Friday, March 13, 2020

Secure Identity using myGovID Flawed

This seems like an extremely flawed and insecure system. First there is the arrogant view that it would be irresponsible not to update one's phone to a new, purportedly more secure, system. But if security is the issue, then requiring the irresponsible behaviour of scanning identity documents and uploading them to be stored on some organisation's servers voids the benefit of the improved phone security. The system is not acceptable.

In the traditional approach people took their identity documents to an agency and an officer viewed the real documents. The identity documents are typically on non-standard paper sizes, in colour, and are embossed or have watermarks. The documents were photocopied in black and white, typically producing a copy surrounded by waste paper, or a document split onto two sheets of paper. The copy was stamped with a red stamp with the word "COPY", and it was signed and dated by the officer witnessing the real documents. The copy was in no way a substitute for the original, but it was token evidence that such original documents had been presented to an officer of the agency.

With the introduction of colour photocopiers with memory storage, it became increasingly viable to produce a replica document which could be used as a substitute for the original if not closely scrutinised. With scanners, wireless networking and roll-form printers, preventing the creation of a substitute document became less and less viable. All the witnessing organisation requires is token evidence of having viewed the real documents: no colour photocopy or scan of the whole document is needed.

The system we have here with myGovID is that a substitute document is used as proof of identity, and that is definitely not acceptable. It just needs someone to steal the substitute documents from, say, Paypal servers and upload them to the ATO servers. Not a problem, right? It's secure. These systems are so secure that we have to upgrade our phones on a regular basis, because the secure systems are not as secure as they are purported to be. The systems are perfectly secure until the suppliers wish to sell the next piece of electronic junk.

From memory the Australian population opposed the introduction of a national identity number and photographic identity card, and the driver's licence is only supposed to be used for traffic management. The same population goes out and buys a mobile phone (a personal identity number) with GPS tracking and a camera, plasters its identity all over the internet, and then complains about privacy and identity theft. So maybe the government could assume the population is naive and gullible. However, one phone, one identity is not valid, as some families have just the one mobile phone. The phone is carried by whoever is away from home, so they can contact home.

To get a phone you need to provide a name and address, at the very minimum so that you can be billed for regular use. I don't recollect any need to provide proof of identity to buy one. However, suppose one phone, one identity is imposed; then the proof of identity needs to occur at the point of sale. Sales people and retailers become responsible for verifying identities, which seems an onerous imposition.

If myGovID uses a scanned file uploaded to its servers, then someone just needs to identify where the file is taken from and push the appropriate file into the transfer system. That is, a hacker steals identity documents from, say, Paypal, and pushes them to the ATO servers. However, suppose that when an identity document is scanned with a mobile phone no file is created on the phone and a data stream is sent directly to the ATO servers, where a file is created. Now the phone's camera/scanner has to receive a document. The original documents are still not needed, only the substitute documents which are seen at the other end of the communication channel. And if every naive organisation is requesting the upload of identity documents then there are going to be plenty of servers to hack from which to retrieve substitute documents. Identity is thus not secured.

I don't have an issue with Australia Post offices which issue passports checking identity documents, but once again they should not be permitted to scan and retain substitute documents. Putting the word "COPY" on the scanned document is also not acceptable, as there is no means of knowing whether that is simply a screen display or an actual change to the file. Even if it is a change to the file, it can be applied in a way that is easy to remove. Even if it is part of the bitmap and obliterates the underlying text, it is still viable to develop an algorithm which finds the word COPY and removes it, after which other algorithms can attempt to fill in the missing image. Whilst probably not good enough to restore the document, that would depend on where the word "COPY" is written. If placed over standard content it is relatively easy to restore; if over signatures it is less viable to restore, but if the signatures are obscured then the copy is possibly of limited use.

So basically the full original document needs to be witnessed, but only part of it, such as the signature strip, should be permitted to be scanned. But then the signature strip could easily be used to create a new set of documents. So no copies or scanning should be permitted. Scanning is probably not necessary anyway, as most of the documents have registration numbers of some description. So witness the original documents and record the relevant details. If an error is made in some of the registration numbers then the documents won't reconcile with official records, and the relevant agency can request to check the original documents again. For certain one can have the numbers without having the original documents. The issue, however, is having enough numbers from enough documents that the identity is demonstrated to have been used consistently for a long time by the same person.
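The alternative sketched above, as an added example that is not code from the original post or from myGovID: a witnessing officer records the document type, registration number and details seen, the agency seals that record with an HMAC so it cannot be altered in storage, and the record is reconciled against the issuing registry. The registry, agency key, names and document numbers are all constructed sample data.

```python
"""Added example, not code from the original post or from myGovID: a witness
attestation that records document identifiers instead of keeping a scan, and
reconciliation against an issuing registry. All keys, names and document
numbers below are constructed sample data."""
import hashlib
import hmac
import json

# Constructed stand-in for an issuing agency's records (not real data).
REGISTRY = {
    ("passport", "N1234567"): {"name": "A. Example", "dob": "1980-01-01"},
    ("drivers_licence", "098765432"): {"name": "A. Example", "dob": "1980-01-01"},
}
# Hypothetical key held by the witnessing agency to seal its records.
AGENCY_KEY = b"constructed-demo-key"

def _seal(body):
    """HMAC over the canonical JSON of the record (without its own mac)."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AGENCY_KEY, data, hashlib.sha256).hexdigest()

def witness_attestation(doc_type, doc_number, name, dob, officer, on):
    """Record what the officer saw: type, number, name, DoB, officer, date.
    No image is kept, so there is nothing to leak or build a replica from;
    the seal lets later alteration of the stored record be detected."""
    rec = {"doc_type": doc_type, "doc_number": doc_number, "name": name,
           "dob": dob, "officer": officer, "date": on}
    rec["mac"] = _seal(rec)
    return rec

def verify_attestation(rec):
    """Recompute the seal in constant time; reject tampered records."""
    body = {k: v for k, v in rec.items() if k != "mac"}
    return hmac.compare_digest(_seal(body), rec.get("mac", ""))

def reconcile(rec, registry=REGISTRY):
    """Check the recorded details against the issuing registry. A mis-typed
    number simply fails to reconcile and the original can be re-presented."""
    if not verify_attestation(rec):
        return "tampered"
    entry = registry.get((rec["doc_type"], rec["doc_number"]))
    if entry is None:
        return "unknown_document"
    if entry["name"] != rec["name"] or entry["dob"] != rec["dob"]:
        return "details_mismatch"
    return "reconciled"
```

A transposed digit in the registration number returns `unknown_document` rather than a false match, which is the point of the argument above: the numbers are checkable without any copy of the document being retained.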

So it is not a secure system, and it requires releasing documents which place identity at even greater risk of being stolen. To not have an alternative system in place seems unreasonable.

Related Posts

[13/03/2020] : Original