The Self Registration SIM App was released for the second stage of Ghana’s SIM registration exercise using the Ghana Card. After the subscriber has received a Unique Code from *404#, the app can be used to finalize the SIM card registration. The initiative is meant to reduce the massive congestion at the various service providers during biometric SIM registration. Yayra Koku, a cybersecurity consultant and systems analyst, has made an unbiased assessment of the Self Registration SIM system.
To begin with, he stressed that developers should never test their own systems by themselves, because testing something you have created yourself invites prejudice. Having third-party developers examine and critique the system would be more objective and, in the end, produce better outcomes.
“In some cases, developers are left alone to do the job, and when they finish, they test it themselves. Developers are bad system testers when testing their systems because testing something they created may bring unconscious or unintentional bias into the testing process. This sometimes makes it impossible for them to unearth critical functional mistakes. Developers, therefore, lack the objectivity to be able to test their work.”
Also, he stated that the app has not been able to serve the purpose for which it was designed because of its approach to authentication. In layman’s terms, the method the app uses to authenticate the fingerprint against the Ghana Card leaves loopholes in the system, so malicious people can use someone else’s Ghana Card to register and commit crimes in that person’s name.
“The App does not do instant matching or authentication of fingerprints against the Ghana Card. That is one-to-one matching (1:1) or one-to-many (1:N) against the NIA database. Instead, it matches ONLY the PIN in the NIA database. Matching a PIN to the NIA system does not establish one’s identity.”
“It only establishes whether the PIN is verified in the NIA database, which anyone can do. This means malicious actors can get hold of anyone’s Ghana Card, buy a new SIM card and use it to register for a new SIM and use it to commit a crime without the knowledge of the Ghana Card owner because during the registration, there was no establishment of identity through a one-to-one matching (1:1).”
“Don’t forget that many people have lost their Ghana Card and have gone for replacement. Imagine such cards find their way into a bad person’s hand. Though NIA deactivates a missing card, they DON’T deactivate the unique PIN.”
He reiterated that any biometric system developed to register people without establishing one’s identity through biometric authentication (either 1:1 or 1:N) is bound to fail. One-to-one matching here means matching the fingerprint captured from the applicant against the one stored on the Ghana Card. One-to-many here means matching the captured fingerprint against the NIA database. “Do applicants go through any of these? The answer is a BIG NO,” Yayra answered.
Finally, he questioned why the user has to make payment before starting the registration process, since app crashes or other issues may prevent some users from being able to use the app.
What is the way forward?
So what is the way forward? It wouldn’t be a good assessment without providing recommended fixes and alternatives, would it?
One important recommendation he mentioned is NFC. NFC stands for Near Field Communication. It is a technology that allows wireless data transmission over short distances using radio waves. It is available in most smartphones and wearables today. Yayra was expecting the developers to incorporate NFC technology into the app.
“I was expecting the developers to incorporate Near-field communication (NFC) connectivity technology into the App, first to read the Ghana Card of an applicant and ask them to authenticate their fingerprint against what is stored on the Ghana card to establish an IDENTITY OF THE PERSON (1:1 matching). If it is successful, the data stored on the Ghana Card is pushed into the App for the rest of the process to continue. That is by entering the GPS Post Code, phone number and other relevant data.”
This, Yayra believes, would have prevented anyone from using someone else’s Ghana Card to register for a new SIM.
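The gap between a PIN lookup and a 1:1 match can be shown in a few lines; this is an added illustration, not code from the app, the NIA or Yayra Koku. The registry layout, card serials, placeholder PIN, threshold and the set-overlap matcher are all assumptions standing in for the real systems.

```python
from dataclasses import dataclass

MATCH_THRESHOLD = 0.8  # assumed acceptance threshold for the toy matcher below

@dataclass(frozen=True)
class Card:
    pin: str              # personal ID number printed on the card
    serial: str           # hypothetical per-card serial; changes on replacement
    template: frozenset   # fingerprint template held on the card chip

# Constructed data: one citizen, a lost card (deactivated) and its replacement.
OWNER_TEMPLATE = frozenset({(12, 40), (33, 18), (57, 72), (80, 25), (64, 9)})
PIN = "GHA-000000000-0"  # placeholder, not a real PIN
LOST_CARD = Card(PIN, "CARD-0001", OWNER_TEMPLATE)
NEW_CARD = Card(PIN, "CARD-0002", OWNER_TEMPLATE)
# Stand-in registry: the PIN stays valid, only the lost card is deactivated.
REGISTRY = {PIN: {"CARD-0001": False, "CARD-0002": True}}

def similarity(a, b):
    """Toy matcher (Jaccard overlap of minutiae points), not a real algorithm."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def register_pin_only(card, live_scan):
    """Criticised flow: the scan is captured but only the PIN is looked up."""
    return card.pin in REGISTRY

def register_one_to_one(card, live_scan):
    """Recommended flow: card must be active and the scan must match it 1:1."""
    if not REGISTRY.get(card.pin, {}).get(card.serial, False):
        return False
    return similarity(card.template, live_scan) >= MATCH_THRESHOLD

def run_scenarios():
    owner_scan = OWNER_TEMPLATE | {(5, 5)}            # same finger, one noisy point
    impostor_scan = frozenset({(1, 2), (3, 4), (9, 9)})
    cases = {
        "owner, replacement card": (NEW_CARD, owner_scan),
        "impostor, stolen active card": (NEW_CARD, impostor_scan),
        "impostor, found lost card": (LOST_CARD, impostor_scan),
    }
    return {name: (register_pin_only(c, s), register_one_to_one(c, s))
            for name, (c, s) in cases.items()}

if __name__ == "__main__":
    for name, (pin_only, one_to_one) in run_scenarios().items():
        print(f"{name:30} pin-only={pin_only!s:5} 1:1={one_to_one}")
```

The PIN-only flow accepts all three cases, while the 1:1 flow accepts only the card owner presenting an active card.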
He further urged the Ministry of Communication and NCA to consult NIA for the best solution in authenticating the Ghana Card.
Source: Yayra Koku, Systems Analyst/Cybersecurity Consultant