MAJOR, not a fly by night outfit) hospital's "authentication" is to provide your name and birthdate, that's it. I can't see anything stopping me from calling up and using someone else's name and birthdate to make an appointment, then showing as "him" and getting some nice expensive elective surgery and sticking him with the bill. You'd think they'd have better authentication - at least asking to see a driver's license or something - given that you could potentially generate hundreds of thousands of dollars in expenses, or create some embarrassing situations. By that I mean, what if a miscreant made an appointment to inquire about sex reassignment surgery under someone else's name? The fact of that inquiry is going to be in their medical records for the rest of their life, which could derail a marriage or career in politics. I mean, I suppose in theory it is possible to have something deleted from your medical records, but I'm guessing it isn't easy and there are no guarantees all traces of it would be gone.

      So while I agree that Japan's rollout of ID cards seems to have been somewhat naive, there are some serious issues that can arise from the lack of proper identification/confirmation of identity. I'm kind of surprised what I outlined hasn't happened before (or more often, just because I haven't heard of it being done doesn't mean it hasn't happened a few times at least)

      1. LybsterRoy Silver badge

        Re: Given that

        I also wonder if mobile phone coverage is 100% in Japan. One of my neighbours lives in a stone built house - if his bank (or anyone) wants to send an SMS he has to go to the bottom of his garden - no signal indoors and the house blocks it outdoors in much of the garden.

        1. Ian Johnston Silver badge

          Re: Given that

          Until wifi calling came in, every time I needed to do a Royal Bank of Scotland transaction online I had to drive up the steep hill outside my stone built house for about half a mile, wait for my phone to connect to the signal there, wait for the authentication code to arrive, drive back home and continue. Unfortunately that palaver took about five minutes, which was also the period of validity of the code.

          My record was six trips up that damned hill until I managed to get back in time. And yes, on reflection I should have gone up first, left my phone there, come back, started the transaction and then driven back to get the phone and the code. Hindsight, eh?

        2. CrazyOldCatMan Silver badge

          Re: Given that

          One of my neighbours lives in a stone built house

          I once got asked to quote for a wifi install at a castle. My initial discussions indicated that they were expecting to have one, maybe two APs to cover the whole of the office area (6-7 smallish rooms in the castle keep - all original build..).

          I set up an AP in one room then walked next door and showed the site manager the complete loss of signal.

          He wasn't convinced so I repeated it with all the other rooms.

          Turns out that 3-foot thick stone and rubble walls block 2.4GHz signals quite effectively (this was before 5GHz - which would have been even worse!) - who knew?

          I presented them a quote that consisted of 1 AP per room plus extra ethernet cabling (only 1 cable per room at the time with cheap 10/100 switches on the end of them) plus an on-site controller plus installation of said equipment and cabling (keeping in mind that the castle was a grade-1* listed building so needed installers capable of doing the installs within the rules).

          Unsurprisingly, they took one look at the cost and deferred the project.

        3. Anonymous Coward

          Re: Given that

          Lots of places in the US like that. Few problems in MA like that, but go up the road a few miles to VT, and at least a few years ago most places I went to had no phone service unless you were willing to climb a steep hill.

    4. MatthewSt Silver badge

      Re: Lest we forget ...

      I would imagine it's the person verifying your identity that needs the app, not the bearer of the card. Presumably the bearer of the card already knows who they are and whether the card is legitimate.

      Otherwise, as well as a market for a fake card you've now got a message for a fake app too...!

  4. An_Old_Dog Silver badge

    No PIN Required

    ... for the verification app to access the card issuee's on-chip data?! Hard-coded credentials? A magic certificate?

    These are all things bad people can extract from the card-verification app and use within their malware app to steal a card-issuee's critical personal data from their card.

    They just have to convince the card-issuee to stick their ID card into an ID card reader which is under the control of the malware gang -- a low hurdle.

  5. Adair Silver badge

    Not forgetting, of course, the horrible inconvenience of statistical reality.

    Your digital ID hardware/system is 99.9%* accurate in terms of reliability of hardware and data - whoopee!

    * this number is made from idealistic naivety.

    Your population is 70 million IDs/people.

    At any given time 70,000 people's lives/livelihoods are up shit creek. Quite possibly without any reasonable hope of a paddle.

    And that doesn't begin to account for the people deliberately subverting and abusing the system for criminal gain and/or bureaucratic expediency and callousness.

  6. b1k3rdude

    Digital ID should be a hard pass for anyone with more than 2 brain cells to run together..

    1. Someone Else Silver badge

      Digital ID should be a hard pass for anyone with more than 2 brain cells to run together..

