Friday, December 12, 2008

Strong Authentication, Malay style


I now have a mobile phone (+60 17 354-6249). As a security and surveillance geek, it's always interesting to see how this is done, especially these days.

I went to a mobile phone shop yesterday afternoon, and the nice lady behind the counter pulled out her own mobile phone, asked for my passport, and then proceeded to key in a few details from my ID document. No photocopy of my passport was made, and she gave it back momentarily. After that, my phone was active.

Now, of course, she was no expert on US passports, or canadian, swiss, or german documents. Thus, the issue of mobile phone authentication in Malaysia is rather similar to that of ID checks by bars in the US -- sure, the bartender might be able to spot a fake ID from his state, or even those nearby, but he'll never in his life have seen a Mongolian passport before.

If I did want to buy a mobile phone SIM here, and not have the government track me, the key would be to use a fake passport from another country.

It'd be interesting to find out, of course, if the government had linked the phone registration system to immigration -- that is, they know which foreigners are in the country at the time, and their passport numbers. However, I doubt that such checking is currently done.


With the phone in hand, the next goal was to get online. Kuala Lumpur has free wifi in most of the city, but signing up requires that you have a phone that they can use to send a validation code to (thus, of course, tying your internet activity to your number, which is tied to your identity... sneaky eh?).

Unfortunately, their website sucks, and I couldn't get it to work.... I'll try rebooting to Windows later, and see if it's a Firefox/IE issue.

In the mean time, Starbucks here offers free wifi through the "Time" broadband provider. The only snag is that you need a Malaysian NRIC (social security) number to signup. This proved to be problematic.

Luckily, two geeks sitting nearby helped me out. It seems that no one but the government has the ability to check the validity of a NRIC number, and so service providers (who are required to ask you for it) have no real way of knowing a real from fake number. One of the geeks wrote down a fake, yet authentic looking number down on a napkin... I typed it in, and was soon online.

It seems that the Malaysian NRIC number has all kinds of information embedded into it, including where you were born, your criminal (ex-con) status, dual citizenship, naturalized citizenship, etc. It's rather creepy that so much can be known about someone merely by reading his SSN.

My fake number (as given by the starbucks geeks) is 701010-08-7113.


Mike said...

Surely the ID# doesn't change through time to reflect updates to your state (becoming a felon, for example.)

Moreover, can you identify any information in the Malaysian ID# that isn't available in the public record? Maybe the dual-citizenship item? Is that a binary field?

Anonymous said...

I want to quote your post in my blog. It can?
And you et an account on Twitter?