BlogsRSS

Don Sambandaraksa

Is it time for Thailand to rethink ID security?

At the National Telecommunications and Broadcasting Commission open forum, interestingly titled “stealing online money via the mobile phone”, I asked the delegates a number of questions, none of which got answered.

Much of the conversation revolved around security of the ID card. Everything in Thailand seems to revolve around ID cards. It is a single point of failure. The fact that a citizen now needs to present an ID card when entering buildings or doing something as mundane as sending a package at the post office means that the chances for someone to take the information from the card and clone it happen many times every day.

Is it time, I asked, to rethink the security versus convenience model in light of this threat?

I pointed out two examples. One was the EEstonia system where a government database allows citizens and eCitizens alike to use their ID cards to log into banks and see all their personal data already there even if it is their first time there. The other example was from when I interviewed Telenor Pakistan a while back on the great SIM reregistration drive.

Where the Thai ID card does not have any PIN protection and nearly every use depends simply on an easily forged visual check, Pakistan had long had cards with multiple levels of PIN numbers. Still, that was not enough and despite stringent SIM registration with PINs, bombs were still being set off via untraceable mobile phones. What the Pakistani government did was go full biometric and ordered every SIM verified against existing government fingerprint records by the telco.

Does Thailand need to go down that route?

I pointed out that before becoming a journalist, I was a civil servant at the ICT Ministry. Back in 2003 we (MICT) tried to get the citizen database transferred to the ICT Ministry from the Interior Ministry’s Bureau of Registration Administration.

I still vividly remember the argument, helped formed by my friends at the World Bank, that citizen information must be curated by an agency that does not use it. The MICT would curate it for the highest value of the citizen database whereas the Interior Ministry would curate it only for the benefit of the Interior Ministry. Only by setting it free would a true multi-use, multi-stakeholder smart ID card system take root.

That was the problem here. The system was geared only for the Interior Ministry’s use and could not be opened up to accommodate telcos, banks and customers of the two in a way that made sense.

We (MICT) also argued that the Interior Ministry’s approach to the security versus convenience balance was all wrong. MICT wanted two card issuing places for security, one main and one backup. No more, no less. People would have to wait for their cards but that was part of the security model (along with proper use of PIN codes and a card that actually was not designed to circumvent Java Card security measures which the Thai card was, but that is another matter). The Interior Ministry, however, wanted card issuing stations everywhere, at every district office and at every other shopping center so that people could get their ID cards while they did their shopping, never mind any thought of security as cutting red tape was popular with the electorate.

The cabinet sided with the Interior Ministry, the system remained with them and nothing changed. I told the floor at the NBTC forum that perhaps it is time for change. Perhaps this developments and others like it warrant a rethink of the entire ID system.

“My report from 14 years is probably still on a shelf somewhere in the ICT Ministry. You would do well to find it and read it as it’s still relevant,” I said.

My other question was what was the regulator doing with regards to SS7 hacking. Previously, the representative from tech website Blognone, Wason Liwlompaisarn, spoke of network level vulnerabilities in using SMS for onetime passwords and that things were getting worse, not better.

I pointed out that network-level SS7 hacking that would allow redirection of SMSes has been around for some time and that when I asked the telcos in Thailand what they were doing about it, I only got a reply from one of the telcos, AIS, who pointed out that despite the hoohah surrounding the SS7 hack, what the media reports failed to point out was that SS7 traffic is visible and that anyone with a decent monitoring system can see and block attacks.

What the NBTC could do would be to order SS7 logging and monitoring to at least gain visibility into the prevalence (or not) of such hacks. This is something that is fully within the remit of a telecoms regulator to do and would help stop at least one avenue of attack. Wason thanked me out of band and said that he was trying to avoid using technical terms such as SS7. Judging from the blank faces from my question and lack of any reply, I think he was wise to do so.

The terms Digital Economy and Thailand 4.0 were mentioned many times during the course of the forum. Both need a solid foundation. Building these huge projects such as the new national payment system on an unsound base of broken identity systems and archaic or badly written laws will not end well.