Tag Archives: Technology

Stolen National ID Data ~ Questioning The New Vision’s Agenda

Posted on June 25, 2017 | 2 comments

The headline on the front page of the Sunday Vision screamed, PANIC AS NATIONAL ID DATA IS STOLEN. I dropped all I was doing to quickly get myself a copy of the news paper. Being one of those people that have continuously cautioned our government over its handling of electronic data, I was only too eager to see what had been done wrong this time round.

vision_headline

The screaming Sunday Vision Headline

The title of the article gives one the impression that the folks at the National Identification and Registration Authority (NIRA) were caught napping on duty.

In the article, a one Norbert Kamwebaze was allegedly paid twice for work he did for Roko Construction with the second payment being dished out to an imposter who presented an ID card to Roko that had all his details save for a difference in the face.

The article starts off with a clear indication of the agenda the authors had; “Panic has gripped members of the public after it emerged that confidential data that Ugandans submitted to NIRA could have landed in wrong hands….” Using a very basic example, we have had forgery of permits for a long time in this country where someone lifts all the information of a legitimate permit and only changes the face to reflect his. Why has there never been any doubt cast on Face Technologies over our data? I was irked by the quick conclusion being insinuated in the article yet the details of the story indicate that suspicion should first be cast elsewhere.

Let us look at the issues raised so far and what they mean;

  • Mr. Kamwebaze was contracted by Roko construction to do a job for UGX 51 Million Shillings

  • Upon completion of the job, he was paid in full but not before producing proof of his identity by presenting a National ID which was duly photocopied.

  • Mr. Kamwebaze proceeded to bank the cheque on his account in Barclays bank and it was cleared.

  • A few days later, another person bearing a similar ID appeared at Roko for payment and was issued a cheque for payment.

This is where the story gets an interesting twist. Roko as a company has decent accounting systems in place with well set processes and procedures. I have done work for them before and know that the point persons one deals with when it comes to finances are limited and they usually know even off head who has been paid. The issuance of cheques follows some fairly lengthy procedures and this makes me wonder how a second cheque could have been issued without internal connivance. Is it possible that by coincidence all those who handled the first payment issued were never available when the impostor turned up?

  • The double payment was discovered by the Roko top management.

This is already a pointer that the lower level staff have some serious questions to answer.

  • The impostor opened up an account with the same bank, Barclays using the same bio data as Mr. Kamwesigye, went ahead to ensure the account had the same bank balance as that of the legitimate Kamwesigye and two days later, deposited the cheque of 51 Million. Upon maturity, he withdrew all the money.

This raises some interesting questions. They are:

  1. Could it be that the banking software used by Barclays has no ability to detect duplicates? How could two accounts with similar bio data exist yet having different photographs? Shouldn’t a flag have been raised internally at least first with the Systems Security team?

  2. How did the impostor get to know the details on the legitimate Kamwesigye’s account including bank balance? Was he working with an insider in Barclays? Could there have been collusion between Mr Kamwesigye and this alleged impostor?

Back to the National ID, no where in the article does it indicate the trail to NIRA. There is a presumption that the NIRA database could have been hacked to get this information but this does not appear to hold much water considering that there are still many other ways one would have accessed this ID information. Based on my assessment, these are the first areas of suspicion before casting NIRA in bad light:

  • The impostor could have worked with staff at Roko who availed him the ID information since they already had a photocopy and considering that he picked his money after the real claimant had already got his.

  • The real Mr. Kamwebaze could have connived with the impostor and come up with the new ID that the impostor used.

  • The impostor could have tracked Mr. Kamwebaze and been able to get access to his National ID without his knowledge. Thereafter, he hatched out his plan.

At this point, unless further information is availed showing complicity by NIRA, I am inclined to believe that this was more of social engineering than hacking into the National ID Database.

It is on this note that I would like to register my disappointment with the New Vision for falling prey to the sensationalist headline approach typical of the reckless Ugandan tabloids.

One positive though the article brings out is the need for our public institutions to guard against data pilferage. Remember, the weakest link in any IT systems is the human being. Employ professionals who know what they are doing and are willing to stand by a pre-set code of ethics. We shall minimise the likely occurrence of such.

Eid Mubarak to my Muslim brothers and sisters.

James Wire is a Technology and Small Business Consultant based in Kampala, Uganda

Follow @wirejames on Twitter.

