Why are HKID card numbers stored as clear text records?!?

  1. #1

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,964

    I don't understand why so many IT-centric organisations, including banks, telcos etc., store ID card information as clear text records which are visible to anyone?

    Would it not make sense to hash them and anyone who wants to verify a customer's ID number would enter that number and receive a verified / not verified response from the backend?

    Chan's convicted of using his company’s computer from July to September last year to obtain a customer's information, and made them public on social media during the protests.

    The information in question included the officer's phone number and Hong Kong ID card number.
    https://news.rthk.hk/rthk/en/compone...0-20201009.htm

  2. #2

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,964
    Original Post Deleted
    Should not, but they are.

  3. #3
    Original Post Deleted
    Sad that this article was published 10 years ago and the problems listed are still not fixed. For one, the carrying around of a driver's license.
    TheBrit likes this.

  4. #4

    Join Date
    May 2012
    Posts
    1,186
    Quote Originally Posted by shri:
    I don't understand why so many IT centric organisations including banks, telcos etc store ID card information as clear text records which are visible to anyone?
    FWIW - where I work we encrypt everything once and some things (incl. HKID) more than once. we are not allowed to store anything in cleartext
    shri likes this.

  5. #5

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,964
    Quote Originally Posted by alexdown:
    FWIW - where I work we encrypt everything once and some things (incl. HKID) more than once. we are not allowed to store anything in cleartext
    BUT - is the ID viewable on a screen to an operator - which is what happened at HKT/PCCW.

    What I'm saying is it should not even be stored - a hash of some sort which cannot be decrypted should be stored.
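
The verified / not verified backend proposed in posts #1 and #5, as an added example that is not part of any post in this thread. It stores a keyed HMAC rather than a bare hash, because an HKID is only one or two letters, six digits and a derived check digit, a space small enough to enumerate against an unkeyed digest. `BACKEND_KEY`, `VerifyOnlyStore` and the other names are hypothetical, and the ID numbers used with it are constructed samples.

```python
import hashlib
import hmac
import re

# Assumption: a secret key held only by the verification backend (KMS/HSM in
# practice), never stored beside the digests. Constructed value for this example.
BACKEND_KEY = b"constructed-demo-key-0123456789abcdef"
HKID_RE = re.compile(r"^([A-Z]{1,2})([0-9]{6})\(?([0-9A])\)?$")

def char_value(ch):
    # Check-digit character values: digits as-is, A=10..Z=35, blank prefix=36.
    if ch == " ":
        return 36
    return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10

def normalise(raw):
    """Return canonical 'A1234563' form, or None if malformed or the check digit is wrong."""
    m = HKID_RE.match(raw.upper().replace(" ", ""))
    if m is None:
        return None
    letters, digits, check = m.groups()
    body = letters.rjust(2) + digits  # a single-letter prefix is padded with a blank
    total = sum(char_value(c) * w for c, w in zip(body, range(9, 1, -1)))
    expected = "0123456789A"[(11 - total % 11) % 11]
    return letters + digits + check if check == expected else None

def keyed_digest(hkid):
    """Value stored in place of the ID number; useless without BACKEND_KEY."""
    return hmac.new(BACKEND_KEY, hkid.encode(), hashlib.sha256).hexdigest()

class VerifyOnlyStore:
    """Backend that answers verified / not verified and has no ID number to display."""
    def __init__(self):
        self.rows = {}  # customer_id -> hex digest

    def enrol(self, customer_id, raw_hkid):
        hkid = normalise(raw_hkid)
        if hkid is None:
            raise ValueError("malformed HKID")
        self.rows[customer_id] = keyed_digest(hkid)

    def verify(self, customer_id, raw_hkid):
        hkid = normalise(raw_hkid)
        stored = self.rows.get(customer_id)
        if hkid is None or stored is None:
            return False
        return hmac.compare_digest(stored, keyed_digest(hkid))
```
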

  6. #6

    Join Date
    May 2012
    Posts
    1,186
    Quote Originally Posted by shri:
    What I'm saying is it should not even be stored - a hash of some sort which cannot be decrypted should be stored.
    There are regulatory requirements to store some data points when you provide certain types of services to customers... HKID is one of those.
    PM me if you're interested in the specific use case.
    shri likes this.

  7. #7

    Join Date
    Dec 2002
    Location
    薄扶林
    Posts
    47,964

    Got it and makes perfect sense.


  8. #8