SIM card registration app is not fit for purpose – Yayra Koku
A Systems Analyst/Cybersecurity Consultant has said that, after assessing the Ghana self-SIM registration application developed by the Ministry of Communications for the ongoing SIM card registration exercise, he found the app problematic and unfit for purpose.
He said that when developing any application or system, one thing developers try to do is close loopholes that applicants could use to bypass it, which is why developers should not be allowed to test their own systems; the Ministry of Communication did the opposite with the SIM card registration app.
In explaining why the self-SIM card registration app is unfit for purpose, he said: “The App does not do instant matching or authentication of fingerprints against the Ghana Card. That is one-to-one matching (1:1) or one-to-many (1:N) against the NIA database. Instead, it matches ONLY the PIN in the NIA database. Matching a PIN to the NIA system does not establish one’s identity. It only establishes whether the PIN is verified in the NIA database, which anyone can do. This means malicious actors can get hold of anyone’s Ghana Card, buy a new SIM card and use it to register for a new SIM and use it to commit a crime without the knowledge of the Ghana Card owner because during the registration, there was no establishment of identity through a one-to-one matching (1:1).
“Don’t forget that many people have lost their Ghana Card and have gone for replacement. Imagine such cards find their way into a bad person’s hand. Though NIA deactivates a missing card, they DON’T deactivate the unique PIN,” Yayra Koku said.
He concluded that “any biometric system developed to register people without establishing one’s identity through a biometric authentication (either 1:1 or 1:N) is bound to fail”.
Read his full verdict on the app below:
My Assessment of the Self Registration SIM APP
In developing any system for specific usage, one important thing developers try to do based on the system’s functionality is to prevent loopholes for applicants to bypass. That is why developers SHOULD NOT test their systems.
Unfortunately, in some cases, developers are left alone to do the job, and when they finish, they test it themselves. Developers are bad system testers when testing their systems because testing something they created may bring unconscious or unintentional bias into the testing process. This sometimes makes it impossible for them to unearth critical functional mistakes. Developers, therefore, lack the objectivity to be able to test their work.
The question is: Is the SIM Registration App well designed to achieve its purpose?
Answer: NO.
Reason:
The App does not do instant matching or authentication of fingerprints against the Ghana Card. That is one-to-one matching (1:1) or one-to-many (1:N) against the NIA database. Instead, it matches ONLY the PIN in the NIA database. Matching a PIN to the NIA system does not establish one’s identity. It only establishes whether the PIN is verified in the NIA database, which anyone can do. This means malicious actors can get hold of anyone’s Ghana Card, buy a new SIM card and use it to register for a new SIM and use it to commit a crime without the knowledge of the Ghana Card owner because during the registration, there was no establishment of identity through a one-to-one matching (1:1). Don’t forget that many people have lost their Ghana Card and have gone for replacement. Imagine such cards find their way into a bad person’s hand. Though NIA deactivates a missing card, they DON’T deactivate the unique PIN.
Any biometric system developed to register people without establishing one’s identity through a biometric authentication (either 1:1 or 1:N) is bound to fail. One-to-one matching here means matching the fingerprint captured from the applicant against the one stored on the Ghana Card. One-to-many here means matching the fingerprint captured against the NIA database. Do applicants go through any of these? The answer is a BIG NO.
Again, the structural design of the Ghana SIM SELF REG system is problematic. The developers are more interested in collecting the money than ensuring the system’s full functionality. Payment should be the last option before you submit. But the system has been designed for applicants to pay before they start the process. What happens if the App crashes in the process after paying? Will my application account be credited? Was there a need to create an account before? Are they trying to collect data from applicants by asking for emails?
Question: What should be the way forward?
Answer:
As stated, “Any biometric system developed to register people without establishing one’s identity through a biometric authentication (either 1:1 or 1:N) is bound to fail.”
Working closely with NIA, I was expecting the developers to incorporate Near-field communication (NFC) connectivity technology into the App, first to read the Ghana Card of an applicant and ask them to authenticate their fingerprint against what is stored on the Ghana card to establish an IDENTITY OF THE PERSON (1:1 matching). If it is successful, the data stored on the Ghana Card is pushed into the App for the rest of the process to continue. That is by entering the GPS Post Code, phone number and other relevant data. Then the last option will be to enter a phone number to make the payment.
This would have prevented anyone from using another person’s Ghana Card to register for a new SIM. It is not too late. The App was launched yesterday, and they can redesign it for better functionality.
Ministry of Communication and NCA should consult NIA for the best solution in authenticating the Ghana Card. As for the security features in the App, I will talk about them in my next write-up.
Yayra Koku
Systems Analyst/Cybersecurity Consultant
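The distinction Koku draws between a PIN lookup and a one-to-one biometric match, modelled as an added example that is not code from the article, the Ministry's app or NIA. It uses a constructed registry, two constructed cards and constructed fingerprint templates: the PIN-only gate accepts whoever holds a lost card whose PIN is still on file, while the 1:1 gate requires the live scan to match the template read from the card, and only then lets the flow continue towards address, phone number and, last, payment. The template format, similarity metric, threshold and the card-status lookup are assumptions for illustration.

```python
from dataclasses import dataclass

# A fingerprint template is modelled as a tuple of integers standing in for
# minutiae positions. Real templates are vendor-specific; this stand-in only
# exists so that a similarity score can be computed offline.
Template = tuple[int, ...]


@dataclass(frozen=True)
class GhanaCard:
    """Fields the proposed design would read from the card chip over NFC
    (constructed; not the real chip layout)."""
    pin: str
    holder: str
    template: Template


# Constructed stand-in for the NIA registry, keyed by PIN. As the text notes,
# NIA deactivates a lost card, but the PIN itself stays on file.
NIA_REGISTRY = {
    "GHA-000000001-1": {"holder": "Ama", "card_active": True},
    "GHA-000000002-2": {"holder": "Kofi", "card_active": False},  # reported lost, replaced
}

# Constructed cards and live scans.
AMA_CARD = GhanaCard("GHA-000000001-1", "Ama", (12, 40, 77, 91, 130, 162))
KOFI_LOST_CARD = GhanaCard("GHA-000000002-2", "Kofi", (5, 33, 64, 88, 150, 171))
AMA_LIVE_SCAN = (13, 39, 77, 92, 130, 161)       # Ama's own finger, sensor noise of +/-1
KOFI_LIVE_SCAN = (6, 33, 65, 88, 149, 171)       # Kofi's own finger on his lost card
STRANGER_LIVE_SCAN = (60, 10, 120, 30, 95, 140)  # a person who merely holds Kofi's lost card

MATCH_THRESHOLD = 0.8  # assumed: fraction of minutiae that must agree


def check_pin_only(pin: str) -> bool:
    """The design the text criticises: accept if the PIN is known to the registry.
    This proves the PIN is genuine, not that the presenter is its owner."""
    return pin in NIA_REGISTRY


def template_similarity(a: Template, b: Template, tolerance: int = 2) -> float:
    """Toy metric: fraction of positions that agree within `tolerance`."""
    if len(a) != len(b):
        return 0.0
    return sum(abs(x - y) <= tolerance for x, y in zip(a, b)) / len(a)


def check_one_to_one(card: GhanaCard, live_scan: Template) -> bool:
    """1:1 match as proposed in the text: the live scan must match the template
    stored on the card the applicant physically presents."""
    return template_similarity(card.template, live_scan) >= MATCH_THRESHOLD


def register_sim(card: GhanaCard, live_scan: Template, biometric_required: bool) -> str:
    """Run the registration gate and report the outcome.

    Only after identity is established does the flow go on to address, phone
    number and, last of all, payment (the ordering the text asks for).
    """
    if not biometric_required:
        return "accepted" if check_pin_only(card.pin) else "rejected: unknown PIN"
    if not check_one_to_one(card, live_scan):
        return "rejected: live fingerprint does not match card"
    # Extra check added in this example, not in the text: a card NIA has
    # deactivated should not register a SIM even when the holder's finger matches.
    if not NIA_REGISTRY.get(card.pin, {}).get("card_active", False):
        return "rejected: card deactivated"
    return "accepted"


if __name__ == "__main__":
    print("PIN-only, stranger with lost card:", register_sim(KOFI_LOST_CARD, STRANGER_LIVE_SCAN, False))
    print("1:1, stranger with lost card:     ", register_sim(KOFI_LOST_CARD, STRANGER_LIVE_SCAN, True))
    print("1:1, Kofi with his lost card:     ", register_sim(KOFI_LOST_CARD, KOFI_LIVE_SCAN, True))
    print("1:1, Ama with her own card:       ", register_sim(AMA_CARD, AMA_LIVE_SCAN, True))
```

The first line of output is the flaw the assessment describes: the PIN-only gate cannot tell the card's owner from whoever is holding it. The 1:1 gate binds the presenter to the card, and the separate status lookup closes the remaining gap where the legitimate owner's old, deactivated card is presented.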
By: Agaatorne Douglas Asaah | myactiveonline.com