Security breaches in handling of Israeli biometric ID cards

The mechanism for reporting the loss or theft of an Israeli biometric identification card suffers from significant security faults, reports Ha’aretz (in Hebrew, by Ido Keinan and Johnny Zilber). According to the regulations and procedures of the Israeli Population, Immigration and Border Authority (PIBA) at the Ministry of the Interior, citizens being issued biometric identity cards are asked to answer two security questions to which only they should know the answers. The questions are intended to be used later to identify, over the telephone, a person wishing to report the theft or loss of his or her biometric ID card.

According to a security expert, when the card is issued, citizens are prompted to give their answers to the security questions in the open hall of the PIBA office, where interested parties can listen in on the conversation between the citizen and PIBA's representative. Another failure lies in the nature of the security questions in use, which include shoe size, favorite hobby, pet, and color. Someone other than the cardholder can work out the answers to such questions with relative ease, for example by reviewing the cardholder’s profile on various social networks. In addition, contrary to the regulations, PIBA allows the citizen being issued a biometric identity card to freely choose the security question he or she wishes to use. Nothing in this process prevents a cardholder, through lack of awareness, from choosing a question that is particularly convenient for him and therefore also particularly easy for others to guess.