PETALING JAYA: Experts are calling for a strong MyKad verification process to prevent possible misuse when purchasing subsidised RON95.
They said while safeguards are enhanced, the implementation of Budi Madani RON95 (Budi95) should go ahead as planned.
Cybersecurity specialist Fong Choong Fook said that the MyKad system is relatively secure, but it’s not without vulnerabilities.
“To prevent abuses like cloning, the misuse of lost or stolen cards or ‘gaming’ the quota, the government and petrol station operators should ensure every pump or payment point that offers subsidised RON95 has a certified MyKad reader, properly maintained,” he said.
“Not only that, there should be real-time or near real-time verification of MyKad and driving license status, as well as quota used.
“The use of cryptographic protections, making use of digital signatures, revocation and secure authentication, should also be considered.”
He added that petrol station operators and the government should consider adding biometrics, one-time passwords (OTPs) or a PIN for suspicious usage or to verify cardholder identity.
He said the authorities should analyse usage details to identify any abnormal behaviour.
“An example is if a MyKad was used to pump petrol in Puchong, and 30 minutes later the same IC was used in Alor Setar, then this is abnormal and needs to be flagged,” he explained.
Meanwhile, Malaysian Cyber Consumer Association president Siraj Jalil said consumer literacy on this subject was important and the government should provide detailed information about the implementation and concise guidelines to prevent the misuse of personal identification cards.
“Consumers can increase the security (verification) on their mobile phones as some use certain apps to pay for their petrol instead of going to the counter,” he said.
Dr Husin Jazri, a cybersecurity professor, suggested that the card reader at the petrol station should be properly inspected and should operate as per specifications to prevent fake card incidents.
“It’s advisable to use biometric authentication, as is the current practice by banks. It is simple and easy to use for MyKad users performing self-authentication at the petrol pump card reader.”
Husin also added that petrol stations should only collect necessary data to verify MyKad use for subsidised RON95.
“They should not collect extra personal or purchasing data, because that could lead to privacy breaches if all stations start storing or misusing this information,” he added.
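The Puchong and Alor Setar check Fong describes is commonly called impossible-travel detection. The Python sketch below is an added illustration, not code from any Budi95 system; the station IDs, approximate coordinates, card tokens and the 150 km/h ceiling are assumptions, and the transactions are constructed. It keys on a pseudonymous card token rather than the IC number, in line with Husin's point about collecting only necessary data.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 150.0  # assumed ceiling for plausible road travel between two fuel stops

# Approximate station coordinates (constructed sample data, hypothetical station IDs).
STATIONS = {
    "PUCHONG-01": (3.03, 101.62),
    "ALORSETAR-01": (6.12, 100.37),
    "SUBANG-01": (3.05, 101.58),
}

@dataclass(frozen=True)
class Txn:
    card: str        # pseudonymous card token, not the raw IC number
    station: str
    when: datetime

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag_impossible_travel(txns, max_kmh=MAX_KMH):
    """Return (previous, current, implied_kmh) where consecutive uses of a card exceed max_kmh."""
    flagged, last = [], {}
    for t in sorted(txns, key=lambda t: t.when):
        prev = last.get(t.card)
        last[t.card] = t
        if prev is None or prev.station == t.station:
            continue
        km = km_between(STATIONS[prev.station], STATIONS[t.station])
        hours = (t.when - prev.when).total_seconds() / 3600
        # Zero elapsed time at two different stations is always impossible.
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > max_kmh:
            flagged.append((prev, t, kmh))
    return flagged

SAMPLE = [  # constructed transactions
    Txn("card-A", "PUCHONG-01", datetime(2025, 1, 1, 9, 0)),
    Txn("card-B", "PUCHONG-01", datetime(2025, 1, 1, 9, 5)),
    Txn("card-A", "ALORSETAR-01", datetime(2025, 1, 1, 9, 30)),
    Txn("card-B", "SUBANG-01", datetime(2025, 1, 1, 9, 35)),
]
```

On the sample data, only card-A is flagged: roughly 370 km in 30 minutes implies a speed no road vehicle reaches, while card-B's short hop between nearby stations passes.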