      That would, of course, exclude tRump and any and all MAGAts. Damn! That's a lot of people!

      1. M.V. Lipvig Silver badge

        Wow, you're quite the fuckwit, aren't you? Digital ID is a leftist's wet dream as it puts all your information under the gummit's thumb, where the gummit can <clickety click>unperson you. Normal people don't like the idea of all your personal information being in one place for one-stop thieving by the local malware gang.

        1. Ian Johnston Silver badge

          It has nothing to do with left vs right. It's an authoritarian ideal, and there are authoritarians across the political spectrum.

          1. M.V. Lipvig Silver badge

            "It has nothing to do with left vs right. "

            The votes here say otherwise, as the post claiming the right aims to authoritarianism gets voted up, the one that says the left does gets voted down. In the US I only see one party trying to weld a collar around our collective necks. From bans on everything to higher and higher taxes and more and more services "provided" by the government, only the leftists are authoritarians here. I don't see right wingers trying to control what kind of stove I can have in my kitchen or what kind of car, if any, I can have.

  7. Blue Shirt Guy

    Fixing a problem that doesn't exist

    Did they at any time stop to think that they had mis-framed the original question?

    If people are forging ID documents to buy phones, then the solution is not more ID documents, it's removing the need for ID documents.

    The UK is not perfect but as an example, I can walk into a shop and buy an iPhone on contract without any ID because they can ask me questions that only I know and pay with a card that the bank have already verified that on its own proves my identity. Yes there's a very small amount of fraud, but adding new forms of ID cards to the mix just makes it even more likely that someone will think a fake ID is real as it only adds to the confusion. Then having to verify that with an app will lead to fake apps and you've created a war of attrition that only benefits the fraudsters.

    Adding an ID card adds nothing to this but opens up more opportunities for fraud. Needing an app to verify the ID card then just proves the point.

    https://xkcd.com/927/

    1. DS999 Silver badge

      Re: Fixing a problem that doesn't exist

      What are the questions "only you know"?

      Are they the same questions every time? So that if, for example, I was standing behind you in line and could easily overhear everything being said...

    2. Anonymous Coward

      Re: Fixing a problem that doesn't exist

      Sure but you can turn it the other way round.

      If there is an id card then you don’t have to rely on 3rd parties or even have a credit card to be able to go about your business.

      Denmark as an example has a CVR number for every citizen without which you cannot interact with the state and most of society.

      The UK already has an ID system called an NI number

      It just refuses to formalise it or make it more secure.

      1. Brewster's Angle Grinder Silver badge

        Re: Fixing a problem that doesn't exist

        "The UK already has an ID system called an NI number. It just refuses to formalise it or make it more secure."

        You also have an NHS number. And many of us here have a Unique Taxpayer Reference.

        But an ID number can never be secure in and of itself. That number has to be shared, legitimately, with many people. Knowing it doesn't prove or authorise anything - as we proved with credit card numbers. In pre-internet days, commercial institutions could tolerate the losses from such a crude system (as well as forcing some of the losses onto customers where they could get away with it). You don't have those options with an ID system. Stopping the losses (i.e. the criminals) is the whole reason for the ID system, otherwise you've added a layer of bureaucracy to the life of ordinary people for no gain.

        And these days bank cards have a PIN, for in-person purchases, and 2FA for online purchases. "Making it secure" means introducing a similar infrastructure. The unique number is the least important bit. It's not an ID number, but an ID system.

        1. LybsterRoy Silver badge

          Re: Fixing a problem that doesn't exist

          For online purchases I use my 17" screen laptop (I want to see what I'm buying) and if the bank phones me to verify it's on a landline. If I'm buying stuff whilst out I have cash, debit and credit cards.

  8. ChrisElvidge Silver badge

    Mobile app

    "If all goes according to plan, the app should be ready for general release in late August."

    Another example of horse/stable door. Why was the "app" not part of the initial specification?

  9. Someone Else Silver badge
    FAIL

    Oh, Great!

    So now, every man, woman, child (and quite possibly pets) must own a several-hundred-to-over-a-thousand dollar (in yen) smartphone just to be a citizen of the Empire. Great!! Is the Empire going to pay for these things? Didn't think so....

    Isn't it ironic that something as notoriously insecure as a smartphone is somehow going to correct the insecurities in the nation ID system. Oh, and don't let that Precious get stolen, damaged or destroyed. Dumbasses are Dumbasses, no matter what continent they live on. And when they get into power...Hoo-boy!

    1. MatthewSt Silver badge
      FAIL

      Re: Oh, Great!

      The app is used by the person who wants to verify the authenticity of the card, not the cardholder. Cardholder isn't required to have any device whatsoever.
