Jump to content

Malaysia VEP discussion.

Hammerhammer

By Hammerhammer,
in General Car Discussion

 Share

Recommended Posts

Unltd

Unltd

5th Gear
On 10/7/2024 at 10:22 AM, Heartlander said:

I am not sure if Malaysia government has got consensus from our government before they embark on this exercise to collect such a bug database.  I do not see it as same level as travelling overseas as the scale is much smaller and information not as up-to-date as this VEP project. Wait till got security breach at Malaysia server and all the data are up for grab at Github haha. You think this possibility is very remote?

And what information at risks? Actual full name, NRIC, bank card, email address? You think the database is safe with this very capable RM30 capital company TCsens?

It has already happened before (https://www.straitstimes.com/singapore/transport/singaporean-motorists-personal-data-possibly-exposed-in-loophole-on-malaysias), and what consensus does a foreign government need with another? They are asking for details from the individual, if we do not want to give over whatever valid or invalid reasons, that is up to us, we can decide to not go or face possible enforcement actions. 

Why do we need our government to watch out for our actions? We are educated adults who understand what we are going into, for contractual and entry agreements into another country, we also want a nanny state?

↡ Advertisement
  • Praise 4
Link to post
Share on other sites
Heartlander

Heartlander

Turbocharged
On 10/7/2024 at 10:46 AM, Unltd said:

It has already happened before (https://www.straitstimes.com/singapore/transport/singaporean-motorists-personal-data-possibly-exposed-in-loophole-on-malaysias), and what consensus does a foreign government need with another? They are asking for details from the individual, if we do not want to give over whatever valid or invalid reasons, that is up to us, we can decide to not go or face possible enforcement actions. 

Why do we need our government to watch out for our actions? We are educated adults who understand what we are going into, for contractual and entry agreements into another country, we also want a nanny state?

Thanks for the headsup:

 

SINGAPORE - Thousands of foreign motorists, including Singaporeans, run the risk of having their personal information exposed after a recent discovery of a loophole in the Malaysian Road Transportation Department's VEP (Vehicle Entry Permit) website.

Information like a driver's NRIC number, address, contact numbers, passport details and chassis information can be seen on the Transportation Department's website by simply making an alteration to the site's URL.

The data can be viewed in a matter of seconds by a registered VEP holder.

The discovery was made by accident after Singaporean driver Mohammad Hafiz "cut and pasted" the website's URL and sent it to his nephew on Friday morning (April 26) to help him register for his VEP.

Mr Hafiz, 28, told The Straits Times: "When he opened the page, he was surprised he was staring at my own details and not his."

When Mr Hafiz, an IT specialist, made some changes to the URL that showed his VEP account, he was able to see sensitive information of other motorists.

Added Mr Hafiz: "There should have been penetration tests done to the website to make sure that a motorist is looking only at his account and not others. I can't imagine what would happen if somebody had harvested the information that's freely available."

ST alerted the Malaysian authorities to the data loophole at around noon on Friday (April 26). As of 4.30pm on Friday, the ST team was still able to access the website and look at other motorists' details. But at about 5pm, access to the website was blocked, with a message alerting users that maintenance was ongoing.

Malaysia's Transport Ministry had announced on Thursday that the VEP scheme will be enforced in phases. The first phase is for foreign vehicles entering the country from Singapore through the Causeway and Second Link, and will start on Oct 1.

The second phase will involve entry points between Malaysia and Thailand, and the third phase at all entry points to Malaysia from Brunei as well as from Indonesia.

The availability of personal data on the site would come in useful for those in the financial industry or businesses that depend on contacts, said Mr Roger Rajan from JMS Rogers, a debt collection company.

From his understanding, similar information can be bought. Mr Rajan, 48, told ST: "Some business people would be overjoyed to have this type of information for free. With it, background checks can be done. Also, by knowing what type of car a person drives, it can speak volumes about a person's lifestyle, which would make him a target for marketing ploys."

The same information could also be used for shady purposes.

Added Mr Rajan: "If the information falls into the wrong hands, some may fall victim to loan scams and other types of scams. The harassment would continue because people who acquire the information can sell the data to others."

