Vehicle owners' info easily accessible to others on new Kansas site
Kansans' personal vehicle registration information is easily accessible to others on a new state website, raising security concerns.
The state uses the site — called iKan — to perform vehicle registration renewals and plans to expand it to include vital records and voter registration in the coming months.
On the site, launched last month, individuals can quickly look up others’ registration information by entering PIN numbers slightly different than their own. That’s because the personal identification numbers given to vehicle owners appear to be sequential, and not random.
When a PIN is entered, the website pulls up the vehicle’s plate number, the plate type, the amount owed and the due date. Confirm the information is correct, and you see the registrant’s insurance company and policy number.
Confirm again the information is correct, and the site asks if you want to purchase a wildlife and parks pass along with your registration renewal and whether you want to enter your contact information.
The ability to access the information was first disclosed on Reddit. A user called CitizenofKansas said they accidentally entered the wrong PIN while trying to renew their vehicle registration, bringing up someone else’s information.
The user wrote that “after playing around I found (out) the PIN is not random and sequential.” The user contacted someone at the DMV, who said iKan was a vendor site and that the user should contact the vendor.
“I tried but never could get a live person so sent an email (on 4/5) but no response. I started to experiment and it allows you to try forever and doesn't seem to care if you are just browsing the pin numbers,” the user wrote.
Another Reddit user who accessed the site said the PIN issue could be easily fixed.
“Seems like a sloppy oversight if they intend it to be secure, though I can't say for sure whether that's the case,” the user wrote.
Kansas rolled out the iKan site on March 29. The site’s layout mimics a text message conversation and allows individuals to renew vehicle registrations on their phone.
“The Department appreciates alerts from the media detailing the attempt to breach the new vehicle registration application, iKan. It is illegal to use a pin belonging to someone else to try to access information in the vehicle registration system,” said Rachel Whitten, a spokeswoman for the Kansas Department of Revenue.
“Fortunately, there is no privileged personal information to be accessed, even with the illegal use of a pin number. State authorities are investigating the attempted breach.”
Whitten added that someone's tag numbers, insurance company and policy number are not classified as personal information, and could be requested under the Kansas Open Records Act.
The old registration renewal site, still online at KDOR’s site, required an individual to enter both their PIN and the vehicle year to proceed. The new iKan site requires only a PIN.
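The story touches on three controls: PINs that are not sequential, a second value required alongside the PIN (as on the old KDOR site), and a cap on repeated wrong entries. The sketch below shows how they fit together in a lookup service. It is an added example, not code from iKan, PayIt or KDOR; the class name, the limits and the sample record are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed policy: wrong guesses allowed per client
WINDOW_SECONDS = 900    # assumed policy: window in which failures are counted


def new_pin(digits=12):
    """Draw a PIN from the OS CSPRNG so one PIN says nothing about the next."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


class RegistrationLookup:
    """Hypothetical lookup service; records map PIN -> registration dict."""

    def __init__(self, records, clock=time.monotonic):
        self._records = records
        self._failures = {}     # client id -> timestamps of failed lookups
        self._clock = clock

    def lookup(self, client, pin, vehicle_year):
        now = self._clock()
        recent = [t for t in self._failures.get(client, [])
                  if now - t < WINDOW_SECONDS]
        self._failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            return "throttled", None
        record = self._records.get(pin)
        expected = str(record["vehicle_year"]) if record else ""
        # Require PIN and vehicle year together; an unknown PIN and a wrong
        # year get the same answer, so responses do not confirm valid PINs.
        if record is None or not hmac.compare_digest(
                expected.encode(), str(vehicle_year).encode()):
            recent.append(now)
            return "not_found", None
        return "ok", record


if __name__ == "__main__":
    pin = new_pin()     # constructed sample record, not real data
    svc = RegistrationLookup({pin: {"vehicle_year": 2015, "plate": "SAMPLE1"}})
    print(svc.lookup("client-a", pin, 2015)[0])          # owner's lookup
    for guess in range(6):                               # repeated wrong PINs
        print(svc.lookup("client-b", f"{guess:012d}", 2015)[0])
```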
The iKan site was developed by PayIt, a technology firm based in Kansas City, Mo. The company says on its website that it simplifies government processes for citizens using “language and an interface they understand: chat.”
A news release announcing iKan also said it allows Kansans “to have access to their official documents anywhere they bring their phone, tablet, or have access to a computer.”
“One of the foremost goals of my administration is to make government more accessible for Kansans,” Gov. Jeff Colyer said in a March 29 statement. “I’m so pleased that with the launch of iKan, we now have more options to make transactions quickly and conveniently.”
When it was launched, other officials also showered the new site with praise. Donna Shelite, the state’s chief information technology officer, said the site gives Kansans the ability to get “what they need from multiple services in a single experience.”
Contributing: Candi Bolden
This story was originally published April 11, 2018 at 4:15 PM with the headline "Vehicle owners' info easily accessible to others on new Kansas site."