MFA website vulnerability puts credit card data at risk

Neville Lahiru

Sri Lanka’s Ministry of Foreign Affairs (MFA) website could be putting users’ credit card details at risk due to a security vulnerability. The ministry, which offers online consular services, currently processes applications via an unencrypted HTTP connection, potentially leaving sensitive data exposed.

The issue, initially spotted by @nuwnjay on Twitter, is the lack of an SSL certificate on the web portal, which puts credit card details, NIC numbers, phone numbers, and other personal data at risk. The vulnerability was noticed when the user attempted the online document attestation service for O/L and A/L certificates via the MFA.

However, the issue isn’t restricted to O/L and A/L document attestation, as the entire Electronic Document Attestation System (e-DAS) is seemingly hosted over the same unsecured connection. This means other online consular services, such as the recently announced online authentication for birth, marriage, and death certificates, are exposed to the same vulnerability.
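The core defect described above is a web form that collects payment and identity data and submits it over plain HTTP. The following audit script is an added example, not code from the article or from the MFA portal; it parses a page's forms, resolves each form's action URL, and flags any form whose fields look sensitive (a heuristic name list, assumed) but whose action does not use https. The sample page and URL are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (assumed) list of field names that usually carry card or identity data.
SENSITIVE = re.compile(r"(card|cvv|cvc|expir|nic|passport|phone|mobile)", re.I)

class FormAudit(HTMLParser):
    """Collect each <form>'s resolved action URL and the names of its fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of (action_url, [field names])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the page's scheme, so an HTTP page stays HTTP.
            self._current = (urljoin(self.page_url, a.get("action") or ""), [])
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current[1].append(a.get("name") or a.get("id") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return the forms that would send sensitive-looking fields over plain HTTP."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    for action, names in parser.forms:
        sensitive = [n for n in names if SENSITIVE.search(n)]
        if sensitive and urlsplit(action).scheme != "https":
            findings.append({"action": action, "fields": sensitive})
    return findings

# Constructed sample (not the real portal): an attestation payment form served over HTTP.
SAMPLE_URL = "http://portal.example/edas/payment"
SAMPLE_HTML = """
<form method="post" action="/edas/pay">
  <input name="applicant_nic"><input name="card_number"><input name="cvv"><input type="submit">
</form>
<form method="post" action="https://portal.example/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"INSECURE: {f['action']} collects {', '.join(f['fields'])} over plain HTTP")
```

Running it against a site's own pages in a CI job catches the regression this article describes: a payment form whose action silently resolves to http.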

MFA and lagging cyber security efforts

SSL-enabled websites have been standard practice for decades. By 2018, Google began flagging all unencrypted HTTP sites as “not secure.” Now, many of these websites are likely to display a red warning with Google sometimes restricting traffic to the site.

However, even though the internet moved to HTTPS as the default years ago, Sri Lanka continues to lag. In fact, the Ministry of Foreign Affairs is one of several Sri Lankan government websites that operate on unencrypted HTTP connections. Despite the increasing focus on the digitalization of government services, numerous official government websites still run on unsecured connections. It’s a poor reflection of basic cyber security practices, particularly given the ease of acquiring an SSL certificate.

Screenshot of the MFA's online consular services requesting users' credit card details. The web browser warning indicates the site is not secure.

Incidentally, the Ministry of Foreign Affairs itself doesn’t have the best track record when it comes to online services. In 2019, e-DAS lagged so much that the Consular Affairs Division restricted daily visitors to 500. Just three years later, the Document Attestation system broke down completely. At the time, this left hundreds of Sri Lankans who were seeking employment overseas helpless.

A growing problem

It also doesn’t help that the MFA’s security issue comes to light at a time when online scams and frauds are gaining notoriety. Sri Lanka CERT recently issued a warning on the surge in cybercrime via social media, text messages, fraudulent websites, and other platforms. The past few months have seen malicious actors impersonating legitimate institutions including banks, commercial organizations, and even government bodies like the Sri Lanka Post.

Over the years, Sri Lanka’s government websites and systems have been defaced, taken offline, and data breached. Sometimes entire government email databases have been erased. In 2023 alone, Sri Lanka CERT has recorded 98 scams, 58 financial/email frauds, 44 DoS/DDoS attacks, 31 ransomware attacks, and over 20,000 social media incidents. In reality, the actual numbers are likely much higher.

Many citizens rely on MFA services and as more look to online consular services, an unencrypted HTTP site is only going to balloon these numbers if left unaddressed. The country can ill afford to fall decades behind basic cyber security practices, particularly as more regulations around cyber security and data protection are being pushed.

When will Sri Lanka truly prioritize cyber security? It’s a question that has been asked for well over a decade. If the MFA situation is any indication, it’s that the question is still an afterthought even amid promises of more digitalization in Sri Lanka.
