Senate ID Cards Use A Photo Of A Chip Rather Than An Actual Smart Chip

from the security-by-stupidity dept

Our government isn't exactly known for its security chops, but in a letter sent recently from Senator Ron Wyden to two of his colleagues who head the Committee on Rules & Administration, it's noted that (incredibly), the ID cards used by Senate Staffers only appear to have a smart chip in them. Instead of the real thing, some genius just decided to put a photo of a smart chip on each card, rather than an actual smart chip. This isn't security by obscurity, it's... bad security through cheap Photoshopping. From our Senate.

Moreover, in contrast to the executive branch's widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip. Given the significant investment by the executive branch in smart chip based two-factor authentication, we should strongly consider issuing our staff real chip-based ID cards and then using those chips as a second factor.

We asked the Senate if there was any way we could get a (heavily redacted, obviously) image of a Senate ID with the "photo" smart chip but (not at all surprisingly) that request was rejected. So, instead, we've got this artist's rendering of what something like it might look like, more or less.

Most of the letter (as the last sentence suggests), is about how the Senate barely uses two factor authentication, which is also kind of stunning. These days, two factor authentication is the absolute basic level necessary for anything that you want to keep moderately secure. That the Senate isn't doing this (and that it's faking smart chips) is preposterous. It's great that Senator Wyden is calling out the Senate IT staff for this very basic failing. I don't know for sure, but a lot about this letter makes me suspect that one Chris Soghoian is behind discovering the lack of a real smart chip and highlighting the lack of true two factor authentication (it's possible it's someone else, but it feels like a very Chris Soghoian thing to notice and call out...).

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 2fa, chips, ron wyden, senate, smart card, two factor authentication


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 25 Apr 2017 @ 8:02am

    I'm afraid that artistic depiction of the card is not accurate. For better accuracy I'd go with graphical descriptions of crimes, corruption or our plain old uncle Lucifer (or the equivalent devil in any religion). That would be more fitting.

    Though truth be said it wouldn't be fair towards a few of them like Wyden.

    link to this | view in thread ]

  2. icon
    Anonymous Anonymous Coward (profile), 25 Apr 2017 @ 8:50am

    Sorry, access denied!

    Moreover, in contrast to the executive branch's widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip.

    Maybe I am missing something, but when the scanner that is supposed to read the chip, and there is only a photo of the chip, wouldn't that cause the 'system' to reject the presenter? Some staffers cards work, others don't, but they all get in? Astonishing.

    link to this | view in thread ]

  3. identicon
    Christenson, 25 Apr 2017 @ 9:20am

    LOL, Wrong card number!

    If you're gonna put regular numbers on that card, why not one that's easy to remember? 1234 5678 9012 3456!

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 25 Apr 2017 @ 9:20am

    That's ok, they only have a photo of the card reader at entrances anyway. That's the new TSA contractor's collaboration with the legislative branch: Rapi-Pic. Rapi-Scan actually involved working parts and was too expensive.

    link to this | view in thread ]

  5. identicon
    dsh, 25 Apr 2017 @ 9:23am

    Re: Sorry, access denied!

    What scanner?

    link to this | view in thread ]

  6. icon
    AngelQC (profile), 25 Apr 2017 @ 9:25am

    It could be something

    I don't know if someone, versed in SecureID card system, inspected the card closely.

    It could be that the picture is faking/protecting a contact port, while the NFC/wireless portion would still be working. If I'm not mistaken, contact gives more access than wireless, e.g. writing support.

    Just a thought. Or I'm just mistaken, I obviously didn't see the card either, but that's something I could come up with in a given situation...

    link to this | view in thread ]

  7. icon
    tom (profile), 25 Apr 2017 @ 9:37am

    Sad but not surprising. When I asked my Representative about implementing Cyber Security standards for the average citizen, I got a Deer in the Headlight look, followed by a suggestion to 'hold a seminar'.

    Also, of the two factor methods mentioned, the ID card with a WORKING smart chip as Something you Have is the best. A high percentage of smartphones have malware/spyware installed and a USB device means you have to allow USB devices to be plugged into your secured computer. And USB is a known attack vector.

    link to this | view in thread ]

  8. icon
    ThaumaTechnician (profile), 25 Apr 2017 @ 9:41am

    Don't laugh! This shows just what can be done if you 'Hack Harder'.

    The card uses the same technology as does the unbreakable, magic back doors that law enforcement wants deployed for encryption.

    link to this | view in thread ]

  9. icon
    TheResidentSkeptic (profile), 25 Apr 2017 @ 9:44am

    Just business as usual

    This is what you get when you buy security devices from the lowest bidder. They knew they didn't need to actually spend the money on real chip cards - just print it on, and PROFIT.

    link to this | view in thread ]

  10. identicon
    Regret, 25 Apr 2017 @ 9:48am

    #fakewho's

    Rumor is that they were issued cards with smart chips, but sold them to the Russians.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 25 Apr 2017 @ 9:50am

    Re: Sorry, access denied!