Experts said that it is possible that the data has been accessed by external parties.

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the loss of such details could facilitate fraud, as personal details such as residential addresses can no longer be an effective security measure to verify someone's identity.

He said of the error on the VEP site: "This is a very common programming error, it is a schoolboy mistake... You essentially have access to the entire database."

Mr Andrew Tsonchev, director of technology at cyber-security firm Darktrace, said such vulnerabilities could be introduced during a website update.

He added: "If it's just passwords (that are compromised), you can change that, but with identification numbers and passports there is not much you can change.

"It leaves the people involved quite powerless."

One of the affected motorists contacted, who only wanted to be known as Shahrin, said he had registered for the VEP about two years ago. The bus driver, 37, said: "Now I am worried because people may misuse my particulars, such as giving my details instead of their own when they get fines."

Malaysia-based lawyer Foong Cheng Leong, who specialises in data protection laws, told ST that Malaysia's Personal Data Protection Act would not be applicable in this case as the law does not apply to government agencies.

"There would be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence," he said.

Mr Lee Wai Mun, the chief executive of the Automobile Association of Singapore, told ST he was surprised that confidential information could be easily accessed.

His advice to motorists is to wait for the Malaysian authorities to sort the matter out before signing up for the VEP. He said: "Most of us visit Malaysia on a social basis, except those who travel there for business. There's plenty of time to register (for the VEP) as the enforcement of registration will only start from October."

  • Haha! 1
Link to post
Share on other sites
Heartlander

Heartlander

Turbocharged

Some points that are worrying for me:

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the loss of such details could facilitate fraud, as personal details such as residential addresses can no longer be an effective security measure to verify someone's identity.

He said of the error on the VEP site: "This is a very common programming error, it is a schoolboy mistake... You essentially have access to the entire database."

Malaysia-based lawyer Foong Cheng Leong, who specialises in data protection laws, told ST that Malaysia's Personal Data Protection Act would not be applicable in this case as the law does not apply to government agencies.

 

  • Haha! 1
Link to post
Share on other sites
Unltd

Unltd

5th Gear
On 10/7/2024 at 10:22 AM, Heartlander said:

I am not sure if Malaysia government has got consensus from our government before they embark on this exercise to collect such a bug database.  I do not see it as same level as travelling overseas as the scale is much smaller and information not as up-to-date as this VEP project. Wait till got security breach at Malaysia server and all the data are up for grab at Github haha. You think this possibility is very remote?

And what information at risks? Actual full name, NRIC, bank card, email address? You think the database is safe with this very capable RM30 capital company TCsens?

It has already happened before (https://www.straitstimes.com/singapore/transport/singaporean-motorists-personal-data-possibly-exposed-in-loophole-on-malaysias), and what consensus does a foreign government need with another? They are asking for details from the individual, if we do not want to give over whatever valid or invalid reasons, that is up to us, we can decide to not go or face possible enforcement actions. 

Why do we need our government to watch out for our actions? We are educated adults who understand what we are going into, for contractual and entry agreements into another country, we also want a nanny state?

Link to post
Share on other sites
Unltd

Unltd

5th Gear
On 10/7/2024 at 10:22 AM, Heartlander said:

I am not sure if Malaysia government has got consensus from our government before they embark on this exercise to collect such a bug database.  I do not see it as same level as travelling overseas as the scale is much smaller and information not as up-to-date as this VEP project. Wait till got security breach at Malaysia server and all the data are up for grab at Github haha. You think this possibility is very remote?

And what information at risks? Actual full name, NRIC, bank card, email address? You think the database is safe with this very capable RM30 capital company TCsens?

It has already happened before (https://www.straitstimes.com/singapore/transport/singaporean-motorists-personal-data-possibly-exposed-in-loophole-on-malaysias), and what consensus does a foreign government need with another? They are asking for details from the individual, if we do not want to give over whatever valid or invalid reasons, that is up to us, we can decide to not go or face possible enforcement actions. 

Why do we need our government to watch out for our actions? We are educated adults who understand what we are going into, for contractual and entry agreements into another country, we also want a nanny state?

