Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Germany Says iPhones Running iOS 13 Will Be Able to Read NFC Tags in National ID Cards and Passports

AngerDanger said:
I wish my ID photo looked that good.
Click to expand...

New York State is just getting on the Secure ID bandwagon and if I decide to renew my license I'll have to bring them my Passport. Up till now they've been using a 35 year old picture when my beard was black. (It's all grey now") :cool: The next time I fly domestically (almost never) I'll just bring my passport.
 
  • Like
Reactions: alexandr
Great to get confirmation on this. I have tested with several other passports and ID cards but not the German. There are still a lot of rough edges here but this really has the potential to make robust countermeasures against identity theft widely available.
 
chucker23n1 said:
In theory, you can now go to a government website from your iPhone and automatically be signed in.
Click to expand...
It’s bigger than that. Anywhere you are required to show in person to show id or where they want you to submit a photo of an id document you can perform the same operation remote in a privacy oriented and much more secure way.
 
asiga said:
At some point, I suppose people will realize that being fully monitored 24/7 from either governments or businesses is not a good thing. The problem is that when it's too late, people say "we are all controlled by big-bro, there's no escape"... but when there was a chance to escape, they all cheered up and welcomed the full electronic control of their lives.

It's eerie to realize that movies like "1984" or "Gattaca" are not sci-fi anymore.

BTW: Will you also cheer up if the FBI can use this, or is it cool for every government agency but the FBI?
Click to expand...

The notion that you had any privacy for the past 10 years, with the exception of the thoughts inside your head is quaint, if not outmoded.

At least here in the US, if you have a driver's license or passport. Your photograph is all ready in the FBI facial recognition database, with access to millions of data collection points a day. Every time you pass through a toll booth on an interstate, or one of those "pay by plate" toll gantries, they take a picture of the driver. Even if you have EZ Pass or it's equivalent, they still snap your picture. Why? Because they can. Those pictures can be used to track you.

Same thing with the surveillance cameras that are all ready everywhere (both government run, and those run by private entities that partner voluntarily with the government). Go to a professional sporting even, an airport, a mall, often times a park. They got ya.

Documents for crossing national borders have had RFID chips in them for years. What's on the chip is simply a digital representation of the antiquated international encoding standard for the information at the bottom of the photograph page. The document scanned through an optical reader, fed into a database and checked. The only thing different is the collection method. Instead of optical reader, the system is using RFID technology.

Driver's licenses in the US have had bar codes on them that meet a universal standard nationwide for almost 15 years now. When you hand it to a police officer, or other government representative with access to the database, it's scanned via optical reader and the same data that's on the card is passed through the system. Using RFID to pass this information isn't a serious departure from the implementation of the technology as it is used at present. It simply eliminates the need for a stand alone optical scanner and the fixed costs associated with the gathering point of the information.

When it's too late? That ship sailed a long time ago. You use any technology (cell phone, smart phone, credit card/debit card/atm. Make a withdraw at a bank, drive a car with OnStar installed whether it's activated or not, get your paycheck direct deposit), well, they've got you. The machine learning they now use to comb banking records are to the point where they can tell if you like your scotch on the rocks or neat. That's not an exaggeration.

Only way to dodge "the man" these days is to amass about $250,000 in cash, go south of the border with no credit cards, debit cards, or cell phone, buy a burner when you get to Mexico (don't talk on it), crawl across the mountains and buy a shack in Belize under an assumed name. Then live off scorpions and millipedes for the rest of your days.

If you knew the TRUE extent of what's all ready in place as we have this polite exchange, you would probably drop an o-ring or hack up a lung. I've seen it in action first hand, and everything I saw was 5+ years ago. Given the natural progression of technology, everything I've seen is in "buggy whip" territory by now.

Reading the RFID chips in cards is small small potatoes. Worst thing it's gonna do is get you on the airplane a little faster after you endure the Kabuki theater that is a TSA grope....
 
  • Like
Reactions: MacPrince and User 6502
splitpea said:
What about strangers at the airport loading your ID into their phones?
Click to expand...
Not possible. To read an ID or passport you need an access code that is derived from the data on the document itself. That is: they can copy the data in the chip only if they can already optically read that data.
 
  • Like
Reactions: MacPrince
chucker23n1 said:
It’s kind of controversial. Surveillance/privacy concerns vs. fairy limited end user benefits.
Click to expand...
This thing here has nothing to do with privacy...

splitpea said:
What about strangers at the airport loading your ID into their phones?
Click to expand...
It doesn't work like that. A SmartCard is called SmartCard because it's actually smart. Much like an EMV transaction (pay using chip+pin, also most NFC transactions), the SmartCard doesn't just stupidly pass along the data that's stored on it, e.g. your name and birthdate and so on. This is the major difference to using a magstripe. The SmartCard is a small cryptographic processor (much like the SecureElement in an iPhone). It gets a request which it answers with a digitally signed reply.
Example (in a nutshell) based on an EMV transaction:
Terminal: "Please approve payment to Walmart with accountID12345678 in the amount of XXX. Date: xxx"
SmartCard: "I approve payment to Walmart with accountID12345678 in the amount of XXX. Date: xxx + digital signature"
In a secure environment the card will require the PIN to unlock the signing process.

