A comprehensive assessment framework for MyKad / Nik Azmi Nik Omar

We have witnessed a quantum leap in information communication technology (ICT). It is now pervasive with our everyday life and this has resulted in recent development of many new applications using ICT. Governments and Private Sectors have capitalized on this technological advancement in a variety of applications. Essentially technology is applied to increase efficiency and effectiveness. In some business entities, it can be used as a competitive advantage. The Malaysian government too has applied technology to gain the benefit and one of these is using multi-application smartcard which included personal identification. This is followed by other governments from various countries that launched a multipurpose identification smartcard. However, at the same time, being in the forefront has its own shortfall especially in the area of ensuring that smartcard is protected from any security breach. MyKad is a multipurpose smartcard which was introduced by the Malaysian government to identify its citizens. It is of paramount importance that the Malaysian government attain the public confidence to ensure that MyKad is 'tampered proof so as the public can accept in using the applications and services affiliated with it. To achieve this, MyKad must be evaluated and pass through an acceptable level of security certification process and be assessed to the various types of possible security breach such as information tampering and the cloning of MyKad. This thesis therefore proposed a new MyKad Testing Strategy model for logical attacks. Furthermore, a comprehensive security assessment framework was proposed in the implementation of the certification of MyKad aligning with the framework of Common Criteria (CC). In view of this, the proposed framework follows the requirements of Vulnerabilities Assessment test (AVA) of ISO/IEC 15408-3 of CC. The objective of this assessment test is to evaluate the potential factors that potentially threaten the security of MyKad. The security assessment test of MyKad includes the aspects of security of information stored and evaluates the mechanism of handling the open data and providing application access to work with MyKad in the secured manner for enabling multiple applications. The security test assessment deployed on MyKad was using the test strategy from Alain Merle (2005) and adopting the common criteria (CC, 2009). Four vulnerabilities have been disclosed from the security assessment of MyKad done in this study. The vulnerabilities are firstly, Application Protocol Data Unit (APDU) can be collected from MyKad; next, open data can be read using the APDU commands; thirdly, the open data can be written to another sample of smartcard by cloning the data in MyKad; and lastly, the assessment has successfully uncover the communication vulnerability of MyKad with Card Acceptance Devices (CAD) towards being tapped. The significance of this research will benefit the government; public and private sector by proposing testing strategy model and security assessment framework for MyKad. As for the future extension of this study, researcher should emphasize on the development of a new generic Software Development Kit (SDK), standards for Card Acceptance Device (CAD) and identification of certification body for CAD and SDK.