In recent years, a number of incidents have undermined the security of systems and networks. Aadhaar, India's identity card scheme, issues a 12-digit unique identity number that can be obtained voluntarily by residents, or passport holders of India, based on their biometric and demographic data. Due to the lack of security and the carelessness of the system's developers, millions of Indian citizens' data were put at risk. This article explains the data risk and security of the new Ghana voters' ID card.
How cyber-attacks affect our lives
As the world evolves, our lives become interconnected through the Internet. This increases the rate at which cybercriminals use sophisticated tools and techniques to compromise systems and networks. Cybercriminals also advance their social engineering skills. Social engineering is the use of manipulation to get individuals to disclose private information. As cybercriminals evolve their tactics and techniques, the tactics and techniques of cyber experts also become more sophisticated.
What is a vulnerability in a system?
A vulnerability is a flaw or loophole in the architectural design of a system or network. As science and technology advance, the pace of system updates also increases rapidly. Designers don’t realize the vulnerabilities in their designs. Some lawbreakers take advantage of these vulnerabilities, bypass security measures, and destroy computer systems. As it is said, no system is 100% safe.
Analysis of the Ghana Voters ID card
A few days back, I came across the new Ghana voters ID card on Twitter, posted by a television network company trying to show how the new ID looked. Showing the ID card while trying their best to hide the identity of the citizen was still not the best. I kept a copy and looked further into it to see the risk involved. Researching it revealed how data was being transmitted unencrypted through the QR code on the ID card. No security measures are put in place for the safety and security of the citizen. The citizen's information could be extracted fully through the exposed QR code. This includes details such as surname, first name, sex, date of birth, polling station code, date of registration, and voter identification number.
Analysis of Voter ID cards from Estonia
First of all, let's take a look at Estonia’s ID card. Estonia has by far the most highly developed national ID-card system in the world. Considerably more than a legitimate personal ID, the required ID card additionally gives digital access to all of Estonia’s secure e-services.
The chip on the card carries embedded files and, using 384-bit ECC (elliptic-curve cryptography) public-key encryption, it can be used as definitive proof of ID in an electronic environment. The card serves multiple purposes, such as i-voting, health checks, and proof of identity. Citizens have the right to vote simply but securely from anywhere over the Internet. During the pre-voting process, voters log into the system using an ID card or mobile-ID to cast their vote. The identity of the voter is removed before the vote reaches the national electoral commission for counting, thereby ensuring anonymity. The secrecy of the vote is guaranteed in the same way as in the early-voting procedure by mail: the vote is signed and encrypted with the voter’s own certificates and placed within a double e-envelope for protection. The encrypted votes are collected, but their content will not appear outside of the cryptograms. Only after voting has closed will the electoral unit activate a device that can open up the votes. The necessary security is ensured by precise organizational measures. The server software is public; observers are welcome. In brief, in order to conceal and securely transmit the vote, the voting system uses cryptography, which ensures the same voter identity for the certificates in the document. After the vote, it is possible to use a QR code with a mobile phone to verify the accuracy of your vote through a different communication channel.
Risk in lack of security of the Ghana Voters ID card
The lack of security in the QR code on the Ghana voters ID card can result in cloning of the card. Impersonators can make a fake copy of the card for malicious activities such as registering a new SIM card in someone else’s name, registering for mobile money or a bank account, and even impersonating high-profile government officials during the recruitment process. This will increase the practice of voter card racketeering.
Control measures for the Voters’ ID card
Cryptographic mechanisms are necessary to encrypt the QR code's data content and to control access to it. Adopting such a mechanism provides confidentiality and access control for the encoded contents, so that only authorized personnel can access the encoded information.
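The control measure above, as an added example that is not taken from any electoral system: the listed card fields are sealed with encrypt-then-MAC before they would be placed in a QR code, so a reader without the key sees only ciphertext and any modification is rejected. The field values, key handling and function names are assumptions, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a vetted AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets

# Field names follow the details the article lists; every value is constructed.
SAMPLE_RECORD = {
    "surname": "DOE", "first_name": "JANE", "sex": "F",
    "date_of_birth": "1990-01-01", "polling_station_code": "X000000",
    "date_of_registration": "2020-07-01", "voter_id": "0000000000",
}

def _subkeys(master_key: bytes):
    """Derive separate encryption and MAC keys from the issuer's key."""
    return (hmac.new(master_key, b"qr-enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"qr-mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stdlib stand-in for a real stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_qr_payload(record: dict, master_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag, the bytes a QR code would carry."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)  # fresh per card, never reused
    plain = json.dumps(record, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plain))
    cipher = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag

def open_qr_payload(blob: bytes, master_key: bytes) -> dict:
    """Verify the tag first; decrypt only if the payload is authentic."""
    if len(blob) < 48:
        raise ValueError("QR payload too short")
    enc_key, mac_key = _subkeys(master_key)
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("QR payload rejected: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(cipher))
    return json.loads(bytes(a ^ b for a, b in zip(cipher, stream)))
```

Sealing the fields gives confidentiality and tamper detection; a verbatim photocopy of the printed code still scans identically, so the verifying reader also needs a check against the issuer's records.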
Government, industry, academia, and civil society must bear in mind that security is not a myth. We cannot have 100% secure systems, but we can have almost perfect systems when we keep security at the back of our minds in everything we do. Together we stand, and together we can build a safe cyberspace for our country Ghana.
Author: Blay Abu Safian – (Founder/CEO Inveteck Global & Security Researcher | Member, Institute of ICT Professionals Ghana)
For comments, contact author [email protected]; +233 (20)236-6048