Senate ID Cards Use A Photo Of A Chip Rather Than An Actual Smart Chip
from the security-by-stupidity dept
Our government isn't exactly known for its security chops, but a letter recently sent by Senator Ron Wyden to the two colleagues who head the Committee on Rules & Administration notes that, incredibly, the ID cards issued to Senate staffers only appear to contain a smart chip. Rather than embedding a real chip, someone decided to print a picture of one on each card. A real PIV chip holds a private key that never leaves the card and signs a challenge from the reader, which is what makes the card hard to clone; a printed picture of the contact pads proves nothing to anyone. This isn't security by obscurity, it's bad security through cheap Photoshopping. From our Senate.
Moreover, in contrast to the executive branch's widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip. Given the significant investment by the executive branch in smart chip based two-factor authentication, we should strongly consider issuing our staff real chip-based ID cards and then using those chips as a second factor.
We asked the Senate if there was any way we could get a (heavily redacted, obviously) image of a Senate ID with the "photo" smart chip, but (not at all surprisingly) that request was rejected. So instead we have an artist's rendering of what something like it might look like, more or less.
Most of the letter (as the last sentence of the excerpt suggests) is about how little the Senate uses two-factor authentication, which is also kind of stunning. These days, two-factor authentication is the bare minimum for anything you want to keep even moderately secure. That the Senate isn't doing this (and is faking smart chips) is preposterous. It's great that Senator Wyden is calling out Senate IT staff for this very basic failing. I don't know for sure, but a lot about this letter makes me suspect that one Chris Soghoian is behind discovering the lack of a real smart chip and highlighting the lack of true two-factor authentication (it's possible it's someone else, but it feels like a very Chris Soghoian thing to notice and call out...).
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Filed Under: 2fa, chips, ron wyden, senate, smart card, two factor authentication
Reader Comments
Though truth be said it wouldn't be fair towards a few of them like Wyden.
Sorry, access denied!
Maybe I am missing something, but when the scanner that is supposed to read the chip finds only a photo of the chip, wouldn't that cause the 'system' to reject the presenter? Some staffers' cards work, others don't, but they all get in? Astonishing.
Re: Sorry, access denied!
It's pictures all the way down
LOL, Wrong card number!
It could be something
It could be that the picture is faking/protecting a contact port, while the NFC/wireless portion would still be working. If I'm not mistaken, contact gives more access than wireless, e.g. writing support.
Just a thought. Or I'm just mistaken, I obviously didn't see the card either, but that's something I could come up with in a given situation...
Also, of the two factor methods mentioned, the ID card with a WORKING smart chip as Something you Have is the best. A high percentage of smartphones have malware/spyware installed and a USB device means you have to allow USB devices to be plugged into your secured computer. And USB is a known attack vector.
Re:
I have to incorporate that in my daily vocabulary.
Re: Re: Re:
The first 2 things can be accomplished by anyone with pretty basic knowledge and the final one just costs a bit more.
Don't laugh! This shows just what can be done if you 'Hack Harder'.
Re: Don't laugh! This shows just what can be done if you 'Hack Harder'.
*Puts on a Deer in the Headlight look*
Just business as usual
#fakewho's
Rumor is that they were issued cards with smart chips, but sold them to the Russians.
I'm calling bullshit...
Re: I'm calling bullshit...
I don't work with smartcards, so you might know better than me, but looking at this generic smartcard cutaway diagram here...
https://en.wikipedia.org/wiki/File:Smartcard_chip_structure_and_packaging_EN.svg
...it looks like the visible part of the chip on the surface of the smartcard (i.e., what you'd see if it were just a sticker), is not just a sticker but a "metal contact" connected to the embedded chip. From that, I'd say that if it were just a sticker (and not the metal contact component actually connected to the chip), it wouldn't work.
So that, and the fact that Wyden has formally brought up the issue in the first place, makes me think that this is probably not a case of "bullshit".
Re: I'm calling bullshit...
(My guess is that the picture is there because *some* staff do have actual smartcards for logging into computers, most staff don't need it so don't have it, but they get the picture printed so all the IDs look the same).
You got the correct picture
This is genius!
Or these are actually just RFID cards, and they printed the fake contacts so people would stop asking why there were no contacts. Most places use RFID only for access. The contacts would only be used for verification when logging on to a computer. If they don't use that feature (though they should) then having the contacts/chip would be pointless.
Re: This is genius!
(Imagines the devices one could create - connected to an RFID reader - that activate when one of them walks past.)
Re: Re: Re: This is genius!
And that number won't be random. Only some of the bits are a unique serial number. The rest identify the manufacturer and product ID, the organization that manages the data for the tag and whatnot. Even if that information isn't published, you can probably analyse the data emanating from the pants of a few known congressmen and use that to identify others.
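The point above about badge numbers being structured rather than random, as an added example that is not part of the comment thread or the article: the 26-bit "H10301" Wiegand layout that many door readers emit is public, and it shows how few of a badge's bits are actually unique to the holder. It is used here only as a concrete instance of the structured-ID point; nothing on this page says what format Senate badges use, and the facility code and card numbers below are constructed for illustration.

```python
# Added example, not code from the article or the comment thread.
# 26-bit Wiegand (H10301) frame, most significant bit first:
#   bit 25      even parity over the next 12 bits
#   bits 24-17  8-bit facility code (shared by every badge at one site)
#   bits 16-1   16-bit card number (the only per-holder part)
#   bit 0       odd parity over the preceding 12 bits
# Facility code 42 and the card numbers used below are constructed values.


def parity(bits):
    """Number of set bits in `bits`, modulo 2."""
    return bin(bits).count("1") & 1


def encode_h10301(facility_code, card_number):
    """Build the 26-bit value a reader would send for this badge."""
    if not 0 <= facility_code <= 0xFF or not 0 <= card_number <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = (facility_code << 16) | card_number   # the 24 data bits
    even = parity(data >> 12)                     # even parity over the high 12 data bits
    odd = parity(data & 0xFFF) ^ 1                # odd parity over the low 12 data bits
    return (even << 25) | (data << 1) | odd


def decode_h10301(raw):
    """Split a 26-bit value into (facility_code, card_number).

    Raises ValueError if either parity bit does not match, which is the only
    integrity check the format has; nothing in it is secret or signed.
    """
    if raw >> 26:
        raise ValueError("not a 26-bit value")
    even = raw >> 25
    odd = raw & 1
    data = (raw >> 1) & 0xFFFFFF
    if parity(data >> 12) != even:
        raise ValueError("even parity mismatch")
    if parity(data & 0xFFF) ^ 1 != odd:
        raise ValueError("odd parity mismatch")
    return data >> 16, data & 0xFFFF


def sibling_badges(raw, span=3):
    """Given one observed badge, list the badges most likely issued around it:
    same facility code, card numbers within `span` on either side.

    Shows how little an observer has to guess once one badge from a site has
    been seen: the facility code is known and the parity bits are derived.
    """
    fc, cn = decode_h10301(raw)
    low, high = max(0, cn - span), min(0xFFFF, cn + span)
    return [encode_h10301(fc, n) for n in range(low, high + 1) if n != cn]


if __name__ == "__main__":
    badge = encode_h10301(42, 1234)
    print("raw frame: {:026b}".format(badge))
    print("decoded (facility, card):", decode_h10301(badge))
    print("neighbouring badges at the same site:",
          [decode_h10301(b) for b in sibling_badges(badge)])
    try:
        decode_h10301(badge ^ (1 << 5))   # flip one data bit
    except ValueError as err:
        print("corrupted frame rejected:", err)
```

Two badges from the same building share the facility code, so once one badge has been read an observer is guessing a 16-bit card number, not 26 bits, and the parity bits carry no secret. That is the gap a real chip with a private key is meant to close.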
uMM aH???
HOW MUCH DID/DO we pay for these cards??
The standard is that if citizens pay $6, the Gov pays $60-600..
Re: uMM aH???
100 Senators.
Say 5 staff each
500x$600=$300,000
or 12% of 1 Mar-a-Lago trip (low balling, 2.5 million a trip)
Re: Re: uMM aH???
$360,000 for the cards. 14.4% of a Mar-a-Lago trip.
I wish my Credit Card came with a photo of a Smart Chip
If someone with a chipped card uses it at a store and an unscrupulous employees makes a copy of that information and uses it to order stuff online or over the phone, what good does the chip do? Sure it makes the card harder to duplicate, but you don't need the physical card to order stuff online.
Re:
It doesn't provide perfect security against all forms of attack. It improves security against one of the most common forms of attack. Most attacks do not involve a clerk reading your card number; those are also easier to trace because you can trace lots of fraud back to the store where the clerk works. If you put a skimmer on someone else's card reader, tracing it back to the reader doesn't lead authorities to you.
Do we know it's not a contactless smart card?
Photo of a badge
https://drpence.wordpress.com/2013/01/28/credentials/
(by Dr. Laura Pence, Professor of Chemistry at the University of Hartford, currently spending a sabbatical year as a Congressional Fellow in Washington)