By sheer coincidence a huge security hole has been discovered in DigiD, the Dutch government's mechanism for authenticating internet users: an ordinary citizen logged into one of the government's websites to file a police report. He owns a petrol station, and someone had driven off without paying.
Once logged in, it turned out he had accidentally landed in someone else's account. Within that account he could do whatever he wanted: change personal details, register an emigration, stop or request all kinds of welfare or child support, and so on. He had full access to everything the government knows about this other person.
The Department of National Affairs responded with "Coincidence exists. This has never happened before." But is it really such a one-off coincidence, never to recur, as they try to make it seem?
Of course not. A system of this profile should have the strongest security imaginable, yet its designers made a mistake that would not be tolerated even on a simple internet forum or any website where you create a free account in order to participate: they allow more than one user to have the same username.
The effect is that users sharing a username can only be told apart by their passwords, so every such user must have a different password. But what if two of them don't? Then the system cannot distinguish them, and it simply opens whichever matching account it finds first. Note that hashing the passwords does not help here: if the lookup is "first record whose username and password match", two people with the same username and the same password still collide on the same record.
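To make the flaw concrete, here is an added example (not code from DigiD or from this blog) of the two designs side by side: a login that looks up "first row matching username and password" over a table without a uniqueness constraint, next to a hardened version that enforces a unique username and verifies a per-user salted password hash. The table layout, the `owner` column and the two colliding sample accounts are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune to your hardware


def setup_vulnerable_db():
    """Constructed schema: nothing stops two accounts from sharing a username."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, owner TEXT)"
    )
    # Constructed sample rows: two different citizens who both chose the
    # username "jan" and the password "welkom01".
    conn.executemany(
        "INSERT INTO users (username, password, owner) VALUES (?, ?, ?)",
        [("jan", "welkom01", "citizen A"), ("jan", "welkom01", "citizen B")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Returns the owner of the FIRST row matching username and password.

    With duplicate usernames and identical passwords, citizen B's login
    opens citizen A's account, because citizen A's row is found first.
    """
    row = conn.execute(
        "SELECT owner FROM users WHERE username = ? AND password = ? LIMIT 1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def setup_hardened_db():
    """Hardened schema: username is UNIQUE, passwords stored as salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL UNIQUE, salt BLOB NOT NULL, "
        "pw_hash BLOB NOT NULL, owner TEXT)"
    )
    return conn


def register(conn, username, password, owner):
    """Create an account; returns False if the username is already taken."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    try:
        conn.execute(
            "INSERT INTO users (username, salt, pw_hash, owner) VALUES (?, ?, ?, ?)",
            (username, salt, pw_hash, owner),
        )
    except sqlite3.IntegrityError:
        # UNIQUE constraint fired: the second "jan" is refused at registration,
        # so a later login can never be ambiguous.
        return False
    return True


def hardened_login(conn, username, password):
    """Identify the account by username alone, then verify the password for it."""
    row = conn.execute(
        "SELECT salt, pw_hash, owner FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, pw_hash, owner = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking hash prefixes via timing.
    if not hmac.compare_digest(candidate, pw_hash):
        return None
    return owner


def demo():
    """Run both designs against the same colliding pair of accounts."""
    vuln = setup_vulnerable_db()
    hard = setup_hardened_db()
    first_ok = register(hard, "jan", "welkom01", "citizen A")
    second_ok = register(hard, "jan", "welkom01", "citizen B")
    return {
        "vulnerable_opens": vulnerable_login(vuln, "jan", "welkom01"),
        "hardened_first_registration": first_ok,
        "hardened_duplicate_registration": second_ok,
        "hardened_opens": hardened_login(hard, "jan", "welkom01"),
        "hardened_wrong_password": hardened_login(hard, "jan", "nope"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns "citizen A" no matter which of the two people typed the credentials; the hardened version refuses the second registration outright, so the username identifies exactly one record and the password is only ever checked against that record.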
How this system made it into production without anyone noticing the flaw is a mystery, and let's hope it is fixed immediately. There is a reason banks use stronger logon schemes with a second code and a hardware device, following the 'knowledge and possession' principle: something you know plus something you have.
But whatever happens: be extremely careful with your personal details online.