Biometric ID Card security doubts voiced out
Two weeks ago a lot happened around the MNIS project, raising doubts & questions over security and usage of the biometric data collected. While I was hoping that the authorities, in good faith, shall invite members of various groups, for an open discussion, the contrary happened.
Instead of getting invitations to discuss over a cup of coffee, I saw several cartoon pictures on facebook trying sell the "benefits" of a biometric ID Card. I wonder if such tactics were employed in UK when groups opposed the introduction of biometric ID Card.
For that matter, I wrote my concerns to the Hon. Minister of ICT & the MNIS Project Manager. For public consultation, a copy of that letter is available online.
What does the letter contain?
Well, I'm a simple citizen & I ask simple questions. I started by raising a question regarding "account registration" on www.gov.mu. Today anybody in possession of a name & identity card number can create an account. So, what happens if a lot of people who have access to other people's name & ID numbers create accounts for fun? Shouldn't there be some valid verification process in-place?
As example I took the case of 9,000 names & ID Card numbers privacy blunder on a government owned website recently. Somewhere on radio, it was said that a small problem was discovered & fixed. Unfortunately, such things are no more small problems if you're pushing the country towards biometrics.
Wondering how can someone cause you prejudice with your account on Gov Portal?
Say someone logs in with your account, applies to some ministry using forged documents in your name. Ahaaa! Whom will the authorities contact when they find the documents are not genuine but forged? Poor you, you didn't even know you made an application.
Then I brought the topic on DNSSEC. Yup! I had to bring it & let's see why. During my previous observation I noticed & folks in the IT community also found it weird, why a gov-mu.org domain?
My first guess was, maybe because of DNSSEC. As we know .mu isn't signed. Let's see a quick recap how this works.
DNSSEC is a technology that was developed to, among other things, protect against DNS vulnerabilities (allowing attackers to hijack sessions) by digitally ‘signing’ data so you can be assured it is valid. It must be deployed at each step in the lookup from top-level domain to final domain name (from mu through gov till www). Signing the root zone (top-level domain), that is deploying DNSSEC, is a necessary step in this overall process. This process does not encrypt data. It just attests to the validity of the address of the site you visit.
Currently www.gov.mu isn't signed (for various reasons) and although gov-mu.org is DNSSEC signed, does it really solve the security issue? Not really. Domain names similar to gov-mu.org are available for a couple of dollars & it's just a matter of time for phishing experts to buy those and build data mining websites.
Next I raised the issue of email forgery using @mail.gov.mu extension. Currently, authorities have no mechanism in-place to prevent such things. I talked about email forgery in a previous blog post: Debunking fake emails
I gave a scenario how a phishing attack might occur (exploiting the current flaws) to tempt people into revealing their login credentials.
I ended the letter talking of security issues when having a Central Population Database (CPD). The British Government backed-down from its Biometric ID Card project when security groups raised these concerns. Our Government is creating cartoons on facebook to entice people (^^,) when such questions have been raised.
Aww! One more thing, I tossed the topic on the chip used in the ID Card. Hoping to get some answers so I may study more on the security aspects.
ID Theft: blog.carouselchecks.com