
Confidence Deficiency ( 1 ) ...Hello MyKad, Hello IRIS

'Confidence Deficiency' is one new term I learned from Nobel (Peace Prize) laureate Dr Mohamed El-Baradei of IAEA when I watched him speak over BBC World at the Doha Debate series on Saturday, anchored by Tim 'HardTalk' Sebastian.

Baradei was talking of the international community which is now gravely concerned about the political fallout precipitated by both the US and Iranian regimes over the enriched uranium and nuclear energy impasse.

Over the weekend, we learned that Singapore will not allow Malaysians to use MyKad as an entry pass into the island-state -- a bilateral decision made about a year ago -- before we first sort out problems arising from the numerous incidents of inaccuracies in the smart, ahhhhm, identity card.

SOURCE: theSun April 17, 2006 Pg 2

theSun's Terence Fernandez quoted sources from the island republic as saying that Singapore will not accept MyKad unless and until Malaysia resolves the current problems concerning the smart card hawked by IRIS.

Now, like a schoolboy, I am so earnestly eager to apply the new term I've just learnt in my sentence construction homework.

Confidence deficiency. Subject: MyKad. Predicate: IRIS.


Comments

If you have the hardware you need the proper software to run it. And even if you have the system complete with the Poka-Yoke (fail-safe system) you still need the people with the right knowledge and attitude to make it work. But with so many loopholes open for abuse and when even our users have no confidence in its security, don't expect a foreign government to respect it. It's become a gimmick card. And we're supposed to keep it safe like it's the most valuable possession, yet carry it with us ALL THE TIME wherever we go. And that's a layman's opinion from me. And I wouldn't put my money in it until and unless...

Technology is only as smart as the people operating it....

i can tell... really... the design of the OS in the mykad has some flaws...

Ever heard of putting everything in one basket?

To prevent SINGLE POINT OF SECURITY FAILURE, it is important NOT TO give the same security contract to SAME COMPANY or any associate company.

Welcome to Bolehland, where politikus rules everything.

Not only do technical issues persist with the whole thing, another major problem is the legal framework for privacy.

Maybe MDeC can assist the government to draft the framework, not just talk only.

I urge everyone to read this URL :

http://www.austlii.edu.au/au/journals/MULR/2004/15.html

wklim79, do tell...what kinda flaws exists in the MyKad OS? I think that you should enlighten us here so that we are more knowledgeable about the inherent hazards which we could potentially be subjected to wrt ensuring that our most intimate, personal information is safe from predators.

wklim79, be careful with what you claim to know. The MyKad is a very sensitive issue because it deals with national security. Because of your good intention it will be taken otherwise, as a threat to national security, in which case it means ISA detention.
You see the weaknesses and incompetencies of them who came out with this will not want to be embarrassed.

concern-lah, I think you just killed off any hopes of me culling information out of wklim79-lah :)

Can't really blame Singapore for being wary of our MyCard. We know, but we will not acknowledge, that the information in there may be suspect, what with Sikhs being classified Muslim and Christians as Buddhists and so on. What happens if one such person entering Singapore with such a card were to die in Singapore? Why should they be embroiled in a silly situation that only exists in Malaysia [ DELETED - Inflammatory yet Irrelevant ] ?

concern-lah is right about national security issue, in my case, I had to sign OSA in order to get access to a copy of the GMPC technical documents.

I agree with nyc, how great also the technology, if the people who enter the data entered it incorrectly, the information in mykad will be incorrect.

That's the only flaw as far as I can observe, and it is a BIG flaw as far as religion is concerned.

Just like any bank card with a smart chip, I believe the security is there, otherwise I think all banks have to be "wary" about the use of smart chip.

We cannot mix operator flaws with security technology flaws, just have to make it clear to our neighbours.

In order to convince our neighbour about its security, why doesn't our Home Ministry explain to them how the data stored in mykad is protected? What kind of encryption is used? Is it a one way or two way encryption? Can it be broken by Brute force attack method? Stuff like that you know.

That question raised by Singapore gov is irrelevant as far as security is concerned. They should ask the right question like how the data is encrypted, what's the probability of being broken instead of what's the content of mykad. Well, as usual lah, name, address, ic no, finger print, photo, religion, sex, etc, etc. Don't tell me they want to know name is stored at what byte location, what is the encoding used, that was just irrelevant to the discussion.

Why such big fuss about religion classification by the Govt...

There's only the Syariah Court, which governs the Muslims... so why can't they just group it as Muslims, and non-Muslims. Easy peasy, lemon squeezy...

They don't care if the Buddhists convert to Christians, and all other permutations, except when Islam is involved. Then why can't they just leave it as that - if they wanna know religion statistics in Malaysia, use the Banci la... haiya ma, get me worked up only...

From the Edge: Iris is the world’s largest supplier of contactless chip inlays for e-passports. It has more than five million e-passports deployed in Malaysia.

Iris is also winning deals in Thailand and other places... For those who are optimistic, the sky is the limit and same too for Iris' share prices. But hang on a minute, Bursa had also issued an alert or warning on Iris share prices before. Good or bad? Your guess is as good as mine.

Back to issue with our southern neighbour, they MAY BE ONLY concern with the accuracy of content in the card. Easy :- May be MyCard issue just have to correct the "default" value in the RELIGION field of the MyCard issuer set up by some smart arse...

Lastly, does Singapore have any smart card based passport? If not.. Well there is an opportunity for Iris again. Good luck.

Correct me if I am wrong, if there is a flaw on the My-card, it will show on the passport as well. So you reject the My-card but accept the passport. The Malaysian passport has an embedded chip too. Looks like we will all be barred from going to Singapore soon.

One totally insignificant example of how things can go wrong - when they let the wrong Malaysians into the new Casino on the basis of the info in their cards, and prevent the right ones from entering..

If a seamstress in Sabah using a pc and scanner can forge our identity and citizenship documents for her pocketmoney from indons, .....(finish in 10 words or less).

Our IC has been changed, what, four times now. Make it five and then close shop. Another one hundred million gone before the 9MP has even started.

ha x 3.

Regarding the incorrect data, I think the application procedures contribute to the mess as well.

Recently I applied mykid for my new born, they did not print a draft for me to verify and confirm first before printing the real birth cert. They print the real cert straight away. Only after I got the cert then I realised the data, and yes the religion is wrong, but it's too late and they cannot simply cancel that cert because they have tight control on the serial number.

What to do? They told me I can't change that. What's printed is printed.

However, they told me when I get the mykid card for my toddler four months later, I can fill in another form to change it. So? The procedure is still not perfect! Because my toddler's mykid card will have a religion different from the one printed on the birthcert.

I was wondering for a long time, why only the religion? why not other data? Is it done on purpose? What was the agenda behind?

Yeah, Neil,
and don't even talk about encryptions, contactless chips, and whachamacalits in the hardware, if you can't even explain how you can get duplicates and fake cards by the thousands... the question is still how you can handle the serious human software problems.


You people don't know, if it gets changed ten times, the money comes in ten times..... If they make it "fool proof", it comes in only once...... At that rate, when would they get to buy a BMW, Mercedes, Porsche, Audi, Rolls Royce... Houses for 2, 3 million.... Buy shares by the hundreds of millions.... 3, 4 wives... 5, 6 girlfriends... 7, 8 mistresses... That's normal, brother.....

WORK TOGETHER WITH ME......ha ha ha

To check if what's printed on the MyKad corresponded with the chip's content, you may logon to ASTRO's channel 800, wait for 5 seconds, then choose the option to check MyKad. Insert your MyKad into ASTRO decoder's second card slot. Your detail will be shown on the TV.

D15COV3RY;

What a good way for Maxis and ASTRO to collect personal information (not just the subscribers but non-subscribers also) for free.

I do not really concern too much on the exact contents in myCard at present.. Minor mistake could be caused by data entry or data handling error by a fellow human being. Tell me what type of human does not make mistake ? And the minor error can be corrected quite easily with a proper process, provided smart arses put on their thinking hat. They too can become smart alec.. Just do it.

Kamil, I think Maxis or Astro may not get the data so easily.. as I know Astro's decoder does not have a satellite uplink.. (unless you plug a phone line to it....)

kamil: how do you know that maxis/astro collects personal information via decoder? Any proofs?

i personally think that we need to know what singapore is trying to tell. if worry on the flaws, what flaws? technical? or human-related?

I do not know whether they do it or not but it can be done (Chong318 gave you the clue).

Personally, I am always wary of this kind of thing.

Chong318, tell those people who were given sex changes and were 'converted' to Muslims by their MyKad, that it is 'minor' problem. I don't think that they will take your comments as lightly. I think you better check that those nincompoops got your gender correct, at the very least.

Well, I am still what I am (e.g. male, Buddhist), no matter what the content of MyKard says otherwise. No amount of data in the MyKard, be it entered intentionally or by mistake can change that... No amount of action by Govt or some alecs can change that either...

This may be theoretical.. Should we panic if there are some data entry errors, e.g. sex, religion, address, height, weight, eye colour, etc information in MyKard? Ever ask how important are these information in our life or in our dealing with others or authorities. Personally I do not give much damn to authorities anyway (else you will be total slave to them. As I think I am paying enough taxes also, that is "slave" enough already!).

My main point remains :- I think the current process of correcting data error in MyKard should be speeded up. It is so easy to correct it. A small percentage of human mistake should not be allowed to bring down a key nationwide IT project.

How secure can the MyKad be when its content can be read with an Astro decoder and, now, a gadget which will be on sale for about RM30. Next logical question, then, is how easily can it be cloned using a card with some illegal immigrant's photo and someone's legitimate personal data. Can a terrorist organization with better computer expertise clone it to become a carte blanche to enter countries accepting its use in lieu of a passport?

sorry ah, cannot provide any info on the flaws... later kena ISA la...

as for passport, didn't hear about it coz I don't deal with the passport...

Like most obedient citizens, I applied for my MyKad within the stipulated timeframe, but when those who applied at the same time got theirs, but I didn't get mine, I went to see the Registration Department. Reason? Problems with fingerprints. So I said "why not we cancel the old one, and do a new one?" The reply "don't worry, it'll be sorted out". I've been waiting for 6 months now, and I bet someone out there is using my fingerprints and a dummy name to make all sorts of commitments.

I think I gotta get a lawyer to put the government on notice that I will hold them responsible for any losses suffered as a result of this lack of security.

Folks, Singapore is right to reject the use of MyKad. No kidding, based on my personal predicament.

Chong318,

//Should we panic if there are some data entry errors, e.g. sex, religion, address, height, weight, eye colour, etc information in MyKard? Ever ask how important are these information in our life or in our dealing with others or authorities. Personally I do not give much damn to authorities anyway.//

MyKad used to be known by another name (well many other names actually). Primarily it is an IC - Identity Card. Maybe we SHOULD panic if our IDENTITY is wrong. I'd be very annoyed to be put down as a female 40 year old Malay Muslim living in Tanjung Malim.

I can also anticipate problems such as: You are asked to show your MyKad to a policeman. He looks at it, scans it, reads ALL your personal info, and then says "That ain't you. You're a 20 year old Chinese male, and if you live in Tanjung Malim what the hell are you doing in Mersing, Johor at 3 o'clock at night?" Things like that you know.

And accuracy of personal information is EXTREMELY important if MyKad is to be used to cross borders. I don't want to ter-kantoi as a terrorist by Singapore and kena lokap for 30 years.

To me, simple works best. And not putting your eggs into one basket seems to me the fundamental principle in both the share market and in personal security.

Haha .. for information that can be read for free on Astro decoders, didn't the press report a few days back that the government/country would be saving millions because they could get a company to develop Mycard readers for government agencies and the public at a fraction of another quote which went into hundreds of ringgit ?

Wow.. Malaysia really can do it!

Dear hann, Pls and pls la be reasonable and sensible... pls do not scare off people la.. How often do you expect an ordinary Malaysian citizen being questioned, checked and scanned by police and what not in Malaysia? What is the probability and %? My guess it may be 0.001% (i.e. 1 in 100,000).

As for the % of data error, may be 0.005% (1 in 100,000) also. Hence, for the 0.001% problematic citizen to meet up with the 0.001% with problematic IC, we are talking about a very very small chance here.. As for the 0.001% to be questioned by a foreign law enforcement dept, the probability will certainly be reduced further... I hope my logic is correct.

As for those data in our MyKard, as I know some data are readily readable for common applications like automatic form filling, etc. Key data however are securely locked and not changeable or altered by unauthorised parties. MyKard is not like a floppy disk or USB flash RAM memory stick la.. Kawan.

Let's look at the positive side of things : Smart card based products like MyKard and e-passport could be a tested, proven and useful product that comes out from Malaysia's MSC. It could be a world class product.

Frequent visitors to Singapore may apply for Access Cards (pay SGD30) which use fingerprint identification to enter Singapore. The use of this card is easy and fast.

We are trying to propose MyKad to Singapore which ourselves are not totally confident of, otherwise, we would not have proposed another Frequent Traveller Card. How many high tech cards do we need?

I went to a bank to open an FD account recently. The official photocopied both sides of my MyKad. She then inserted the card into a card reader, placed the display of the card reader on the photocopy machine and started making a copy of the information displayed.

I asked the official why and she said, there are frauds, the bank needs to be sure what was printed on the card was the same as what was stored inside the chip.

My 17+ years old son has to bring along his original birth certificate, his photocopies of the MyKad and Birth Certificate and photocopies of my certificate to the Immigration Office to apply for his International Passport. I have to be present as well. I asked the officer why we have to submit all these papers when he can get them from MyKad. He said "this is the procedure".
When I applied for my MyKad in Kedah, the officer told me that he could not enter my Passport and other particulars in MyKad. The machine & system in that small town did not have such facility.
If you buy or sell a car, you have to submit photocopies of your licence and MyKad signed by a Commissioner of Oaths.
Reading between the lines and with all those reported mistakes in MyKad, I wonder how Smart actually is my MyKad!

Your details are stored on this chip. The chip was programmed by someone with information supplied by you.
Problem 1. You could have easily supplied the wrong information.
The information was keyed in by someone.
Problem 2. This person could have keyed in the wrong info.
Classifications or the lack of – religion, race, gender.
Problem 3. We already know the outcome of this problem.
Card Readers. These are available for RM10 to RM 20 at Jalan Pasar. These are designed to read some information on the card.
Problem 4. How soon before someone hacks it and turns it into a Card Recorder? In this scenario we have Joe 1 with a MyKad information of Joe 1 and a Central Government Server with the same information of Joe 1. If Joe 1 hacks the card and changes his info to Joe 2 and he is stopped by the police with a portable reader, the MyKad will read Joe 2 and not Joe 1. If Joe 1 was a wanted man he would have been able to get away. If Joe 1 was crossing the Causeway to Singapore with Joe 2 information on his MyKad, the Singapore’s Immigration Card Reader will read him as Joe 2 and not Joe 1, again, Joe 1 would have ‘escaped’.
If the Malaysian and Singaporean computers were ‘talking to each other’ so that information on the Card is current with the information on the Server, Joe 1 would not be able to escape. This now leads us to another problem –
Problem 5, how much access should they have to all our information? If Malaysia is so willing to share all this information with Singapore, then Singapore will have all the details of everyone in Malaysia. Now, let's just say Malaysia was smart and will only share the ‘relevant’ information similar to those already on our passport, why would Singapore want to invest in this technology when they can stick to status quo….

To Chong318,

If you are thinking that there is little harm with wrong info being keyed in into our myKAD, you are wrong. Imagine if your myKAD were to claim that you are a Muslim, a lot of serious implications would arise upon your demise.

Are you aware that non-Muslims have no rights to inherit anything from a Muslim? Hence, if your spouse is a Muslim and he/she passes away, you and your family/children would stand to inherit nothing. Every asset owned by the converted spouse and in the event of no Muslim next of kin, the assets concerned will be transferred to Baitumal, the Islamic Trust. It has happened to a Chinese convert in Malacca several years ago. The person concerned was a fireman who converted to Islam. However, he passed away during the course of his duty and his family being non-Muslims inherited nothing, not even the house the family was staying in, until much pleading by MCA to the Malacca State Govt.

And, of course, the most recent case involving a former Indian athlete who was claimed to have converted to Islam without the family knowledge. There was also a case many years ago whereby the Religious Authorities actually claim the body of a 14 year old boy from a Chinese funeral claiming he was a Muslim. You can imagine the distress the family was going through.

In short, wrong information being keyed in your MYKad can indeed be a matter of life and death.

Chong318, actually it does have a satellite uplink on channel 800. That's why it's called "Astro-Interactive". You slot your credit card, request for some TV programs, the information on your credit card is uploaded to the bank and charged accordingly. However, whether Astro collects the data is another question only Astro can answer.

The banks can implement smart chip so successfully across the country. In US and Europe, smart card has been used so extensively without problems like this. I think they are the same type of technology.

I think Singapore did not concern about the security issue but human error like this will make mykad void as an entry pass.

Since this is an identification card / cross border entry permit, it must be 100% accurate.

With the "tidak apa" attitude, where accuracy is not a concern, give us the most advanced technology also no use.

Is MyKad deploying something called PKI - Public Key Infrastructure? It sounds like it. You can see from Digicert web site (www.digicert.com.my). If it is so, be worried.

Currently in the PKI technology, a digital certificate (in this case, MyKad) has a validity period. The reason being that, it is possible, if not very difficult, to regenerate the signing authority key. Meaning, someone "else" can make themselves "Malaysia Government" and produce their version of MyKad. It is like "cloned". The validity of one-year period is to enforce replacement of the MyKad that you have. Well, this is NOT implemented in our system. Flaw 1.

Next, every MyKad that is stolen or "compromised" or known to be invalid must be recorded and "published". It is called Revocation List. But in our system, it is NOT. We can't verify this list of invalid cards. For example, if you lost your MyKad or it is stolen, and you use this card to travel to other country, like Brunei. How does Brunei government reject your card? How quickly is the Revocation list being announced to Brunei government? Online or offline? Now, imagine we have 10,000 millions missing each year... how extensive is this "database" being shared among countries? Just the "shoppers" in Malaysia that accept MyKad will have problem to access this Revocation List... Flaw 2.

And when you publish this lost card to other country, do you only publish the unique ID of the card or you also include other information such as DOB, Address, Religion and many many more. Is this a "leak" of your citizen info to other people? Flaw 3.

And finally on the Certificate Authority. In this case, our government. Normally a Certificate Authority should regenerate their key once every 20 years. Don't tell me all Malaysian need to replace the MyKad every 20 years... Flaw 4.

You must know the reason we hold IC in our wallet all the time is because of the case about communist last time - to effectively filter out communists from our country. Yes, it succeeded. Now look at other countries, like USA and Australia. They don't carry IC around, nor passport. Only driver license. Well, there are some issues over there too, but we don't know about it since we are not living in that kind of environment. Perhaps a study of history and understanding why things are like that today is a good start.

It is never too late to stop MyKad just like the way we stop crooked bridge... :p

Well, personally I welcome the idea of MyKad. But I think the citizens aren't being well briefed about the benefits of MyKad from all perspectives: usage, support, replacement, cost, security, feature, maintenance, legality, environment and interoperability. Only 'feature' is mentioned. Nothing else.
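The checks raised in the comments above (chip data rewritten after issuance, a validity period, a revocation list that carries only the card's unique ID), as an added example that is not part of the original thread and does not describe MyKad's actual design. The record layout, serials, names and one-day list age limit are constructed assumptions, and Ed25519 stands in for whatever signature scheme an issuer would really use.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// CardRecord is a hypothetical chip layout, not MyKad's real format.
type CardRecord struct {
	Serial    string // unique card ID; the only field a revocation list has to carry
	Name      string
	NotBefore time.Time
	NotAfter  time.Time
	Signature []byte // issuer's signature over signedBytes()
}

// RevocationList holds lost or stolen serials plus the time it was published.
// A real deployment would sign the list as well; that is left out here.
type RevocationList struct {
	Issued  time.Time
	Serials map[string]bool
}

var (
	ErrBadSignature = errors.New("card data does not match issuer signature")
	ErrNotYetValid  = errors.New("card not yet valid")
	ErrExpired      = errors.New("card validity period has ended")
	ErrStaleList    = errors.New("revocation list too old to trust")
	ErrRevoked      = errors.New("card serial is on the revocation list")
)

// signedBytes length-prefixes each string so field boundaries cannot be shifted.
func (c CardRecord) signedBytes() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d|%d", len(c.Serial), c.Serial,
		len(c.Name), c.Name, c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// Issue is the registration authority's side: sign the record with the private key.
func Issue(priv ed25519.PrivateKey, c CardRecord) CardRecord {
	c.Signature = ed25519.Sign(priv, c.signedBytes())
	return c
}

// Verify is the offline reader's side. It holds only the issuer's public key
// and a revocation list, and fails closed on every check.
func Verify(issuer ed25519.PublicKey, crl RevocationList, maxListAge time.Duration,
	c CardRecord, now time.Time) error {
	switch {
	case !ed25519.Verify(issuer, c.signedBytes(), c.Signature):
		return ErrBadSignature
	case now.Before(c.NotBefore):
		return ErrNotYetValid
	case now.After(c.NotAfter):
		return ErrExpired
	case now.Sub(crl.Issued) > maxListAge:
		return ErrStaleList
	case crl.Serials[c.Serial]:
		return ErrRevoked
	}
	return nil
}

// Scenarios runs constructed sample cards through Verify and returns each result.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	now := time.Date(2006, 4, 17, 12, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	crl := RevocationList{Issued: now.Add(-2 * time.Hour), Serials: map[string]bool{"C-0003": true}}
	oldList := RevocationList{Issued: now.Add(-10 * day), Serials: crl.Serials}
	card := func(serial, name string, validFor time.Duration) CardRecord {
		return Issue(priv, CardRecord{Serial: serial, Name: name,
			NotBefore: now.Add(-30 * day), NotAfter: now.Add(validFor)})
	}
	genuine := card("C-0001", "Joe 1", 365*day)
	altered := genuine
	altered.Name = "Joe 2" // chip contents rewritten after issuance, signature unchanged

	return map[string]error{
		"genuine":    Verify(pub, crl, day, genuine, now),
		"altered":    Verify(pub, crl, day, altered, now),
		"expired":    Verify(pub, crl, day, card("C-0002", "Joe 1", -day), now),
		"revoked":    Verify(pub, crl, day, card("C-0003", "Joe 1", 365*day), now),
		"stale list": Verify(pub, oldList, day, genuine, now),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

The reader never needs the central database to catch the altered record, only the issuer's public key; what it cannot do offline is learn about a card reported lost after its copy of the list was published, which is why the stale-list case is rejected.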

I just checked on the information on my MyKad and my parents' MyKads. Will someone help me through this identity crisis? I appear to be an unnamed teenager in Malaysia while my Buddhist mother is without a religion or a system of belief. This out of three cards!

So what was that about the chances of having a flawed MyKad being at 0.005% my friend Chong318? More like 66.67%

I too don't give a damn about the Malaysian government, but I'll be damned if i let them do anything that sits badly with me.

(Mimes Hamlet dying)

God/Allah help Malaysia, if he cares or sees at all.

Singapore ICA has responded to inaccurate reporting by NST. Checked that STAR and SUN do not report the same.


http://www.channelnewsasia.com/stories/singaporelocalnews/print/210979/1/.html

ICA did not request scrapping of Malaysian Restricted Passports

29 May 2006 2329 hrs (SST)

SINGAPORE : Singapore's Immigration and Checkpoints Authority has responded on the issue of Malaysian Restricted Passports (MRP), saying it did not request that Malaysia do away with such passports.

The response comes after the Malaysian media had quoted its Home Affairs Minister Radzi Sheikh Ahmad as saying, "Malaysia had agreed to Singapore's request in 2004 to scrap the restricted passport system."

ICA says Malaysia had on its own accord stopped issuing and renewing the restricted passports from January 1 last year and announced they would not be valid for travel after December 31 this year.

Singapore's ICA also wrote to the Malaysian Immigration to say that it would formally cease accepting MRPs as a valid travel document to Singapore with effect from July 1 this year, six months before the deadline announced by the Malaysian authorities.

Currently, ICA has an electronic card-based automated clearance system, which has been open for use by Singaporeans, Permanent Residents and long-term pass holders since December 1997. - CNA /ct


http://www.singapore-window.org/sw06/060406ns.htm

Singapore rejects use of MyKad

New Straits Times
April 6, 2006
PUTRAJAYA, Malaysia

SINGAPORE has rejected Malaysia’s proposal to allow MyKad instead of passports to travel across the Causeway.

Home Affairs Minister Datuk Seri Radzi Sheikh Ahmad said Singapore’s reasons for the rejection was that it was uncertain of the smart card’s security features.

The more than 100,000 Malaysians who travel to Singapore for work every day will have to continue to use international passports.

Radzi said Malaysia agreed to Singapore’s request in 2004 to scrap the restricted passport system, although there were objections from many people in Johor at that time.

After a two-year discussion, it was reported last year that Malaysia and Singapore had agreed in principle to introduce the smart card system for frequent travellers, and that it would be operational once card readers had been installed at the Causeway and the Second Link CIQ checkpoints.

Radzi acknowledged that the decision by Singapore would affect Malaysian workers there, as international passports cost more.

The frequent stamping of their international passports, he noted, would mean that the workers would have to replace their five-year passports at RM300 (32 pages) or RM600 (64 pages), compared to RM150 for restricted passports.

However, Radzi said he would revive negotiations to convince the republic of the MyKad’s security, and if that failed, he would propose that Singapore implement a mechanism to enable the use of Malaysia’s e-passport system.

Radzi was speaking at a Press conference after meeting his Brunei counterpart, Datuk Adanan Mohd Yusof, at his office here yesterday.


http://www.sun2surf.com/article.cfm?id=13818

S'pore wary of flaws in MyKad

Terence Fernandez

.........
.........
Malaysia had cancelled issuing restricted passports in favour of the MyKad last year. Among others, many MyKad applicants have complained of wrong race and religion in their card.
.........
.........


http://thestar.com.my/news/story.asp?file=/2006/4/6/nation/13884219&sec=nation

Thursday April 6, 2006

Singapore ‘no’ to MyKad

By MAZWIN NIK ANIS

.........
.........
Radzi said Malaysia had agreed to do away with the Restricted Passport because it did not contain security features and was not internationally recognised.

He said come July 1, Singapore would no longer recognise the document.

“If need be, I will visit the republic and meet with my counterpart to settle the issue,” he said. “We also hope Singapore can do something about this because it has benefited from having our people work on the island.”
.........
.........


