Cyber awareness may seem fairly obvious, but it’s not always. For example, you would never post a photo of your driver’s license on Facebook, right? How about your company ID card? Then there’s that selfie you took at the office. Were you wearing your work badge? Not a good idea. Part of cybersecurity awareness is knowing what not to post.

In our snap-and-share reality, these office security gaffes occur every day. And business identity theft actors scour the web for any bit of information they can steal.

Real-world cases show us it’s easier than you think to get ID card data. Your company’s cybersecurity awareness training should include these threat scenarios in response.

Prime Minister Boarding Pass Incident

In 2020, former Australian Prime Minister Tony Abbott posted an image of his boarding pass on Instagram. A well-known professional hacker got wind of this. Then, without using any special software, they were able to acquire Abbott’s phone number and passport details.

The boarding pass displayed critical information that enabled access to sensitive data. The booking reference number, for example, could open Abbott’s account on Qantas Airways’ web portal.

Next, the hacker simply used the Google Chrome ‘Inspect Element’ tool. This allowed them to see the computer’s internal representation of the Qantas page. From there, Abbott’s passport data was revealed. The hacker used their cybersecurity skills to alert the government to the problem, but a malicious attacker could have used the same data for identity theft. Abbott has since taken down his post.

The former Prime Minister isn’t the only one sharing this information with the world. On Instagram alone, nearly 130,000 posts under #boardingpass exist.

Cybersecurity Awareness: Driver’s License & ID Badge Risk

What about the eager teen sharing their newly minted #driverslicense online? And that group photo you took at the office? Did you share sensitive company data by mistake? If an ID badge was in the image, it’s a risk, and cybersecurity awareness best practices apply to it.

Key facts visible on a company ID badge may include:

  • Full name & address
  • Building designations
  • Internal department codes
  • Employee user IDs for internal systems
  • Cellphone number
  • Barcode
  • QR code.

If your building access scans barcodes or QR codes, attackers can duplicate these from an image. Still, the potential threat goes even deeper.

ID cards can enable access to highly sensitive data. For example, a company may require an employee user ID to access human resources portals. Once inside any corporate system, criminals stay hidden. Next, they move laterally throughout the network. Their goal is to locate high-value data or system vulnerabilities.

And please, don’t share your vaccine card on social media either. Any health information displayed could put you at risk of medical identity theft.

Company ID Card Cloning

Cards with chips or magnetic strips should fall under office cybersecurity awareness efforts as well. If your ID card gets lost or misplaced, attackers can duplicate it. Magnetic strips can easily be cloned. Attackers can copy even new EMV chips. Now, if it were a credit card, you would just cancel the card and get a new one.

Likewise, if your work ID/access pass gets lost or stolen, it’s best to issue a new card with a new code. Don’t generate a copy, since a cloned card will still allow access. Also, update your security entry systems and delete the old access code.

Business Identity Theft: RFID Theft-at-a-Distance

Some companies have installed radio-frequency identification (RFID) entry authorization. Most of the time, these cards have scant printed information on them. This makes them safer, right? Sadly, this type of company ID card is incredibly easy to crack. You can even buy RFID scanners and cloning devices on eBay.

With the scanner in their backpack, a criminal only needs to stand within two feet of you to scan your RFID badge. They can even set up a chime to alert for a successful scan. Then the RFID code can be rewritten to a blank chip. This places any RFID-gated parking lot, neighborhood access and entry at risk.

Cybersecurity Awareness: Watch for Synthetic Identity Theft

ID theft increases the risk of a corporate data asset breach. However, synthetic identity theft is another way threat actors use stolen ID data.

Some criminals only focus on harvesting personally identifiable information (PII). Then, they sell their data troves on the deep web. Full-blown identity theft occurs when criminals create fake accounts with the stolen data. One of the most common scams is to set up a fake ID credit account.

The goal isn’t to buy a gadget or new pair of jeans. Instead, the thieves seek to establish a good credit score over time. Then they ‘bust out’ and go on a spending spree or take out sizable cash advances. One of the largest synthetic ID rings ever saw criminals rack up $200 million in charges from 7,000 synthetic IDs and 25,000 credit cards.

Cybersecurity Awareness Training

For cybersecurity awareness training, it pays to review these types of threats. In our age of increased remote work security risk, it could take months before an ID theft is detected.

Make sure nobody ever publishes any kind of at-work photo without thinking twice. In fact, special authorization should be required to take pictures at work. And when you go to the after-office happy hour, put your badge in your pocket.

Cybersecurity awareness training should be proactive. For example, office reception could even display a reminder to remove work IDs upon leaving the building. Someone outside with a high-powered zoom could easily snap photos of ID badges.

Newer Ways to Confirm Identity

It’s important to remember that a company ID card isn’t the same as online access security. The ID badge enables physical access. But badges can leak data that enables digital and/or physical breaches.

Due to these kinds of identity and ID card theft, businesses and agencies may consider biometric solutions. For example, only a fingerprint, iris or face scan will allow full access.

You still need to consider guest access issues. For visitors, you may require multifactor access. This could be a QR code sent to the guest’s smartphone prior to check-in plus a guest badge given to them at reception.

So treat your guests well, educate your teams about cybersecurity awareness and share wisely.
