Sunday morning thoughts on identity theft Today, I went out for a Sunday morning stroll and snack/coffee around the neighbourhood. Sitting at the table outside a street-level (oh, the perks of September in Lisbon), I look at the clear glass window next to the entrance door, and see no less than . A girl’s card, a man’s card, and an old lady’s card. This is a strangely common thing here in Portugal. Behind it lies the assumption that the person who lost their card lives in the neighbourhood, might return to the cafeteria, and gets their card back without the hassle of asking for a replacement (or someone recognises the person and contacts them). The cards were taped to the inner side of the window, alright, but even so, they were: cafeteria three Citizen Cards taped to the glass quite available for someone to take them away; quite available for someone to take pictures of both sides of the card; and completely available for someone to go there when the cafeteria is closed and take a picture of the front of the card. Specimen of the Portuguese “Citizen Card” (from ) autenticacao.gov.pt For context, let us remember what a Portuguese identity card bears on both sides (italics for what is, IMHO, particularly sensitive information): Front: , gender, height, nationality, , , expiry date, (B&W). full name date of birth ID number signature, photo Back: . full name of both parents, tax payer number, Social Security number, National Health Service number The road to hell is paved with good intentions and with scams conducted using only the information you can get from an ID card taped to a cafeteria’s window. Although the Portuguese card is an electronic one, the vast majority of use cases of identity proof (special highlight for… !) are still handled as if we didn’t leave the hideous yellow paper identity card behind. banking A (blank) good old “Bilhete de Identidade” (By User:Dantadd [Public domain], ) via Wikimedia Commons Due to lack of technological equipment, and to a combination of good will and commercial interest in getting people through the funnel, too much of the audit trail is established using a of the electronic card (sometimes, with enough persuasion and good back story, without even showing the real document). One of the cards on the cafeteria’s window is from a senior citizen, so a fraudster could easily come up with a mobility related story to both justify the absence of the person and create empathy to cut some procedural corners. legally dubious paper copy This is particularly serious regarding access to restricted information through channels. We have here most of the information customer support agents usually ask as means to confirm that you are you. The only key piece of information missing is your address (which in the card’s chip, protected by a PIN). In most cases one can aim at obtaining it through some social engineering action. The complexity of this endeavour can range from in loco observation (remember the card was left at a cafeteria and has a photo) combined with helpful neighbours ( ) to simply googling your name. An attacker can also get their way to your address through customer support line’s naive procedures (e.g. to get you a replacement loyalty card, they confirm your identity through the remaining info and then to confirm that’s where you want the card sent to). telephone neighbourhood “Do you know what floor is Mr. Smith? I found his wallet!” another tell you your full address Finally, there’s gaining access to (email, social networks, e-commerce, etc.). With a combination of name, date of birth, and photo, one can get a positive match on one of these accounts, and then social engineer one’s way into password reset/recovery. One might even get the “mother’s maiden name” question! For a Portuguese citizen, this particularly easier to obtain, because it’s part of one’s full name — but having both paretns’ full names on the back of the card is a convenient way of telling which of those middle names by the dozen is the magic answer. online accounts security Through all these scenarios, there’s also the possibility for an attacker to get your valuable information from… ! After tying the information in the identity card to a telephone number (again, social engineering), an attacker can pose themselves as a legitimate customer service representative (well, they do know your full name, date of birth, ID number, tax payer number, …) claiming to be solving some problem with your account. you The above examples are described with the Portuguese social and institutional fabric in my mind, but they’re easily applicable elsewhere, with some high-profile cases showing just that. . . Amazon is vulnerable to this type of hack So is Apple In conclusion, as a strong piece of advice: If you find a lost identity card (or any type of personal document), . The time and money cost of asking for a replacement ID card are peanut compared with the potential consequences of exposing someone to identity theft — so you’re doing someone a bigger favour by acting like this. hand it at the nearest police station or to a police officer If you run a store of any sort, either not accept any lost documents (and direct people to the authorities) or accept them and keep them for some days before handing them to the authorities. in a safe place Never put anyone’s documents on display! Identity theft real. is This post represents my personal opinion on this subject, not that of any company I work (or have worked) at/for on this subject area.
