Dupe Id Smart Cards Snafu

[udon]

from Content Wire,

located at http://www.content-wire.com.

--------------------------------------------------------------

Thailand: Dupe ID Smart Cards Snafu

Bangkok -

More than 100,000 "smart" ID cards which are currently being issued to the public have been found to have duplicate unique serial numbers and as such have been rendered all but useless for the purpose of national identification.

The revelation was made by one of the bidders for the 888-million Baht 12-million card project who is still closely following the case.

The source said that on Tuesday and Wednesday, officials from ST Microelectronics had visited the Bureau of Registration Administration, Ministry of Interior and had conceded that the problem was serious. "What was first numbering in the tens of thousands now seem to be well over a hundred thousand", the source said.

He said that BORA had decided to treat the duplicated cards as defective and would be returning them to the ICT Ministry who is responsible for card procurement to be replaced under warranty.

The source noted that fixing the cards is impossible as the unique serial number can only be programmed into the card once. This has to be done at the factory soon after the chip is completed either by using lasers to physically cut circuits or writing to one-time-writable EEPROM memory, the source noted.

"It was as if someone had reset the counter mid-production leading to countless pairs of cards being created", the source noted.

In his original June 2005 interview, Nectec Director Dr Thaweesak Koanatakool, who was commissioned by the Prime Minister to conduct a fact-finding study into the smart ID card project, claimed that the ICT Ministry and ST Microelectronics had refused to hand over engineering documents which would have shown who had ordered questionable modifications to the card.

Chief of these was the division of memory. The card has 66KB of memory physically present on the card, but as delivered, only has 28KB of memory available to Java Applets which is less than the 32KB minimum stipulated in the terms of reference.

Thaweesak questioned why more memory was not made available to the Java Virtual Machine. Like the serial number, this allocation can only be made once and cannot be changed.

The same engineering documents would show the reason not just for the non-standard memory division, but possibly by whom and when the serial number counter was reset or even why the cards were ordered produced in pairs.

The Nectec report said that the card had failed four parts of the ToR. In addition to having less than the required amount of available memory for Java Card applets, the card had an incomplete implementation of the Java Virtual Machine operating system, lacked security libraries (public key encryption classes) and lacked the ability to securely add and delete applications.

However, despite these objections, the smart ID cards were accepted by the procurement committee on a majority vote. It later emerged that within the 9-person committee, the representatives from Nectec, Bora and the ICT Ministry's internal legal affairs officer had voted against acceptance of the cards.