Note: Update of the issue is posted here.
Interesting read today in the NST on ID theft:
The thread running through all these cases is the loss of identity cards — the old version — by the victims. The imposters had used these cards to commit offences or apply for loans. Federal police investigated 43 cases of identity theft this year, 48 last year, about 400 in 2004 and more than 500 in 2003. The MCA Public Services and Complaints Department has so far handled 114 cases of identity theft involving RM5 million. There have been 18 cases this year. It received 38 reports in 2005 and 58 reports in 2004…
Actually ID theft is nothing new and yet, we are exposed to numerous ways where our personal information and identity might be exposed without our knowledge. A missing identification card is not the only way we can lose our identity. Updating personal information over an unsecured internet connection is another way. This is what came to my mind when I was surfing on the internet and wanted to change some of the account details on Astro’s website.
To my horror, the page for the update of the personal information (NRIC, Name, Address, Contact Numbers, etc – you name it, it’s there in the open) on the site was not secured. So, I wrote to them on the issue. Nothing happened. So, I wrote again yesterday and copied the email to several senior staff in Astro. The content of my letter was as follows:
Dear Sir / Madam
I have written to you on this matter several times via your online complaint forms but it is apparent that it has fallen on deaf and stubborn ears. Being someone who is involved in the IT sector, I actively use the online features of your website to access the Astro programs and to update account details online. It is fast and convenient.
So far, the response time has been good to some extent but the question that begs to be answered is how SECURE is your webpage at www.astro.com.my especially on pages which require the subscribers to input their NRIC, Astro Account number, Astro smart card numbers and a whole lot of other personal details over the internet.
Hasn’t your webmaster ever heard of security features such as encrypted Secure Sockets Layer (SSL)? Why have SSL or other security features not been deployed on the webpage?
As if wanting to “add salt to the wound”, your webmaster requests complaints / feedback (which I originally used) on the webpage to be sent via an email which is the same as the unsecured online form. This once again requires the input of NRIC and Astro Account number insecurely over the internet. I don’t feel comfortable with this clear lack of steps by Astro to improve security on the webpage.
Clear email addresses as to whom to forward mails (such as this one) are lacking on the webpage and I even had to “google” out the above email addresses.
Perhaps Astro wants the subscribers to take one step back by complaining over the telephone instead of exposing their account details over the internet and if it is so, please make it clear on your webpage. IT professionals like me can avoid wasting time writing up complaints over the net.
I will be expecting a reply on this issue as internet security is not a minor issue and the last thing I want is for my personal details to be exposed on the net.
If you need further details, you can call me on my hand phone.
Yes, I was very angry when I drafted the email but toned it down (not much) when I actually clicked to send it.
Within a couple of hours, I got a reply from Astro stating that they will check on the matter and revert within 5 working days. Let’s see whether they will plug the shortcomings in online security or will once again turn a blind eye to this issue.
2 days more to go and counting…