  • Praise 1
Link to post
Share on other sites
Unltd

Unltd

5th Gear

Sorry about the multiple posts, seems like there is a bug when internet connection is no good, resulting in repeated postings. Mods, please help to clear, my apologies 

  • Praise 1
Link to post
Share on other sites
Beregond

Beregond

Supersonic
On 10/7/2024 at 11:33 AM, Unltd said:

Sorry about the multiple posts, seems like there is a bug when internet connection is no good, resulting in repeated postings. Mods, please help to clear, my apologies 

It's our choice to go over.  And it's their choice to collect whatever data they seem fit.

We as adults just need to balance the advantages and disadvantage and decide if its worth the risk to go over.

你情我愿。  nothing to complain about even data leak overseas.

  • Praise 4
Link to post
Share on other sites
teomingern

teomingern

6th Gear
On 10/7/2024 at 10:22 AM, Heartlander said:

I am not sure if Malaysia government has got consensus from our government before they embark on this exercise to collect such a bug database.  I do not see it as same level as travelling overseas as the scale is much smaller and information not as up-to-date as this VEP project. Wait till got security breach at Malaysia server and all the data are up for grab at Github haha. You think this possibility is very remote?

And what information at risks? Actual full name, NRIC, bank card, email address? You think the database is safe with this very capable RM30 capital company TCsens?

Definitely not saying they're caable... but their country their rules... as I keep saying, you go overseas all your data also pulled from your passport, you apply visa or eta also need credit card data to pay, payment and data storage is usually always outsourced... not much difference lor... you can take this VEP as a form of eta lor... for security mah... 

  • Praise 1
Link to post
Share on other sites
teomingern

teomingern

6th Gear
(edited)
On 10/7/2024 at 10:22 AM, Heartlander said:

I am not sure if Malaysia government has got consensus from our government before they embark on this exercise to collect such a bug database.  I do not see it as same level as travelling overseas as the scale is much smaller and information not as up-to-date as this VEP project. Wait till got security breach at Malaysia server and all the data are up for grab at Github haha. You think this possibility is very remote?

And what information at risks? Actual full name, NRIC, bank card, email address? You think the database is safe with this very capable RM30 capital company TCsens?

Definitely not saying they're caable... but their country their rules... as I keep saying, you go overseas all your data also pulled from your passport, you apply visa or eta also need credit card data to pay, payment and data storage is usually always outsourced... not much difference lor... you can take this VEP as a form of eta lor... for security mah... 

Anyway each country decides to do what they want... since when must consult Singapore government one? We implement biometrics entry and exit, implement QR code entry at land checkpoint also just do mah... where got consult Malaysia?

Edited by teomingern
  • Praise 3
Link to post
Share on other sites
Wt_know

Wt_know

Supersonic
(edited)
On 10/7/2024 at 11:59 AM, teomingern said:

Definitely not saying they're caable... but their country their rules... as I keep saying, you go overseas all your data also pulled from your passport, you apply visa or eta also need credit card data to pay, payment and data storage is usually always outsourced... not much difference lor... you can take this VEP as a form of eta lor... for security mah... 

Anyway each country decides to do what they want... since when must consult Singapore government one? We implement biometrics entry and exit, implement QR code entry at land checkpoint also just do mah... where got consult Malaysia?

fully agreed ... i think sporean kaypoh because the website cannot make it ... no confident 

company called TCSens macam want to sound like Tencent ... but actually it's a lao hong company

Edited by Wt_know
  • Haha! 2
Link to post
Share on other sites
L23

L23

6th Gear
On 10/7/2024 at 10:22 AM, Heartlander said:

I am not sure if Malaysia government has got consensus from our government before they embark on this exercise to collect such a bug database.  I do not see it as same level as travelling overseas as the scale is much smaller and information not as up-to-date as this VEP project. Wait till got security breach at Malaysia server and all the data are up for grab at Github haha. You think this possibility is very remote?

And what information at risks? Actual full name, NRIC, bank card, email address? You think the database is safe with this very capable RM30 capital company TCsens?

Simple rule and a very straightforward reply - You go people house, you follow their rule.

If you are not happy, you can choose not to go.

Same as Singapore, like other have mentioned, we have implemented tons of things for foreigner to follow too.