    Its all just security theater, they can wave a card when they need to show that they take security seriously, but to actually use it for security would be an imposition, and a waste of their precious time.

    link to this | view in thread ]

  12. identicon
    Jason, 25 Apr 2017 @ 9:51am

    I'm calling bullshit...

    I've worked with SmartCard cards for login authentication. There is a picture of a chip on the card but its just a picture. The actual hardware is inside the card between two layers of plastic. Look at any RFID access card, this is how they work.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 25 Apr 2017 @ 9:52am

    You got the correct picture

    Trump thought this was a picture taken up his asshole, they weren't allowed to use anything else.

    link to this | view in thread ]

  14. icon
    Ninja (profile), 25 Apr 2017 @ 9:53am

    Re:

    "I got a Deer in the Headlight look"

    I have to incorporate that in my daily vocabulary.

    link to this | view in thread ]

  15. icon
    Berenerd (profile), 25 Apr 2017 @ 9:53am

    What scares me is, my company is not a place where security is needed to keep things safe. I mean, some, but we make very large engine parts. (Think cruise ship engines and the like) its not like someone could walk off with something that weighs a ton. Computers and such sure, but most people bring them home with them. Network? That is pretty secure. And yet, to get into the building you need not only an ID to get into the main building but anywhere other than the main lobby takes a security code.

    link to this | view in thread ]

  16. icon
    Oblate (profile), 25 Apr 2017 @ 9:59am

    This is genius!

    I bet they saved a bunch on the paper mache card readers too! The only remaining question is which congressman got the kickbacks from the security contractor?

    Or these are actually just RFID cards, and they printed the fake contacts so people would stop asking why there were no contacts. Most places use RFID only for access. The contacts would only be used for verification when logging on to a computer. If they don't use that feature (though they should) then having the contacts/chip would be pointless.

    link to this | view in thread ]

  17. icon
    Ninja (profile), 25 Apr 2017 @ 10:00am

    Re: Don't laugh! This shows just what can be done if you 'Hack Harder'.

    So it's a magic chip (TM). Gotcha.

    *Puts on a Deer in the Headlight look*

    link to this | view in thread ]

  18. icon
    compujas (profile), 25 Apr 2017 @ 10:04am

    Re: I'm calling bullshit...

    For contactless cards, sure, but many are still contact-based chip cards. The DoD uses contact-based SmartCards. Also, aren't contactless cards inherently less secure due to the fact that you don't actually need to make physical contact with the card?

    link to this | view in thread ]

  19. icon
    compujas (profile), 25 Apr 2017 @ 10:05am

    Re:

    Is USB still a weak point if you disable USB Mass Storage? I know that non-storage USB devices can still work even if you disable the ability to use thumbdrives and the like.

    link to this | view in thread ]

  20. icon
    compujas (profile), 25 Apr 2017 @ 10:08am

    Re:

    My guess would be industrial espionage. They're less concerned about employees stealing anything than someone walking in off the street and stealing data/designs/process/etc.

    link to this | view in thread ]

  21. identicon
    Baron von Robber, 25 Apr 2017 @ 10:09am

    So the chip on the card is a genuine as the person carrying it.

    link to this | view in thread ]

  22. icon
    Roger Strong (profile), 25 Apr 2017 @ 10:17am

    Re: This is genius!

    Every congressman and staffer may be carrying an RFID chip identifying them as such?

    (Imagines the devices one could create - connected to an RFID reader - that activate when one of them walks past.)

    link to this | view in thread ]

  23. icon
    orbitalinsertion (profile), 25 Apr 2017 @ 10:23am

    Re: Re: I'm calling bullshit...

    Actually, I am a little puzzled by the whole thing. When did chips become secure and well-implemented in the first place? I think i missed that day of class in the last 10 years or so when "smart chips" actually kinda sorta started living up to the theory behind them.

    link to this | view in thread ]

  24. identicon
    kallethen, 25 Apr 2017 @ 10:41am

    Re: Sorry, access denied!

    No, see, you have a model of a scanner that reads the photo of a chip. Operated by a guy who plays a security guard on tv.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 25 Apr 2017 @ 10:44am

    Re: Re:

    Mass storage is not the security risk with USB, so long as auto play is disabled, it is the ability to emulate a keyboard and a NIC that really open up security holes.

    link to this | view in thread ]

  26. identicon
    FFS, 25 Apr 2017 @ 10:58am

    Re: Re: Don't laugh! This shows just what can be done if you 'Hack Harder'.

