|
|
http://www.klas-tv.com/Global/story.asp?S=6090641
By Mark Sayre
Investigative Reporter
Feb 15, 2007
Anyone who wants a driver's license must hand over their personal
information as a requirement at the Department of Motor Vehicles. And
when you hand over your personal information to the DMV, you expect it
to be safe and secure.
But an audit conducted by the state shows that DMV computer systems have
serious flaws that could jeopardize your privacy. The I-Team has been
looking into the problem and found many of these problems are not new,
some go back as far as 2002.
The state audit is highly critical of the DMV's computer security,
saying even the most basic security steps have not been taken. For its
part, the DMV says it is taking quick action to fix the flaws.
"Just renewing my stickers. A very easy plan -- English, registration
vehicle renewal," Kathy Doyle said as she stepped up to an automated DMV
kiosk.
And like many customers, she chose to pay by credit card. Until now,
she's never had any concern about handing over her personal information
to the state.
But the 29-page legislative audit may give Doyle pause. It states the
Department of Motor Vehicles uses encryption standards for your credit
card data that are not up to industry standards.
At least one computer system had no encryption at all.
As many as 31 former DMV employees had active accounts on the DMV's
computer network and background checks could not be verified on thirteen
members of the department's information technology staff.
DMV spokesman Kevin Malone said, "So we welcome a third set of eyes if
you will look at this."
Malone characterized the findings as an adjustment. "What the audit says
is that we have the proper controls in place, and we did at the time,
they just needed to be tightened some."
Malone downplayed any risk to customers. "And it pointed out
vulnerabilities. There hasn't actually been any data breaches or real
problems that this has turned into for anyone. "
Another audit finding takes aim at the driver's license process. A
computer also captures your name, social security number and birthday --
information that is supposed to be deleted each day.
The I-Team read the rest of the findings to DMV customer Anthony Dow.
"However, we, the auditors, found various computer disks and two laptop
computers with this data as far back as 2002."
"Wow," replied Dow.
I-Team Reporter Mark Sayre" What do you make of that?"
Anthony Dow: "Kind of glad that I am only now becoming a Nevada state
resident so it is not on there!"
The I-Team asked Kevin Malone why the DMV needed a legislative auditor
to tell them.
Malone replied, "Well, it's a complicated system that is full of human
beings. So, things slip by [and] get through the cracks. Things like our
password security is not as good as it could have been. The security on
the web site could be a little bit better."
DMV customer Theresa Rogers is concerned. "You know, it seems like every
time you turn around someone has all of your information and you think
you maybe want to give up credit card use, computer use and everything
else anymore."
And while Kathy Doyle collected her new registration, in the end she
says this audit is not going to scare her away. "They probably could do
better, but it's okay," she stated.
Some of the audit's other findings relate to password security.
At the time of the audit, department computers allowed six unsuccessful
login attempts before it would lock out a user. The state standard is
three.
The DMV told the I-Team Wednesday it hopes to have all of the issues
raised in this audit completely fixed by mid-March.
The audit did not point fingers at things that cost money.
Changing the number of login attempts is a simple programming step,
which, for whatever reason, was simply not done.
All content Copyright 2000 - 2007 WorldNow and KLAS.
______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss