News: 1722578407

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Japan mandates app to ensure national ID cards aren't forged

(2024/08/02)


The Japanese government has released details of of an app that verifies the legitimacy of its troubled My Number Card – a national identity document.

Beginning in 2015, every resident of Japan was assigned a 12 digit My Number that paved the way for linking social security, taxation, disaster response and other government services to both the number itself and a smartcard.

The plan was to banish bureaucracy and improve public service delivery – but that didn't happen. My Number Card ran afoul of [1]data breaches , reports of malfunctioning card readers, and database snafus that [2]linked cards to other citizens' bank accounts . Public trust in the scheme fell, and adoption stalled.

[3]

Now, according to [4]Japan's Digital Ministry , counterfeit cards are proliferating to help miscreant purchase goods – particularly mobile phones – under fake identities.

[5]

[6]

Digital minister Taro Kono yesterday presented his solution to the counterfeits: a soon to be mandatory app that confirms the legitimacy of the card.

[7]Japan to change laws that require use of floppy disks

[8]Japan's digital minister surrenders salary to say sorry for data leaks

[9]China ponders creating a national 'cyberspace ID'

[10]Indian authorities issue conflicting advice about biometric ID card security

The app uses the camera on a smartphone to read information printed on the card – like date of birth and name. It compares those details to what it reads from info stored in the smartcard's resident chip, and confirms the data match without the user ever needing to enter their four-digit PIN.

The app stores the date and time of confirmation as a record of the transaction, but personal information of the user is not stored, according to [11]documentation [PDF] released by the ministry.

If all goes according to plan, the app should be ready for general release in late August.

[12]

The app's developers – from the ministry and the private sector – have already consulted with businesses and institutional authorities, defined requirements and come up with a working product. It still needs to e tested and verified before rollout.

Japan has [13]struggled with getting the general population to adopt the optional card. Prime minister Fumio Kishida directed ministers to "make every effort to promote" the use of the card in mid-2022 – when uptake was stalled at less than 50 percent over six years after its debut. By the end of fiscal 2022, the number of applicants for the card had jumped to 76.3 percent.

The country needs high adoption for several reasons, not least of which is a plan to [14]replace health insurance cards with the My Number ID cards this year. ®

Get our [15]Tech Resources



[1] https://www.theregister.com/2023/08/17/japanese_minister_offers_up_salary/

[2] https://www.asahi.com/ajw/articles/14926142

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://www.digital.go.jp/news/a472c77a-a50d-457c-99c9-c5866d36dd67

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2022/08/31/japan_floppy_disk_ban/

[8] https://www.theregister.com/2023/08/17/japanese_minister_offers_up_salary/

[9] https://www.theregister.com/2024/07/29/china_cyberspace_id_proposal/

[10] https://www.theregister.com/2022/05/30/indian_authorities_conflicting_aadhaar_advice/

[11] https://www.digital.go.jp/assets/contents/node/information/field_ref_resources/a472c77a-a50d-457c-99c9-c5866d36dd67/07c0c936/20240801_news_mynumber_outline_01.pdf

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZqyuSOw@hKS-jz6zf6tn3QAAAA8&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[13] https://japannews.yomiuri.co.jp/politics/politics-government/20220923-60121/

[14] https://english.kyodonews.net/news/2023/08/2d8870c94e49-breaking-news-japan-to-scrap-health-insurance-cards-in-2024-as-planned.html

[15] https://whitepapers.theregister.com/



Adair

Yep, there's a big difference between a "Wanna buy a fake authentic ID?" piece of paper that just has to look good because no one has the means to quickly prove that it isn't fake, and the 'non-ID' that instantly drags in gigabytes of data that may, or may not, relate to you, but no one is going to take responsibility for it.

Welcome to the hell of good intentions and overweening irresponsible power.

Yay, 'ID Cards' - the sign of hubris.

Re: the sign of hubris

Pascal Monett

I would disagree. ID cards are useful and are not necessarily a sign that your government is veering Big Brother (it is, but not for that reason).

The problem in Japan, as I see it, is that the team drawing up the specifications apparently didn't bother to check with countries that already had ID cards to find out what problems those countries had found and think about how their scheme might be impacted. On top of the other problem that is this is the first time anyone has tried to implement a digital ID scheme based on numbers.

No, wait, Social Security has been based on numbers since forever. Maybe they should have looked into that.

Oh well, I'm sure the Agile team is on it. After all, move fast and break things, right ?

Oh, right. It's already broken.

Re: the sign of hubris

Adair

Nothing intrinsically wrong with 'ID Cards'—they have their proper time and place.

The problem with 'ID Cards' is the human institutions and individuals wielding the power, as has been demonstrated time and time again.

Ian Johnston

So counterfeit cards will need to store the same information on a full as they have printed on them? Is that very difficult? I had a work ID card which did that fifteen years ago, and it was made for me in five minutes by a bloke in security.

gryphon

Remember that the private key of the great god certification will no doubt be protecting the details on the chip on the card.

Blazde

There's a digital certificate on the smart chip, presumably that prevents (at least intends to prevent) anyone other than the owner of the private signing key creating a valid novel chip. However the anti-cloning tech possibly appears to be merely the PIN, which the card holder knows and needs to use routinely. So if the legitimate owner is willing - under duress or otherwise - to allow cloning maybe it's easy.

Other highlights:

Even when it is lost, impersonation by a third person is not easy.

'Not easy', wow that's reassuring.

Laser engraved letters along with intricate anti-counterfeit patterns make forgery difficult.

That bit has obviously failed already. Honestly if I were a forger the joy of dealing with 'intricate patterns' and engraving would be what got me out of bed in the morning.

Lest we forget ...

Mike 137

it's a myth that "everyone has an iPhone". There are large numbers of perfectly respectable folks who don't have (or can't use) a smartphone (or even access to a computer). Are they to be written off by the technocrats?

No PIN Required

An_Old_Dog

... for the verification app to access the card issuee's on-chip data?! Hard-coded credentials? A magic certificate?

These are all things bad people can extract from the card-verification app and use within their malware app to steal a card-issuee's critical personal data from their card.

They just have to convince the card-issuee to stick their ID card into an ID card reader which is under the control of the malware gang -- a low hurdle.

In his book, Mr. DePree tells the story of how designer George Nelson urged
that the company also take on Charles Eames in the late 1940s. Max's father,
J. DePree, co-founder of the company with herman Miller in 1923, asked Mr.
Nelson if he really wanted to share the limited opportunities of a then-small
company with another designer. "George's response was something like this:
'Charles Eames is an unusual talent. He is very different from me. The
company needs us both. I want very much to have Charles Eames share in
whatever potential there is.'"
-- Max DePree, chairman and CEO of Herman Miller Inc., "Herman Miller's
Secrets of Corporate Creativity", The Wall Street Journal, May 3, 1988