December 22, 1998
Dear Dr. Chia,
Security implications of library automation
While I have expressed reservations about certain aspects of the library's automation project, I should say that apart from that, it has actually been implemented quite well. The acceptance of identity cards in lieu of library cards, in particular, has been beneficial to users as it reduces the number of cards they have to carry around. Unfortunately, this convenience appears to have a security trade-off.
While physical identity cards are relatively difficult to forge, barcoded NRIC numbers are extremely easy to produce. And so long as the barcode scans correctly, library self-check terminals do not appear to have any means of authenticating "identity cards" presented to them. As Singaporeans freely give out their identity card numbers to all and sundry, it would not be difficult for an ill-intentioned person to generate barcodes for the purpose of playing a prank on somebody or for outright theft of library materials. The library web-site even provides a means by which one can check whether a particular NRIC number has a library membership attached to it.
For example, the enclosed homebrew library card was generated by printing my NRIC number on a Brother PT-330 label printer using the Code 39 protocol and sticking the label on a credit-card sized object. I have tried this out and it does work. The only oddity I noticed was that whereas with a genuine NRIC, one can place the card in position first then select the language to be used, with my homebrew card I had to select the language first and then place the card in position. Minor difficulty, but it was possible to check out a library book using this scheme.
In a Straits Times interview published on November 27, you noted that photo identification has to be shown to borrow library materials. While this may have been true when counter staff manually scanned cards with a hand-held wand, it is no longer true today. The convenience of simply scanning an IC appears to have become a security risk.
Conceivably, you could station people at every self-service checkout area to verify patrons' cards, but that would defeat the whole purpose of automating the checkout procedure. A false bar code pasted on top of the bar code on a genuine NRIC would be very hard to spot with a cursory inspection, too.
Unfortunately, I cannot think of any easy technological fixes to the problem. Just verifying that a genuine identity card has been placed on the card recess would not be sufficient because a false barcode could be pasted on top of a genuine identity card. Simple optical character recognition (OCR) of the IC number printed on the front face of an identity card could easily be defeated with a colour printer and a graphics program too. The only approach which might work would be a two-camera system that makes use of the different images, including the NRIC number, seen when looking at the lion head hologram from different angles.
I really appreciate the convenience afforded by being able to use my identity card as a library card so I'm ambivalent towards advocating that this feature be eliminated solely to plug up each and every security hole. Back in the days of paper library cards, it was certainly possible to forge library cards too if one had access to printing facilities. Lost library cards were another potential avenue for abuse even after they had been declared lost since it was impractical to check the serial numbers on traditional library cards. Given that libraries have always been predicated on a great deal of trust on all sides, I suppose those risks were considered to be acceptable risks.
But what of the high tech risk I have described? Is that an acceptable risk, also? Is it insignificant compared to other means of theft such as just walking out of the library without checking out materials at all? From the user's point of view, one difference is that if someone does forge my library card and steals books or videos with it, it would be almost impossible to prove my innocence. If the NLB follows the LTA's example of refusing to admit even the possibility of errors in the ERP system, it is quite likely that the NLB would insist that the system shows that I checked out a book and never returned it. Whereas in the days of paper library cards, the cost of thefts made with a forged library card would have been borne by the library, with forged NRIC bar codes, the cost would be transferred to individual users.
School registers are a rich source of NRIC/birth certificate numbers and teenagers being what they are, I expect that this would be the greatest area of vulnerability. But NRIC numbers are easily available elsewhere, too. Glancing through the legal notices published on 16 December 1998, we find one of the creditors, a {Redacted} Simon, NRIC number {Redacted}. Surfing on to the NLB's loan status web interface, http://www.lib.gov.sg/services/loanstatus/loanstatus.html, we enter his NRIC number and find that he is a library member. Unfortunately, he has used up his entire loan quota so we would have to go on to somebody else if we were trying to check out books with false NRIC bar codes.
Using this web site, however, one could pare down a list of NRIC numbers and identify both which NRIC numbers have library accounts, and of these accounts, which accounts have available loan quotas. Instead of having to walk up to a library terminal and behave suspiciously by trying out a stack of forged cards, a cracker could prevalidate his target NRIC numbers by using the web interface.
The loan status interface itself raises some privacy concerns as well. Unlike in some other jurisdictions, the NLB is not required by law to keep member records confidential. But I have to ask whether it is good public policy to make an individual member's records available to the whole wide world. Even if one argues that Singaporeans don't care about privacy (less true today than in the past), the fact that an NRIC lookup can be used to select NRIC numbers for forging should give one pause.
All of the risks associated with forged NRIC barcodes apply also to the barcodes on library membership cards, but as far as I know, there is no publicly available list of membership numbers, and the checksum algorithm used for verifying membership numbers is not publicly known. If either of these assumptions is false, however, a forged white membership card with blue lettering and a bar code would be impossible to distinguish from the real thing.
I am afraid that in the NLB's headlong rush to implement new technologies, it may have forgotten to think about the implications that follow from using these technologies.
Yours sincerely,
Ngiam Shih Tung
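
The prevalidation the letter describes depends on one client looking up many different NRIC numbers through the loan status page. As an added example (not part of the original letter, and not NLB code), the Python below flags that pattern in a lookup log; the log format, the time window and the threshold are assumptions, and the sample lines are constructed with placeholder IDs and documentation-range addresses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT = 3                # assumed: one household seldom checks more IDs than this

# Constructed sample log (time-ordered): timestamp, client address, looked-up ID.
# The IDs are placeholder tokens, not real NRIC numbers.
SAMPLE_LOG = """\
1998-12-16T10:00:05 192.0.2.10 ID-A
1998-12-16T10:01:00 198.51.100.7 ID-P
1998-12-16T10:01:20 198.51.100.7 ID-Q
1998-12-16T10:01:45 198.51.100.7 ID-R
1998-12-16T10:02:10 198.51.100.7 ID-S
1998-12-16T10:02:30 203.0.113.5 ID-X
1998-12-16T10:02:50 198.51.100.7 ID-T
1998-12-16T10:03:00 192.0.2.10 ID-B
1998-12-16T10:20:00 203.0.113.5 ID-Y
1998-12-16T10:40:00 203.0.113.5 ID-Z
1998-12-16T11:00:00 203.0.113.5 ID-W
"""

def parse(line):
    """Split one log line into (timestamp, client, looked-up ID)."""
    ts, client, ident = line.split()
    return datetime.fromisoformat(ts), client, ident

def find_enumerators(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {client: peak count of distinct IDs looked up inside one window}
    for every client that exceeded max_distinct. Expects time-ordered input."""
    recent = defaultdict(deque)  # client -> (timestamp, ID) pairs still in the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, ident = parse(line)
        q = recent[client]
        q.append((ts, ident))
        while ts - q[0][0] > window:   # drop lookups older than the window
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    for client, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct IDs within {WINDOW}")
```

A member repeatedly checking the same number never trips the rule, because only distinct identifiers are counted; a client that spreads its lookups out over hours stays under it unless the window is widened.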