Wednesday, September 24, 2008

The farce of BankID

The Swedish Administrative Development Agency (Verva) has released a report suggesting an expansion of the concepts of electronic identification in Sweden. IDG writes how your cellphone will be used for e-identification, how e-identification will look in the future, how everyone will have eID within two years and how the BankID company is optimistic about the future. What bull.

"BankID is an incompatible ugly hack the Swedish banks threw together to give Persson something to brag about during the EU-chairmanship"
... I quote from a renowned bank security specialist who must remain unnamed. The Swedish BankID really is terrible technology which attempts to fill the void the national ID-card should have, and could have, filled long ago. Polisen writes (my emphasis): "På id-kortet finns ett kontaktchipp som i framtiden kan bli bärare av elektronisk information, så kallade eID-tjänster, som till exempel elektronisk legitimation". ("On the ID-card there is a contact-chip which in the future may be the carrier of electronic information, so called eID-services, for example electronic identification") Not only have they got backward what eID-services are, and there is no such thing as a "contact-chip" if we are to be picky about device terms (which I think we should), they also seem not to have any infrastructure, technical plan or even room to create a functioning hardware electronic identification.

The BankID-service is bad primarily because it is software-carried ("BankID på fil") and because it requires service providers to chip in to the business model in a way which is just unfeasible. I have been told service providers avoid providing more services through BankID because the licensing is so expensive, whereas actually everyone could benefit and save money from using it more. Great success... I just realized that the clunky BankID client which never works properly probably does embed standard PKCS#12 certificates (X.509) and keys (RSA), but I have yet to peek into exactly what they are. The fact remains that BankID chose to step beside the existing infrastructure for hardware, software and protocols in browsers and other clients. Also, unless you're communicating with a BankID-licensed organization, the BankID you have been issued is worthless. It may not matter much to most people, but in principle it is strange not to be able to verify identity without going through a government.

Oh, and this story about Swedish bureaucracy is just hilarious, according to epractice.eu: March 2008 - "Due to the fact that the Swedish Administrative Development Agency (Verva) has no longer been assigned to manage the national eGovernment portal and that no other Government agency was handed this task over, the portal ‘sverige.se’ closes down." Yippie kay-yay...

In contrast, the Estonian ID card implements a regular PKI smart card much like the US DoD CAC. It ties into the OpenID project and anyone can implement services based on it using standard software and the government-provided LDAP directories. Oh and we already have Mobiil-ID using cellphone SIMs (using cellphone to pay for parking is a different but also very elementary thing done in all cities by most car owners for years).

To be fair though, the Estonian ID-card drivers are sometimes also messy to install, non-Estonian language support is failing in some points, the cards are pretty expensive to issue and, since two cards have failed for me (I used to sit on my wallet), I've had to experience the failing support organization behind it. Probably Estonia can be said to have benefited from being a small country, not because there are few end-users (above a million is never a small number) but because a limited number of market players are able to cooperate, without too much involvement of Statskontoret framework agreements standing in the way of pushing sensible technology.

All of this is of course pretty complex, and the layman cannot be expected to distinguish what is good or bad technology. Myself, I've gotten a proper eToken PRO through Danish it2trust on which my keys are stored, to be able to encrypt, sign and authenticate while knowing that the key can practically (as far as I know) never be stolen unless the physical token is stolen. That feels really good, and even if I don't have that sensitive information myself, at least I know how to do it, and which software is or is not capable of doing these things properly.

Actually I recently found myself in a war-of-blogs regarding inferior banking security where the pretty large Swedish blogger "TKJ" spreads some confusion on what the real problem is and the cause for credit card frauds persisting. I'd like to say that I don't mind TKJ contributing to the discussion, on the contrary, and he's generously complimented the expert critique he's received. In my opinion security experts, too, should dare to step up and discuss these things openly, or media and consumers surely won't know where to push the market. So my $0.02 are that the reason Swedes are still getting skimmed is the embarrassing fact that Swedish banks and payment systems still use primarily copyable magnetic strips instead of the more secure "for electronic use only" smartcards. In the competition between nations for using the greatest technology, this is one area where Sweden is definitely suffering from having to carry its legacy and being stuck with old solutions.

5 comments:

Johannes said...

Very interesting to hear that Estonia uses OpenID. I've always used them as a good example and this makes them even better.

Carl-Johan Sveningsson said...

Well, they don't use OpenID as such AFAIK, but they tie in there pretty easily for anyone who would want to, is the impression I got anyway. You're some OpenID evangelist yourself, or?

But indeed, things seem to happen much faster in Estonia in several areas at least, and I like that! :-)

Anonymous said...

What about the Norwegian BankID, is it the same as the Swedish? It looks like it.

Anonymous said...

Trustbearer can be used with the Finnish, Estonian and Belgian IDs at least (possibly also the Portuguese, but it will depend upon the driver arrangement). Java cards such as the Norwegian BuyPass would not appear to work.

This may be a starter at least for tying in government-confirmed identity to OpenID.

Anonymous said...

Anon,

No, there is a difference in the storage and security strategy between the Swedish and the Norwegian BankIDs.

The Norwegian BankID is available in much the same way as a smartcard-based EID for mobile phones (not the most common use in Norway), but most use a centrally stored certificate (banklagret BankID, as it is referred to in Norwegian). This has already been hacked at least twice and is, in my expert opinion, not compartmentalized enough from a security standpoint.

The Swedish BankID can be stored in various media on a computer or removable device much like the Austrian Bürgerkarte (Austrian EID) was meant to be, offering a form of flexibility. In addition to BankID, there is a smartcard-based Qualified Certificate EID in Norway called Buypass (which can be used in the Altinn e-government portal). Both BankID and Buypass are level 4 from a security standpoint.

The Swedish BankID is also considered level 4 and comprises a qualified certificate. As far as I can see, the Swedish BankID cannot be transferred to a Swedish SIS-märkt ID card (but I could be mistaken about this).