It appears that the official identity data of many Germans was online readable for over three month... including religion and sometimes a photo.
How did this happen? Well, a software company that had successfully sold its eGovernment software to many German communities published the username and password of a demo version of their software on the internet. BUT this username and password happened to be the preinstalled standard username and password of the real application too. Ouch!
You don't need much fantasy to guess what some of the administrators of the sold software had failed to do...
I don't blame the administrators alone. Sure they probably violated the security policy of their organization but the bad security design of the application takes at least a quarter of the blame. Wait, let's put some blame on the German electronic signature laws too. The system of electronic signatures is so secure and expensive that nobody is willing to pay the price in Euros for it; not even or especially not the community and the government that made the laws.
This would not have happened had they used Information Cards.
Well, on the other hand it is not so complicated to use Information Cards in a way that is really stupid e.g. let anybody access the sensible data who presents a security token with the claim emailaddress == geheim@city.bund.de.
OpenID Federation Session at April 2024 IIW
17 hours ago
No comments:
Post a Comment