Today, I went out for a Sunday morning stroll and snack/coffee around the neighbourhood. Sitting at the table outside a street-level cafeteria (oh, the perks of September in Lisbon), I look at the clear glass window next to the entrance door, and see no less than three Citizen Cards taped to the glass. A girl’s card, a man’s card, and an old lady’s card. This is a strangely common thing here in Portugal. Behind it lies the assumption that the person who lost their card lives in the neighbourhood, might return to the cafeteria, and gets their card back without the hassle of asking for a replacement (or someone recognises the person and contacts them).
The cards were taped to the inner side of the window, alright, but even so, they were:
- quite available for someone to take them away;
- quite available for someone to take pictures of both sides of the card; and
- completely available for someone to go there when the cafeteria is closed and take a picture of the front of the card.
For context, let us remember what a Portuguese identity card bears on both sides (italics for what is, IMHO, particularly sensitive information):
- Front: full name, gender, height, nationality, date of birth, ID number, expiry date, signature, photo (B&W).
- Back: full name of both parents, tax payer number, Social Security number, National Health Service number.
The road to hell is paved with good intentions and with scams conducted using only the information you can get from an ID card taped to a cafeteria’s window. Although the Portuguese card is an electronic one, the vast majority of use cases of identity proof (special highlight for…banking!) are still handled as if we didn’t leave the hideous yellow paper identity card behind.
Due to lack of technological equipment, and to a combination of good will and commercial interest in getting people through the funnel, too much of the audit trail is established using a legally dubious paper copy of the electronic card (sometimes, with enough persuasion and good back story, without even showing the real document). One of the cards on the cafeteria’s window is from a senior citizen, so a fraudster could easily come up with a mobility related story to both justify the absence of the person and create empathy to cut some procedural corners.
This is particularly serious regarding access to restricted information through telephone channels. We have here most of the information customer support agents usually ask as means to confirm that you are you. The only key piece of information missing is your address (which in the card’s chip, protected by a PIN). In most cases one can aim at obtaining it through some social engineering action. The complexity of this endeavour can range from in loco observation (remember the card was left at a neighbourhood cafeteria and has a photo) combined with helpful neighbours (“Do you know what floor is Mr. Smith? I found his wallet!”) to simply googling your name. An attacker can also get their way to your address through another customer support line’s naive procedures (e.g. to get you a replacement loyalty card, they confirm your identity through the remaining info and then tell you your full address to confirm that’s where you want the card sent to).
Finally, there’s gaining access to online accounts (email, social networks, e-commerce, etc.). With a combination of name, date of birth, and photo, one can get a positive match on one of these accounts, and then social engineer one’s way into password reset/recovery. One might even get the “mother’s maiden name” security question! For a Portuguese citizen, this particularly easier to obtain, because it’s part of one’s full name — but having both paretns’ full names on the back of the card is a convenient way of telling which of those middle names by the dozen is the magic answer.
Through all these scenarios, there’s also the possibility for an attacker to get your valuable information from…you! After tying the information in the identity card to a telephone number (again, social engineering), an attacker can pose themselves as a legitimate customer service representative (well, they do know your full name, date of birth, ID number, tax payer number, …) claiming to be solving some problem with your account.
The above examples are described with the Portuguese social and institutional fabric in my mind, but they’re easily applicable elsewhere, with some high-profile cases showing just that. Amazon is vulnerable to this type of hack. So is Apple.
In conclusion, as a strong piece of advice:
- If you find a lost identity card (or any type of personal document), hand it at the nearest police station or to a police officer. The time and money cost of asking for a replacement ID card are peanut compared with the potential consequences of exposing someone to identity theft — so you’re doing someone a bigger favour by acting like this.
- If you run a store of any sort, either not accept any lost documents (and direct people to the authorities) or accept them and keep them in a safe place for some days before handing them to the authorities. Never put anyone’s documents on display!
Identity theft is real.
This post represents my personal opinion on this subject, not that of any company I work (or have worked) at/for on this subject area.