
The eMPF platform reportedly has no technical security vulnerabilities, yet the eKYC (Electronic Know Your Customer) process it utilizes contains operational loopholes that criminals have exploited. What standards can help identify these operational risks at an earlier stage?
🔖 ISO 27005, the international standard for information security risk management, is designed to give early insight into, and responses to, security threats of all kinds, covering both technical and operational vulnerabilities. The current edition, ISO 27005:2022, incorporates an Event-based Approach and recommends simulating specific scenarios such as “identity impersonation” and “account opening fraud.” If, during the development phase, developers simulate a fraudster using high-fidelity forged ID cards to bypass eKYC, the fragility of relying on a single verification method is exposed early. In its guidance on vulnerability identification and assessment, ISO 27005 also directs organizations to look for weaknesses in “human operations” and “business processes.” For instance, a system that relies solely on third-party eKYC without a real-time facial match against an authoritative government source (such as “iAM Smart”) would be flagged as a high-risk vulnerability under the ISO 27005 assessment framework.
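The event-based assessment described above, written out as an added example that is not from the original post: each eKYC scenario is scored by the chance a fraudster defeats every verification control in series, and a pipeline backed by only one control is flagged. The control names, bypass probabilities, scales and thresholds are constructed assumptions for illustration.

```python
# Added example, not from the original post: an ISO 27005-style event-based
# scenario assessment for an eKYC onboarding flow. Control names, bypass
# probabilities, scales and thresholds are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    # Estimated probability that a fraudster in the named scenario defeats this
    # control on its own (assumed figures; an organisation substitutes its own).
    bypass: dict

# Scenario -> impact on a 1..5 scale (assumed values).
SCENARIOS = {"identity impersonation": 5, "account opening fraud": 4}

# Assumed controls. "iAM Smart face match" stands for the real-time comparison
# against an authoritative government source mentioned in the post.
DOC_CHECK = Control("third-party eKYC document check",
                    {"identity impersonation": 0.4, "account opening fraud": 0.4})
LIVENESS = Control("liveness detection",
                   {"identity impersonation": 0.3, "account opening fraud": 0.3})
IAM_SMART = Control("iAM Smart face match",
                    {"identity impersonation": 0.05, "account opening fraud": 0.05})

SINGLE_METHOD = [DOC_CHECK]                 # relies solely on third-party eKYC
LAYERED = [DOC_CHECK, LIVENESS, IAM_SMART]  # independent controls in depth

def likelihood_band(p):
    """Map a scenario probability onto a 1..5 likelihood band (assumed cut-offs)."""
    for cutoff, band in ((0.3, 5), (0.1, 4), (0.03, 3), (0.01, 2)):
        if p >= cutoff:
            return band
    return 1

def assess(controls, scenario):
    """Event-based assessment: the fraudster must defeat every control in series."""
    effective = [c for c in controls if c.bypass.get(scenario, 1.0) < 1.0]
    p = 1.0
    for c in effective:
        p *= c.bypass[scenario]
    score = likelihood_band(p) * SCENARIOS[scenario]
    rating = "High" if score >= 15 else "Medium" if score >= 8 else "Low"
    findings = []
    if len(effective) <= 1:  # the fragility of a single verification method
        findings.append("single verification method: no independent control backs up "
                        + (effective[0].name if effective else "nothing"))
    return {"likelihood": p, "score": score, "rating": rating, "findings": findings}

if __name__ == "__main__":
    for label, pipeline in (("eKYC only", SINGLE_METHOD), ("layered", LAYERED)):
        for s in SCENARIOS:
            r = assess(pipeline, s)
            print(f"{label:9} | {s:22} | risk {r['score']:2} {r['rating']:6} | {r['findings']}")
```

With the assumed figures, the eKYC-only pipeline scores 25 (High) for identity impersonation and carries a single-control finding, while the layered pipeline scores 5 (Low) with no finding.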
🔖 Red Teaming and scenario testing also provide proactive measures to prevent such operational loopholes. Rather than just scanning for software bugs, experts act as scammers to attempt account theft from a business logic perspective—for example, by testing whether forged documents can successfully pass the verification process.
Reference:
ISO/IEC 27005:2022
Jason Bartolacci and Dom Bartolacci, Red Team 27
Sing Tao Headline
