Security Issues In Malaysian MyKad
Kad Pengenalan or MyKad is the National identity card for Malaysian citizen. Malaysian became the first country in the world to adopt this technology as the country’s general authentication method. The MyKad incorporates sophisticated technology during its time of issuance. The said plastic card has built in computer chip which stores the card holder’s bio data as well as photos and fingerprint data. Manufactured by IRIS Corporation, which features 64kb storage capacity and operated by MyKad Chip Operating System.
The current system itself already supports Multi-factor authentication where for official use suppose in a bank, the authentication process for money transaction over the counter requires the card’s data to be matched with owner’s fingerprint. For a more robust authentication we could add another alternative biometrics, we proposed iris data because it is the best type of biometrics authentication. Then to increase the security, it could be coupled with a pin number just like the ATM pin number. An example scenario of this authentication process would be withdrawing from the Automated Teller Machine. First, MyKad would be inserted then the pin number is entered and lastly the person just has to look directly to the camera (iris scanner) to complete the authentication process. This combination of what the user has (MyKad), what the user knows (Pin number) and what the user is (iris pattern) is a compatible combo to provide highest degree protection. As it creates a multi-layered defence against unauthorized access. Even if one factor is breached, the attacker still must break the other two before reaching the goal. Therefore Using MyKad alone as an authentication method is not enough because of its nature being easily forged.
With just a laminating machine, rubber stamps, scanners and laptops, two Sri Lankan is able to fake MyKads on 2008. Some just get away by just replacing the picture of the face. Most of the time, business dealing with the usage MyKad, they only check to see the face without using the data inside to verify. One can easily and accidentally lose the card, when this happen, the adversary can easily use the card for identity theft by replacing the photo and the data inside. A security framework relying based on what you have entirely is not enough, therefore must be coupled with what you know and what you are. MyKad has security issues with confidentiality if it is not protected properly. Some of the attacks on MyKad includes, Physical attack as such rewiring circuit of the chip and cutting the wire on the chip and also inserting probe into the chip to observe data. All this can be done to study the encryption algorithm of the chip by damaging part of it to interfere the random number generator.
Furthemore, another type of attack that can be applied is environmentally. This is done by altering the surface temperature, Ultra Violet, or x-ray to induce perturbation where the chip acts different than normal to let the attacker learn about the behaviour or sometimes bypass security. The last type of exploit of MyKad’s vulnerability is using side channel. This is done by using a modded card reader to allow MYKad undergo standard process, the hacker then analyse the amount of time for the MyKad to execute encryption process to infer the length of data.
Simple Power Analysis can also be used to monitor the power consumption and with the usage of statistical technique to divide useful data from the noise. This can be used together with Electromagnetic analysis to gain useful information about cryptographic key from the electromagnetic emanation of the MyKad.
