Part 8: False prepaid registrations


Consider this a bonus piece from my long thoughts about data breaches. You might the older post before reading this. So let’s dive in.

The telco breach was a giant hairball of issues, and one of the strands in the hairball is false prepaid registrations.

Immediately after releasing sayakenahack, people reported that they were seeing additional numbers linked to their mykad numbers. From TheStar:

Malaysian Communications and Multi­media Commission (MCMC) network security and enforcement sector chief officer Zulkar­nain Mohd Yassin said it would most likely be a case of other people using another person’s identity to register.

“We are serious about this. That’s why you see many compounds issued by the MCMC to service providers in respect of non-compliance with the guidelines of prepaid registrations,” he said.

He’s right, telcos have been issued summons for false registrations every year from 2014 to 2017, withTune Talk chief executive officer Jason Lo telling Digital News Asia (DNA):

…although there are many systems in place to ensure registrations are as accurate as possible, with a network of thousands of dealers, it can be hard to monitor every one

The Malaysian Telco Breach was two issues. One was the chronic problem of false prepaid registration, and two, the breach itself. The former is not a trivial issue, because the Evidence Act in Malaysia states:

A person who is registered with a network service provider as a subscriber…on which any publication originates from is presumed to be the person who published …unless the contrary is proved.

Hence, if a phone number, that is registered to you, is publishing seditious statements on WhatsApp you would be deemed to have published them. And the onus is on YOU, to prove otherwise, a guilty till proven innocent kinda law.

So what do we do?

In I.T we have a saying, if you can’t prevent, at least detect.

So if we can’t prevent false registrations, we should at least allow for victims to check regularly.

But how to check?

Solutions that scale

The Malaysian Reserve, quoted one expert saying that we should all call our mobile providers to find out, the expert added that it took him ‘only’ 20 minutes to do so.

Only 20 minutes? Only??!!

Malaysia has 10 different Telcos, if calling one takes 20 minutes, calling all of them would take 3 hours. That’s too high a price just to check if you’re part of the breach. No wonder nobody has bothered.

The telco breach had millions of records, If we assume that 20 million victims made these 3 hour calls, that’s 60 million man hours spent.

Even if the telco’s collectively dedicate 3000 people, working 8 hour shifts, 24×7. It would take 7 years to inform all the victims. If those 3000 people were paid a monthly salary of RM1000, the cost for labour alone would be RM250 million.

Any solution that requires victims to place phone calls, will fail, because the scale of the breach cannot be solved manually. A solution that would work for 1000 victims may not work for 20 million.

The solution should be, oh, I don’t know….something like a central website, where you type in data, and get a automated response with no human intervention, and maybe it would be able to verify your phone number through a One-Time-Password if the owner had cash.

Final Disclaimer

Some have suggested my data isn’t 100% accurate, and accused me to sharing inaccurate data.

They’re right. Three things though.That hasn’t happened.

One, I’ve never claimed sayakenahack was 100% accurate, I’m just claiming, that I found data online, some of which has your myKad number on it. Whether that data represents accurately what is (or was) in the telco database, is not something I can guarantee.

Two, because of false prepaid registration, nobody can be absolutely sure of all the numbers registered in their name, unless they go to each and every telco physically.

Three, MCMC has promised to resolve the issue of false prepaid registration by 1st December 2017 (yes, that date is past), including requiring MyKad registration for top-ups. I’m not sure if that has happened yet.


Astound us with your intelligence

  • I actually came across while researching about our GMPC (MyKad).

    The white paper for MyKad is here:

    To be honest, I almost find it impressive we pulled off the GMPC project 16 years ago.
    However, if compared to what Estonia has scaled, using similar digital ID system 20 years ago, we are so far behind improving GMPC.

    I do also think the newest eKYC processes introduced by Bank Negara might not be bullet-proof.
    Since we didn’t introduce new security measure to our National ID system……

  • I’ve been wondering if the GMPC (MyKad) has records of our registered mobile number, such that this piece of information is in the centralized database (Government Service Center
    BackOffice – GSCB).


    if it does records, then the same sayakenahack mechanic can be built for each citizen to check. Actually, we ourselves as the owner of our own personal information should have the option to as much view it. Or else no one knows if that piece of information has been altered. (Just what Singapore is doing recently –

    Anyway, while researching about Digital Identity system, I came across
    Surprising to me (GMPC project is almost amazing to me reading the white paper, almost), we actually initiated the MyKad project back in 1997! (Rolled out in 2001). But, it has been 20 years since then, and compared to how Estonia has scaled their national ID system, we basically did nothing since 20 years ago.

    Oh God. And why no one is worried about the recent eKYC processes defined by Bank Negara????????

    – C