Senate ID Cards Use A Photo Of A Chip Rather Than An Actual Smart Chip

from the security-by-stupidity dept

Our government isn’t exactly known for its security chops, but in a letter sent recently from Senator Ron Wyden to two of his colleagues who head the Committee on Rules & Administration, it’s noted that (incredibly), the ID cards used by Senate Staffers only appear to have a smart chip in them. Instead of the real thing, some genius just decided to put a photo of a smart chip on each card, rather than an actual smart chip. This isn’t security by obscurity, it’s… bad security through cheap Photoshopping. From our Senate.

Moreover, in contrast to the executive branch’s widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip. Given the significant investment by the executive branch in smart chip based two-factor authentication, we should strongly consider issuing our staff real chip-based ID cards and then using those chips as a second factor.

We asked the Senate if there was any way we could get a (heavily redacted, obviously) image of a Senate ID with the “photo” smart chip but (not at all surprisingly) that request was rejected. So, instead, we’ve got this artist’s rendering of what something like it might look like, more or less.

Most of the letter (as the last sentence suggests), is about how the Senate barely uses two factor authentication, which is also kind of stunning. These days, two factor authentication is the absolute basic level necessary for anything that you want to keep moderately secure. That the Senate isn’t doing this (and that it’s faking smart chips) is preposterous. It’s great that Senator Wyden is calling out the Senate IT staff for this very basic failing. I don’t know for sure, but a lot about this letter makes me suspect that one Chris Soghoian is behind discovering the lack of a real smart chip and highlighting the lack of true two factor authentication (it’s possible it’s someone else, but it feels like a very Chris Soghoian thing to notice and call out…).

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Senate ID Cards Use A Photo Of A Chip Rather Than An Actual Smart Chip”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward (profile) says:

Sorry, access denied!

Moreover, in contrast to the executive branch’s widespread adoption of PIV cards with a smart chip, most Senate staff ID cards have a photo of a chip printed on them, rather than a real chip.

Maybe I am missing something, but when the scanner that is supposed to read the chip, and there is only a photo of the chip, wouldn’t that cause the ‘system’ to reject the presenter? Some staffers cards work, others don’t, but they all get in? Astonishing.

AngelQC (profile) says:

It could be something

I don’t know if someone, versed in SecureID card system, inspected the card closely.

It could be that the picture is faking/protecting a contact port, while the NFC/wireless portion would still be working. If I’m not mistaken, contact gives more access than wireless, e.g. writing support.

Just a thought. Or I’m just mistaken, I obviously didn’t see the card either, but that’s something I could come up with in a given situation…

tom (profile) says:

Sad but not surprising. When I asked my Representative about implementing Cyber Security standards for the average citizen, I got a Deer in the Headlight look, followed by a suggestion to ‘hold a seminar’.

Also, of the two factor methods mentioned, the ID card with a WORKING smart chip as Something you Have is the best. A high percentage of smartphones have malware/spyware installed and a USB device means you have to allow USB devices to be plugged into your secured computer. And USB is a known attack vector.

Anonymous Coward says:

Re: I'm calling bullshit...

I don’t work with smartcards, so you might know better than me, but looking at this generic smartcard cutaway diagram here…

…it looks like the visible part of the chip on the surface of the smartcard (i.e., what you’d see if it were just a sticker), is not just a sticker but a "metal contact" connected to the embedded chip. From that, I’d say that if it were just a sticker (and not the metal contact component actually connected to the chip), it wouldn’t work.

So that, and the fact that Wyden has formally brought up the issue in the first place makes me think that this is probably not a case of, "bullshit".

cpast (profile) says:

Re: I'm calling bullshit...

These cards aren’t used for logging into computers; the executive branch often uses smartcards for login (e.g. the CAC), but the Senate just has username/password. There is an RFID chip inside, but so does my college ID card.

(My guess is that the picture is there because some staff do have actual smartcards for logging into computers, most staff don’t need it so don’t have it, but they get the picture printed so all the IDs look the same).

Berenerd (profile) says:

What scares me is, my company is not a place where security is needed to keep things safe. I mean, some, but we make very large engine parts. (Think cruise ship engines and the like) its not like someone could walk off with something that weighs a ton. Computers and such sure, but most people bring them home with them. Network? That is pretty secure. And yet, to get into the building you need not only an ID to get into the main building but anywhere other than the main lobby takes a security code.

cpast (profile) says:

Re: Re:

Senate office buildings are open to the public. You need an ID to get in the staff entrance, but the staff entrance exists mostly so that staff don’t have to wait in a huge line to get to work. Everyone goes through security (I’m not sure if Members themselves do, but Capitol Police officers know who is and who isn’t a Member). In offices, you have to go by the front desk or use an RFID chip in the card to get in, and the people in a Senate office know who else works in their office.

Oblate (profile) says:

This is genius!

I bet they saved a bunch on the paper mache card readers too! The only remaining question is which congressman got the kickbacks from the security contractor?

Or these are actually just RFID cards, and they printed the fake contacts so people would stop asking why there were no contacts. Most places use RFID only for access. The contacts would only be used for verification when logging on to a computer. If they don’t use that feature (though they should) then having the contacts/chip would be pointless.

Roger Strong (profile) says:

Re: Re: Re: This is genius!

RFID tags in smartcards are powered by the RFID reader’s radio waves. By cranking up the power you can increase the distance to at least a meter.

And that number won’t be random. Only some of the bits are a unique serial number. The rest identify the manufacturer and product ID, the organization that manages the data for the tag and whatnot. Even if that information isn’t published, you can probably analyse the data emanating from the pants of a few known congressmen and use that to identify others.

Rekrul says:

I know this story is about ID cards, but chips are also used in credit cards and I’ve never understood how they’re supposed to make the card holder’s information safer.

If someone with a chipped card uses it at a store and an unscrupulous employees makes a copy of that information and uses it to order stuff online or over the phone, what good does the chip do? Sure it makes the card harder to duplicate, but you don’t need the physical card to order stuff online.

cpast (profile) says:

Re: Re:

A huge portion of credit card theft involves stealing info for card-present transactions. This is pretty easy to do, because you can slap a skimmer on a credit card slot (including unattended card slots). You can’t copy the info on a chip, so it protects against that.

It doesn’t provide perfect security against all forms of attack. It improves security against one of the most common forms of attack. Most attacks do not involve a clerk reading your card number; those are also easier to trace because you can trace lots of fraud back to the store where the clerk works. If you put a skimmer on someone else’s card reader, tracing it back to the reader doesn’t lead authorities to you.

M Hamrick says:

Do we know it's not a contactless smart card?

A bazillion years ago I worked on the security for the CAC card (the spiritual ancestor of the PIV card.) One thing we wrestled with was the security differences between a contactless smart card and a contacted smart card. If the card is to be used exclusively for “badging” applications (like opening doors) then a contactless card is not out of the question.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »