More standardised approaches to user identification and authentication are needed.
According to a new position paper on authentication risks with European eID Cards by the EU's 'cyber security' agency ENISA (the European Network and Information Security Agency), as more and more internet applications requiring some kind of authentication are gaining popularity, more standardised and harmonised approaches to user identification and authentication are needed.
It claimed that while a universally applicable eID card is technologically feasible, it would be ‘advantageous for the business case if the reader infrastructure (including drivers and middleware) is largely rolled out in parallel or even before national eID cards are issued’.
It also said that ideally, all new mobile and desktop devices would already be equipped with the required readers and software components to allow immediate deployment and use of a national eID card without the need to install any additional software or hardware.
A recommendation said that every citizen should be able to either receive an electronic ID card immediately or be enabled to employ another credential, which could be an industry-issued smartcard, in order to use a web application.
Also, it said that ‘electronic identity cards bring new opportunities to increase the security level of already existing internet applications’, but security and privacy issues still remain to be considered and mitigating these risks may require changes in legislation.
A recommendation was for European governments to define privacy requirements for electronic identity cards, a particularly difficult task because the approaches to privacy in the member states vary fundamentally and requirements vary between applications.
With regard to privacy concerns, it said that the risk of identity theft is not necessarily higher in the case of a universally applicable eID card than in the case of several cards. Finally, it called for cooperation between banks and governments, and said that security requirements and guidelines have to be in place in order to use national ID cards for banking purposes.
Executive director of ENISA, Dr
Mel Morris, CEO of Prevx, said: “ENISA is right to point out the risks associated with eID cards. Another important consideration is that this is an expensive solution, which can impact a user's experience of online banking and potentially turn them off using these services.
“In addition, while current fraud techniques have yet to compromise the solution, the sheer volume of criminal intelligence being harvested by man-in-the-browser and information-stealing Trojans represents a massive latent threat.
“Banks, e-commerce and government sites should encourage users to augment their PC security by adding protection against browser-based attacks such as keylogging, screen-grabbing, cache rifling, man-in-the-browser and phishing.”
Meanwhile, the national identity register is ‘up and running’ according to the government's independent identity commissioner.
Sir Joseph Pilling has said that 538 people were on the database when he checked last week and all but one were UK nationals. Speaking to the home affairs committee, he claimed that as the ID cards contained fingerprints and other security measures, they would be difficult to forge.
Pilling also said that he had agreed to do the job for an initial period of 18 months, with his future role depending on the outcome of a general election. However, both the Conservatives and the Liberal Democrats have said they will scrap the ID card scheme if they win power.
According to BBC News, he has promised to look into concerns that because the scheme is voluntary - rather than compulsory as originally planned - it would be possible for people to register for ID cards using false identities.
However, those opposed said that it is the identity register - rather than the ID cards themselves - that poses the biggest threat to privacy and security of personal information.