The web portals of government services don’t have the best track record when it comes to security. They’re almost comically easy to hack and even in places where you’d think they’d take security seriously they still manage to bungle basic, commonsense things, like encrypting usernames and passwords so that they don’t get read in the event of a hack – like what happened with the Commission of Elections’ voter database.
They Allegedly Didn’t Even Implement the Easy Stuff
Unfortunately, it doesn’t seem that the government has learned its lesson – take the case of the Social Security System. Brian Baquiran, Senior Director at Rising Tide Mobile Entertainment, found that the SSS website did not implement several easy-to-do, best-practice security measures, like hashing and salting usernames and passwords. In layman’s terms, the website stores your username and password in plain text. That means that in the event of a hack (which is probably easy to do given SSS’ lack of security), hackers will be able to grab your username and password and read them without any difficulty.
What’s worse is that they also store the previous passwords that you’ve used on the site. If you recycle any of those passwords anywhere else, we strongly suggest that you change them now, just in case the SSS is hacked.
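To show what “hashing and salting” means in practice, and how a site can still block password reuse without keeping old passwords in plain text, here is an added example in Python (not SSS’ code or anything from the article): each stored record holds only a random salt and a PBKDF2 hash, and the previous-password history is kept as hashes too. The PBKDF2 work factor, the history size and the sample account are assumptions made for the example.

```python
"""Salted password storage with a hashed password history (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; chosen for this example


def make_record(password: str) -> dict:
    """Return a storable record: random 16-byte salt plus the derived hash.

    The plaintext password never ends up in the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


class Account:
    """A user account whose current and previous passwords are stored only as hashes."""

    def __init__(self, username: str, password: str, history_size: int = 5):
        self.username = username
        self.history_size = history_size  # how many old hashes to keep for reuse checks
        self.current = make_record(password)
        self.previous = []  # most recent first, each a salted-hash record

    def check_login(self, password: str) -> bool:
        return verify(password, self.current)

    def change_password(self, new_password: str) -> bool:
        """Reject the change if the new password matches the current or any remembered one.

        Because every old record has its own salt, each one is checked separately."""
        for rec in [self.current] + self.previous:
            if verify(new_password, rec):
                return False
        self.previous = ([self.current] + self.previous)[: self.history_size]
        self.current = make_record(new_password)
        return True
```

A leaked copy of these records gives an attacker salts and hashes to brute-force per user, not a list of credentials to read off directly.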
The SSS site also does not allow special characters in passwords, making it easier for attackers to guess your password. The site also requires you to disable your security settings and allow execution of insecure scripts/content for you to be able to view member information like contributions, loan status and the like. Finally, the site sends out your password via unencrypted mail in the event that you change your password.
That’s a lot of security flaws, especially for an institution that handles a hell of a lot of citizens’ money for social services.
You can do something about it though – you can complain about the SSS’ lack of basic cybersecurity to the National Privacy Commission, here: http://privacy.gov.ph/contact-us/.