
PTPTN: Security? What Security?

This evening, I received an email from a concerned PTPTN loan defaulter, sharing his experience with the online statement facility provided.

He was at first impressed by the service, before the security issue put him into cautious mode. Excerpt:

I was shocked to find out that, after providing the PTPTN staff with my IC number, the staff was able to provide me my PIN number on the spot, through the phone!


From: Not A Security Expert
To: skthew@gmail.com
Date: Tue, 27 Jun 2006 10:42:29 +0100 (BST)
Subject: PTPTN: Security? What Security?

I wish to bring to your attention the following matter regarding our beloved PTPTN. As a loan defaulter, I rely on the Internet and telephone to transact and confirm my monthly payment, as well as for other miscellaneous communications with the body, as I was told to change my lifestyle to rely less on transport to the bank or PTPTN.
 
Being involved in the IT industry, I think I have come to realize a bit too late that PTPTN actually does offer an online statement facility for its defaulters’ reference, available at http://www.emoe.gov.my/ptptn/. After being informed by my housemate, I was delighted that PTPTN has made such progress, as well as providing greater convenience for defaulters like me, as I travel out of the country rather frequently for work, and I went to find out how to get access to my own online statement.
 
From the web site of PTPTN (http://www.ptptn.gov.my), it appears that one has to register via snail-mail (from an online PDF form) first in order to obtain a PIN number to access his/her online statement. Being confused by the lack of information on how to proceed after completing the form, I made a call to PTPTN to seek clarification.
 
Guess what, I was devastated. Not because the system is down. Not because no one picked up the phone (in fact, the person who answered was rather friendly and helpful). Not because my records are not found.
 
I was shocked to find out that, after providing the PTPTN staff with my IC number, the staff was able to provide me my PIN number on the spot, through the phone!
 
If you are not familiar with security fencing for Internet transaction-based applications (especially financial related ones!), sensitive data such as passwords are not supposed to be provided verbally through the phone, due to loop-hole related reasons such as social engineering. And, such data are usually encrypted, and not viewable by anyone except those with privileged access like higher level managers for accountability. Think about it, when was the last time you received a password from Maybank or HSBC from a person through the phone? Wouldn’t it scare you that that person on the other side of the phone, probably a call center employee, has access to your and the rest of the bank’s customers’ banking records?
 
The Malaysian IC number is not hard to figure out either, three questions, and probably I am well on my way:
  1. What is your date of birth?
  2. Where were you born?
  3. Are you a male/female? (Duh!)
Or, it could be better by just saying "Congratulations, you have just won an iPod from XXX Contest by YYY Corporation. Can I have your IC number for verification?" (Prepare to hang up upon getting IC number).
 
Then on second thought, maybe I could change my PIN number as soon as I log on… If any of your friends happen to find out where to click to access the "Change PIN" function, please let me know. Thank you.
 
OK, big deal, what’s there to view in your PTPTN online statement that is so secretive? (Then why the PIN in the first place? Duh!) Not that I can transact your money to mine. For starters, I know where you live. I know how much you owe PTPTN. I know how much you have paid the last month. And, I can definitely view your transaction behaviour, and your cash flow trends, as well as methods of transaction. If you do not think such a thing is scary pertaining to privacy, I rest my case.
 
Well done to PTPTN for such an improvement in providing online services, but then, don’t you think that financial data deserves a little more security and privacy than this?
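
The following example is added here and is not taken from the letter or from PTPTN's actual system. It contrasts the helpdesk behaviour the letter describes with a design in which staff cannot read the PIN and a phone call can only trigger a reset sent to the address on file. All class names, method names and sample values are hypothetical.

```python
import hashlib
import hmac
import secrets

class WeakHelpdesk:
    """Design the letter describes: readable PIN, released on IC number alone."""
    def __init__(self):
        self.pins = {}
    def register(self, ic, pin):
        self.pins[ic] = pin              # plaintext, visible to every agent
    def phone_request(self, ic):
        return self.pins.get(ic)         # IC number is the only "proof" of identity

class HardenedHelpdesk:
    """PIN kept only as a salted hash; a phone call can trigger a reset token
    sent to the address on file, but nothing secret is read to the caller."""
    def __init__(self):
        self.records, self.addresses, self.resets = {}, {}, {}
        self.outbox = []                 # (address_on_file, token) awaiting delivery

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 600_000)

    def register(self, ic, pin, address):
        salt = secrets.token_bytes(16)
        self.records[ic] = (salt, self._hash(pin, salt))
        self.addresses[ic] = address

    def verify(self, ic, pin):
        salt, stored = self.records.get(ic, (b"\0" * 16, b""))
        return hmac.compare_digest(self._hash(pin, salt), stored)

    def phone_request(self, ic):
        if ic in self.records:           # same reply whether or not the account exists
            token = secrets.token_urlsafe(16)
            self.resets[ic] = hashlib.sha256(token.encode()).digest()
            self.outbox.append((self.addresses[ic], token))
        return "If an account exists, reset instructions go to the address on file."

    def redeem(self, ic, token, new_pin):
        expected = self.resets.pop(ic, None)   # single use; a wrong guess cancels it
        given = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        salt = secrets.token_bytes(16)
        self.records[ic] = (salt, self._hash(new_pin, salt))
        return True
```

A short numeric PIN can still be guessed online, so a real deployment would also rate-limit `verify` and expire reset tokens; both are left out here to keep the contrast in focus.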


5 comments to PTPTN: Security? What Security?

  • jaywalker_82

    So, SK, what’s your IC number?

  • Jee

    Funny.. the person who wrote the letter obviously wasn’t thinking much..

    If some people really know his/her IC.. they can send the snail mail and get the PIN anyway.  I would be glad if the officers can just give me my PIN when I called last time.

    And BTW.. someone must be dumb enough to simply give away their IC after being told they won a lottery of some sort.. and who said IC number is easy to guess?

  • H4RRY

    I don’t think changing the PIN does anything, they can just call PTPTN again n get ur PIN again.

    Most people are dumb enough to give out their IC no. n IC no. is easy to guess. It’s not like people keep their IC no. secret or anything, they usually thought, what’s the harm anyway? IC no. is not designed to be secretive or private.

  • hmm

    hmm… i think the pin number will remain the same and u cant change it. Because if im not mistaken this pin number is actually your referral number, which was stated in your ptptn document, i mean the agreement document..

  • muhammad zaini rizal

    For 3 days now I have not logged in to PTPTN to make a loan application, and I have called PTPTN many times. I have also given my IC number, name and telephone number, and the PTPTN officer keeps telling me to keep trying until I get through. Here I am giving my name, IC number and telephone number (muhammad zaini rizal b. harris fadilah, IC no. 871011115297 and telephone no. 0129303470)
