87 comments

[ 3.0 ms ] story [ 178 ms ] thread
"Ministry of Interior said its security team discovered that a VPN account assigned to the Ministry of Health was used to query the RENAPER database for 19 photos “in the exact moment in which they were published on the social network Twitter.”"

My guess is that this was slightly afterwards - I know if I had access to the db and saw some information being posted on twitter, I might want to cross-check (well that make more sense, than the poster looking up these people and doxing them instantaneously)

Nah looks like a legit way to get it, probably unintended, for sure Ministry of Health is way less secure than RENAPER. Somebody was looking around, found that and win.
"According to a sample provided by the hacker online, the information they have access to right now includes full names, home addresses, birth dates, gender info, ID card issuance and expiration dates, labor identification codes, Trámite numbers, citizen numbers, and government photo IDs."

And entire country just got doxxed. That's insane.

All this information in one database... Thats the real insanity here. Why would anyone think that this is a good idea? Leave aside security and safeguards for a moment, just compiling this database is neglectful at the very least...
I don't understand how you can seriously think that having two databases instead of one would make it any easier. OK, if we had two databases the overlap would be, let's say, 50% and there would be another 20% in the database A that doesn't exist in database B. Still 70% of information stolen.

That on top of the fact that having two separate databases means twice the probability of different bugs in two different systems.

We must all move away from using PI as passwords, that's all we need to do. Then this problem will go away.

> We must all move away from using PI as passwords, that's all we need to do. Then this problem will go away.

You make it sound like it's an easily solved problem, which it apparently isn't.

I just use password reset every time I have to log in and do enough login fails afterward to lockout my account.
This is a country where when they installed license plate scanners on highways they accompanied them with large screens that show the plate that was just scanned.

So as to... I don't know, brag that you're collecting all this information, that is to be inevitably leaked in a while? To make people feel safe, while clearly indicating the highway exits to avoid if you actually steal a car?

> This is a country where when they installed license plate scanners on highways they accompanied them with large screens that show the plate that was just scanned.

This is done in France when it catches you driving too fast. "ABC 123" you're going too fast! It's a bit jarring your plate up on a screen so it works kind of well against speeding. They don't need to store your plate to use this feature.

Of course plates are being scanned (and probably stored) all over the place now (toll booths, big roads in & out of the cities), not denying that.

In our case its not shaming you for speeding or anything specific, it just displays every plate that it scans to advertise the scanner.

Also in a not very surprising turn of events, a lot of the screens just show a fixed plate these days which makes you wonder which component broke (is it the screen, or the scanner?)

Isn't it like this in practically every European country? We have ID cards with every one of those fields printed on them, including thumbprints. All of that information is probably in one big table somewhere.
Most EU cards also integrate fiscal id numbers and national healthcare id numbers in the chip but arguably do exclude registered address, so only a city/province of residence is available.
Not sure about the rest but Spanish ID card includes full address.
Italian ID cards too, as well as the owner's signature, the fiscal code (an unique identification code similar to the SSN in the USA) and the fingerprints (though these latter are stored in the chip only, not printed on the card).

It's very likely that this data is also stored in some government database, which I hope will never get breached.

Swiss cards not but well Switzerland is not EU...
It’s part of Schengen though. But I confirm, no adresse on our ID cards.
Germany supposedly does not have a central registry, I've been informed.
Because of (political) federation I assume, right?

However are the regional governments supposed to develop their own solutions, or are they using a centrally developed database, just with local unconnected instances?

"Contrary to popular belief, there is no central administration of resident registration in Germany. The exception is the registration of resident aliens (see Central Register of Foreign Nationals). Registration is organized by 5283 local offices throughout Germany.[18] "

https://en.wikipedia.org/wiki/Resident_registration#Germany

I was also told something on identity cards only lives on the cards, but cannot find the source or details on that.

Source? Even the Addresses (Melderegister) are centralized.

edit: Looking it up [0] it looks like there is far more data there, all in a central database since at least 2015 (not sure how it worked before).

[0]: https://de.wikipedia.org/wiki/Melderegister#Deutschland

It's been a little while, so perhaps things have changed, but I was told that quite a bit of the data exists only on the card itself.

From your link it seems i was not entirely misinformed: "Contrary to popular belief, there is no central administration of resident registration in Germany. The exception is the registration of resident aliens (see Central Register of Foreign Nationals). Registration is organized by 5283 local offices throughout Germany.[18] "

I'm unable to find the part about cards. will edit or reply more if i do find it.

