As all around the world people are becoming increasingly mobile, new demands are being placed on their technological environment. Modern nomads want to make phone calls, send emails, search the internet for information and conduct their everyday affairs while away on vacation or on business trips. For mobile use of these technologies of convenience, security is the essential requisite. In Germany, the new ID card, with its online function, contributes to protecting data and identity in a digital environment – both at home and on the road. One exciting new application of this ID card is the possibility of using it to withdraw cash at an ATM, as Thomas Löer explains.
Economic benefits and greater efficiency were the two main objectives of introducing the new German ID card in 2010, and gradually numerous potential applications offering greater security and convenience are emerging. One new application which Bundesdruckerei, Bank für Investments und Wertpapiere AG (biw AG) and the IT service provider XCOM AG have jointly developed, caused quite a stir at this year’s CeBIT: the use of the new German ID card to withdraw cash at an ATM. As announced at the fair, the first ever ATM to accept a German ID card for cash withdrawal was commissioned and has now been installed at Bundesdruckerei in Berlin. Company employees, visitors and even passers-by, can use this innovative cash dispensing service in the company foyer to obtain brand-new banknotes.
To withdraw cash at Bundesdruckerei’s ATM, the only two things a user, who has to be at least 18 years of age, requires are his or her ID card with the online ID function activated, and the corresponding six-digit PIN. Customers wishing to use the service have to register once in order to create a user account. During the registration, the user has to grant biw AG permission to debit the withdrawn amount to the specified reference account, but the user does not have to have an account at biw AG. Up to four German bank accounts can be assigned to an individual ID card.
When withdrawing cash, the ATM guides the user through the procedure with simple and easy-to-understand instructions (see figure 1). The ID card does not have to be inserted into a reader; it is read by simply placing it on a designated area. This convenient operation also ensures that the card cannot be confiscated by the ATM. To prevent misuse, the cash withdrawal procedure is aborted as soon as the user removes the document from the reader field.
Subsequently, the ID card is detected and its PIN is verified by Bundesdruckerei’s e-ID service. Users are informed about what information is being read from their ID card and for what purpose it is required. Verification normally takes only a few seconds, after which the requested amount is dispensed and the data forwarded to biw AG, which then directly debits the withdrawn amount to the account specified by the customer. Biw AG has a state-authorised certificate permitting it to use ID card data for cash dispensing services. It can also check that the ID card has not been barred, for instance following loss or theft.
This ID card innovation attracted a great deal of interest at CeBIT 2013. In the course of the fair, large amounts of Euros, adding up to a four-digit sum, were paid out to German bank customers in cash. Many of them recognised the advantage of not having to carry around several cards for accounts at different banks and remember their various PINs – after all, most people carry their ID card with them anyway.
An added benefit of using the new ID card to withdraw money is that the sovereign document with its six-digit PIN achieves a higher security level than ordinary debit cards, since the diverse security features and integrated chip make the ID card more difficult to counterfeit. The chip is additionally protected using special encryption methods, making it impossible for the data to be copied onto another card.
Common misuse scenarios such as copying magnetic stripes are a thing of the past with the new German ID card. Moreover, biw AG uses Bundesdruckerei’s e-ID service in its ATM and is thus subject to surveillance by the German Federal Office of Administration (Bundesverwaltungsamt) as well as being monitored by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or BaFin) and Bundesbank. The entire process that customers at the ATM have to follow has been tested and approved by the Issuing Office for Authorization Certificates (Vergabestelle für Berechtigungszertifikate or VfB) at the Federal Office of Administration. This approval test is carried out in accordance with special guidelines, placing particular importance on process security and economical use of data. The VfB has determined which data the bank, in this case biw AG, is allowed to read from an ID card. The data must be read out in such a way that the customer can be identified beyond doubt, since when the ID card is used to withdraw cash, no advance request is sent to the main data centre of the bank issuing a card, as is the normal procedure for debit cards. The main purpose of this authentication is to hold the customer responsible for any refusal to serve the direct debit request for withdrawals made in their name.
e-ID service guarantees security and data protection
Certification Authorities such as Bundesdruckerei GmbH with its D-TRUST trust centre provide the technical authorisation certificate and offer their e-ID service to interested parties. This service allows organisations providing online services to offer secure registration, login and ordering processes in a high-security environment without having to make major proprietary infrastructure investments. The Bundesdruckerei e-ID service used by biw AG in the ATM controls all communications and checks the data against the latest authorisation certificates and revocation lists whenever data are being exchanged. It identifies and authenticates the parties involved in the transaction and guarantees security and data protection (see figure 2).
