Cyber awareness may seem fairly obvious, but it’s not always. For example, you would never post a photo of your driver’s license on Facebook, right? How about your company ID card? Then there’s that selfie you took at the office. Were you wearing your work badge? Not a good idea. Part of cybersecurity awareness is knowing what not to post.

In our snap-and-share reality, these office security gaffes occur every day. And business identity theft actors scour the web for any bit of information they can steal.

Real-world cases show us it’s easier than you think to get ID card data. Your company’s cybersecurity awareness training should include these threat scenarios in response.

Prime Minister Boarding Pass Incident

In 2020, former Australian Prime Minister Tony Abbott posted an image of his boarding pass on Instagram. A well-known professional hacker got wind of this. Then, without using any special software, they were able to acquire Abbott’s phone number and passport details.

The boarding pass displayed critical information that enabled access to sensitive data. The booking reference number, for example, could open Abbott’s account on Qantas Airways’ web portal.

Next, the hacker simply used the Google Chrome ‘Inspect Element’ tool. This allowed them to see the computer’s internal representation of the Qantas page. From there, Abbott’s passport data was revealed. They were using their cybersecurity skills to alert the government to the problem, but a malicious attacker could have used it for identity theft. Abbott has since taken down his post.

The former Prime Minister isn’t the only one sharing this information with the world. On Instagram alone, nearly 130,000 posts under #boardingpass exist.

Cybersecurity Awareness: Driver’s License & ID Badge Risk

What about the eager teen sharing their newly minted #driverslicense online? And that group photo you took at the office? Did you share sensitive company data by mistake? If an ID badge was in the image, it’s a risk, and cybersecurity awareness best practices apply to it.

Key facts visible on a company ID badge may include:

  • Full name & address
  • Building designations
  • Internal department codes
  • Employee user IDs for internal systems
  • Cellphone number
  • Barcode
  • QR code.

If your building access scans barcodes or QR codes, attackers can duplicate these from an image. Still, the potential threat goes even deeper.

ID cards can enable access to highly sensitive data. For example, a company may require an employee user ID to access human resources portals. Once inside any corporate system, criminals stay hidden. Next, they move laterally throughout the network. Their goal is to locate high-value data or system vulnerabilities.

And please, don’t share your vaccine card on social media either. Any health information displayed could put you at risk of medical identity theft.

Company ID Card Cloning

Cards with chips or magnetic strips should fall under office cybersecurity awareness efforts as well. If your ID card gets lost or misplaced, attackers can duplicate the cards. Magnetic strips can easily be cloned. Attackers can copy even new EMV chips. Now, if it was a credit card, you would just cancel the card and get a new one.

Likewise, if your work ID/access pass gets lost or stolen, it’s best to issue a new card with a new code. Don’t generate a copy, since a cloned card will still allow access. Also, update your security entry systems and delete the old access code.

Business Identity Theft: RFID Theft-at-a-Distance

Some companies have installed radio-frequency identification (RFID) entry authorization. Most of the time, these cards have scant printed information on them. This makes them safer, right? Sadly, this type of company ID card is incredibly easy to crack. You can even buy RFID scanners and cloning devices on eBay.

With the scanner in their backpack, a criminal only needs to stand within two feet of you to scan your RFID badge. They can even set up a chime to alert for a successful scan. Then the RFID code can be re-written to a blank chip. This places any RFID gated parking lot, neighborhood access and entry at risk.

Cybersecurity Awareness: Watch for Synthetic Identity Theft

ID theft increases the risk of a corporate data asset breach. However, synthetic identity theft is another way threat actors use stolen ID data.

Some criminals only focus on harvesting personally identifiable information (PII). Then, they sell their data troves on the deep web. Full-blown identity theft occurs when criminals create fake accounts with the stolen data. One of the most common scams is to set up a fake ID credit account.

The goal isn’t to buy a gadget or new pair of jeans. Instead, the thieves seek to establish a good credit score over time. Then they ‘bust out’ and go on a spending spree or take out sizable cash advances. One of the largest synthetic ID rings ever saw criminals rack up $200 million in charges from 7,000 synthetic IDs and 25,000 credit cards.

Cybersecurity Awareness Training

For cybersecurity awareness training, it pays to review these types of threats. In our age of increased remote work security risk, it could take months before an ID theft is detected.

Make sure nobody ever publishes any kind of at-work photo without thinking twice. In fact, special authorization should be required to take pictures at work. And when you go to the after-office happy hour, put your badge in your pocket.

Cybersecurity awareness training should be proactive. For example, office reception could even display a reminder to remove work IDs upon leaving the building. Someone outside with a high-powered zoom could easily snap photos of ID badges.

Newer Ways to Confirm Identity

It’s important to remember that a company ID card isn’t the same as online access security. The ID badge enables physical access. But badges can leak data that enables digital and/or physical breaches.

Due to these kinds of identity and ID card theft, businesses and agencies may consider biometric solutions. For example, a fingerprint, iris or face scan only will allow full access.

You still need to consider guest access issues. For visitors, you may require multifactor access. This could be a QR code sent to the guest’s smartphone prior to check-in plus a guest badge given to them at reception.

So treat your guests well, educate your teams about cybersecurity awareness and share wisely.

More from Identity & Access

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today