Looking into it again, it appears the residential registration is indeed decentralized, but most of that data seems to still be saved in a central database thanks to Abgabenordnung § 139b [0].

There is something about sharing that information, but I can’t say I understand the legalese ;)

[0]: https://www.gesetze-im-internet.de/ao_1977/__139b.html

There is no central database, even after the changes of 2015. It is still hosted by each individual municipality (which is exactly what your link states).

However, there here is a standard API which allows some entities to query all those decentralized registers. It is designed to make it hard to siphon out all data at once (which hopefully trips audit systems in enough places that someone cares to look into).

The only centralized database of that kind is the one at BZSt, which contains far less data. For the moment access is limited to tax-related issues but it will be soon expanded to a centralized base data registry (Registermodernisierung).

To be fair, The security around the digital system in the Netherlands, is almost painful.

Japan is really good in this, they store everything on paper and fax it around.

They’re also starting with a national ID now though.

Everyone does it is not actually a persuasive argument that something is a good idea. It was an uphill struggle back in the day to get everyone washing their hands.

This is a predictable outcome of a government creating then storing long term secrets in a database. Governments are not good at keeping secrets. The data will leak.

I don't remember justifying it. Your comment seems a cheap karma grab.
Not in the UK (which is in Europe but no longer in the EU). Was planned before 2010 and then got scrapped by the subsequent government. What's in the works now?
I think so, but it doesn't mean that it is a good idea... Every bit that creates an official identity should be handled with great care.
The horse left the barn before you were born.

All of this information is in multiple single databases maintained by insurance companies in the US. And that data is in turn linked to all sorts of behavioral and affinity data. GEICO knows more about you than DMV.

(comment deleted)
What? How do you imagine that could work? Only paper records, and any interaction with any public administration thing takes a few months? It's generally a good idea to have the tax office, the healthcare ministry/insurance people, police, etc. know who the people of the country are and how to identify them. It's the norm in the EU, and works fine as long as security is taken seriously (which obviously wasn't in Argentina).
Yes, I think it's a good idea for government to have that info. Government needs to provide services and manage resources, which means knowing who and where people live, and have a proper ID number to manage that data.

The alternative is for government to have 90% subsets of the same data in a a thousand different databases, one per-department, per-jurisdiction.

And then Dept A thinks you live here, Dept B thinks you live there, Dept C thinks you have a warrant out for your arrest, and little municipal dept Y.43 thinks you're dead.

Yeah, I can see a few problems with that.

That's a basic citizen database.

The only non-obvious information is the labor identification code. Except for that, it's just "who exists and how do we call them?"

To be fair this information is already public in argentina. There is no secrecy to almost any of this, as ID numbers are public, sequential and queryable for tax status, debt status, etc.
What are the fallback plans here in case of a hack like this? Assign new numbers, somehow? Require all financial activities be done in person? The implications all seem awful
The "right" solution is to not use person info as "passwords".

Instead, give everyone a digital certificate with the private key stored in smartcards that don't allow anyone to copy the key, only to use it.

Those are problematic as well, because they're very costly. One country that implemented authentication and signing this way (I think it was Estonia?) had to recall and replace every single smart card after someone discovered a way to clone the RSA chip on them. With some bad luck, you're replacing these multiple times per year because smart card vendors often overstate the security of their products.

You could, of course, use real passwords, like every single service out there on the internet. Force some level of 2FA for security as well and you should be fine security wise.

Incremental plaintext numbers are not passwords, though. European countries have solved this problem in a variety of ways (that have been made cross-compatible and federated, even) and none of them use numbers on identification as a security number.

The only real fix is not to have central databases at all (Germany does that to a large extent), and keep only necessary things on electronic media (Lawyers and psychiatrists still do that today).

It can be done. Not everything must be electronic, and not everything must be centralized.

Here in Belgium we have smart card IDs. You assign a 4 digit pin as password and then use a smart card reader to access various govt websites.

Only problem is you have to install a browser plugin that has to be compatible with your browser version and some non-technical people get confused. Apart from that it's actually a pretty good system.

It's now being replaced with a smartphone app, one that uses servers in the USA which poses all kinds of GDPR / privacy issues.

