Who Has Your Vote?
February 9th, 2009 · by David Bradley
Identity theft is on the increase, but it’s not only your bank account and private life you have to worry about. What about your vote?
Jungwoo Ryoo of The Pennsylvania State University-Altoona, and colleagues explain that as governments gradually migrate to web-based electronic systems for voting, lobbying, and interacting with politicians, criminals and those seeking to subvert such systems will begin to find ways to steal your vote.
Writing in a forthcoming issue of the aptly named journal Electronic Government, Ryoo and colleagues point out that federal, state and local governments are apparently taking steps to adopt the best possible safeguards to prevent identity theft on their websites.
However, despite the enthusiasm of the people behind these sites, governmental organizations lack any threat-specific and systematic way of assessing the safeguards they are putting in place. Ryoo and his colleagues have now proposed a system for testing the readiness of e-gov systems for preventing identity theft.
Of course, not every piece of information provided by e-government websites is worthy of hacker attention. But there are many resources that are susceptible to harassment, the team says. For instance, many e-gov sites handle sensitive personal information such as government-issued numbers, including social security numbers (SSN), driver’s license information, medical history, and birth certificate details.
The team points out that once stolen (or acquired from an abandoned/lost/stolen government CD-ROM, laptop, or USB thumbdrive!) criminals can use this information for general identity theft, subversion of voting systems, and even terrorism. The fact that e-gov content is now available on mobile wireless devices simply exacerbates the problem.
As with any internet system, in e-gov systems there are two sides to a given transaction, whether that’s an email sent or received, a file uploaded or downloaded, or a form filled on a website: the client side (that’s you and me sitting at our PCs or using our iPhones) and the server side (that’s them, with their hardware, servers, and databases). Security vulnerabilities that can compromise both the system and you can exist, or be created, on both sides of the equation.
However, given that those who seek to make subversive use of the server side are usually launching their attacks from the client side, Ryoo and colleagues have concentrated on the web interfaces to e-gov systems.
The team points out that there is a wide range of ways a system might be compromised on the client side: pure social engineering (basically conning you into handing over login details or other data); phishing (using a false email, a fraudulent web address lookup file (hosts) or system (DNS server) to do the same); and password cracking or keylogging coupled with Trojan malware to forward logins to a 3rd party without you knowing. (More details on these various identity theft factors are outlined in a separate post on identity theft protection.)
The team’s assessment framework, outlined in their research paper (details below), will allow agencies to assess the inherent security of their systems from the client-side point of view and so tighten up security measures, such as encryption and login protocols, to reduce the risk of anyone subverting e-gov via the web.
Jungwoo Ryoo, Tae Hwan Oh, Seungjae Shin, Young B. Choi (2009). A comprehensive readiness assessment framework for identity theft safeguards in web-based electronic government systems. Electronic Government, An International Journal, 6 (1), 19-40.














