This is new and you won’t see it reported anywhere else, yet.

My friend and former colleague Rob wrote me on AIM:

I just got back from getting my new “Digital Drivers License”… it’s supposed to serve as a definitive form of ID, as good as a passport…

They have a point system for authenticating yourself… Valid passport is 4 points, old drivers license is 1 point, etc…. you need 6 points to authenticate…

So I go to the facility, got pre-screened to make sure I had enough identification, then was told to wait in a line. When I got to the front, I presented my identification, paid for my renewal, got everything back, and was told to sit and wait for my name to be called…

(I bet you can tell what happens next)

My name was called, went up to another window, had my picture taken and was presented with my new ID.

So much for homeland security. I don’t know if it’s because I’m used to spotting holes or not, but this just seems too easy.

Did you spot the problem in the above? In security circles it’s called a “TOCTOU” bug; the acronym means Time Of Check to Time Of Use[1] – viz: there is no linkage, no guarantee that the person who had their identity checked is the same person as has their photograph taken.

That would kinda defeat the intent of the identity card, dontcha think?

Update: Rob adds:

Heh, just talked to the Directors office at the Motor Vehicle Commission:

“Oh, that’s not a problem… the person that told you to wait to be called would have noticed that another person went up to get their picture taken”

There were at least 200 people there, and about 10 windows processing renewals and new licenses

—
[1] sometimes also TOTTTOU, “time of test…”