CBR's NTN verification service is full of security holes

Electronic government initiatives are excellent, in general. They increase efficiency, make information more accessible to the public, prevent people from standing in long lines and wasting their entire day with the most mundane of things, and generally lead to a happier populace. But when they aren’t thought through properly, they can also result in some really disastrous outcomes.

This case in point was brought to our attention by a watchful reader, Shehzad A. Shehzad came across the online NTN verification service deployed by the CBR (Central Board of Revenue) and immediately pointed it out as a not-so-well thought out initiative. And we agree!

The service lets you enter any Pakistani national’s name or National Identity Card (NIC) number and get back the individual’s Tax ID, full address and some other information. This in and of itself wouldn’t have been all that bad… after all, the NIC is not quite like the US SSN because you can’t exactly use it to apply for a credit card online and then rip someone off. And even in places like the US where privacy watchdogs have been on the prowl for a long time, tax records are public information and can be searched online. In fact, as long as you know the country of residence of any individual, you can easily get their full address information on a variety of county websites.

So, it’s not just the information that’s the issue… it’s the fact that too much of it is being revealed, and it is not being protected from automated attacks/database replication attempts. For example, why give out the NIC information when the service is expressly a tax number verification service? Is full address information necessary to verify someone’s NTN? What about just giving the city, or how about even the street without the house number?

Since there is no use of Captcha or other robot avoidance mechanisms, a simple scripted robot could easily pull information from this database by using random NIC numbers or names. What’s more, since the service doesn’t prevent a single IP from accessing it over and over, you could have a robot do this for weeks or months and pull down hundreds of thousands or millions of records. Whoever does this would essentially be replicating NADRA’s database, minus the biometrics. Not good.

I think the Central Board of Revenue really needs to look at this immediately and add security features like Captcha, prevention of unlimited queries from a single address, and paring down the information returned. The government is entrusted with citizens’ private information under a contract of trust. It should go to lengths to uphold its responsibilities.
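Two of the fixes recommended above, a cap on queries from a single address and a pared-down response, sketched as an added example (not CBR's code; the record layout, field names, limits and the `QueryBudget` and `verify_ntn` names are assumptions, and the Captcha step is left out):

```python
import time
from collections import defaultdict, deque

# Constructed sample record; the field names are assumptions, not the CBR schema.
RECORDS = {
    "00000-0000000-0": {
        "ntn": "0000000-0",
        "name": "Sample Person",
        "nic": "00000-0000000-0",
        "address": "House 0, Street 0, Sample Town, Karachi",
        "city": "Karachi",
    }
}

# Only what a verification needs: no NIC echoed back, no street address.
PUBLIC_FIELDS = ("ntn", "name", "city")


class QueryBudget:
    """Sliding-window limit on lookups per client address."""

    def __init__(self, max_queries=5, window_seconds=3600):
        self.max_queries = max_queries
        self.window = window_seconds
        self.hits = defaultdict(deque)  # client address -> lookup timestamps

    def allow(self, client_ip, now=None):
        now = time.monotonic() if now is None else now
        recent = self.hits[client_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget lookups that fell out of the window
        if len(recent) >= self.max_queries:
            return False
        recent.append(now)
        return True


def verify_ntn(budget, client_ip, nic, now=None):
    """Return (status, body). Misses are charged to the budget as well, so
    random guesses use it up as fast as valid lookups do."""
    if not budget.allow(client_ip, now):
        return 429, {"error": "query limit reached"}
    record = RECORDS.get(nic)
    if record is None:
        return 404, {"error": "no match"}
    return 200, {field: record[field] for field in PUBLIC_FIELDS}
```

A per-address limit is one layer only; the Captcha and the reduced output asked for above cover clients that arrive from many addresses.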