  • Praise 2
Link to post
Share on other sites
teomingern

teomingern

6th Gear
On 10/7/2024 at 11:02 AM, Heartlander said:

Thanks for the headsup:

 

SINGAPORE - Thousands of foreign motorists, including Singaporeans, run the risk of having their personal information exposed after a recent discovery of a loophole in the Malaysian Road Transportation Department's VEP (Vehicle Entry Permit) website.

Information like a driver's NRIC number, address, contact numbers, passport details and chassis information can be seen on the Transportation Department's website by simply making an alteration to the site's URL.

The data can be viewed in a matter of seconds by a registered VEP holder.

The discovery was made by accident after Singaporean driver Mohammad Hafiz "cut and pasted" the website's URL and sent it to his nephew on Friday morning (April 26) to help him register for his VEP.

Mr Hafiz, 28, told The Straits Times: "When he opened the page, he was surprised he was staring at my own details and not his."

When Mr Hafiz, an IT specialist, made some changes to the URL that showed his VEP account, he was able to see sensitive information of other motorists.

Added Mr Hafiz: "There should have been penetration tests done to the website to make sure that a motorist is looking only at his account and not others. I can't imagine what would happen if somebody had harvested the information that's freely available."

ST alerted the Malaysian authorities to the data loophole at around noon on Friday (April 26). As of 4.30pm on Friday, the ST team was still able to access the website and look at other motorists' details. But at about 5pm, access to the website was blocked, with a message alerting users that maintenance was ongoing.

Malaysia's Transport Ministry had announced on Thursday that the VEP scheme will be enforced in phases. The first phase is for foreign vehicles entering the country from Singapore through the Causeway and Second Link, and will start on Oct 1.

The second phase will involve entry points between Malaysia and Thailand, and the third phase at all entry points to Malaysia from Brunei as well as from Indonesia.

The availability of personal data on the site would come in useful for those in the financial industry or businesses that depend on contacts, said Mr Roger Rajan from JMS Rogers, a debt collection company.

From his understanding, similar information can be bought. Mr Rajan, 48, told ST: "Some business people would be overjoyed to have this type of information for free. With it, background checks can be done. Also, by knowing what type of car a person drives, it can speak volumes about a person's lifestyle, which would make him a target for marketing ploys."

The same information could also be used for shady purposes.

Added Mr Rajan: "If the information falls into the wrong hands, some may fall victim to loan scams and other types of scams. The harassment would continue because people who acquire the information can sell the data to others."

Experts said that it is possible that the data has been accessed by external parties.

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said the loss of such details could facilitate fraud, as personal details such as residential addresses can no longer be an effective security measure to verify someone's identity.

He said of the error on the VEP site: "This is a very common programming error, it is a schoolboy mistake... You essentially have access to the entire database."

Mr Andrew Tsonchev, director of technology at cyber-security firm Darktrace, said such vulnerabilities could be introduced during a website update.

He added: "If it's just passwords (that are compromised), you can change that, but with identification numbers and passports there is not much you can change.

"It leaves the people involved quite powerless."

One of the affected motorists contacted, who only wanted to be known as Shahrin, said he had registered for the VEP about two years ago. The bus driver, 37, said: "Now I am worried because people may misuse my particulars, such as giving my details instead of their own when they get fines."

Malaysia-based lawyer Foong Cheng Leong, who specialises in data protection laws, told ST that Malaysia's Personal Data Protection Act would not be applicable in this case as the law does not apply to government agencies.

"There would be no recourse against the Government unless there is a breach of contract. But the data subjects may still sue for negligence," he said.

Mr Lee Wai Mun, the chief executive of the Automobile Association of Singapore, told ST he was surprised that confidential information could be easily accessed.

His advice to motorists is to wait for the Malaysian authorities to sort the matter out before signing up for the VEP. He said: "Most of us visit Malaysia on a social basis, except those who travel there for business. There's plenty of time to register (for the VEP) as the enforcement of registration will only start from October."

Aiyoh... you look at the website design and the bugs in the functions... this is not surprising lor...

 

Link to post
Share on other sites
Unfazed

Unfazed

6th Gear

Please do not feed some IB with unnecessary info.