As such it's impossible to copy a SmartCard, which essentially prevents identity theft.

In comparison: a credit card swiped (or even when used per NFC in some cases) just sends out "My number is 1234 5678 9012 3456, Expiry 02/20, owner: John Doe". Stealing this information is of course very easy...
(If the terminal expects this plaintext reply but the NFC card is set to only reply with a SmartCard-style digitally signed reply, it will reject the transaction. This is one of a few reasons why some European credit cards don't work with old NFC terminals, which are quite common in the US.)

Val-kyrie said:
So where are the safeguards against digital identity theft?
Using NFC scanners to steal information has been a real threat for at least two decades.
Click to expand...
NFC is just the technology to transmit data (like ethernet or WiFi). If your NFC card is just a dumb tag, that sends out a userID (or credit card number), it's insecure as that data can just be copied to another card that sends exactly the same reply.
If the card instead sends one-time passwords, that's more secure, but if OTP is intercepted & re-used in real time, it's not acceptable for high security.
If the card performs a cryptographic process (actual SmartCard) it can be programmed to require a PIN or other kind of approval mechanism. The digital signature as explained above will secure the transaction/login/...
If you don't even trust the reading terminals PIN pad (if PIN would be entered on a non-secure keyboard like on a laptop), best choice would be a card that has an embedded authentication mechanism, like this one: https://directrm.com/da-pin-pad-smart-card/

RosOne said:
Could someone please explain the use case? Why would I want to NFC-read my ID or that of someone else?

I’m clearly missing something here hmm
Click to expand...
Yes, you do. These IDcards can proof your identity and age without human intervention and allow to sign documents electronically (properly, not some shady signing on the touchscreen).
Use case:
Signing of any kind document
Age verification (online)
ID provider (can be used to securely log on to websites without passwords)

In fact, an NFC+PIN SmartCard is the most secure way to log into anything. It would be the ultimate solution to get rid of stupid passwords while maintaining maximum possible security.

I recommend checking out YubiKey website as their device is practically a SmartCard in a different shape.
 
  • Like
Reactions: Val-kyrie, CarlJ, MacPrince and 1 other person
  • Like
Reactions: alexandr, dumell and macguru212
Val-kyrie said:
So where are the safeguards against digital identity theft?

Using NFC scanners to steal information has been a real threat for at least two decades.
Click to expand...
Pickpockets and thugs have been a real threat for at least several centuries. Unlike safeguards against digital identity theft via NFC (a.k.a. tin foil wrapping), only very few people could (and can) afford safeguards against physical theft (including, but not limited to identity).

Besides - your "real threat for at least two decades" claim is (more than) slightly exaggerated: First norming drafts for NFC have been published in 2002, if Wikipedia is to be believed. Consumer products have probably not been available until ten years ago, perhaps even less. So even if _scanners_ have been available for longer, they could not be classified as "threat" if there was nothing they could have been stolen in the first place.
 
Reading is great, but so is writing. When I re-up my transit pass or add funds with my mobile app I can immediately write it back to my card, bypassing any delays in-vehicle terminal updates might have. Apple needs to stop gate keeping NFC so much.
 
I'm from the US, never fly, and never travel out of the country, I feel like this is something I should be excited about but don't really know why. Is it possible something like this could replace the need for a physical driver's license? The one thing I really want my iPhone to do that it hasn't done already is completely replace my need to carry a wallet.
 
RosOne said:
Yea, I understand that. But my question is why would I care that my iPhone can read that?
Click to expand...
This functionality (eID) primarily allows a person to authenticate themselves when using online services, e.g. to access your Social Security information online, or things like opening a new bank account. It's a much safer alternative to knowledge-based authentication, which is commonly used in the US using "secrets" like the SSN etc. This is a very unsafe practice and a main reason why ID theft is so common here.

The way this worked so far is that you had an NFC reader connected to your computer, and you used software to enable communication between the chip in the ID card and the online authentication service. The German "Ausweisapp" is one such software; unfortunately it's really clunky, which is part of the reason why few people are actually using this functionality today. The hope is that by making use of the integrated NFC reader in the phone that everyone already has in their pockets, this will become much easier to use with mobile apps.

Using this for passport control at airports is a different application. Basically, the chip stores some cryptographically protected biometric information (such as the passport photo), which can then be used by a machine to verify that the document matches the person. This is used e.g. in the European EasyPASS system.
 
Last edited:
kilcher said:
I'm from the US, never fly, and never travel out of the country, I feel like this is something I should be excited about but don't really know why. Is it possible something like this could replace the need for a physical driver's license? The one thing I really want my iPhone to do that it hasn't done already is completely replace my need to carry a wallet.
Click to expand...

Probably not. In the US, I think every state makes its own rules with respect to drivers licenses. In NC they just recently introduced a version of a license that conforms to Congress' REAL ID Act, which requires issuers of those licenses to require more forms of identification. You can then use those licenses to get on domestic flights. My license has a bar code and some sort of optical code - but I don't see or feel any RFID. But there's really no reason why there couldn't be an app equivalent on my iPhone - and I've heard that some states do have those.

I've given up my wallet a few years ago. I simply added a little stick-on nylon pouch to the back of the phone (cost less than $10 on Amazon) and carry the license and couple credit cards in it.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back