Information Card Foundation

Security Briefs

Finally there's a home on the Internet for information cards. I've been waiting for this for a long time - a place to point consumers, executives, and developers to learn more about information cards. And it's not just a Microsoft thing. Founding members include Google, PayPal, Novell, and the Liberty Alliance. While the adoption of information cards has been happening at a snail's pace, this collaboration might just change that.

And that would be very good for consumers.

 


Posted Jul 09 2008, 05:15 AM by keith-brown

Comments

Dirk Bruehl wrote re: Information Card Foundation
on 08-12-2008 2:46 PM

Using an Information Card is great! I am pretty sure it will simplify life and solve a lot of problems.

But the name “Information Card” used here is a deception - behind its veil it is only a piece of Software, not any Card in your hands at all! And everybody knows meanwhile what can be done with Software!

Information Cards will only be secure if there are real cards in use:

Not only passwords, every security measure running directly on a PC only is vulnerable, and virtual ID-Cards (which are only data stored on your computer) are an invitation to phishers! They only have to upload this ID-Card from your Computer, and phishers get everything they like to have!

Why? There is an incurable flaw:

Everything running directly on a PC (especially with MS-Software) can be faked or spied on.

The only thing which helps is an external ID (Card or USB-Dongle) with embedded Microprocessor which handles all the login communication with embedded cryptography and refuses to be spied on.

And even if you trust your computer software and think that nobody can get your data, you have to give your essential personal identity data to the company which is issuing the ID-Card - there is another vulnerability. These Companies have all your data and the possibility to access all your WEB-based connections. Who is supervising these Companies?

Who is securing the security of your identity there?

I worked with the European eEurope Smart Card Initiative in 2000 and we discussed all the security problems - there is only one solution for real security: a device outside the computer, communicating with, but not affected by the Computer and/or the Internet!

It is a myth that data on your computer are safe, even if big companies are involved and say so.

keith-brown wrote re: Information Card Foundation
on 08-12-2008 4:31 PM

Dirk,

There are different levels of security, and not every scenario calls for two-factor authentication and/or a smart card. Information cards require authentication in order to be used, and the level of authentication depends on the issuer - you could certainly issue a managed card that required proof that the user holds a smart card if you wanted to.

Dirk Bruehl wrote re: Information Card Foundation
on 08-13-2008 9:40 AM

Keith,

Thanks for your response! Of course there are applications where you do not need the highest level of security. But in this case it is okay to stay with a password! I have seen with my own eyes that even heads of security departments are not aware how their precious passwords are processed - seeing their secret password on my monitor-screen made them freak out.

And I am pretty sure the Information-Card Login-Procedure can be monitored, too.

You wrote "the level of authentication depends on the issuer" - this is just what People should know. People should know the limits and drawbacks of security. Otherwise a new circle of Insecurities and Security Breaches and even loss of personal identity Data may follow.

If there is a possibility to have a physical ID-Card with embedded cryptography, as I wrote earlier, using the PC only as a "dumb terminal" to establish a connection, this will be secure. But there is a vulnerability for identity-theft as soon as there are identifying data and/or there is software on the PC doing all this.

And there is yet another point of vulnerability:

Even if you trust your computer software and think that nobody can get your data, you have to give your essential personal identity data to the company which is issuing the ID-Card - there is another vulnerability. These Companies have all your data and the possibility to access all your WEB-based connections. Who is supervising these Companies?

Who is securing the security of your identity there?
