[HN Gopher] Hacker steals government ID database for Argentina's...
___________________________________________________________________
Hacker steals government ID database for Argentina's entire
population
Author : giuliomagnifico
Score : 274 points
Date : 2021-10-19 10:04 UTC (12 hours ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| aemreunal wrote:
| Same thing happened some number of years ago with Turkey and its
| ID database.
|
| The Turkish IDs have a "national ID number" (assigned to each
| citizen, is for life and is unchangeable) and a serial number for
| the ID itself. You need the national ID number to do certain
| things, similar to SSNs in the US. Similar to SSNs in the US,
| it's an absolutely horrible form of identity
| verification/authorization.
| adolph wrote:
| Similar thing happened in the US with a government database of
| PII and background check investigations. For a high value
| target it's just a matter of when, not if.
|
| _OPM subsequently confirmed that investigators had "a high
| degree of confidence that OPM systems containing information
| related to the background investigations of current, former,
| and prospective federal government employees, to include U.S.
| military personnel, and those for whom a federal background
| investigation was conducted, may have been exfiltrated." The
| Central Intelligence Agency, however, does not use the OPM
| system; therefore, it may not have been affected._
|
| https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
| bobsmooth wrote:
| "According to a sample provided by the hacker online, the
| information they have access to right now includes full names,
| home addresses, birth dates, gender info, ID card issuance and
| expiration dates, labor identification codes, Tramite numbers,
| citizen numbers, and government photo IDs."
|
| An entire country just got doxxed. That's insane.
| richlandlord wrote:
| To be fair this information is already public in Argentina.
| There is no secrecy to almost any of this, as ID numbers are
| public, sequential and queryable for tax status, debt status,
| etc.
| maze-le wrote:
| All this information in one database... That's the real insanity
| here. Why would anyone think that this is a good idea? Leave
| aside security and safeguards for a moment, just compiling this
| database is neglectful at the very least...
| heavenlyblue wrote:
| I don't understand how you can seriously think that having
| two databases instead of one would make it any easier. OK, if
| we had two databases the overlap would be, let's say, 50% and
| there would be another 20% in the database A that doesn't
| exist in database B. Still 70% of information stolen.
|
| That on top of the fact that having two separate databases
| means twice the probability of different bugs in two
| different systems.
|
| We must all move away from using PI as passwords, that's all
| we need to do. Then this problem will go away.
| dewey wrote:
| > We must all move away from using PI as passwords, that's
| all we need to do. Then this problem will go away.
|
| You make it sound like it's an easily solved problem, which
| it apparently isn't.
| adolph wrote:
| I just use password reset every time I have to log in and
| do enough login fails afterward to lockout my account.
| Pxtl wrote:
| Yes, I think it's a good idea for government to have that
| info. Government needs to provide services and manage
| resources, which means knowing who and where people live, and
| have a proper ID number to manage that data.
|
| The alternative is for government to have 90% subsets of the
| same data in a thousand different databases, one per-department,
| per-jurisdiction.
| Arrath wrote:
| And then Dept A thinks you live here, Dept B thinks you
| live there, Dept C thinks you have a warrant out for your
| arrest, and little municipal dept Y.43 thinks you're dead.
|
| Yeah, I can see a few problems with that.
| gomox wrote:
| This is a country where when they installed license plate
| scanners on highways they accompanied them with large screens
| that show the plate that was just scanned.
|
| So as to... I don't know, brag that you're collecting all
| this information, that is to be inevitably leaked in a while?
| To make people feel safe, while clearly indicating the
| highway exits to avoid if you actually steal a car?
| stef25 wrote:
| > This is a country where when they installed license plate
| scanners on highways they accompanied them with large
| screens that show the plate that was just scanned.
|
| This is done in France when it catches you driving too
| fast. "ABC 123" you're going too fast! It's a bit jarring to
| see your plate up on a screen so it works kind of well against
| speeding. They don't need to store your plate to use this
| feature.
|
| Of course plates are being scanned (and probably stored)
| all over the place now (toll booths, big roads in & out of
| the cities), not denying that.
| gomox wrote:
| In our case it's not shaming you for speeding or anything
| specific, it just displays every plate that it scans to
| advertise the scanner.
|
| Also in a not very surprising turn of events, a lot of
| the screens just show a fixed plate these days which
| makes you wonder which component broke (is it the screen,
| or the scanner?)
| vadfa wrote:
| Isn't it like this in practically every European country? We
| have ID cards with every one of those fields printed on them,
| including thumbprints. All of that information is probably in
| one big table somewhere.
| ogogmad wrote:
| Not in the UK (which is in Europe but no longer in the EU).
| Was planned before 2010 and then got scrapped by the
| subsequent government. What's in the works now?
| DoingIsLearning wrote:
| Most EU cards also integrate fiscal id numbers and national
| healthcare id numbers in the chip but arguably do exclude
| registered address, so only a city/province of residence is
| available.
| soco wrote:
| Swiss cards not but well Switzerland is not EU...
| dgellow wrote:
| It's part of Schengen though. But I confirm, no address
| on our ID cards.
| vadfa wrote:
| Not sure about the rest but Spanish ID card includes full
| address.
| N19PEDL2 wrote:
| Italian ID cards too, as well as the owner's signature,
| the fiscal code (a unique identification code similar to
| the SSN in the USA) and the fingerprints (though these
| latter are stored in the chip only, not printed on the
| card).
|
| It's very likely that this data is also stored in some
| government database, which I hope will never get
| breached.
| CaciaraAsAServi wrote:
| Nitpick (as you well know) - codice fiscale in Italy
| differs from USA SSN in that, for once, it has never had
| AFAIK any semblance of secrecy at all, as you can easily
| construct it starting from name, surname, place and date
| of birth [1]. Funnily enough, this sometimes results in
| two individuals computing to the same code [2].
|
| [1] https://en.wikipedia.org/wiki/Italian_fiscal_code
|
| [2] https://it.wikipedia.org/wiki/Omocodia
| inter_netuser wrote:
| Germany supposedly does not have a central registry, I've
| been informed.
| Semaphor wrote:
| Source? Even the Addresses (Melderegister) are
| centralized.
|
| edit: Looking it up [0] it looks like there is far more
| data there, all in a central database since at least 2015
| (not sure how it worked before).
|
| [0]:
| https://de.wikipedia.org/wiki/Melderegister#Deutschland
| germanier wrote:
| There is no central database, even after the changes of
| 2015. It is still hosted by each individual municipality
| (which is exactly what your link states).
|
| However, there is a standard API which allows some
| entities to query all those decentralized registers. It
| is designed to make it hard to siphon out all data at
| once (which hopefully trips audit systems in enough
| places that someone cares to look into).
|
| The only centralized database of that kind is the one at
| BZSt, which contains far less data. For the moment access
| is limited to tax-related issues but it will be soon
| expanded to a centralized base data registry
| (Registermodernisierung).
| inter_netuser wrote:
| It's been a little while, so perhaps things have changed,
| but I was told that quite a bit of the data exists only
| on the card itself.
|
| From your link it seems I was not entirely misinformed:
| "Contrary to popular belief, there is no central
| administration of resident registration in Germany. The
| exception is the registration of resident aliens (see
| Central Register of Foreign Nationals). Registration is
| organized by 5283 local offices throughout Germany.[18] "
|
| I'm unable to find the part about cards. I will edit or
| reply more if I do find it.
| MonkeyClub wrote:
| Because of (political) federation I assume, right?
|
| However are the regional governments supposed to develop
| their own solutions, or are they using a centrally
| developed database, just with local unconnected
| instances?
| germanier wrote:
| Each municipality is free to choose their own solution to
| the legal requirements (which includes a standardized
| API). For the moment, there are eight different software
| solutions on the market (developed by both public and
| private entities), see
| https://www1.osci.de/meldewesen/xmeld/registrierte-
| herstelle...
| inter_netuser wrote:
| "Contrary to popular belief, there is no central
| administration of resident registration in Germany. The
| exception is the registration of resident aliens (see
| Central Register of Foreign Nationals). Registration is
| organized by 5283 local offices throughout Germany.[18] "
|
| https://en.wikipedia.org/wiki/Resident_registration#Germa
| ny
|
| I was also told something on identity cards only lives on
| the cards, but cannot find the source or details on that.
| roenxi wrote:
| "Everyone does it" is not actually a persuasive argument that
| something is a good idea. It was an uphill struggle back in
| the day to get everyone washing their hands.
|
| This is a predictable outcome of a government creating then
| storing long term secrets in a database. Governments are
| not good at keeping secrets. The data will leak.
| vadfa wrote:
| I don't remember justifying it. Your comment seems a
| cheap karma grab.
| Aeolun wrote:
| To be fair, the security around the digital system in the
| Netherlands is almost painful.
|
| Japan is really good in this, they store everything on
| paper and fax it around.
|
| They're also starting with a national ID now though.
| marcosdumay wrote:
| That's a basic citizen database.
|
| The only non-obvious information is the labor identification
| code. Except for that, it's just "who exists and how do we
| call them?"
| Spooky23 wrote:
| The horse left the barn before you were born.
|
| All of this information is in multiple single databases
| maintained by insurance companies in the US. And that data is
| in turn linked to all sorts of behavioral and affinity data.
| GEICO knows more about you than DMV.
| [deleted]
| sofixa wrote:
| What? How do you imagine that could work? Only paper records,
| and any interaction with any public administration thing
| takes a few months? It's generally a good idea to have the
| tax office, the healthcare ministry/insurance people, police,
| etc. know who the people of the country are and how to
| identify them. It's the norm in the EU, and works fine as
| long as security is taken seriously (which obviously wasn't
| in Argentina).
| taurath wrote:
| What are the fallback plans here in case of a hack like this?
| Assign new numbers, somehow? Require all financial activities be
| done in person? The implications all seem awful
| sudoaza wrote:
| For taxes there is a different identification system that
| requires you to go to an office in person and give them a
| password.
| gjvnq wrote:
| The "right" solution is to not use person info as "passwords".
|
| Instead, give everyone a digital certificate with the private
| key stored in smartcards that don't allow anyone to copy the
| key, only to use it.
| sofixa wrote:
| Personal info isn't used as a password generally ( apparently
| it somewhat is in Argentina) in countries with national ID
| cards and databases. The card and its associated number are
| used to identify you and prove you are you in specific
| scenarios ( e.g. post office, police, bank account, etc.) but
| isn't used as a password in any way. The number ( or a
| tax/social security/citizen one) is sometimes used as the
| account login on some systems (e.g. French tax authority or
| social security system), but you still have a regular
| password alongside it.
|
| And btw ID cards in the EU have chips with all the basic
| information on it as well, for use at airports and similar,
| and there are plans to use e.g. an app which reads from the
| chip to confirm possession of the card, and compare the photo
| on it with a selfie you take and confirm your identity
| digitally.
| marcosdumay wrote:
| Looks like Argentina was using an incidental id leaked
| together with the data as a global government password.
|
| With any luck, the leak forces them to abandon it. But
| given people reporting on other comments that the leak was
| already denied, I'm not holding my breath.
| jeroenhd wrote:
| Those are problematic as well, because they're very costly.
| One country that implemented authentication and signing this
| way (I think it was Estonia?) had to recall and replace every
| single smart card after someone discovered a way to clone the
| RSA chip on them. With some bad luck, you're replacing these
| multiple times per year because smart card vendors often
| overstate the security of their products.
|
| You could, of course, use real passwords, like every single
| service out there on the internet. Force some level of 2FA
| for security as well and you should be fine security wise.
|
| Incremental plaintext numbers are not passwords, though.
| European countries have solved this problem in a variety of
| ways (that have been made cross-compatible and federated,
| even) and none of them use numbers on identification as a
| security number.
| inter_netuser wrote:
| The only real fix is not to have central databases at all
| (Germany does that to a large extent), and keep only
| necessary things on electronic media (Lawyers and
| psychiatrists still do that today).
|
| It can be done. Not everything must be electronic, and not
| everything must be centralized.
| stef25 wrote:
| Here in Belgium we have smart card IDs. You assign a 4
| digit pin as password and then use a smart card reader to
| access various govt websites.
|
| Only problem is you have to install a browser plugin that
| has to be compatible with your browser version and some
| non-technical people get confused. Apart from that it's
| actually a pretty good system.
|
| It's now being replaced with a smartphone app, one that
| uses servers in the USA which poses all kinds of GDPR /
| privacy issues.
| rob74 wrote:
| Yeah, in Germany too - ID card containing RFID chip, so
| you can access government websites if you first buy a
| contactless card reader and manage to install the browser
| plugin. And guess what? These cards have been issued
| since 2010, so all the cards in circulation now
| theoretically support this feature (if the person didn't
| opt out), but almost no one actually uses it...
| germanier wrote:
| Many modern smartphones function as a reader (by
| installing the AusweisApp2) for many years now, see
| https://www.ausweisapp.bund.de/mobile-geraete/ for the
| compatibility list. No need to buy any additional
| hardware beyond what a lot of people already own nor is
| installing the app actually hard.
| cynusx wrote:
| EID readers are notoriously difficult to get working
| properly, especially on non-standard platforms like
| linux/mac.
|
| The smartphone app has significantly improved the user
| experience and can rely on biometric functionality, SMS
| and other verifications.
|
| Overall, I think it's worth the risk if it's sufficiently
| defended cyber-security wise.
| forinti wrote:
| It's not hard at all to get your hands on a Brazilian CPF (Fiscal
| ID) database. You can buy it on DVD.
| gomox wrote:
| The "tramite number" mentioned in the article is quite funny.
| "Tramite number" translates loosely to "filing number".
|
| When national IDs were issued each one got a "tramite number"
| that I'm guessing was sequentially assigned when the physical ID
| cards were issued.
|
| Because this number is vaguely random and is printed on the
| actual physical ID card, it was used as a password on government
| apps (for example, for getting authorization to move around
| during covid). To log into the app, you enter your national ID
| number and then the "tramite number" that is printed on your
| physical ID card.
|
| Of course, the number can't be changed, and is stored in
| plaintext in a large database somewhere. It therefore makes for a
| horrible password.
|
| The database in question just got stolen, and the aforementioned
| apps now include all sorts of sensitive PII.
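The login flow gomox describes, as an added example that is not code from the thread or from any Argentine government system: the weak "number printed on the card is the password" check beside a user-chosen credential that is stored only as a salted hash and can be rotated after a leak. All names, ID numbers and records are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the kind of registry record the thread discusses:
# the national ID number (DNI) and the static tramite number printed on the
# card both sit in the same plaintext row.
REGISTRY = {
    "30111222": {"name": "Example Citizen A", "tramite": "00123456789"},
    "30111223": {"name": "Example Citizen B", "tramite": "00123456790"},
}


def login_static(dni, tramite):
    """Weak scheme from the comment above: the 'password' is just another
    column of the record, so whoever holds the dump holds every password."""
    rec = REGISTRY.get(dni)
    return rec is not None and hmac.compare_digest(rec["tramite"], tramite)


# Hardened scheme: a per-account secret chosen by the user, never stored in
# the clear (only a salted PBKDF2 hash) and replaceable without a new card.
CREDENTIALS = {}  # dni -> (salt, pbkdf2 digest)


def _derive(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def set_password(dni, password):
    salt = os.urandom(16)
    CREDENTIALS[dni] = (salt, _derive(password, salt))


def login_hashed(dni, password):
    entry = CREDENTIALS.get(dni)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_derive(password, salt), digest)


def accounts_opened_by_dump(dump):
    """Count accounts that a copy of the registry alone opens under each
    scheme, using nothing but the dump's own fields as the password."""
    via_static = sum(login_static(d, r["tramite"]) for d, r in dump.items())
    via_hashed = sum(login_hashed(d, r["tramite"]) for d, r in dump.items())
    return via_static, via_hashed


def rotate_after_leak(dni):
    """Recovery step that exists only for the hardened scheme: issue a fresh
    secret. The printed tramite number cannot be rotated this way."""
    new_secret = secrets.token_urlsafe(12)
    set_password(dni, new_secret)
    return new_secret
```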
| rtkwe wrote:
| Same problem happened with SSN in the US. It was too convenient
| of a unique, quasi-secret identifier so it became a password
| too.
| riffraff wrote:
| I never understood the SSN-as-quasi-secret bit: isn't it
| widely dispersed anytime you need some medical stuff?
| vmception wrote:
| Yeah, and people within earshot are not the issue, it's the
| place that has thousands of SSNs getting hacked that's the
| issue, so there is no reason to be secret about it.
| puglr wrote:
| To add to this, prior to the internet it really wasn't
| that bad of a "password". Once upon a time vacuuming up
| batches of SSNs for nefarious purposes wasn't a realistic
| attack scenario, let alone a "just assume every criminal
| has your SSN" one.
| throaway46546 wrote:
| They were always a terrible password.
|
| https://www.usrecordsearch.com/ssn.htm
| smsm42 wrote:
| Or financial stuff. Or job stuff. Or getting a cell phone
| or cable subscription stuff. It's pretty much as much of a
| secret as your middle name in the US - it's not like
| _everybody_ knows it, but it's not very hard to find out.
| penagwin wrote:
| Yes, as well as applying for jobs (or at minimum when
| hired), renting an apartment, and lots of financial things
| including any type of KYC crypto exchange or investment
| accounts. I've also had utility companies ask for it.
|
| These are in no way secret, I have no idea how people are
| okay with this. You can easily social engineer so many
| critical services if you know somebody's SSN.
| chrisco255 wrote:
| No, it's typically used for credit services, however.
| macksd wrote:
| I've been asked for it by my health insurance companies,
| providers, and when donating blood. On the latter I saw
| they had a policy of issuing a different ID number to you
| on request, but it was a royal pain in the ass and a
| supervisor came out to ask me what my problem was
| chrisco255 wrote:
| Interesting, I've never been asked that when donating
| blood or going to a clinic, but yes, my insurance plan
| did (as that is a financial service). It's worth noting
| that medical clinics will service people without social
| security numbers just fine.
| macksd wrote:
| Yes. It even used to say on the card "not to be used for
| identification", but various agencies at all levels of
| government ask for it all the time.
| dane-pgp wrote:
| Aside from the obvious problem that this message appears
| to merely be a suggestion rather than a requirement with
| legal penalties attached, it doesn't seem to be an
| actionable instruction.
|
| If you are asked to provide your SSN and you ask "For
| what purpose?" and the requester lies and says "So I can
| choose my lottery numbers", it's not clear that you have
| broken the rule by revealing your SSN. However, perhaps
| the requester is breaking the rule (and perhaps they
| should know the rule, assuming they have a card
| themselves) in this scenario, but it's also not clear
| what action they would have to carry out with the SSN in
| order to have used it "for identification".
|
| For example, if a system designer uses SSNs as a primary
| key in a database, they can claim that's just for simple
| indexing, and that they are still using name and address
| or photo to identify someone. A system designer could
| also claim that they were only using the SSN as a (weak)
| "something you know" factor (among many other factors) in
| authentication, which may not amount to using it "for
| identification". Asking someone their date of birth (to
| be checked against another source, or on a later
| interaction) doesn't mean that your date of birth
| identifies you, since millions of humans share the same
| birthday.
| macksd wrote:
| No I wasn't under the impression it was a rule with legal
| penalties attached, but I mostly hear this as "can you
| confirm the last 4 numbers to verify your identity". It's
| a pretty clear cut case of using it for authentication.
| And rule or not - it's effectively a 4-digit PIN that
| probably half the services I have to call into re-use, so
| it's just plain stupid.
| op00to wrote:
| Oh it's better than that. For those born before a certain
| year, it is trivial to guess their social security number
| if you know their general date of birth and location as
| they were assigned sequentially.
| matheusmoreira wrote:
| Similar situation here in Brazil. People use these IDs as
| passwords. When system administrators set up accounts for
| users, there's a good chance the default password will be the
| user's ID and that it will never be changed. Every school I've
| ever attended did this for school portals, wifi logins. It's
| insane. There used to be a website where I could look up
| anybody's ID number by name, that's how public these things
| were. With this ID number, I could perpetrate all sorts of
| electronic crimes under the cover of somebody else's identity.
| I could dox anyone by consulting services such as credit score
| databases.
| mparnisari wrote:
| I wish the article explained what the hacker can do with this
| data. The most I can think of is that it allows people to take
| loans on behalf of others.
| cptaj wrote:
| Probably not. In Latin America, government ID is pretty public
| and you share it for a lot of trivial stuff. It isn't considered
| a secret.
| javipas wrote:
| It seems the hack has been denied by Argentina's government
| officials
|
| https://www-lanacion-com-ar.translate.goog/sociedad/tras-un-...
| (via Google Translate)
| lukas238 wrote:
| From Argentina here. Government launched a web site where one can
| change his own "tramite number" (aka application number). That
| said, this is garbage. Government security is a joke here. A few
| years back, another security break happened because a police
| database was publicly accessible. The fix was to "block" international
| access by editing national DNS.... I want to cry.
| the_svd_doctor wrote:
| How do you authenticate to change your tramite number? With the
| previous number?
| madmulita wrote:
| Welcome to Peronistan.
| HeckFeck wrote:
| There are many reasons to oppose government ID schemes on
| principle.
|
| Consequences like these just demonstrate the case.
| standardUser wrote:
| "Government ID" sounds redundant. What other form of ID would
| make sense? Either we live in a world without IDs (and other
| information inevitably fills that void and becomes a de facto
| ID), or we allow for-profit enterprise to manage personal
| identification.
| supertrope wrote:
| Facebook login /s
| supertrope wrote:
| IAM is a tough problem. We need solid technical
| underpinnings, scalable and consistent new ID issuance
| procedures, revocation and reissuance workflows,
| accommodation for those on the wrong side of the digital
| divide, fraud resistance, and of course this has to be at
| very low cost for equity reasons and good stewardship of tax
| money.
| otrahuevada wrote:
| Hacker has been discovered to be a random disgruntled employee
| looking for a quick buck.
|
| Hope he serves as a lesson of how to not behave as a public
| servant.
| ByThyGrace wrote:
| Source?
| otrahuevada wrote:
| https://www.lanacion.com.ar/sociedad/tras-un-confuso-
| episodi...
|
| IT talked to Twitter and found a very narrow amount of people
| with the ability to do this.
| ByThyGrace wrote:
| But that was before what the OP article is claiming.
|
| > However, The Record contacted the individual who was
| renting access to the RENAPER database on hacking forums.
|
| > In a conversation earlier today, the hacker said they
| have a copy of the RENAPER data, contradicting the
| government's official statement.
|
| > The individual proved their statement by providing the
| personal details, including the highly sensitive Tramite
| number, of an Argentinian citizen of our choosing.
| otrahuevada wrote:
| "Breach" in this case would imply this was an external
| attacker and not an inside job; from all the info that is
| available at the moment, what appears to have happened is
| some guy with continuous access to an entirely legitimate
| system but malicious intent basically managed to craft
| his own dump of all the records.
|
| Based solely on the exposed field names those are not
| typical for government databases either, so this might
| have been reconstructed from a report or something.
|
| It also looks like the underlying permissions scheme is
| garbage, as there is literally no reason for this volume
| of data to be exportable by a random (even authorized!)
| user at the reported location.
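An added example (not from the thread or from any real registry) of the audit check that germanier's comment on the German register API and the comment just above both argue for: flag an account whose record lookups in a short window look like a bulk export rather than case-by-case work. The log format, account names, record numbers and thresholds are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2021, 10, 19, 10, 0, 0)


def build_sample_log():
    """Constructed audit log, one 'timestamp account action record' per line:
    a clerk doing case-by-case work, then an account pulling 19 distinct
    records in 90 seconds."""
    lines = []
    for i in range(4):  # routine lookups, 7 minutes apart
        ts = (BASE + timedelta(minutes=7 * i)).isoformat()
        lines.append(f"{ts} clerk-ministry-a lookup {30111222 + i}")
    # re-reading the same record must not count as a new record
    ts = (BASE + timedelta(seconds=30)).isoformat()
    lines.append(f"{ts} clerk-ministry-a lookup 30111222")
    for i in range(19):  # burst: 19 distinct records, 5 seconds apart
        ts = (BASE + timedelta(minutes=5, seconds=5 * i)).isoformat()
        lines.append(f"{ts} vpn-health-07 lookup {30222000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into (timestamp, account, action, record)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, record = line.split()
        events.append((datetime.fromisoformat(ts), account, action, record))
    return events


def find_bulk_readers(events, window=timedelta(minutes=10), max_distinct=5):
    """Return {account: peak number of distinct records read within any
    sliding window} for accounts whose peak exceeds max_distinct."""
    per_account = defaultdict(list)
    for ts, account, action, record in events:
        if action == "lookup":
            per_account[account].append((ts, record))
    flagged = {}
    for account, items in per_account.items():
        items.sort()  # log lines may arrive out of order
        peak, start = 0, 0
        for end in range(len(items)):
            # slide the window start forward until it fits within `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({rec for _, rec in items[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[account] = peak
    return flagged
```

A real deployment would feed this from the registry's query log and alert on the flagged accounts; the point is that an export-sized read pattern is visible in the log long before the data turns up on a forum.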
| goldcd wrote:
| "Ministry of Interior said its security team discovered that a
| VPN account assigned to the Ministry of Health was used to query
| the RENAPER database for 19 photos "in the exact moment in which
| they were published on the social network Twitter.""
|
| My guess is that this was slightly afterwards - I know if I had
| access to the db and saw some information being posted on
| twitter, I might want to cross-check (well that makes more sense
| than the poster looking up these people and doxing them
| instantaneously)
| sudoaza wrote:
| Nah looks like a legit way to get it, probably unintended, for
| sure Ministry of Health is way less secure than RENAPER.
| Somebody was looking around, found that and won.
___________________________________________________________________
(page generated 2021-10-19 23:02 UTC)