Page:Unauthorised Access to Credit Data in the TE Credit Reference System.pdf/8

  consent and authorisation of the borrowers without considering the possibility that certain money lending companies may make use of this loophole to gain unrestrained access to the credit data. This arrangement falls far below the general standard and is highly disappointing, both in terms of compliance with legal requirements and the protection of borrowers' privacy.

Weak Password Management

According to the information provided by Softmedia, the money lending companies can only log in to the TE Credit Reference System via its Loan Management System by inputting a password. Although Softmedia claimed that it has set specific requirements regarding the minimum length and complexity of these passwords, the money lending companies can in fact use a password that is considered weak in terms of length and complexity .

In addition, Softmedia does not set restrictions in its System requiring the money lending companies to regularly change their passwords. The money lending companies can set a password in the System as they wish and the use of the same password over a long period means that employees can potentially obtain the password with ease to enter and access the TE Credit Reference System without authorisation by the companies and continue to do so after leaving the companies, rendering the security function of the password virtually useless.

Conclusion

The investigation revealed that the TE Credit Reference System is akin to an open credit data platform used by licensed money lenders. Licensed money lending companies can have unlimited access to credit data at a very low fee. The passwords of the TE Credit Reference System can be freely set by the money lenders, and it is doubtful whether the TE Credit Reference System can in fact effectively prevent improper or illegal logins.

This situation raises concern, as the TE Credit Reference System contains personal data of about 180,000 borrowers and up to now, the TE Credit Reference System is used by as many as 680 money lending companies. It is therefore a sizeable credit reference database. Credit data is generally 