Since this IB loves his party so much, this VEP subject is of no relevance to him at all mah. 

Love party so much so all the more shouldn't be thinking of going up north to spend cheap cheap cheap spendings mah hor.

Should all the more stay put help own economy one. What personal info leak lah. Concern over what useless nonsense lah.

Talk crap lah. Go one big round trying to hint something about the VEP. 

Simple, it's free for all to choose. You want to go but scared, then do sui sui. If they slow, don't come here kpkb.

If want to go but mai do VEP, go then mai kpkb what warning shit.

If VEP do up liao, diam diam just go. Got sticker got letter can cover your own backside.

Link to post
Share on other sites
Heartlander

Heartlander

Turbocharged
(edited)
On 10/7/2024 at 4:43 PM, L23 said:

Simple rule and a very straightforward reply - You go people house, you follow their rule.

If you are not happy, you can choose not to go.

Same as Singapore, like other have mentioned, we have implemented tons of things for foreigner to follow too.

For passport biometrics, all countries are free to join certain international organisation to ensure system compatibility sort of like 4G/5G and bluettoth and wifi standards. We can roll out so fast because we joined the body very fast, should be among the pioneer members.

https://en.wikipedia.org/wiki/Biometric_passport

https://www.icao.int/Security/FAL/PKD/Pages/ePassport-Basics.aspx

https://www.icao.int/Security/FAL/PKD/Pages/ICAO-PKDParticipants.aspx

We did implement but we do not collect these sensitive information, and we would definitely put in enough security measures to protect the data.

I am certainly putting the VEP thingy on hold for the time being after getting to know about its history. 

Edited by Heartlander
Link to post
Share on other sites
L23

L23

6th Gear
On 10/7/2024 at 4:58 PM, Heartlander said:

For passport biometrics, all countries are free to join certain international organisation to ensure system compatibility sort of like 4G/5G and bluettoth and wifi standards. We can roll out so fast because we joined the body very fast, should be among the pioneer members.

https://www.icao.int/Security/FAL/PKD/Pages/ePassport-Basics.aspx

https://www.icao.int/Security/FAL/PKD/Pages/ICAO-PKDParticipants.aspx

We did implement but we do not collect these sensitive information, and we would definitely put in enough security measures to protect the data.

I am certainly putting the VEP thingy on hold for the time being after getting to know about its history. 

1. Do you mean MY do not put in enough security measures to protect the data?

2. For the biometrics part, this is for the country to decide to implement or not. 

3. If our system is so good and fast, what happen to Simply GO, ERP 2.0 and many failed projects?

 

You sound like my friend... Keep saying MY milk powder is poison. Only SG milk is the best..

If MY milk got problem, do you know how many Top Management in Singapore is employed from MY ma? 

 

I suggest you walk out of the country more before thinking SG is the better than MY...

Link to post
Share on other sites
L23

L23

6th Gear
(edited)
On 10/7/2024 at 4:58 PM, Heartlander said:

For passport biometrics, all countries are free to join certain international organisation to ensure system compatibility sort of like 4G/5G and bluettoth and wifi standards. We can roll out so fast because we joined the body very fast, should be among the pioneer members.

https://en.wikipedia.org/wiki/Biometric_passport

https://www.icao.int/Security/FAL/PKD/Pages/ePassport-Basics.aspx

https://www.icao.int/Security/FAL/PKD/Pages/ICAO-PKDParticipants.aspx

We did implement but we do not collect these sensitive information, and we would definitely put in enough security measures to protect the data.

I am certainly putting the VEP thingy on hold for the time being after getting to know about its history. 

Suggest you read this article https://www.channelnewsasia.com/singapore/amir-hamza-bangladeshi-preacher-singapore-border-security-shanmugam-4595216

2 points to share with you:

1. We do COLLECT AND STORE sensitive information: Moving forward, he will be detected if he tries to re-enter Singapore again, regardless of what passport or name he goes under, as his biometrics are now registered, said Mr Shanmugam.

2. Our system is not as good as what you think of. Many people with some backgrounds have managed to come in and out of Singapore. Remember our best swimmer that did not get invited to Olympics but went across to MY without a VEP?

Edited by L23
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...