Smart phone app Idezy to help clubbers prove their age

“If this scaled out of Cheltenham it will get hacked or brute forced and then there will be utter chaos. There are all sorts of problems here and I don't expect you to broadcast your AES crypto layer design or how you're using diversified keys etc but here's the thing....

You are putting all the data required to set up a fake IDezy website (authentic images of registered kids, their QR code and the encryption key) in the possession of the bouncers phone app. This is a fundamental flaw - any information flowing in/out of a mobile device can be compromised, cached or mirrored as another has already stressed.

For example (and this is just one) - a doorman's phone could be brute forced to enable him to spend a few months accumulating a database of registered users assets as he works the door at his local nightclub. Once these have been sold on to a fraudulent website selling 'fake Idezy' for a tenner running out of eastern europe - the underage kids can then select a registered user that looks like them and they get sent the associated QR image.

Really not trying to be too critical and good on you for having a go, but this approach is unfortunately wide open to an attack(s) and you need to know what you're towards here.

(If it scaled, you couldn't push all the pictures of all the registered kids nationally out to every bouncer's phone in the country and sync update daily, as you're intending for the trial in Cheltenham - it would have to go realtime query via wifi, 3/4G).

(It is really rather naive to suggest the disabling of screenshots provides even modest protection).”

“@Dre, a bit out of context considering that's on the PASS website, what's wrong with a driving license ? that's cheaper and most have that ?

Really think you're going to find it interesting when the bars and clubs get bored of the idea as potentially not many will use it and they'll go back to driving license/passport.

You'd be amazed what gets cached, not just low level, that was just to stop you trying to quote random statements as fact (such as nothing is ever cached)”

“You can find the following quote "[Association of Chief Police Officers] advises against the practice of carrying valuable ID such as passports for alcohol related purchases..." at http://tinyurl.com/cqqo6ap

We have spoken with the Information Commisioner's Office who have said that the system does not infringe the DPA.

With regards to caching, I was refering to the application cache, not such low level caching that is not readily accessible.”

“Also "he Police advise against carrying Passports and Driving Licences on a night out," do they ? care to show any evidence of this quote ?

Regardless of whether it's encrypted DPA is still there.”

“@Dre, your knoweldge of phones and security worries me, EVERYTHING caches at some point. Heck to get it out of main memory it'll get loaded into L3, L2 and then L1 memory for the CPU.”

“@tishwash the data is not cached, when the screen with your ID on is gone, all of the data is deleted. The venue's app is only available on Android, on which you can prevent screenshots.
The encrypted data is stored locally on the venue's phone which is synced everyday. They can use the mobile network of WiFi to sync. If the WiFi and mobile networks are both down (extremely unlikely), they can still use details previously synced. Plus your details are synced a day before you can actually use it giving a 24 hour window for them to sync.
At this early stage we will be on hand with back up phones if their's breaks. Going forward, venues will have spare phones.

@TIMONLINE2010 The venues get the data from us and we get it from VALIDATE UK, a national PASS proof of age scheme. They do all of the security checks regarding your date of birth, photo etc.

@TimMessanger I agree with the costs, I just don't understand the comparison. I don't see why using your phone to prove your age would increase the chance of you losing it.
People use their phone in public multiple times a day anyway.
The system is built in such a way as to minimise the chance of infringing the DPA. All of the details are encrypted so even if they are lost, they are useless.

@geraint2010 The Police advise against carrying Passports and Driving Licences on a night out, we wanted to give people that don't want to risk losing important documents another option that is still as certain of acceptance as Passports or Driving Licences (participating venues are listed in app so you know exactly where it is accepted).”

“Bit low-tech I guess, but why not simply slip your driving licence in your back pocket or purse?”

“@dre_pilipczuk

It would be really nice if you read your own article published on this web site...

"The idea is the brainchild of Ben Pearson, who was left frustrated by losing his passport on a night out and left with an £80 bill to replace it."

£80 bill to replace your pass port
£500 to replace an iPhone or you might even lose your life!
"a young man in the prime of his life was left to die on a cold back street, all for the sake of a mobile phone" - http://tinyurl.com/8ttbdwj

WHO SAYS YOU WILL LOSE YOUR PASSPORT?

I also take it that all the venues will have the correct registration under the DPA and that they are aware of the penalties if they lose this data!”

“So where do the venues get your details from in the first place?”

“even worse, what happens if the internet is down like O2 recently, then they can't get your ID downloaded ? or the venues phone is broken ? or they haven't sync'd recently ?”