Yeah, in Germany too - ID card containing RFID chip, so you can access government websites if you first buy a contactless card reader and manage to install the browser plugin. And guess what? These cards have been issued since 2010, so all the cards in circulation now theoretically support this feature (if the person didn't opt out), but almost noone actually uses it...
Many modern smartphones function as a reader (by installing the AusweisApp2) for many years now, see https://www.ausweisapp.bund.de/mobile-geraete/ for the compatibility list. No need to buy any additional hardware beyond what a lot of people already own nor is installing the app actually hard.
EID readers are notorious difficult to get working properly, especially on non-standard platforms like linux/mac.

The smartphone app has significantly improved the user experience and can rely on biometric functionality, SMS and other verifications.

Overall, I think it's worth the risk if it's sufficiently defended cyber-security wise

Personal info isn't used as a password generally ( apparently it somewhat is in Argentina) in countries with national ID cards and databases. The card and its associated number are used to identify you and prove you are you in specific scenarios ( e.g. post office, police, bank account, etc.) but isn't used as a password in any way. The number ( or a tax/social security/citizen one) is sometimes used as the account login on some systems (e.g. French tax authority or social security system), but you still have a regular password alongside it.

And btw ID cards in the EU have chips with all the basic information on it as well, for use at airports and similar, and there are plans to use e.g. an app which reads from the chip to confirm possession of the card, and compare the photo on it with a selfie you take and confirm your identity digitally.

Looks like Argentina was using an incidental id leaked together with the data as a global government password.

With any luck, the leak forces them to abandon it. But given people reporting on other comments that the leak was already denied, I'm not holding my breath.

For taxes there is a different identification system that requires you to go to an office in person and give them a password.
The "tramite number" mentioned in the article is quite funny. "Tramite number" translates loosely to "filing number".

When national IDs were issued each one got a "tramite number" that I'm guessing was sequentially assigned when the physical ID cards where issued.

Because this number is vaguely random and is printed on the actual physical ID card, it was used as a password on government apps (for example, for getting authorization to move around during covid). To log into the app, you enter your national ID number and then the "tramite number" that is printed on your physical ID card.

Of course, the number can't be changed, and is stored in plaintext in a large database somewhere. It therefore makes for a horrible password.

The database in question just got stolen, and the aforementioned apps now include all sorts of sensitive PII.

Same problem happened with SSN in the US. It was too convenient of a unique, quasi-secret identifier so it became a password too.
I never understood the SSN-as-quasi-secret bit: isn't it widely dispersed anytime you need some medical stuff?
No, it's typically used for credit services, however.
I've been asked for it by my health insurance companies, providers, and when donating blood. On the latter I saw they had a policy of issuing a different ID number to you on request, but it was a royal pain in the ass and a supervisor came out to ask me what my problem was
Interesting, I've never been asked that when donating blood or going to a clinic, but yes, my insurance plan did (as that is a financial service). It's worth noting that medical clinics will service people without social security numbers just fine.
Yes. It even used to say on the card "not to be used for identification", but various agencies at all levels of government ask for it all the time.
Aside from the obvious problem that this message appears to merely be a suggestion rather than a requirement with legal penalties attached, it doesn't seem to be an actionable instruction.

If you are asked to provide your SSN and you ask "For what purpose?" and the requester lies and says "So I can choose my lottery numbers", it's not clear that you have broken the rule by revealing your SSN. However, perhaps the requester is breaking the rule (and perhaps they should know the rule, assuming they have a card themselves) in this scenario, but it's also not clear what action they would have to carry out with the SSN in order to have used it "for identification".

For example, if a system designer uses SSNs as a primary key in a database, they can claim that's just for simple indexing, and that they are still using name and address or photo to identify someone. A system designer could also claim that they were only using the SSN as a (weak) "something you know" factor (among many other factors) in authentication, which may not amount to using it "for identification". Asking someone their date of birth (to be checked against another source, or on a later interaction) doesn't mean that your date of birth identifies you, since millions of humans share the same birthday.

No I wasn't under the impression it was a rule with legal penalties attached, but I mostly hear this as "can you confirm the last 4 numbers to verify your identity". It's a pretty clear cut case of using it for authentication. And rule or not - it's effectively a 4-digit PIN that probably half the services I have to call into re-use, so it's just plain stupid.
Yeah, and people within earshot are not the issue, it’s the place that has thousands of SSNs getting hacked that the issue, so there is no reason to be secret about it.
To add to this, prior to the internet it really wasn't that bad of a "password". Once upon a time vacuuming up batches of SSNs for nefarious purposes wasn't a realistic attack scenario, let alone a "just assume every criminal has your SSN" one.
They were always a terrible password.

https://www.usrecordsearch.com/ssn.htm

It's mostly a terrible password because it's immutable if it weren't it's a quasi random 9 digit code that's hard to map from a person's current information back to what their SSN is.
If you know when and where someone was born you can figure out the first 5 digits.
Yes, as well as applying for jobs (or at minimum when hired), renting an apartment, and lots of financial things including any type of KYC crypto exchange or investment accounts. I've also had utility companies ask for it.