    It's "deer in the headlights". Or do you think we all operate mopeds??

    link to this | view in thread ]

  27. icon
    ECA (profile), 25 Apr 2017 @ 11:20am

    uMM aH???

    To all that are reading this..

    HOW MUCH DID/DO we pay for these cards??
    The Standard is that If Citizens pay %6, the Gov pays $60-600..

    link to this | view in thread ]

  28. identicon
    Baron von Robber, 25 Apr 2017 @ 11:48am

    Re: uMM aH???

    Let us assume $600 per.
    100 Senators.
    Say 5 staff each
    500x$600=$300,000
    or 12% of 1 Mar-a-Lago trip (low balling, 2.5 million a trip)

    link to this | view in thread ]

  29. identicon
    Baron von Robber, 25 Apr 2017 @ 11:52am

    Re: Re: uMM aH???

    Whoops. Forgot to keep the Senators inclusive.
    $360,000 for the cards. 14.4% of a Mar-a-Lago trip.

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 25 Apr 2017 @ 12:14pm

    That chip is the mark of the beast. Those people know it and are hoping that after they command the rest of the nation to accept that chip, they will still have a chance to be saved. Imagine.

    link to this | view in thread ]

  31. icon
    orbitalinsertion (profile), 25 Apr 2017 @ 12:46pm

    Re:

    IKR? The UPC is so old-hat now.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 25 Apr 2017 @ 1:05pm

    Re: Just business as usual

    "This is what you get when you buy security devices from the highest briber, er highest paying lobbyist. They knew they didn't need to actually spend the money on real chip cards - just print it on, and PROFIT."

    link to this | view in thread ]

  33. identicon
    Anonymous Coward, 25 Apr 2017 @ 1:53pm

    Re: Re: Re: Don't laugh! This shows just what can be done if you 'Hack Harder'.

    In Wisconsin, we go shining for deer on our Harleys.

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 25 Apr 2017 @ 2:14pm

    Re: Re: Re:

    Well it is not that hard to lock down a usb port to a single device. You shouldn't leave the USB port physically available either. There are secure USB devices too.
    The first 2 things can be accomplished by anyone with pretty basic knowledge and the final one just costs a bit more.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 25 Apr 2017 @ 2:26pm

    Re: Re: This is genius!

    A RFID card just provides a number, not actual identifiable information. They also have very short range, they need to be almost flush with the reader to work. So you may have to rethink your evil plans!

    link to this | view in thread ]

  36. identicon
    tracyanne, 25 Apr 2017 @ 2:41pm

    I whish my Credic Card came whith a photo of a Smart Chip

    Because then I wouldn't have to ram a screwdriver though it.

    link to this | view in thread ]

  37. icon
    Roger Strong (profile), 25 Apr 2017 @ 2:50pm

    Re: Re: Re: This is genius!

    RFID tags in smartcards are powered by the RFID reader's radio waves. By cranking up the power you can increase the distance to at least a meter.

    And that number won't be random. Only some of the bits are a unique serial number. The rest identify the manufacturer and product ID, the organization that manages the data for the tag and whatnot. Even if that information isn't published, you can probably analyse the data emanating from the pants of a few known congressmen and use that to identify others.

    link to this | view in thread ]

  38. identicon
    Anonymous Coward, 25 Apr 2017 @ 3:10pm

    Re: I'm calling bullshit...

    I don't work with smartcards, so you might know better than me, but looking at this generic smartcard cutaway diagram here...

    https://en.wikipedia.org/wiki/File:Smartcard_chip_structure_and_packaging_EN.svg

    ...it looks like the visible part of the chip on the surface of the smartcard (i.e., what you'd see if it were just a sticker), is not just a sticker but a "metal contact" connected to the embedded chip. From that, I'd say that if it were just a sticker (and not the metal contact component actually connected to the chip), it wouldn't work.

    So that, and the fact that Wyden has formally brought up the issue in the first place makes me think that this is probably not a case of, "bullshit".

    link to this | view in thread ]

  39. identicon
    Rekrul, 25 Apr 2017 @ 3:19pm

    I know this story is about ID cards, but chips are also used in credit cards and I've never understood how they're supposed to make the card holder's information safer.

    If someone with a chipped card uses it at a store and an unscrupulous employees makes a copy of that information and uses it to order stuff online or over the phone, what good does the chip do? Sure it makes the card harder to duplicate, but you don't need the physical card to order stuff online.

    link to this | view in thread ]

  40. identicon
    Wendy Cockcroft, 26 Apr 2017 @ 5:49am

    Re: Re: Sorry, access denied!