In principle, the e-ID process can model all processes that do not explicitly require a written form or a written signature. When used in combination with a qualified electronic signature (QES) or a so-called ‘sign-me certificate’, the process can be used to handle public administration procedures and conclude contracts online.
The e-ID service has two interfaces, an internal and an external one. The internal interface conforms to the e-Card API framework specified in technical guideline TR-03112 issued by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) and enables information interchange with the ID card. It includes cryptographic protocols as well as PACE (Password Authenticated Connection Establishment) and EAC (Extended Access Control) access control procedures.
The external interface serves to transfer data stored on the new ID card chip to the service provider, using an internationally standardised token to control the process. Currently, the VfB has authorised more than 70 service providers to use the online ID function. Some of these applications are already being tested in reference operations.
There is great potential for other innovative applications involving the new German ID card. Bundesdruckerei has produced around 23 million of these ID cards to date. It is estimated that every third ID card holder has had the online ID function activated. In cities offering a wide range of applications for the new online ID function, for example Münster, the proportion of ‘activated’ ID cards is even higher. By putting the first ATM to use this function into operation, the partners involved in the present project have proved that use of the new ID card for such applications is technically feasible. This innovative service is bound to establish the ID card as a secure and practical means of identification in banking transactions and will widen its general acceptance. However, those involved are well aware that it will be quite some time before cash can be withdrawn from ATMs all over Germany using the new ID card. For the time being, this option can only supplement established card services. For bank customers, the new ID card is a useful alternative that provides them with greater flexibility in their day-to-day interaction with banks.
Possible further scenarios
Other scenarios in addition to ‘classical’ cash dispensers are conceivable for the future. For example, ATMs with an ID card interface could be installed at citizens’ service offices. Instead of issuing cheques to recipients of social benefits, authorities could use these as a cash dispenser, operating independently of banking networks. In this case, the local authority would have to establish a link in its own system to the beneficiary’s ID card and could then assign cash payments directly to the corresponding card. Both parties would gain from this: the local authority would safeguard its payments and beneficiaries would no longer need to go to a bank to cash their cheque.
Last year, Bundesdruckerei launched a competition called ‘e-IDEA – for the digital handshake’ (‘e-IDEE – für den digitalen Handschlag’) to promote further innovative applications for the new ID card. The competition intended to harvest attractive ideas on how the online ID function can be integrated into digital services. In 2012, a total of 123 suggestions were submitted by private persons, companies, public authorities, hospitals and universities. This year the competition runs again. Two further award categories have been added: one for young innovators and another for innovation. Furthermore, this year a public choice award will be presented as well. Suggestions could be submitted up to mid-August and had to cover applications which are not just technically, but also legally feasible. The winning idea should also be suitable for use by as many citizens as possible and provide noticeable advantages to them. The ideas are being discussed at the moment by a jury of top experts. The winner of the main prize, which will be awarded in Berlin in November, can look forward to products and consultancy services worth 10,000 Euros from Bundesdruckerei GmbH.
Documents such as the new German ID card provide improved security for everyone, both in the analogue and the digital world. In times when computer criminals can make millions and an estimated million people fall victim to this type of crime every day, the use of a thoroughly reliable, secure technology is crucial. Digital identity theft in particular has developed into a highly lucrative business. Only absolute proof of identity as achieved by secure e-ID documents can offer protection against such crime. The objective is to protect personal identities and to make transactions and communication processes on the network more secure. User oriented, transparent and effective e-ID applications provide opportunities and potential for revitalizing relationships between citizens, administrations and enterprises, since the future competitiveness and competence of the state, economy and civil society can only be sustainably guaranteed by a successful transition into the digital age.
Dipl. Ing. Thomas Löer has been employed at Bundesdruckerei GmbH in Berlin since 1994. In his present capacity as Senior Vice President Marketing & Support he is responsible for Bundesdruckerei’s product and solution portfolio. He is also in charge of supporting the more than 5,500 German ID card and passport offices as well as Bundesdruckerei’s international customers.