This is an amazing piece of investigative journalism. It shows how India, with its mountains of engineering talent, still could not prevent one of its critical national databases from being compromised.
This raises concerns about the integrity of the BVN database and, to be honest, about the systems run by many in the payment industry, who hide behind the term “PCI DSS compliance” as if it were a proxy for security. Compliance is a checklist, not a security posture, and internally they know about the many skeletons and duct-tape patches in their systems.
For example, one of the principal claims usually made about the BVN system is that no individual can register twice. Claims are there to be refuted, and I would like NIBSS to back that assertion up by creating a programme that invites security researchers to test it. We cannot continue to conflate obscurity with security.
I would also like to encourage Nigerian fintech companies to set up public, paid bug bounty programmes as a way to surface new vulnerabilities before criminals do. It would also go a long way towards instilling more confidence. A situation whereby a bunch of boys are defrauding the system to the tune of billions by exploiting a client-side, man-in-the-middle script hack is intellectually insulting. You all know who you are.
TL;DR: Please establish and publish the guidelines for your bug bounty programmes. If you are scared about what may be revealed, note this: it will get out anyway, and it is far worse for your economic wellbeing if you cannot control how it gets out.