The Independent Electoral Commission (IEC) recently launched a new online voter registration portal, and a user quickly identified a security flaw in the system.
The portal is intended to allow South Africans to amend their voter details.
“Since the Constitutional Court ruling in June 2016 that we must update and rectify the voter’s roll by June 2018, we have been hard at work on this,” said the IEC.
However, the system allows anyone with Internet access to create an account and potentially manipulate the voter records of anyone who has not yet created a profile.
To create a voter profile on the IEC’s new portal, you provide an ID number, and a cellphone number or email address. The system does not appear to check whether the address comes from a throw-away service.
You are then sent a link to set up the password for your profile, add an additional email address, and create a username.
You are then taken to a page that shows the residential address details the IEC has on file for the ID number you provided.
With massive leaks like the Master Deeds incident taking place, unauthorised access to South Africans’ ID numbers is a real possibility.
The IEC told MyBroadband the way its online voter registration system functions was a design consideration from the beginning, and was accepted as a manageable risk that is mitigated.
“We accepted the existence of a risk that some people can use online disposable email facilities including popular sites such as Gmail, Yahoo, Hotmail, etc. By so doing, abusing the facility because they are accessible and freely available,” said the IEC.
“The IEC, however, did not want to restrict usage by implementing verification or confirmation processes that will require persons to be verified in person.”
It said the risk is mitigated as follows:
- On registration, the system will send an email to the profile creator for confirmation. The profile will not be activated until the user has confirmed by responding to the email.
- The same applies if the user registers using a cellphone number. The number is verified using an SMS OTP.
- Every email address and cellphone number may only be linked to one identity number. A user can’t use one email or cellphone number for multiple voters.
The IEC said it is aware of tools for checking disposable email addresses, but the tools are limited in their ability and will not fully mitigate the risk.
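The three listed controls and the disposable-address check can be modelled in a few lines to show what each one establishes. This is an added example, not the IEC's code: the `Portal` class, its field names, the sample domains and the ID values are all constructed for illustration.

```python
import secrets

# Constructed sample entries; real disposable-domain lists are never complete.
DISPOSABLE_DOMAINS = {"tempmail.example", "mailinator.example"}


class Portal:
    """Toy model of the three stated controls (assumed structure)."""

    def __init__(self):
        self.contact_owner = {}  # contact -> ID number (control 3)
        self.profiles = {}       # ID number -> profile record

    def register(self, id_number, contact):
        if id_number in self.profiles:
            raise ValueError("ID number already has a profile")
        if contact in self.contact_owner:
            raise ValueError("contact already linked to an ID number")
        token = secrets.token_urlsafe(16)  # stands in for email link / SMS OTP
        self.contact_owner[contact] = id_number
        self.profiles[id_number] = {"contact": contact, "token": token, "active": False}
        return token  # sent only to the contact channel

    def confirm(self, id_number, token):
        profile = self.profiles[id_number]
        if secrets.compare_digest(profile["token"], token):
            profile["active"] = True  # controls 1 and 2: channel control proven
        return profile["active"]


def review_flags(portal):
    """Monitoring aid: active profiles registered from a listed disposable domain."""
    return sorted(
        id_number for id_number, p in portal.profiles.items()
        if p["active"] and p["contact"].rpartition("@")[2].lower() in DISPOSABLE_DOMAINS
    )


def demo():
    portal = Portal()
    token = portal.register("ID-A", "a@tempmail.example")  # constructed values
    active_before = portal.profiles["ID-A"]["active"]
    active_after = portal.confirm("ID-A", token)
    try:
        portal.register("ID-B", "a@tempmail.example")
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    return active_before, active_after, reuse_blocked, review_flags(portal)
```

Nothing in this model compares the contact with a record already held for the ID number, so confirmation shows control of the channel only, and the review list catches only domains that happen to be listed.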
It is monitoring updates made to voter details using the system, and encourages voters to check their registration details and status – and alert the IEC if there are discrepancies.
Voters may use the IEC contact centre, website, SMS, or visit one of its local offices to report discrepancies.
“We are continuously reviewing the situation and will take the necessary remedial actions should the need arise.”
“Central to this facility is ease of access and usage, by allowing registered voters to access the portal anytime from anywhere, without the need to come to our offices.”