Japan mandates app to ensure national ID cards aren't forged
- Reference: 1722578407
- News link: https://www.theregister.co.uk/2024/08/02/japan_smartcard_verification_app/
- Source link:
Beginning in 2015, every resident of Japan was assigned a 12 digit My Number that paved the way for linking social security, taxation, disaster response and other government services to both the number itself and a smartcard.
The plan was to banish bureaucracy and improve public service delivery – but that didn't happen. My Number Card ran afoul of [1]data breaches , reports of malfunctioning card readers, and database snafus that [2]linked cards to other citizens' bank accounts . Public trust in the scheme fell, and adoption stalled.
[3]
Now, according to [4]Japan's Digital Ministry , counterfeit cards are proliferating to help miscreant purchase goods – particularly mobile phones – under fake identities.
[5]
[6]
Digital minister Taro Kono yesterday presented his solution to the counterfeits: a soon to be mandatory app that confirms the legitimacy of the card.
[7]Japan to change laws that require use of floppy disks
[8]Japan's digital minister surrenders salary to say sorry for data leaks
[9]China ponders creating a national 'cyberspace ID'
[10]Indian authorities issue conflicting advice about biometric ID card security
The app uses the camera on a smartphone to read information printed on the card – like date of birth and name. It compares those details to what it reads from info stored in the smartcard's resident chip, and confirms the data match without the user ever needing to enter their four-digit PIN.
The app stores the date and time of confirmation as a record of the transaction, but personal information of the user is not stored, according to [11]documentation [PDF] released by the ministry.
If all goes according to plan, the app should be ready for general release in late August.
[12]
The app's developers – from the ministry and the private sector – have already consulted with businesses and institutional authorities, defined requirements and come up with a working product. It still needs to e tested and verified before rollout.
Japan has [13]struggled with getting the general population to adopt the optional card. Prime minister Fumio Kishida directed ministers to "make every effort to promote" the use of the card in mid-2022 – when uptake was stalled at less than 50 percent over six years after its debut. By the end of fiscal 2022, the number of applicants for the card had jumped to 76.3 percent.
The country needs high adoption for several reasons, not least of which is a plan to [14]replace health insurance cards with the My Number ID cards this year. ®
Get our [15]Tech Resources
[1] https://www.theregister.com/2023/08/17/japanese_minister_offers_up_salary/
[2] https://www.asahi.com/ajw/articles/14926142
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://www.digital.go.jp/news/a472c77a-a50d-457c-99c9-c5866d36dd67
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2022/08/31/japan_floppy_disk_ban/
[8] https://www.theregister.com/2023/08/17/japanese_minister_offers_up_salary/
[9] https://www.theregister.com/2024/07/29/china_cyberspace_id_proposal/
[10] https://www.theregister.com/2022/05/30/indian_authorities_conflicting_aadhaar_advice/
[11] https://www.digital.go.jp/assets/contents/node/information/field_ref_resources/a472c77a-a50d-457c-99c9-c5866d36dd67/07c0c936/20240801_news_mynumber_outline_01.pdf
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[13] https://japannews.yomiuri.co.jp/politics/politics-government/20220923-60121/
[14] https://english.kyodonews.net/news/2023/08/2d8870c94e49-breaking-news-japan-to-scrap-health-insurance-cards-in-2024-as-planned.html
[15] https://whitepapers.theregister.com/
Re: the sign of hubris
I would disagree. ID cards are useful and are not necessarily a sign that your government is veering Big Brother (it is, but not for that reason).
The problem in Japan, as I see it, is that the team drawing up the specifications apparently didn't bother to check with countries that already had ID cards to find out what problems those countries had found and think about how their scheme might be impacted. On top of the other problem that is this is the first time anyone has tried to implement a digital ID scheme based on numbers.
No, wait, Social Security has been based on numbers since forever. Maybe they should have looked into that.
Oh well, I'm sure the Agile team is on it. After all, move fast and break things, right ?
Oh, right. It's already broken.
Re: the sign of hubris
Nothing intrinsically wrong with 'ID Cards'—they have their proper time and place.
The problem with 'ID Cards' is the human institutions and individuals wielding the power, as has been demonstrated time and time again.
So counterfeit cards will need to store the same information on a full as they have printed on them? Is that very difficult? I had a work ID card which did that fifteen years ago, and it was made for me in five minutes by a bloke in security.
Remember that the private key of the great god certification will no doubt be protecting the details on the chip on the card.
There's a digital certificate on the smart chip, presumably that prevents (at least intends to prevent) anyone other than the owner of the private signing key creating a valid novel chip. However the anti-cloning tech possibly appears to be merely the PIN, which the card holder knows and needs to use routinely. So if the legitimate owner is willing - under duress or otherwise - to allow cloning maybe it's easy.
Other highlights:
Even when it is lost, impersonation by a third person is not easy.
'Not easy', wow that's reassuring.
Laser engraved letters along with intricate anti-counterfeit patterns make forgery difficult.
That bit has obviously failed already. Honestly if I were a forger the joy of dealing with 'intricate patterns' and engraving would be what got me out of bed in the morning.
Lest we forget ...
it's a myth that "everyone has an iPhone". There are large numbers of perfectly respectable folks who don't have (or can't use) a smartphone (or even access to a computer). Are they to be written off by the technocrats?
No PIN Required
... for the verification app to access the card issuee's on-chip data?! Hard-coded credentials? A magic certificate?
These are all things bad people can extract from the card-verification app and use within their malware app to steal a card-issuee's critical personal data from their card.
They just have to convince the card-issuee to stick their ID card into an ID card reader which is under the control of the malware gang -- a low hurdle.
Yep, there's a big difference between a "Wanna buy a fake authentic ID?" piece of paper that just has to look good because no one has the means to quickly prove that it isn't fake, and the 'non-ID' that instantly drags in gigabytes of data that may, or may not, relate to you, but no one is going to take responsibility for it.
Welcome to the hell of good intentions and overweening irresponsible power.
Yay, 'ID Cards' - the sign of hubris.