How Hackers Are Harvesting PI and How to Protect Identity Info

Your personal identity (PI) is any identification, presented in numbers, icons or letters, that is used to describe you and only you. Your phone number, email address, Social Security number, passport number, birthday, driver’s license number, birthdate and a host of other identifiers distinguish you from your neighbor, a fellow in Sri Lanka or your sister. Using any of the above should help differentiate you from others. Since too many people can have the same name, birthdate, password or other descriptors, combinations of the above should further discern that it’s you, not somebody else, with your PI.

Without knowing you personally, having your own PI means you can open bank accounts, prove you have enough money to buy a car or fly to Switzerland. Of course, not knowing that someone else is using your PI can also mean that somebody is using your good name and credit to open bank accounts, buy a car or fly to Switzerland. Once discovered that someone else is using your PI, it can be very difficult to stop and correct. That’s why it is so important to assure that your PI is protected.

With this in mind, how many pieces of PI do you store on any one site? Probably three or more. Name, address, ZIP code and driver’s license number, as just a beginning. Any other people with your name? Check Google. Address? Check Google. ZIP code: of course. License number: there shouldn’t be. That’s the importance of unique PI. And we should try to use them whenever we can. But what if somebody steals it? Hmmm.

It’s Just Too Simple to Hack Your PI

When it is just a standard PI, like your name, or unique PI, like your passport number, it needs to be protected. That’s why we try to protect PI, especially the unique ones. It’s why we don’t carry our Social Security card in our wallet. In case our wallet is lost or stolen, that unique PI isn’t captured along with it.

But your travel agent recently requested your passport number for their records so when they book an international flight for you, they won’t have to bother you for this info. Of course, you emailed this information to them. In doing so, hackers now have been given two opportunities to get this information, via the email and in your travel agent’s files. And it’s easy to get.

After all, public WiFi data transmissions are unsecure so even beginning hackers can gain access to your passport number. Importantly, don’t assume public WiFi is safe. Often it is not very secure. Too often, that public WiFi network you are using is actually being run by a hacker. And if not, hackers often eavesdrop on legitimate networks to steal your data. Too often, you can’t be sure what is protecting that public WiFi so you might consider using a virtual public network (VPN) to add an extra layer of security and avert any possibility of eavesdropping.

The same type of caution should go with using others’ websites. Are they secured or unsecured? Here’s a quick confirmation: If the URL starts with HTTP instead of HTTPS, it’s not secured and is open to hacking. And, even if it is HTTP, it still might be a front for a scam. The easiest check of all: If you don’t know the company, don’t use their website.

To burrow in on how many ways a hacker can easily get to your PI, read on. Let’s pretend that your hospital, travel agent, bank or whomever uses an RFID card to get into their building. Even if your supplier thinks their computer system is protected, it may not be. Here’s why.

There are three main ways to assault a card-based electronic access control system: skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorized reader to access information on the unsuspecting victim’s RFID card or tag without consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorized entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in situations in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.

Here’s an even scarier, more subtle, way of getting to your or your customers’ PI: Do you use a mobile access control system, one where your smartphone acts like your ID badge? There has to be a special word of caution emphasized when changing over to mobile systems.

Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data. These older mobile systems force the user to register themselves and their integrators for every application. Door access: register. Parking Access: register.

Knowing this, users will prefer credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. All that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your system, demand a better system.

How to Battle Hackers

Yes, once we think about it, way too many of our PIs are at the mercy of hackers sneaking into places where we have no control: from our insurance agency’s computer files to those of our doctors, banks, credit card companies and on and on. If they’re hacked, it’s often we who are in the most trouble. Therefore, limit your exposure to them. Give them only what they must have and double-check with them on their security measures.

Online scams are prevalent, and especially popular around holidays and events. Send in your information and win a T-shirt. For a $5 tee, you’ve just shared a PI that you won’t keep in your wallet in case you lose it. Or, how about that notice on an invoice from a firm you know that says you may owe money? Just provide your checking account number and they can quickly get you out of arrears. Bottom line, if you aren’t sure about this charge, delete the email and call the company. But don’t use the phone number on the email. Get the real number by checking with information, their website or some other documentation you have on file.

Another aspect of securing information is to make PI unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in ensuring data security.

Keep Your PI to Yourself

Protecting your PI is pretty important. But, also protecting others’ PI if you collect them is paramount. Each time a thief gets one of your PIs, especially if it’s unique, can cause big problems for the holder. Once that hacker gets several PIs, especially unique PIs, the problem can become massive.

(Visited 1,720 times, 5 visits today)

Scott Lindley co-founded Farpointe Data in 2003, and holds the position of Vice President and General Manager. Prior to Farpointe, Scott was Director RFID Products at Keri Systems and Sales Manager North America at Motorola Indala Corporation. Scott holds a Master of Business Administration (MBA) from Thunderbird School of Global Management in Glendale, Arizona and a Bachelor of Arts from California State University in Sacramento, California.

Leave a Reply

Latest from Biometrics & ID Management

Go to Top
X
X