Cybersecurity Awareness: How Much Data Can An Attacker Get From an Employee ID?

October 11, 2021
| |
4 min read

Cyber awareness may seem fairly obvious, but it’s not always. For example, you would never post a photo of your driver’s license on Facebook, right? How about your company ID card? Then there’s that selfie you took at the office. Were you wearing your work badge? Not a good idea. Part of cybersecurity awareness is knowing what not to post.

In our snap-and-share reality, these office security gaffes occur every day. And business identity theft actors scour the web for any bit of information they can steal.

Real-world cases show us it’s easier than you think to get ID card data. Your company’s cybersecurity awareness training should include these threat scenarios in response.

Prime Minister Boarding Pass Incident

In 2020, former Australian Prime Minister Tony Abbott posted an image of his boarding pass on Instagram. A well-known professional hacker got wind of this. Then, without using any special software, they were able to acquire Abbott’s phone number and passport details.

The boarding pass displayed critical information that enabled access to sensitive data. The booking reference number, for example, could open Abbott’s account on Qantas Airways’ web portal.

Next, the hacker simply used the Google Chrome ‘Inspect Element’ tool. This allowed them to see the computer’s internal representation of the Qantas page. From there, Abbott’s passport data was revealed. They were using their cybersecurity skills to alert the government to the problem, but a malicious attacker could have used it for identity theft. Abbott has since taken down his post.

The former Prime Minister isn’t the only one sharing this information with the world. On Instagram alone, nearly 130,000 posts under #boardingpass exist.

Cybersecurity Awareness: Driver’s License & ID Badge Risk

What about the eager teen sharing their newly minted #driverslicense online? And that group photo you took at the office? Did you share sensitive company data by mistake? If an ID badge was in the image, it’s a risk, and cybersecurity awareness best practices apply to it.

Key facts visible on a company ID badge may include:

  • Full name & address
  • Building designations
  • Internal department codes
  • Employee user IDs for internal systems
  • Cellphone number
  • Barcode
  • QR code.

If your building access scans barcodes or QR codes, attackers can duplicate these from an image. Still, the potential threat goes even deeper.

ID cards can enable access to highly sensitive data. For example, a company may require an employee user ID to access human resources portals. Once inside any corporate system, criminals stay hidden. Next, they move laterally throughout the network. Their goal is to locate high-value data or system vulnerabilities.

And please, don’t share your vaccine card on social media either. Any health information displayed could put you at risk of medical identity theft.

Company ID Card Cloning

Cards with chips or magnetic strips should fall under office cybersecurity awareness efforts as well. If your ID card gets lost or misplaced, attackers can duplicate the cards. Magnetic strips can easily be cloned. Attackers can copy even new EMV chips. Now, if it was a credit card, you would just cancel the card and get a new one.

Likewise, if your work ID/access pass gets lost or stolen, it’s best to issue a new card with a new code. Don’t generate a copy, since a cloned card will still allow access. Also, update your security entry systems and delete the old access code.

Business Identity Theft: RFID Theft-at-a-Distance

Some companies have installed radio-frequency identification (RFID) entry authorization. Most of the time, these cards have scant printed information on them. This makes them safer, right? Sadly, this type of company ID card is incredibly easy to crack. You can even buy RFID scanners and cloning devices on eBay.

With the scanner in their backpack, a criminal only needs to stand within two feet of you to scan your RFID badge. They can even set up a chime to alert for a successful scan. Then the RFID code can be re-written to a blank chip. This places any RFID gated parking lot, neighborhood access and entry at risk.

Cybersecurity Awareness: Watch for Synthetic Identity Theft

ID theft increases the risk of a corporate data asset breach. However, synthetic identity theft is another way threat actors use stolen ID data.

Some criminals only focus on harvesting personally identifiable information (PII). Then, they sell their data troves on the deep web. Full-blown identity theft occurs when criminals create fake accounts with the stolen data. One of the most common scams is to set up a fake ID credit account.

The goal isn’t to buy a gadget or new pair of jeans. Instead, the thieves seek to establish a good credit score over time. Then they ‘bust out’ and go on a spending spree or take out sizable cash advances. One of the largest synthetic ID rings ever saw criminals rack up $200 million in charges from 7,000 synthetic IDs and 25,000 credit cards.

Cybersecurity Awareness Training

For cybersecurity awareness training, it pays to review these types of threats. In our age of increased remote work security risk, it could take months before an ID theft is detected.

Make sure nobody ever publishes any kind of at-work photo without thinking twice. In fact, special authorization should be required to take pictures at work. And when you go to the after-office happy hour, put your badge in your pocket.

Cybersecurity awareness training should be proactive. For example, office reception could even display a reminder to remove work IDs upon leaving the building. Someone outside with a high-powered zoom could easily snap photos of ID badges.

Newer Ways to Confirm Identity

It’s important to remember that a company ID card isn’t the same as online access security. The ID badge enables physical access. But badges can leak data that enables digital and/or physical breaches.

Due to these kinds of identity and ID card theft, businesses and agencies may consider biometric solutions. For example, a fingerprint, iris or face scan only will allow full access.

You still need to consider guest access issues. For visitors, you may require multifactor access. This could be a QR code sent to the guest’s smartphone prior to check-in plus a guest badge given to them at reception.

So treat your guests well, educate your teams about cybersecurity awareness and share wisely.

Jonathan Reed
Freelance Technology Writer

Jonathan Reed is a freelance technology writer. For the last decade, he has written about a wide range of topics including cybersecurity, Industry 4.0, AI/ML...
read more