[ISN] I-Team Investigation: DMV Security Risk

From: InfoSec News (alerts@private)
Date: Mon Feb 19 2007 - 01:29:07 PST


http://www.klas-tv.com/Global/story.asp?S=6090641

By Mark Sayre
Investigative Reporter
Feb 15, 2007

Anyone who wants a driver's license must hand over their personal 
information as a requirement at the Department of Motor Vehicles. And 
when you hand over your personal information to the DMV, you expect it 
to be safe and secure.

But an audit conducted by the state shows that DMV computer systems have 
serious flaws that could jeopardize your privacy. The I-Team has been 
looking into the problem and found many of these problems are not new, 
some go back as far as 2002. 

The state audit is highly critical of the DMV's computer security, 
saying even the most basic security steps have not been taken. For its 
part, the DMV says it is taking quick action to fix the flaws.

"Just renewing my stickers. A very easy plan -- English, registration 
vehicle renewal," Kathy Doyle said as she stepped up to an automated DMV 
kiosk.

And like many customers, she chose to pay by credit card. Until now, 
she's never had any concern about handing over her personal information 
to the state.

But the 29-page legislative audit may give Doyle pause. It states the 
Department of Motor Vehicles uses encryption standards for your credit 
card data that are not up to industry standards.

At least one computer system had no encryption at all.

As many as 31 former DMV employees had active accounts on the DMV's 
computer network and background checks could not be verified on thirteen 
members of the department's information technology staff.

DMV spokesman Kevin Malone said, "So we welcome a third set of eyes if 
you will look at this."

Malone characterized the findings as an adjustment. "What the audit says 
is that we have the proper controls in place, and we did at the time, 
they just needed to be tightened some."

Malone downplayed any risk to customers. "And it pointed out 
vulnerabilities. There hasn't actually been any data breaches or real 
problems that this has turned into for anyone. "

Another audit finding takes aim at the driver's license process. A 
computer also captures your name, social security number and birthday -- 
information that is supposed to be deleted each day.

The I-Team read the rest of the findings to DMV customer Anthony Dow. 
"However, we, the auditors, found various computer disks and two laptop 
computers with this data as far back as 2002."

"Wow," replied Dow.

I-Team Reporter Mark Sayre" What do you make of that?"

Anthony Dow: "Kind of glad that I am only now becoming a Nevada state 
resident so it is not on there!"

The I-Team asked Kevin Malone why the DMV needed a legislative auditor 
to tell them.

Malone replied, "Well, it's a complicated system that is full of human 
beings. So, things slip by [and] get through the cracks. Things like our 
password security is not as good as it could have been. The security on 
the web site could be a little bit better."

DMV customer Theresa Rogers is concerned. "You know, it seems like every 
time you turn around someone has all of your information and you think 
you maybe want to give up credit card use, computer use and everything 
else anymore."

And while Kathy Doyle collected her new registration, in the end she 
says this audit is not going to scare her away. "They probably could do 
better, but it's okay," she stated.

Some of the audit's other findings relate to password security.

At the time of the audit, department computers allowed six unsuccessful 
login attempts before it would lock out a user. The state standard is 
three.

The DMV told the I-Team Wednesday it hopes to have all of the issues 
raised in this audit completely fixed by mid-March.

The audit did not point fingers at things that cost money.

Changing the number of login attempts is a simple programming step, 
which, for whatever reason, was simply not done. 

All content Copyright 2000 - 2007 WorldNow and KLAS.


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 01:37:32 PST