http://www.klas-tv.com/Global/story.asp?S=6090641 By Mark Sayre Investigative Reporter Feb 15, 2007 Anyone who wants a driver's license must hand over their personal information as a requirement at the Department of Motor Vehicles. And when you hand over your personal information to the DMV, you expect it to be safe and secure. But an audit conducted by the state shows that DMV computer systems have serious flaws that could jeopardize your privacy. The I-Team has been looking into the problem and found many of these problems are not new, some go back as far as 2002. The state audit is highly critical of the DMV's computer security, saying even the most basic security steps have not been taken. For its part, the DMV says it is taking quick action to fix the flaws. "Just renewing my stickers. A very easy plan -- English, registration vehicle renewal," Kathy Doyle said as she stepped up to an automated DMV kiosk. And like many customers, she chose to pay by credit card. Until now, she's never had any concern about handing over her personal information to the state. But the 29-page legislative audit may give Doyle pause. It states the Department of Motor Vehicles uses encryption standards for your credit card data that are not up to industry standards. At least one computer system had no encryption at all. As many as 31 former DMV employees had active accounts on the DMV's computer network and background checks could not be verified on thirteen members of the department's information technology staff. DMV spokesman Kevin Malone said, "So we welcome a third set of eyes if you will look at this." Malone characterized the findings as an adjustment. "What the audit says is that we have the proper controls in place, and we did at the time, they just needed to be tightened some." Malone downplayed any risk to customers. "And it pointed out vulnerabilities. There hasn't actually been any data breaches or real problems that this has turned into for anyone. " Another audit finding takes aim at the driver's license process. A computer also captures your name, social security number and birthday -- information that is supposed to be deleted each day. The I-Team read the rest of the findings to DMV customer Anthony Dow. "However, we, the auditors, found various computer disks and two laptop computers with this data as far back as 2002." "Wow," replied Dow. I-Team Reporter Mark Sayre" What do you make of that?" Anthony Dow: "Kind of glad that I am only now becoming a Nevada state resident so it is not on there!" The I-Team asked Kevin Malone why the DMV needed a legislative auditor to tell them. Malone replied, "Well, it's a complicated system that is full of human beings. So, things slip by [and] get through the cracks. Things like our password security is not as good as it could have been. The security on the web site could be a little bit better." DMV customer Theresa Rogers is concerned. "You know, it seems like every time you turn around someone has all of your information and you think you maybe want to give up credit card use, computer use and everything else anymore." And while Kathy Doyle collected her new registration, in the end she says this audit is not going to scare her away. "They probably could do better, but it's okay," she stated. Some of the audit's other findings relate to password security. At the time of the audit, department computers allowed six unsuccessful login attempts before it would lock out a user. The state standard is three. The DMV told the I-Team Wednesday it hopes to have all of the issues raised in this audit completely fixed by mid-March. The audit did not point fingers at things that cost money. Changing the number of login attempts is a simple programming step, which, for whatever reason, was simply not done. All content Copyright 2000 - 2007 WorldNow and KLAS. ______________________________________ Subscribe to the InfoSec News RSS Feed http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 01:37:32 PST