These are in no way secret, I have no idea how people are okay with this. You can easily social engineer so many critical services if you know somebody's SSN.

Or financial stuff. Or job stuff. Or getting a cell phone or cable subscription stuff. It's pretty much as much of a secret as your middle name in the US - it's not like everybody knows it, but it's not very hard to find out.
Oh it’s better than that. For those born before a certain year, it is trivial to guess their social security number if you know their general date of birth and location as they were assigned sequentially.
Similar situation here in Brazil. People use these IDs as passwords. When system administrators set up accounts for users, there's a good chance the default password will be the user's ID and that it will never be changed. Every school I've ever attended did this for school portals, wifi logins. It's insane. There used to be a website where I could look up anybody's ID number by name, that's how public these things were. With this ID number, I could perpetrate all sorts of electronic crimes under the cover of somebody else's identity. I could dox anyone by consulting services such as credit score databases.
From Argentina here. Government launched a web site were one can change his own "trámite number" (aka application number). Thad said, this is garbage. Government security is a joke here. Few years back, another security break happened because a police data base was publicly accesible. The fix was to "block" international access by editing national DNS.... I want to cry.
How do you authenticate to change your tramite number? With the previous number?
There are many reasons to oppose government ID schemes on principle.

Consequences like these just demonstrate the case.

"Government ID" sounds redundant. What other form of ID would make sense? Either we live in a world without IDs (and other information inevitably fills that void and becomes a de facto ID), or we allow for-profit enterprise to manage personal identification.
IAM is a tough problem. We need solid technical underpinnings, scalable and consistent new ID issuance procedures, revocation and reiussance workflows, accommodation for those on the wrong side of the digital divide, fraud resistance, and of course this has to be at very low cost for equity reasons and good stewardship of tax money.
Hacker has been discovered to be a random disgruntled employee looking for a quick buck.

Hope he serves as a lesson of how to not behave as a public servant.

Source?
https://www.lanacion.com.ar/sociedad/tras-un-confuso-episodi...

IT talked to Twitter and found a very narrow amount of people with the ability to do this.

But that was before what the OP article is claiming.

> However, The Record contacted the individual who was renting access to the RENAPER database on hacking forums.

> In a conversation earlier today, the hacker said they have a copy of the RENAPER data, contradicting the government’s official statement.

> The individual proved their statement by providing the personal details, including the highly sensitive Trámite number, of an Argentinian citizen of our choosing.

"Breach" in this case would imply this was an external attacker and not an inside job; from all the info that is available at the moment, what appears to have happened is some guy with continous access to an entirely legitimate system but malicious intent basically managed to craft his own dump of all the records.

Based solely on the exposed field names those are not typical for government databases either, so this might have been reconstructed from a report or something.

It also looks like the underlying permissions scheme is garbage, as there is literally no reason for this volume of data to be exportable by a random -even authorized!- user at the reported location.

Nobleza obliga, latest news indicate the guy extricated a whole lot of records and it would appear authorities are nowhere near as close to unequivocally identifying him as was originally said.
Same thing happened some number of years ago with Turkey and its ID database.

The Turkish IDs have a "national ID number" (assigned to each citizen, is for life and is unchangeable) and a serial number for the ID itself. You need the national ID number to do certain things, similar to SSNs in the US. Similar to SSNs in the US, it's an absolutely horrible form of identity verification/authorization.

Similar thing happened in the US with a government database of PII and background check investigations. For a high value target its just a matter of when, not if.

OPM subsequently confirmed that investigators had "a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective federal government employees, to include U.S. military personnel, and those for whom a federal background investigation was conducted, may have been exfiltrated." The Central Intelligence Agency, however, does not use the OPM system; therefore, it may not have been affected.

https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

It's not hard at all to get your hands on a Brazilian CPF (Fiscal ID) database. You can buy it on DVD.
I wish the article explained what the hacker can do with this data. The most I can think of is that it allows people to take loans on behalf of others.
Probably not. In latin america, government ID is pretty public and you share it for a lot of trivial stuff. It isnt considered a secret
This is why, in Futurama, the government still uses paper docs.