The headline on the front page of the Sunday Vision screamed, PANIC AS NATIONAL ID DATA IS STOLEN. I dropped all I was doing to quickly get myself a copy of the news paper. Being one of those people that have continuously cautioned our government over its handling of electronic data, I was only too eager to see what had been done wrong this time round.
The title of the article gives one the impression that the folks at the National Identification and Registration Authority (NIRA) were caught napping on duty.
In the article, a one Norbert Kamwebaze was allegedly paid twice for work he did for Roko Construction with the second payment being dished out to an imposter who presented an ID card to Roko that had all his details save for a difference in the face.
The article starts off with a clear indication of the agenda the authors had; “Panic has gripped members of the public after it emerged that confidential data that Ugandans submitted to NIRA could have landed in wrong hands….” Using a very basic example, we have had forgery of permits for a long time in this country where someone lifts all the information of a legitimate permit and only changes the face to reflect his. Why has there never been any doubt cast on Face Technologies over our data? I was irked by the quick conclusion being insinuated in the article yet the details of the story indicate that suspicion should first be cast elsewhere.
Let us look at the issues raised so far and what they mean;
Mr. Kamwebaze was contracted by Roko construction to do a job for UGX 51 Million Shillings
Upon completion of the job, he was paid in full but not before producing proof of his identity by presenting a National ID which was duly photocopied.
Mr. Kamwebaze proceeded to bank the cheque on his account in Barclays bank and it was cleared.
A few days later, another person bearing a similar ID appeared at Roko for payment and was issued a cheque for payment.
This is where the story gets an interesting twist. Roko as a company has decent accounting systems in place with well set processes and procedures. I have done work for them before and know that the point persons one deals with when it comes to finances are limited and they usually know even off head who has been paid. The issuance of cheques follows some fairly lengthy procedures and this makes me wonder how a second cheque could have been issued without internal connivance. Is it possible that by coincidence all those who handled the first payment issued were never available when the impostor turned up?
The double payment was discovered by the Roko top management.
This is already a pointer that the lower level staff have some serious questions to answer.
The impostor opened up an account with the same bank, Barclays using the same bio data as Mr. Kamwesigye, went ahead to ensure the account had the same bank balance as that of the legitimate Kamwesigye and two days later, deposited the cheque of 51 Million. Upon maturity, he withdrew all the money.
This raises some interesting questions. They are:
Could it be that the banking software used by Barclays has no ability to detect duplicates? How could two accounts with similar bio data exist yet having different photographs? Shouldn’t a flag have been raised internally at least first with the Systems Security team?
How did the impostor get to know the details on the legitimate Kamwesigye’s account including bank balance? Was he working with an insider in Barclays? Could there have been collusion between Mr Kamwesigye and this alleged impostor?
Back to the National ID, no where in the article does it indicate the trail to NIRA. There is a presumption that the NIRA database could have been hacked to get this information but this does not appear to hold much water considering that there are still many other ways one would have accessed this ID information. Based on my assessment, these are the first areas of suspicion before casting NIRA in bad light:
The impostor could have worked with staff at Roko who availed him the ID information since they already had a photocopy and considering that he picked his money after the real claimant had already got his.
The real Mr. Kamwebaze could have connived with the impostor and come up with the new ID that the impostor used.
The impostor could have tracked Mr. Kamwebaze and been able to get access to his National ID without his knowledge. Thereafter, he hatched out his plan.
At this point, unless further information is availed showing complicity by NIRA, I am inclined to believe that this was more of social engineering than hacking into the National ID Database.
It is on this note that I would like to register my disappointment with the New Vision for falling prey to the sensationalist headline approach typical of the reckless Ugandan tabloids.
One positive though the article brings out is the need for our public institutions to guard against data pilferage. Remember, the weakest link in any IT systems is the human being. Employ professionals who know what they are doing and are willing to stand by a pre-set code of ethics. We shall minimise the likely occurrence of such.
Eid Mubarak to my Muslim brothers and sisters.
James Wire is a Technology and Small Business Consultant based in Kampala, Uganda
Follow @wirejames on Twitter.
Email lunghabo [at] gmail [dot] com
Pingback: Are you really safe online? | kevejoanne
CLARIFICATION ON ISSUES RAISED IN THE “STORY PANIC AS NATIONAL ID DATA IS STOLEN”
Reference is made to the lead story in the Sunday Vision of June 25, 2017 titled Panic as National ID Data is Stolen, which further says that confidential data submitted to and in possession of the National Identification and registration Authority (NIRA) could have landed into wrong hands.
The article is premised on a case currently under investigation by the Criminal Investigation Directorate (CID) of the Police in which a city businessman is alleged to have lost 51m shillings through a fraudulent payment to a one Norbert Kamwebaze.
Whereas the article refers to an on-going investigation, NIRA notes that the headline to the story is not only incorrect, but is misleading and has serious implications for national security if not immediately corrected. In addition we note that the most of the adduced supporting information in the article is not only inaccurate, but also a serious misrepresentation and reflects lack of understanding of how the national ID data is gathered, stored, shared and managed. We believe the authors of the article could have obtained the right information and informed the public better if they had good intentions.
NIRA therefore wishes to clarify on some of the issues raised in the article as follows:
The National Identification Number (NIN) CM8605210PADGW mentioned in the story does not exist at all in the National ID Register (NIR). This is therefore a clear case of forgery and does not amount to identity theft as is suggested in the article.
A search of the National ID Register has been done to establish the right NIN of the mentioned Norbert Kamwebaze. Whereas the name indeed exists, his right NIN is different from the one quoted in the article.
NIRA also wishes to make it clear that access to data in the National ID Register is strictly regulated and guided by procedures laid down in the Registration of Persons Act 2015 contrary to what is alleged in the article. The established procedures restrict access to data to specific offices at NIRA and no persons other than those stated in the law can access data. The process of establishment of the national ID register envisaged risk to data security, hence the establishment of stringent technical and legal controls on data access.
“No NIRA staff other than those designated by internal control procedures and policies can access data in the NIR. It is therefore erroneous to suggest that the information could have been leaked by a NIRA official”
On allegations that next of kin are required to sign NIRA documents, we wish to state categorically that there is no provision for next of kin to sign anywhere on any NIRA documents. NIRA does not use next of kin or anybody other than the applicants for national IDs to obtain information on identities of persons.
We also wish to re-state that no data from the National ID Register has been shared with the telecom companies during the on-going SIM Card validation exercise as alleged in the article.
“The procedure for SIM card validation is such that the telecom companies submit their subscriber details to UCC which is later submitted to NIRA for verification. This information is then compared against the national ID data by NIRA and a simple YES/NO report is generated confirming whether a subscriber is registered and his or her NIN and names correspond to information in the NIR or not. The report is then sent to UCC for action.”
The information verified during the SIM card validation is strictly that which appears on the face of the ID card.
On allegations of people using others NINs to validate their SIM cards, we wish to inform the public that such cases existed a NO response will be sent to UCC and their SIM cards will be deactivated.
NIRA wishes to reassure the public that the national ID data is secure to the highest security levels and access to that data is strictly according to the Registration of Persons Act 2015 and regulations. Whereas this appears to be a clear case of forgery, Due diligence by ROKO could have established the authenticity of the identity card before making the payment. We wish to re-state our commitment to cooperate with and support the Police and other law enforcement agencies in investigating and prosecuting and cases of forgery or theft of identity documents and data
FOR GOD AND MY COUNTRY