MT:
This means there are no technical people who are competent at NIMC.

How did XpressVerify API interface with the national data which suppose to require authentication and authorization before access will be allowed.

Only God knows what they have been able to do with people's data.

Head suppose to roll with NIMC technical drivers and hard questions need to be asked.

Competent hands and robust infrastructure suppose to man sensitive data as such. I am so scared there would have been lot of identity thefts already

Old men always claiming they know best.

See the result

ALL THE NIMC ARE DOING IS BASICALLY MEANINGLESS AND USELESS TO EVERYBODY!

Na him Elsie wey dey nairalsnd dey charge 50k.ole

MT:
This means there are no technical people who are competent at NIMC.

How did XpressVerify API interface with the national data which suppose to require authentication and authorization before access will be allowed.

Only God knows what they have been able to do with people's data.

Head suppose to roll with NIMC technical drivers and hard questions need to be asked.

Competent hands and robust infrastructure suppose to man sensitive data as such. I am so scared there would have been lot of identity thefts already

It's an inside job. This who have access the back granted access to XpressVerify, except the structure is weak and can easily be bypassed but I doubt this..

MT:
This means there are no technical people who are competent at NIMC.

How did XpressVerify API interface with the national data which suppose to require authentication and authorization before access will be allowed.

Only God knows what they have been able to do with people's data.

Head suppose to roll with NIMC technical drivers and hard questions need to be asked.

Competent hands and robust infrastructure suppose to man sensitive data as such. I am so scared there would have been lot of identity thefts already

It simply means the APIs of NIMC are exposed and without authorization requirement. Simple adding /api after the website name could have even exposed it. I'm sure they won't tell the public that part.

Kukutente23:

I guess you're one of the operators of the site

Wait till govt catches you

Oga getout, you and your useless government .

Let them give you basic amenities first before you worry about your NIN

bhella10:
All you can do is shout Yorubanization all year round. Yoruba owns your ass for another 7+ years. We must collect your data.

LoL. Dey whine yourself. You think Tinubu will be lucky to have the kind of support he had that enabled him win the first term election in some areas while rigging in other areas? Tinubu can only win the 2nd term through a daring and mind-boggling rigging and manipulation that will most likely spark nationwide protests.

Even his yoruba people who voted for him but are going through serious hardship now as a result of his policies are bitterly regretting voting for him. Only the mentally sick ones among them will still go ahead and vote for him despite what they are going through.

xpressverify is a domain name it is not the name of a company.

The company behind xpressverify is a licensed partner that offers NIN verification services.

There is nothing here to investigate.

The only breach here is that the domain should be available to agents that engage in NIN enrolment - not the general public.

An unlicensed 3rd party is offering NIN verification and they are still tell us that our data is safe, are this people stupid or they take us as stupid. How on earth are you saying that peoples data is safe when anybody can put your NIN on their platform and all your info is there for the person to see

bitbillionaire:


LoL. Dey whine yourself. You think Tinubu will be lucky to have the kind of support he had that enabled him win the first term election in some areas while rigging in other areas? Tinubu can only win the 2nd term through a daring and mind-boggling rigging and manipulation that will most likely spark nationwide protests.

Even his yoruba people who voted for him but are going through serious hardship now as a result of his policies are bitterly regretting voting for him. Only the mentally sick ones among them will still go ahead and vote for him despite what they are going through.

7 more years of Yorubanization save your salaye

MT:


1. I doubt the fact that a bona fide licensee can share the authentication credentials with them knowing fully well they are competitors.

2. I doubt that MITM attack can be responsible as the credentials are encrypted over the wire, and if it is tampered with, the authentication will not go through.

3. The credentials (especially the key) on prod environments are always known to one or two persons. They need to conduct rigrorous investigation to pin it on someone

Nothing you've said makes it impossible.

If 1 holds true, how then did they perpetrate the act as they're not licensed or authorized and therefore should have had no auth keys?

There are payment aggregators, especially in the electricity payments industry, who chain their primary auth by allowing sub-aggregators to connect via another API. The sub sends their request and their private key is authenticated, and the prime aggregator uses their own privileges to complete the transaction and relays response back to the sub. The sub never holds the main private auth keys. Happens all the time.

For 2, MITM exploits vulnerabilities and no system is 100% safe from exploitable chinks in the armor.

Someone somewhere dropped the ball whatever the scenario is, and that's the key takeaway

classicfrank4u:
They should not waste tax payers money investigating any nonsense, useless NIN that can't be used to track ordinary kidnappers.

Think before you comment. Such breaches happen even in advanced countries. So the first thing is to investigate to unravel the cause. Many of you people are shallow in reasoning and internet is not helpful at all. You lack critical thinking ability