FAQed Up — Article #1

#IDNating lahat.

How a simple copy-paste trumps over the only security feature of the Philippine National ID.

Syrah Aldana

--

Dearest reader,

This article is for informational and educational purposes only. It contains materials that can be potentially damaging or dangerous. If you plan to use what’s written here for something illegal, leave.

Do not follow what I did.

It was the 20th of April early this year when I revisited one of our company’s pioneer projects for an overhaul. Never did I think it would be the catalyst for discovering critical vulnerabilities leading to potential identity theft and fraud in the official national identity card of our country, the Philippine Identification System ID or simply the National ID.

My ePhilID and the rest of the company’s National IDs.

Currently, there are two variations of the National ID considered official documents by the government: the official PVC Card and its paper counterpart, the ePhilID. Regardless of the difference in materials, the two IDs have adopted QR Codes as their security feature, along with a web app that scans the code to verify its authenticity. The same QR becomes its pitfall when passed through the simplest of questions: can I fake it?

Horrifyingly, you can. To test my theory, I began inspecting the data which the QR contains. The two versions of the National ID have different QR code formats. I started my investigation with the PVC version first and the following is what you see if you scan the code with a normal QR code reader, in my case—my camera app’s default.

The format described in the PhilSys Check Handbook vs. the text Scanned from the PVC QR (redacted to protect holder’s identity)

This format is also described in the PhilSys Check Handbook, in which the holder’s basic information is plainly shown along with the format. At first glance, it instantly raises eyebrows: why is such sensitive information openly displayed, complete with the set format used? One could easily create a false identity with the same format, generate a QR and pass it off as a real one, but then I stepped back. I hoped at first that it might’ve been protected and yes, it was. I created several fictitious QR Codes with the same format as the PVC QRs, then had them verified on the PhilSys Check website. As expected, all turned out to be invalid.

The data in the PVC QR is digitally signed. Meaning, the text in it could not be tampered with or modified unless done by the ones that created the QR. Alright, my first method was a bust. So was my second, where I extracted a valid signature and paired it with a fictitious profile. And my third where I attempted to reverse the signature in the QR. Nothing happened and the PVC QR remained uncrackable.

I stared at my father’s PVC National ID beside my laptop and looked back on its extracted QR text I have on my notepad, and turned back to the ID. Switching back and forth from the screen and the printed document in my hand, I stood there dumbfounded. Surely, the vulnerability couldn’t be staring right at me this whole time—because it is. Let’s do a little activity, I want you to grab your PVC National ID and scan the QR in the back with a default QR reader. Check your default camera app if it has the QR reading function applied, if not there are readers available online (do not use the PhilSys Check website for this step). Next, open its extracted text and we’ll be accomplishing a simple connect-the-pair: match the data you see in the extracted text to the one in your printed ID. Here’s what you can do.

Matching colored bullet points with the QR extracted text and the printed ID details.

Right off the bat, you can clearly see the extracted QR text lacks the data of your address, blood type and marital status while the ID is missing the suffix and the best fingerprint (BF) data. These are not the fields you’ll be focusing on; in fact, it’s the one without a label. That’s your photo. Keep that in mind as we proceed. Lastly, scan your PVC QR code using the PhilSys Check website and what do you find—or rather, what don’t you? Along with the aforementioned missing text data, the verifier does not show the holder’s photograph. Your activity is now complete; now let me explain how all of the components came to be a critical vulnerability.

I’ve recreated my father’s PVC QR Code by first extracting its text with a regular scanner, then running it through an online QR generator. The crucial step lies in copying every detail from the extracted text of the QR into the displayed data on the front and the back of the PVC. In order to differentiate for my test, I entered different details into the address, blood type and marital status fields. Finally, a random photo from a Google search is placed into the front-facing photograph of the ID, as a cherry on top. And that, my good friends, is how your handy CTRL+C, CTRL+V method results in identity theft.

Pin the tail on the donkey — which front corresponds to the back of the ID?

This goes without saying that if you are going to pick a photo for a counterfeit, make sure to match any visual cues such as age and sex to make it believable. So to begin with, first you need to find a National ID that matches your desired fake persona. And because the details of the PVC QR are exposed, you can easily refer to whatever data to imitate in order to make a convincing fake. Now that I have matching information in the ID’s QR and its printed details, I can have it verified over at the PhilSys Check and it is valid. Why? I haven’t modified the PVC QR in any way whatsoever but instead simply copied it because the QR is valid to begin with.

So how about the physical check? Remember, the checker does not display the holder’s photo. There will be no visual references to confirm the owner’s identity against the data stored in their ID, only the front-facing photograph printed on the document which, circling back to where we were a paragraph ago, is fake. In conclusion, I am clear. If ever the imitated identity gets subjected to something illegal, it traces back to the real owner of the ID. I am safe and this is horror.
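The gap described above, as an added example that is not part of the original article and is not PhilSys code: a verifier that checks only a signature over the QR text rejects an edited payload but accepts an unmodified copy shown beside any photo, while a signed payload that also covers the photo exposes the mismatch. HMAC stands in for the issuer's digital signature, and the field names, key, photo-digest binding and sample holder are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the issuer's digital signature;
# the real PhilSys scheme and QR layout are not described in the article.
ISSUER_KEY = b"constructed-demo-key"

def sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue_qr(demographics: dict, photo: bytes, bind_photo: bool) -> dict:
    """Issuer side: sign the QR text, optionally covering a photo digest."""
    payload = dict(demographics)
    if bind_photo:
        payload["photo_sha256"] = hashlib.sha256(photo).hexdigest()
    return {"payload": payload, "sig": sign(payload)}

def verify(qr: dict, presented_photo: bytes) -> str:
    """Relying-party side: check the signature, then the photo if bound."""
    if not hmac.compare_digest(sign(qr["payload"]), qr["sig"]):
        return "INVALID: payload modified"
    bound = qr["payload"].get("photo_sha256")
    if bound is None:
        return "VALID (photo not checked)"
    if bound != hashlib.sha256(presented_photo).hexdigest():
        return "INVALID: photo does not match signed record"
    return "VALID"

# Constructed sample data, not taken from any real ID.
HOLDER = {"ln": "DELA CRUZ", "fn": "JUAN", "dob": "1990-01-01"}
ENROLLED_PHOTO = b"constructed-enrolled-photo-bytes"
OTHER_PHOTO = b"constructed-unrelated-photo-bytes"

def demo() -> dict:
    plain = issue_qr(HOLDER, ENROLLED_PHOTO, bind_photo=False)
    bound = issue_qr(HOLDER, ENROLLED_PHOTO, bind_photo=True)
    edited = {"payload": {**plain["payload"], "fn": "PEDRO"}, "sig": plain["sig"]}
    return {
        "edited_text": verify(edited, ENROLLED_PHOTO),
        "copied_qr_other_photo": verify(plain, OTHER_PHOTO),
        "bound_qr_other_photo": verify(bound, OTHER_PHOTO),
        "bound_qr_enrolled_photo": verify(bound, ENROLLED_PHOTO),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A production verifier would show the enrolled photo to the person checking the card rather than hash a printed one; the digest here only models that binding.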

When I studied the implementation of the National ID’s security features, it was to adopt it as an esteemed standard in the application of data protection in QR Codes that store sensitive personal information. Our company’s main systems have utilized QR technology to communicate and store personally identifiable information in their applications for a long time now. The overhaul I mentioned in the beginning was to utilize PhilSys ID’s proclaimed countermeasures against fraudulence and identity theft but here I am, pulling my hair out. I decided to report this.

The findings were sent to the Department of Information and Communications Technology — National Computer Emergency Response Team (DICT-NCERT) and the National Privacy Commission (NPC) last April 24 & 27, 2023 respectively. I was confused at first about whether to share the discovery since there isn’t a case of compromised data yet. However, once DICT-NCERT received the email, they regarded it as a critical vulnerability and by the next day, the findings were forwarded to the Philippine Statistics Authority (PSA)—the agency in charge of the management of the Philippine Identification System ID.

Do not attempt to violate the law with what you’ve learned here. I am responsible for everything I wrote in this article but not for your illegal actions. The most important thing for you to do after reading this is to not share your PVC National ID unless it is clear what the receiving party plans to do with it. This is especially directed to those who posted their ID cards on social media, particularly in photos where their QRs are so crisp and clear that a regular scanner can read them. Take visual note of all the photos I shared here, where portions of the QR are obscured to prevent it from being scanned.

6th of June 2023, Philippine Statistics Authority responded.

Just after breakfast, I received an email from DICT-NCERT forwarding the official letter response from PSA regarding their actions taken on the reported vulnerabilities. What the authority countered concerning the cloning method for identity theft has left me puzzled. Quoted from the letter,

Issue #1: Identity Theft with Cloning
The PSA designed the PhilID such that the content of the QR Code is not encrypted to enable convenient sharing of the demographic information to relying parties (RP). This is more of an intended feature rather than a security vulnerability.

What.

Compromising personal data for the sake of convenience—ha, no. They’ve protected the PVC QR against tampering; that is a security feature. Therefore, if the information can be stolen by a simple copy-paste, it is a vulnerability. Whereas if the person’s data is hidden in the first place, perpetrators won’t be able to copy AND modify it without ruining the data, thus their attempts become useless.

Now about convenient data sharing—don’t. They are only able to argue that if they’ve maximized all technology can do to protect the data. They have not. It’s default that the ID’s owner is responsible as to where they utilize the document but what is PSA’s responsibility here if not to prevent trouble before it happens. To be proactive.

Republic Act 11055, Section VII, C.1
The PhilID shall contain QR Code which contains some fingerprint information and other security features as safeguards for data privacy and security, and prevention against the proliferation of fraudulent or falsified identification cards.

How hard is it to employ encryption? Digital signing and encryption both use keys, both need a tool to parse and validate text and they accomplished this with the PhilSys Check. The difference? Encrypted data is hidden. None other than the official PhilSys platform gets to read and authenticate so unauthorized parties are kicked out of access. It’s convenient, it’s protected, why isn’t it implemented? Moving on.

Granting that fraudsters can try cloning a PhilID, the PhilSys Check can authenticate the digital signature in the QR Code and ensure that the demographic information cannot be tampered with.

“I haven’t modified the PVC QR in any way whatsoever but instead simply copied it because the QR is valid to begin with.” So as I was saying—since when did cloning function similarly to tampering? The PhilSys Check will rule the cloned QR Code as valid because it wasn’t modified whatsoever, it is still the original QR. Only on a different ID, with a different photo, address and marital status printed on the card itself. Copy-pasting is not editing, I don’t understand what PSA is trying to say here.

Also, the PhilID has some security features that the RP can examine physically which are difficult to counterfeit or duplicate. The RP can check the overt and covert features (see Figure 1) of the PhilID to validate the authenticity of the presented PhilID.

Figure 1: PhilID Security Features

To minimize the victims of such identity theft through the cloning of PhilID, the PSA is committed to advocate the abovementioned details to its stakeholders.

Everything that the human eye is able to see can be replicated. The QR was their only chance here and yet it failed to do so. More importantly, every single visual security feature embedded into the ID is built to protect the plastic card, not the data on it. Here’s a use case: if I were to use my National ID in the SIM card registration, how should I give them my information? It couldn’t be that I mail them my PVC National ID card for them to check the shiny print on it—no. I have to upload a photo.

And how would they check its authenticity? Correct, by scanning the QR on the back of the ID through the PhilSys Check website. So yes, all of the littlest nano-prints they’ve described as “security features” are ignored when everything turns digital.

A little insight: these security features are frequently used in items whose value is indicated on the face. The most common application of such features can be seen in money bills because their value is what’s printed on the paper, so naturally it has to be protected. The value of an ID is in the identity of its holder. The only protection it can have is confidentiality.

Republic Act 11055, Section II
…a resilient digital system shall be deployed to secure the data collected and ensure that the people’s right to privacy, confidentiality and other basic rights are at all times upheld and protected.

This made me think of some things, such as that these embedded security features have a price tag on them—design, printing, material used and all. Meanwhile, the basic application of encryption is actually free. Anyhow, the Philippine Statistics Authority responded but the issue is still not resolved, so please be wary of your PVC National ID cards and keep them safe for the time being.

Before I end this spiel, I’ll spoil the fun of everything you just read. The paper version of the National ID has a different QR Code and guess what they did? The holder’s information is hidden.

This documentation isn’t done yet. Before I submitted the initial findings of the vulnerabilities of the PVC QR, I turned to inspect the other version of the National ID. No, I have not forgotten about the document’s paper equivalent, and its investigation is far longer than what I had to do with the PVC. Yes, it’s still about the QR Code because the ePhilID is another story and worse.

It’s not identity theft, but fraud.

If you need me, I’ll be in the next entry.

Kind regards,
Syrah.

This article is part of the FAQed Up series. A collection of fact finding and investigation reports that studies technology systems and applications implemented and developed in the Philippines. The entries are all accomplished and investigated by Syrah Aldana, Chief Technology Officer of ARKITEK Inc, a startup company. The series is part of the company’s initiative to empower proper use of technology in upholding data privacy and security in the rising digital age of the country.

--

Syrah Aldana

Chief Technology Officer at ARKITEK Inc. writing about data privacy and security, practical technology and memoirs on being a startup. Twitter: @syrahaldana