Cyber awareness may seem fairly obvious, but it’s not always. For example, you would never post a photo of your driver’s license on Facebook, right? How about your company ID card? Then there’s that selfie you took at the office. Were you wearing your work badge? Not a good idea. Part of cybersecurity awareness is knowing what not to post.

In our snap-and-share reality, these office security gaffes occur every day. And business identity theft actors scour the web for any bit of information they can steal.

Real-world cases show us it’s easier than you think to get ID card data. Your company’s cybersecurity awareness training should include these threat scenarios in response.

Prime Minister Boarding Pass Incident

In 2020, former Australian Prime Minister Tony Abbott posted an image of his boarding pass on Instagram. A well-known professional hacker got wind of this. Then, without using any special software, they were able to acquire Abbott’s phone number and passport details.

The boarding pass displayed critical information that enabled access to sensitive data. The booking reference number, for example, could open Abbott’s account on Qantas Airways’ web portal.

Next, the hacker simply used the Google Chrome ‘Inspect Element’ tool. This allowed them to see the computer’s internal representation of the Qantas page. From there, Abbott’s passport data was revealed. The hacker was using their cybersecurity skills to alert the government to the problem, but a malicious attacker could have used the same data for identity theft. Abbott has since taken down his post.

The former Prime Minister isn’t the only one sharing this information with the world. On Instagram alone, nearly 130,000 posts under #boardingpass exist.

Cybersecurity Awareness: Driver’s License & ID Badge Risk

What about the eager teen sharing their newly minted #driverslicense online? And that group photo you took at the office? Did you share sensitive company data by mistake? If an ID badge was in the image, it’s a risk, and cybersecurity awareness best practices apply to it.

Key facts visible on a company ID badge may include:

  • Full name & address
  • Building designations
  • Internal department codes
  • Employee user IDs for internal systems
  • Cellphone number
  • Barcode
  • QR code

If your building access scans barcodes or QR codes, attackers can duplicate these from an image. Still, the potential threat goes even deeper.

ID cards can enable access to highly sensitive data. For example, a company may require an employee user ID to access human resources portals. Once inside any corporate system, criminals stay hidden. Next, they move laterally throughout the network. Their goal is to locate high-value data or system vulnerabilities.

And please, don’t share your vaccine card on social media either. Any health information displayed could put you at risk of medical identity theft.

Company ID Card Cloning

Cards with chips or magnetic strips should fall under office cybersecurity awareness efforts as well. If your ID card gets lost or misplaced, attackers can duplicate it. Magnetic strips can easily be cloned. Attackers can copy even new EMV chips. Now, if it were a credit card, you would just cancel the card and get a new one.

Likewise, if your work ID/access pass gets lost or stolen, it’s best to issue a new card with a new code. Don’t generate a copy, since a cloned card will still allow access. Also, update your security entry systems and delete the old access code.

Business Identity Theft: RFID Theft-at-a-Distance

Some companies have installed radio-frequency identification (RFID) entry authorization. Most of the time, these cards have scant printed information on them. This makes them safer, right? Sadly, this type of company ID card is incredibly easy to crack. You can even buy RFID scanners and cloning devices on eBay.

With the scanner in their backpack, a criminal only needs to stand within two feet of you to scan your RFID badge. They can even set up a chime to alert them to a successful scan. Then the RFID code can be rewritten to a blank chip. This puts any RFID-gated parking lot, neighborhood or other entry point at risk.

Cybersecurity Awareness: Watch for Synthetic Identity Theft

ID theft increases the risk of a corporate data asset breach. However, synthetic identity theft is another way threat actors use stolen ID data.

Some criminals only focus on harvesting personally identifiable information (PII). Then, they sell their data troves on the deep web. Full-blown identity theft occurs when criminals create fake accounts with the stolen data. One of the most common scams is to set up a fake ID credit account.

The goal isn’t to buy a gadget or new pair of jeans. Instead, the thieves seek to establish a good credit score over time. Then they ‘bust out’ and go on a spending spree or take out sizable cash advances. One of the largest synthetic ID rings ever saw criminals rack up $200 million in charges from 7,000 synthetic IDs and 25,000 credit cards.

Cybersecurity Awareness Training

For cybersecurity awareness training, it pays to review these types of threats. In our age of increased remote work security risk, it could take months before an ID theft is detected.

Make sure nobody ever publishes any kind of at-work photo without thinking twice. In fact, special authorization should be required to take pictures at work. And when you go to the after-office happy hour, put your badge in your pocket.

Cybersecurity awareness training should be proactive. For example, office reception could even display a reminder to remove work IDs upon leaving the building. Someone outside with a high-powered zoom could easily snap photos of ID badges.

Newer Ways to Confirm Identity

It’s important to remember that a company ID card isn’t the same as online access security. The ID badge enables physical access. But badges can leak data that enables digital and/or physical breaches.

Due to these kinds of identity and ID card theft, businesses and agencies may consider biometric solutions. For example, only a fingerprint, iris or face scan will allow full access.

You still need to consider guest access issues. For visitors, you may require multifactor access. This could be a QR code sent to the guest’s smartphone prior to check-in plus a guest badge given to them at reception.

So treat your guests well, educate your teams about cybersecurity awareness and share wisely.