    [Sad but True]

    link to this | view in thread ]

  41. identicon
    Wendy Cockcroft, 26 Apr 2017 @ 5:52am

    Re: #fakewho's

    After discovering they had been made in China.

    link to this | view in thread ]

  42. icon
    TRX (profile), 26 Apr 2017 @ 5:56am

    Mostly, I'm astonished that Senators would need an ID card at all.

    link to this | view in thread ]

  43. icon
    cpast (profile), 26 Apr 2017 @ 6:49am

    Re: I'm calling bullshit...

    These cards aren't used for logging into computers; the executive branch often uses smartcards for login (e.g. the CAC), but the Senate just has username/password. There is an RFID chip inside, but so does my college ID card.

    (My guess is that the picture is there because *some* staff do have actual smartcards for logging into computers, most staff don't need it so don't have it, but they get the picture printed so all the IDs look the same).

    link to this | view in thread ]

  44. icon
    cpast (profile), 26 Apr 2017 @ 6:53am

    Re: This is genius!

    Most staff don't use them for logging in to computers, although for all I know some might. If I had to guess, I'd say that it's probably a few who have actual login smartcards, and the rest have the picture of a chip so that all the IDs look the same.

    link to this | view in thread ]

  45. icon
    cpast (profile), 26 Apr 2017 @ 6:57am

    Re:

    A huge portion of credit card theft involves stealing info for card-present transactions. This is pretty easy to do, because you can slap a skimmer on a credit card slot (including unattended card slots). You can't copy the info on a chip, so it protects against that.

    It doesn't provide perfect security against all forms of attack. It improves security against one of the most common forms of attack. Most attacks do not involve a clerk reading your card number; those are also easier to trace because you can trace lots of fraud back to the store where the clerk works. If you put a skimmer on someone else's card reader, tracing it back to the reader doesn't lead authorities to you.

    link to this | view in thread ]

  46. icon
    cpast (profile), 26 Apr 2017 @ 6:59am

    Re:

    Senators don't need them so much; the Capitol Police can recognize them (and they have lapel pins to identify them, so the police know to think "is this a Senator"). Staff are another story.

    link to this | view in thread ]

  47. icon
    cpast (profile), 26 Apr 2017 @ 7:07am

    Re:

    Senate office buildings are open to the public. You need an ID to get in the staff entrance, but the staff entrance exists mostly so that staff don't have to wait in a huge line to get to work. Everyone goes through security (I'm not sure if Members themselves do, but Capitol Police officers know who is and who isn't a Member). In offices, you have to go by the front desk or use an RFID chip in the card to get in, and the people in a Senate office know who else works in their office.

    link to this | view in thread ]

  48. icon
    cpast (profile), 26 Apr 2017 @ 7:09am

    Re: Sorry, access denied!

    You don't need an ID to enter a Senate office building; they're open to the public (you do need one to go through the staff line, but that's just so that staff have a shorter line). For access control to offices, there's an RFID chip.

    link to this | view in thread ]

  49. identicon
    Blink, 26 Apr 2017 @ 10:15am

    Re: Sorry, access denied!

    The scanner is actually just a picture of a scanner.

    It's pictures all the way down

    link to this | view in thread ]

  50. identicon
    Anonymous Coward, 26 Apr 2017 @ 3:20pm

    Re: Re: Sorry, access denied!

    In addition, senators have to make the scanning sound effect with their mouths to complete their security procedures.

    link to this | view in thread ]

  51. identicon
    Chris, 27 Apr 2017 @ 2:25am

    Re: Re: Re: Sorry, access denied!

    They can't; they're only pictures of Senators.

    link to this | view in thread ]

  52. icon
    compujas (profile), 27 Apr 2017 @ 5:22am

    Re: Re: Re:

    Mass storage can be a security risk if you're bringing personal files in that have viruses and then opening them on government machines.

    link to this | view in thread ]

  53. identicon
    M Hamrick, 27 Apr 2017 @ 7:40am

    Do we know it's not a contactless smart card?

    A bazillion years ago I worked on the security for the CAC card (the spiritual ancestor of the PIV card.) One thing we wrestled with was the security differences between a contactless smart card and a contacted smart card. If the card is to be used exclusively for "badging" applications (like opening doors) then a contactless card is not out of the question.

    link to this | view in thread ]

  54. identicon
    Thorsten, 28 Apr 2017 @ 9:08am

    Photo of a badge

    There's a photo of a badge online here:

    https://drpence.wordpress.com/2013/01/28/credentials/

    (by Dr. Laura Pence, Professor of Chemistry at the University of Hartford, currently spending a sabbatical year as a Congressional Fellow in Washington)

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.