DVLA denies driving licence processing site is a security 'car crash'

A UK government agency has disputed complaints from security pros that its website involved in the processing of driving licence applications is insecure and otherwise unfit for purpose. Reader Andy, who asked to remain anonymous, alerted us to what he described as a "disgraceful web server configuration" at https://motoring. …

Silver badge

PCI-DSS is the credit card industry's security standard. Anyone who handles credit card payments is obliged to comply with its requirement.

Does the DVLA site actually handle credit card payments? My recollection is it hands you off to SagePay or somebody for that process?

1
0
Silver badge

It sends you off to WorldPay, but you still need to be compliant with the PCI-DSS thing.

21
0
Anonymous Coward

PCI-DSS Compliance

PCI-DSS has different levels of compliance requirements that an institution may be required to comply with, even if they don't handle payment details but hand them off to a third party, e.g. WorldPay or Stripe.

If they do handle the details themselves (card number, cv code and expiry date) then that's a whole world more painful so let's not go there.

Anon because of reasons.

10
0

Someone intercepting a card payment is bad. Someone being able to access my DVLA account and issue a new driving licence in my name to another address is terrible. Driving licences are effectively ID cards in the UK. I'm in the process of buying a house and the driving licence is the single piece of ID that ties it all together and is visually confirmed. Everything else I could easily forge.

16
0

Re: PCI-DSS Compliance

It's if you store any CC data. In the theoretical event that I wrote a site that used exclusively a 3rd party to process payments I would never record any of the information locally to get around having to have PCI compliance. You can also hand off the details to a second, more secure storage system that you also write and maintain, then only that needs to be PCI compliant.

This is of course definitely a theoretical situation.

0
0
Anonymous Coward

Re: PCI-DSS Compliance

Nearly correct, it's if you handle an unmasked PAN, CVV2 etc., not just storage in the traditional sense.

Equally you can't store the CVV2 number or for that matter a copy of the tracks from the card's magnetic strip.

Equally unless you use clear network segregation other systems could well be within scope of PCI...so if they take payments by phone the web site could easily still be a PCI compliance issue.

This is not by any stretch of the imagination the DVLA's worst security issue in recent times involving piss poor web site security.

Perhaps El Reg may want to submit an FOI request...the response would evidence the quality of the DVLA's incident tracking process if nothing else.

3
0

Re: PCI-DSS Compliance

In my experience of PCI-DSS (a few years rusty), if handing off to a 3rd party you would still have to complete the Self Assessment D and ensure that your provider is PCI compliant.

You would also have to answer any queries about MOTO payments (Mail order, Telephone Order) as your "personnel" would potentially be taking details over the phone and plugging them into a MOTO interface of some variety.

If your systems store, transmit or touch card details in any way then you need to comply with higher levels of PCI. It's not enough to just "not store" the details; even having the card details pass through your server in some way before being routed on to a payment provider is enough to warrant higher level PCI compliance with at least quarterly vulnerability scans.

There are some Gov websites which hand off to 3rd parties, and others handle the card payment within their application. The problem I think with PCI compliance is that anyone can stick a PCI compliance logo on their website, and it only becomes an issue if/when there is a leak of information tracked back to that store/site/application.

0
0

Hmm

Blimey! Maybe they have taken notice? Or is that being too generous?

As of a few seconds ago, this is what I get when attempting to connect

https://motoring.direct.gov.uk

"Service not available

Sorry...

The Driving Licence Online service is temporarily unavailable due to system maintenance. If you were in the middle of a transaction, any information you entered was not saved and you will not be charged. Please try again later. DVLA apologise for any inconvenience this may cause."

20
0
Silver badge

Re: Hmm

Probably the vulnerabilities being exploited.

16
0
Anonymous Coward

Re: Hmm

Oops! This is an invalid link

Sorry...

You've selected an invalid URL. Go back to the motoring home page to select the correct service.

Please use the link below to return to GOV.UK

Return to the motoring home page

3
0
Silver badge

Re: Hmm

Now you simply get an "Oops! This is an invalid link", but it looks like Capita the developer is still learning to code HTML.

0
0
Anonymous Coward

Suspect they finally noticed...

Service not available

Sorry...

The Driving Licence Online service is temporarily unavailable due to system maintenance. If you were in the middle of a transaction, any information you entered was not saved and you will not be charged. Please try again later. DVLA apologise for any inconvenience this may cause.

Please use the link below to return to GOV.UK

Return to the motoring home page

3
0
Silver badge
Joke

Would this lead to...

...Drive by attacks to the browser?

35
0
Anonymous Coward

Re: Would this lead to...

ROFL open goal ha ha

0
0

Cool, expires 10th Jan 2020. See you back here when there's a renewal failure :)

10
0
Anonymous Coward

Could be sooner if it was issued by Symantec....

1
0
Silver badge

The security certificates of all of our websites meet industry standards and we use recognised industry best practice methods to ensure that all our URLs are secure. The security of our customers' data is always paramount and we constantly review our websites to ensure they are fit for purpose.

Instead of just dismissing everything why don't you work with the security professionals to look into the potential issues and fix them.

29
0
Silver badge
Windows

That requires that they listen and take criticism that they've got it wrong...instead of say... claiming everything is fine and works with secure certificates because certificates just work don't they?

There are times where ignorance needs pointing out and arrogance needs a light shone on its shortcomings. Especially with something with as much value as a UK driving licence (ID card, permission to drive in just about every country in the world, nothing much. Just generally an identity thief's wet dream.)

I'd be more than happy to be wrong, it's just that your comment is the management equivalent of 'thoughts and prayers'. They can just ignore it until the other party loses interest and the problem goes away.

And I'm sorry if that sounds hypercritical of your comment but I've seen how these things can go.

That said, after being shown up like this, I'd guess that the DVLA won't be so lax again anytime soon once they've brought the site back after fixing the issues raised here. So.... in a way they have worked with them to get it fixed. (Nice touch having the article on a Friday though. Well played El Reg)

7
0
Silver badge

"The security certificates of all of our websites meet industry standards and we use recognised industry best practice methods to ensure that all our URLs are secure. The security of our customers' data is always paramount and we constantly review our websites to ensure they are fit for purpose."

Translation: "I work in PR. Understanding what you said isn't in my job description. Here's some boiler-plate."

13
0
Silver badge
Facepalm

Funny Story about their ruddy Driving Licence website

When I moved house a few years ago I had to do all the address change stuff which included my driving licence. Normally I would have put my new address on the back of the paper licence* and sent it to them in the post; job done. This time I thought I'd be clever** and use the DVLA website so it would all be sorted online to minimise the paperwork. I had to go through all sorts of steps including entering all my personal details, (IIRC) my NI number*** and my passport details. But it all went through, they accepted my new address and promised to issue updated documents.

Then on the last screen it said: You're obliged by law to return both parts of your old licence in the post so we can cancel it. So it was a complete waste of time for me (but not for them as it handily linked my passport to my driving licence and NI number). Sigh - icon ->

* It was back when the licence consisted of both a photo card and paper part

** Yes, I know!

*** Social security number for Left Pondian types. The DVLA isn't quite as bad as the DMV is reported to be, but I think the promised trade deal with your current small handed incumbent may include completing the job of dragging the DVLA down to DMV levels.

16
0
Anonymous Coward

Re: Funny Story about their ruddy Driving Licence website

Depends what states you are in, PaulF. In California almost all forms are online and you can renew online. To change address you mail in a form. In Alabama you must do everything in person. Oh, and customer service changes from DMV office to office. When I went in to get my DL in Alabama the guy took 45 minutes (appointment, so no waiting in line for me) and constantly had to ask for help. Took my photo and I was like, finally I'm done. Nope, he did not complete it on his end so I had to come back, take another photo, and then I got my DL in 4 weeks. Funny thing is I had a valid paper DL.

0
0

Certificate chain

If there's a problem with the certificate chain how come only Firefox is complaining about it and not all browsers?

3
1

Re: Certificate chain

Most likely because Firefox maintains its own set of trusted certificates, whereas IE and Chrome (for example) use the operating system's. It's quite likely the operating system has (or has at least cached) the intermediate certificates needed to complete the chain...

8
0

Re: Certificate chain

"If there's a problem with the certificate chain how come only Firefox is complaining about it and not all browsers?"

Because every browser is different. Even different Chromium based browsers are different than Chrome itself.

Firefox is a very different beast from Chrome or Safari. Firefox complains more about things like broken certificate chains than Chrome does. Chrome complains about different things, like requiring SAN entries instead of depending on cn= in the X.509 cert.

Thus if you run a web app, best to check it in all the major browsers.

7
0

Re: Certificate chain

"Thus if you run a web app, best to check it in all the major browsers."

True but primarily for application issues.

For HTTPS configuration, running a test for that specifically (eg Qualys server SSL test) and actually understanding its results is best.

In both cases, if you follow standards, there is a good chance you won't have any problem.

Clearly, the DVLA (or subcontracted entity) didn't do this, which is a big fail.

7
0
Silver badge

Re: Certificate chain

Thus if you run a web app, best to check it in all the major browsers.

Once upon a time there was just HTML. The marketing wonks wanted control over layout and it all went downhill from there. Just make your site work without stupidities such as loading stacks of executable stuff from sites over which you've no control and guessing at what browsers the punter might actually have available. KISS

8
0

Re: Certificate chain

And stupid esoteric stuff like the need for IP SANs to also be included as DNSname SANs so Chrome understands them. Certificates are getting quite complicated. No wonder ukgov's IT bods can't even check they have it working in all browsers and old insecure server settings disabled, they probably don't even know what a chain cert is.

0
0
Anonymous Coward

Contractors innit

I believe Serco are responsible for the DVLA website. The DVLA binned their in-house programmers some years ago. Whether or not the work is being undertaken in the UK is open to question.

Nonnymouse 'cos I worked there.

11
0
Anonymous Coward

Actually just noticed it can use TLS 1.0 with TLS_RSA_WITH_3DES_EDE_CBC_SHA ... cool!!!

Triple DES: someone should have taken it round the back of the shed long ago and shot it...

3
0
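As an added example, not part of this thread or of the DVLA site: a Python script that triages scanner output in the shape a Qualys-style TLS test (mentioned earlier in the thread) reports, with a constructed sample that includes the TLS 1.0 / TLS_RSA_WITH_3DES_EDE_CBC_SHA offer noted above, and the server-side `ssl` policy that would clear those findings. The sample suite list, the forward-secrecy check and all function names are constructed here; the audit goes a little beyond the page by also flagging static key exchange.

```python
import ssl

# Constructed sample in the shape a TLS scanner reports: (protocol, IANA
# suite name). The first line is the offer quoted above; the rest are made up.
SAMPLE_SCAN = [
    ("TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_256_GCM_SHA384"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_PREFIXES = ("3DES", "DES_", "RC4", "NULL")


def parse_suite(name):
    """Split an IANA suite name into (key_exchange, cipher, hash).
    TLS 1.3 suites carry no key-exchange part, so that field is None."""
    body = name[4:] if name.startswith("TLS_") else name
    if "_WITH_" in body:
        kx, _, rest = body.partition("_WITH_")
    else:
        kx, rest = None, body
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac


def audit(scan):
    """Map each offered (protocol, suite) that should not be served to its
    list of reasons. A clean configuration yields an empty dict."""
    findings = {}
    for proto, suite in scan:
        kx, cipher, _mac = parse_suite(suite)
        issues = []
        if proto in LEGACY_PROTOCOLS:
            issues.append(f"legacy protocol {proto}")
        if cipher.startswith(WEAK_CIPHER_PREFIXES):
            issues.append(f"weak cipher {cipher}")
        # Static RSA/ECDH key exchange: a leaked server key decrypts every
        # recorded session; only (EC)DHE suites give forward secrecy.
        if kx is not None and not kx.startswith(("ECDHE", "DHE")):
            issues.append(f"no forward secrecy ({kx} key exchange)")
        if issues:
            findings[f"{proto} {suite}"] = issues
    return findings


def hardened_server_context():
    """Corrected server policy: TLS 1.2 floor, AEAD suites with ephemeral
    key exchange only, so nothing audit() flags can be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def context_issues(ctx):
    """List what an SSLContext would still offer that the audit rejects."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] in LEGACY_PROTOCOLS or not c["aead"]
            or "3DES" in c["name"] or "RC4" in c["name"]]
```

Run `audit(SAMPLE_SCAN)` to see the two offending lines with their reasons, and `context_issues(hardened_server_context())` to confirm the corrected policy comes back empty before it is deployed.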
Anonymous Coward

How about the DVLA being a usability car crash generally?

I just had to renew my photocard licence. If you don't have a passport, then you have to do it offline through a properly equipped post office, which you can find by <URL that 404's> or <telephone number that's disconnected>. Rolling my eyes and just turning up at my local post office I discovered that they couldn't do it as their post office franchisee didn't want to pay many thousand quid for a machine with a non-existent return on investment.

After visiting five separate post offices in two separate towns and encountering the same problem, the girl behind the counter at the last one suggested them doing a passport photo and then sending it off via the old paper form, which they did have.

It then transpires that the DVLA requires payment via cheque, which my bank is doing its best to phase out so hasn't provided me with a cheque book. My bank also won't print single cheques and won't provide a banker's draft but can provide me with a cheque book in a "few weeks" at additional cost. (Note that the time taken to print and deliver a cheque book is longer than the deadline from the DVLA for submitting the application.) You can't post cash to the DVLA as their staff aren't trustworthy enough, and they won't do credit cards for a paper application.

Happily, my employer does have a cheque book for the business and was happy to write me one, so I got around it that way, but... FFS DVLA?! Could you make a simple job any more difficult?

28
0
Anonymous Coward

Can you read?

Renewal by post is explained on the notice you were sent and on the DVLA website. Renewal notices are sent out a month before the licence expires, so there's no excuse for being a dick.

2
28
Silver badge

"Could you make a simple job any more difficult?"

Remember that well known training programme on all things relating to HMG administration, Yes Minister. Being sent to the DVLA was one of the ultimate threats for a Civil Servant (the other was RAF Lossiemouth). They're all trying to exhibit their red tape credentials in the hope of being posted back to London.

7
0
Silver badge

The site...

...appears to now be dead.

3
0
Anonymous Coward

Re: The site...

"...appears to now be dead." If only the same could be said of many government agencies. I bet the DVLA have one of those Chief Digital Officers in charge too because the old CIO said it was a dumb idea and they couldn't do it because of rules n stuff.

13
0
Silver badge
Trollface

Re: The site...

If you can't access it, then neither can the hackers. Very secure now surely?

14
0
Anonymous Coward

Chain

They fixed the chain issue about half an hour ago.

Looks as though somebody took some notice.

1
0
Silver badge

Re: Chain

Now I have the Formula 1 theme tune in my head.

5
0
Anonymous Coward

DVLA - reasons to strafe Swansea

A while ago I worked for a local authority and had to set up an interface to get enhanced ownership information on cars that had got a parking ticket. The old ISDN based system was being phased out for a "new" system based round the Government Secure network that had been set up in the wake of some data breach.

The whole process was simply agonising at every stage and I was actively looking for a suitable plane to do the strafing. I gather that their offices are a good way outside Swansea itself so loss of innocent life would have been minimal.

AC for obvious reasons, not least that I have a driving license.

8
0
Silver badge

Re: DVLA - reasons to strafe Swansea

Not only outside central Swansea, but a very prominent (and gawd-awful) building as well.

0
0
Anonymous Coward

Re: DVLA - reasons to strafe Swansea

According to the Daily Red Tops, none of the nasty parking companies who are fleecing lazy parkers have a problem getting that info.

5
0
Silver badge

Re: DVLA - reasons to strafe Swansea

Reasons to strafe Swansea - the lesser known hit by Ian Dury and the Blockheads.

0
0
Bronze badge

Why are there so many chumps and why do they all work in government departments?

I wonder if it's a prerequisite in the interview process

4
0

As someone said further up the thread, the DVLA site is contracted out so it's a private chump rather than a public one that has screwed up.

0
0
Silver badge
FAIL

I wondered

why I couldn't renew my vehicle tax on my secured Linux laptop using Firefox.

It kept coming up with "certificate chain not secure" and blocking the site.

It's a web server ffs... can't DVLA read "Websites for Dummies"?

5
0
FAIL

theregister.co.uk gets an F at securityheaders.io

stones, glass houses et al.

6
5
Silver badge
Holmes

Re: theregister.co.uk gets an F at securityheaders.io

Whilst actually true, it really misses the point. Namely that The Register isn't taking credit card payments through their website and the only details they have on me are minimal details that can be garnered anyway from other websites given a little time (I'm thinking professional communities here). Woohoo, nothing that's particularly worth securing.

Or do you know something the rest of us don't?

9
1
Silver badge
Meh

Re: theregister.co.uk gets an F at securityheaders.io

"Whilst actually true, it really misses the point. Namely that The Register isn't taking credit card payments through their website and the only details they have on me are minimal details that can be garnered anyway from other websites given a little time (I'm thinking professional communities here)."

I take your point, but out of curiosity I pointed the test at my personal web server's front end. I got capped at a B rating because 'This server accepts RC4 cipher, but only with older protocols.'

So that's a web server running in my spare bedroom using a low-cost Windows solution (VPOP3 for anyone interested). All I did was buy a certificate and install it.

Yes, The Register doesn't know much about me (only a disposable email address) but still. It's a technical site that loves to pick apart technology and gloat over its failings.

10
2
Bronze badge

Another vicious unprovoked attack on the motorist

British Cycling is located on Stuart Street, Manchester M11 4DQ. Just sayin'

0
7
Silver badge
FAIL

Just a reminder

These were the people who in the 1970s managed to lose a huge number of driving license records. Their answer when you wanted a renewal was that you should get a reference from a 'professional person' stating that you previously had one.

Clearly they are maintaining standards.

7
0