Email lunghabo [at] gmail [dot] com

2 Comments

Posted in Technology

Tagged , , , , , ,

The disregard for Data Privacy in Uganda

Posted on April 6, 2017 | 1 comment

In the late 90s, as a Systems Administrator for Starcom, one of the pioneer Internet Service Providers in Uganda, I had the privilege of managing the Email server and in the process got to know which email accounts were used by StateHouse as well as the Kabaka of Buganda. Out of pure professional ethics, not even once did I snoop to find out what kind of communication they were undertaking. As the overall administrator of the server, I had unlimited privileges that I could have chosen to abuse at will or in exchange for a few pieces of silver. That was then.

Close to eight years ago, I got to learn about this couple. They were so much in love with one another until the entry of the other girl turned things around. Rita couldn’t stomach it any longer and quit the relationship. Meanwhile, her boyfriend had other ideas. After failing to convince her to reverse her decision, he turned to stalking her. Philip had friends who worked for the Telecom company that his ex girlfriend was subscribed to. With their help, he tracked down her phone interactions in a manner that eventually proved disastrous to her new relationship. To-date, these scenarios are still common with telecom employees willfully playing the role of Judas. I have been told that for as little as UGX 50,000/= one can get phone records for any person of interest without needing a Police or Court order.

When it comes to the banks, someone I will call Mark has had banking records involving his credit cards and other transactions given to his wife without his approval. How she accesses the information is still a mystery to him. The bank in question is a leading international bank whose professionalism you would ordinarily not put to question. He is now scared because if his wife can easily get such information, then what happens in the event that someone who has ill motives makes a move for the same?

The case of Bank connivance in the death of an Eritrean Businessman in Uganda is very telling. The Inspector General of Police came out decrying the presence of a Mafia Network in the banking system. Airtel was recently too accused of abetting number plate theft. These are matters not to be taken lightly.

There has been a fresh demand by the Uganda Communications Commission to ensure that sim card registration is adhered to. In a recent press release, the to-do list had among others a requirement that, database reconciliation/verification to be done by operators in liaison with NIRA (National Identification and Registration Authority). This has caused a lot of concern. The depth of information that NIRA has about individuals is so much and if shared carelessly with other providers whose lackluster approach to confidentiality is well known, the threat on individuals is likely to be made worse. Whereas thugs have always had only phone records to contend with, now they are likely to have residential information, next of kin thereby making it easier for them to plan kidnaps for ransom.

I have a bone to pick with UCC for the haphazard manner in which some interventions are undertaken. After huffing and puffing about sim registration and fines to Telcos that do not comply, many of us were under the impression that this matter had been settled as far back as 2015. It is a shame (a very big one) to realise that it had to take the death of a high profile individual for the same institution to bring this matter to a close. I cant shake my head enough to show my disappointment. However, that is a story for another day.

Now that private data is being aggregated with the potential for sharing it with providers in future, what should be done to ensure that we minimise its abuse?

  • Enact a Data Protection law

This is a law that prohibits the disclosure or misuse of information held on private individuals. The cases cited in this article can easily be pursued legally once the appropriate laws are in place. The Data Protection and Privacy Bill 2014 already has the desired provisions. These include;

Section 27 Unlawful obtaining and disclosure of personal data

(1) A person shall not knowingly or recklessly –

(a) obtain or disclose personal data of the information held or processed by a data controller; or

(b) procure the disclosure to another person of the information contained in personal data.

(2) A person who contravenes this section commits an offence and is liable on conviction to a fine not exceeding one hundred and twenty currency points  or imprisonment not exceeding five years or both.

Section 28 Sale of personal data

(1) A person shall not sell or offer for sale personal data of any person.

(2) A person who contravenes subsection (1) commits an offence and is liable on conviction to a fine not exceeding one hundred and twenty currency points or imprisonment not exceeding five years or both.

NB: Please note that One Currency Point is equivalent to UGX 20,000/=

  • Limit the amount of information shared with third parties

UCC should ensure that going forward, NIRA does not share all users’ information with the Telcos or any other third parties. This can be made possible through the use of software interfaces which limit the kind of access one can have to the National ID database. This is something within the means of NIRA to achieve in a short a time as one week.

Other than that, I look forward to the day when employees as well as companies whose staff are involved in illegal use of private consumer data are made accountable for their ill deeds. Many are suffering out there silently having been victims of this unprofessional conduct. Others have had to pay for it with their lives. We cannot afford to wait any longer.

James Wire is a Small Business and Technology Consultant based in Kampala, Uganda

Follow @wirejames on Twitter.

Email lunghabo [at] gmail [dot] com

Other articles of interest:

1 Comment

Posted in Technology

Tagged , , , , , , ,