Over the weekend, two-factor authentication and PIN randomization were added to the State of Kansas’ digital services app, patching a flaw that allowed users to randomly enter PINs and license plate numbers without being denied access for wrong entries.
The updates were delivered to the iKan app, which was announced on March 30 by Kansas Gov. Jeff Colyer and John Thomson, CEO of PayIT, a Midwest-based technology company that developed the app. The app provides citizens the ability to renew their vehicle registration or access official documents from their personal device for a $2 fee facilitated by PayIT.
Before the patch, the app encrypted transactions but did not penalize users for entering the wrong PIN or license plate. Users quickly realized that randomly entering PINs or license plates revealed the information of random users, including the name of the insurance company, policy numbers, and the cost of registration of a specific vehicle, information that is illegal to access under Kansas state law. The state immediately began a review to figure out potential solutions.
Previously, PINs were issued by the Kansas Division of Vehicles in sequential order, Thomson told StateScoop.
“The PINs are now issued on a random basis by the department to make it harder to guess a PIN,” Thomson said. “We’ve also added a 2nd factor to access the record, which is year of the vehicle. So now you enter PIN and year of the vehicle to initiate the renewal process.”
Because the May PINs have already been issued by the state, the randomization will begin in June.
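The controls described above, sketched as an added example that is not code from PayIT or the State of Kansas: PINs drawn from a cryptographic random source rather than issued in sequence, a lookup that requires plate, PIN and vehicle year together, and a penalty for wrong entries. The record layout, thresholds, and every name in the block are assumptions made for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 5        # assumed threshold, not from the article
WINDOW_SECONDS = 900    # assumed counting/lockout window

# Constructed sample record: plate -> (PIN, vehicle year)
SAMPLE_RECORDS = {"ABC123": ("48210937", 2015)}

def issue_pin(issued, digits=8):
    """Draw an unused PIN from a CSPRNG instead of incrementing a counter."""
    while True:
        pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if pin not in issued:
            issued.add(pin)
            return pin

class RenewalGate:
    """Checks plate + PIN + vehicle year and penalizes wrong entries."""

    def __init__(self, records, clock=time.monotonic):
        self.records = records
        self.clock = clock
        self.failures = {}   # (kind, value) -> (count, window_start)

    def _recent(self, key):
        now = self.clock()
        count, start = self.failures.get(key, (0, now))
        return (count, start) if now - start < WINDOW_SECONDS else (0, now)

    def lookup(self, client, plate, pin, year):
        # Count failures per client and per plate, so neither one client
        # sweeping many plates nor many clients hitting one plate is free.
        keys = (("client", client), ("plate", plate))
        if any(self._recent(k)[0] >= MAX_FAILURES for k in keys):
            return "locked"
        rec = self.records.get(plate)
        if (rec and hmac.compare_digest(pin.encode(), rec[0].encode())
                and year == rec[1]):
            return "ok"
        for k in keys:
            count, start = self._recent(k)
            self.failures[k] = (count + 1, start)
        return "denied"   # same answer for unknown plate, bad PIN, bad year

if __name__ == "__main__":
    gate = RenewalGate(SAMPLE_RECORDS)
    print(gate.lookup("client-1", "ABC123", "48210937", 2015))
    for guess in range(6):
        print(gate.lookup("client-2", "ABC123", f"{guess:08d}", 2015))
```

Per-plate counting also locks out the legitimate owner while the window is open, so a production design would pair it with an out-of-band recovery path.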