Philippines National ID system for foreigner residents as well

Recommended Posts

Jollygoodfellow
Posted
Posted

Interesting. So do you get a choice?

This week, the Philippine Statistics Authority, the agency responsible for the Philippine Identification System or PhilSys, announced the online registration for the National ID System. Philsys aims to establish a single national identification system for all citizens and resident foreigners of the country.

https://mb.com.ph/2021/04/29/critical-vulnerability-in-ph-national-id-system-fixed/

Critical vulnerability in PH National ID System fixed

A data privacy leak of massive proportion that could potentially put to shame the COMELeak, LTO, AFP, and all other local breaches put together was waiting to happen as PhilSys was about to put online the registration for the country’s National ID System.

This week, the Philippine Statistics Authority, the agency responsible for the Philippine Identification System or PhilSys, announced the online registration for the National ID System. Philsys aims to establish a single national identification system for all citizens and resident foreigners of the country.

The Philippine Identification System or PhilSys is the government’s central identification platform for all Filipino citizens and resident aliens of the Philippines. (Photo from https://atom.hackstreetboys.ph/)
To ensure the system’s smooth operation, PhilSys put up a User Acceptance Testing environment or UAT. It is a production-like setup, a final step before making the system available to the public.

When Secuna co-founder AJ Dumanhug noticed the PSA announcement, he immediately checked the PhilSys subdomains for possible security problems that could arise when the system is up for public use.

“As a security researcher and concerned data subject, I quickly checked the available subdomains of philsys.gov.ph using an online website and discovered the subdomain named register.philsys.gov.ph,” Dumanhug said in his post.

Using the information from previous vulnerabilities he reported and promptly fixed by PhilSys, he found out that there is a new critical vulnerability in the final phase of the testing environment of the National ID System. By merely checking passively, he found out sensitive information that could be exposed if not fixed immediately.

“I discovered some domains, IP addresses, Database IP, ports used, GitHub repository link, and other information. I also found sensitive information such as secret keys and passwords. The worst is that I found critical information that malicious individuals could exploit, such as authorization token of users who registered for PhilSys, their IP address, the system’s IP address, cookies, and user’s PhilSys registration ID.” AJ Dumanhug said in an interview with MB Technews.

“The latest vulnerability could allow malicious users to access sensitive system information and retriever personally identifiable information of PhilSys users,” he added. Since PhilSys aims to give all citizens and resident aliens a national ID, the potential of the data breach victims, if not fixed, could be millions.

AJ Dumanhug then informed PhilSys about his findings, and PhilSys immediately fixed the vulnerability. We could now expect a more secure PhilSys system once people start to register online.

AJ Dumanhug, Secuna co-founder and one of the country’s top cybersecurity practitioners, once again proves that private companies and government agencies would benefit more if they would have responsible disclosure programs. It is a process that allows security researchers to report to the company or agency found vulnerabilities in their systems, networks, or services.

Here are some of his recommendation to PhilSys:

1) Change the secret keys and password 2) Check for sensitive folders and files or open services and remove or close them before deploying online.

AJ Dumanhug was also responsible for exposing unauthorized access of malicious users to the LTO’s database. While LTO denied a breach and that the data are unnecessary, the National Privacy Commission investigated the agency for the leak and ordered the intern

  • Like 2
  • Sad 1
  • Hmm thinking 1
Link to comment
Share on other sites

BrettGC
Posted
Posted

Hrmmm, risk vs benefits too heavily weighted on the wrong side for my liking as things stand in the above....

Github alone raises my eyebrows, there's a lot of great stuff on there but also a tonne of malicious as well.  There's a couple of instances a year of phishing, malware etc to be found on there to exploit the unwary.  

  • Like 3
  • Thanks 1
Link to comment
Share on other sites

  • Forum Support
scott h
Posted
Posted

Dont know anything about the online registration. But we did have a lady from city hall drop by, put our names, phone #, email, and address into a tablet (no sensitive info asked for.....yet lol) and said we would get our national ID cards in awhile. 

  • Like 2
Link to comment
Share on other sites

  • Forum Support
Mike J
Posted
Posted

We are already required to report once a year and obtain/carry an ACR card.  I do not really see that this would be of any additional use to the either the government or the expat.  Now if it took the place of annual and ACR, then maybe it would make sense.   Hopefully their security will improve. 

  • Like 4
Link to comment
Share on other sites

  • Forum Support
scott h
Posted
Posted
45 minutes ago, Mike J said:

I do not really see that this would be of any additional use

It will be of great use,,,now I can leave this at the guard shack when I enter a subdivision and not my drivers license which I really need :hystery:

  • Like 1
  • Haha 3
Link to comment
Share on other sites

hk blues
Posted
Posted

Whilst it may not be compulsory, it may be required for certain transaction (ACR/Annual Report/Philhealth etc)  - that's the way it's being marketed, without it you'll find it difficult to transact with government departments - Let's see.  Interestingly, for citizens it's a one-time application but foreigners will be required to renew annually.  Confirmed free to citizens but nothing confirmed for foreigners - make of that what you will!  

Our area has started the 1st stage of the process - they advised me foreigners cannot start the process until they've been 6 months in the country as of 1st Jan so 1st July.  Who knows how accurate this is.  

  • Like 1
Link to comment
Share on other sites

hk blues
Posted
Posted
8 hours ago, scott h said:

Dont know anything about the online registration. But we did have a lady from city hall drop by, put our names, phone #, email, and address into a tablet (no sensitive info asked for.....yet lol) and said we would get our national ID cards in awhile. 

That sounds like Stage 1 only - photo/fingerprint?/Iris capture are all required as Stage 2 before any card is issued. 

Link to comment
Share on other sites

Gator
Posted
Posted (edited)
8 hours ago, hk blues said:

before any card is issued. 

Good concept, but........Doesn’t matter anyhow because you know that after waiting several hours on line all you’re going to hear is: “Sorry po, no stock, come back next month”. Rinse and repeat and by the time you do get it, it’ll be expired anyhow. 🤣

Edited by Gator
Link to comment
Share on other sites

BC57
Posted
Posted
On 4/29/2021 at 8:15 PM, Jollygoodfellow said:

Interesting. So do you get a choice?

This week, the Philippine Statistics Authority, the agency responsible for the Philippine Identification System or PhilSys, announced the online registration for the National ID System. Philsys aims to establish a single national identification system for all citizens and resident foreigners of the country.

 

Since most of us have an ACR card I see no benefit or reason to sign up. Just my opinion of course.:smile:

  • Like 1
  • Hmm thinking 1
Link to comment
Share on other sites

  • Forum Support
Tommy T.
Posted
Posted

From what I have read online, the ID is not compulsory for foreigners, but strongly recommended to make dealing with various government and other institutions (such as banks) easier. Supposedly, only one ID would need to ever be produced for transactions or business dealings. Of course, talk is cheap.

I was informed by the local Purok leader that I needed to pre-register for the ID - which I then did - and that in February the final step would happen. That pre-registration was simply answering questions like marital status, birthdate and other standard type info. I just received notification that I need to show up on June 6 for the final step which is supposed to be recording the biometrics - full fingerprint set and photo(s).

The whole thing is supposed to be free for everyone, including the annual renewal for foreigners. Certainly adds to all the red tape I already have to deal with, but that is standard procedure in many countries I have visited so... I attempt to grin and bear it.

  • Like 4
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...