printer friendly version

Don’t let hackers steal personal identities

Your personal identity (PI) is any identification, presented in numbers, icons or letters, used to describe you and only you. Your phone number, email address, identity number, passport number, birthday, driver’s licence number, birth date and a host of other identifiers distinguish you from your neighbour, a fellow in Sri Lanka or your sister.

Using any of the above should help differentiate you from others. Since too many people can have the same name, birth date, password or other descriptors, combinations of the above should further discern that it’s you, not somebody else with your PI.

Without knowing you personally, having your own PI means you can open bank accounts, prove you have enough money to buy a car or fly to Switzerland. Of course, if someone else is using your PI they can also open bank accounts, buy a car or fly to Switzerland. Once discovered that someone else is using your PI, it can be very difficult to stop and correct. That’s why it is so important to assure that your PI is protected.

It’s just too simple to hack your PI

When it is just a standard PI, like your name, or unique PI, like your passport number, it needs to be protected. That’s why we try to protect PI, especially the unique ones. But, your travel agent recently requested your passport number for their records so when they book an international flight for you, they won’t have to bother you for this information. Of course, you emailed this information to them. In doing so, hackers now have been given two opportunities to get this information, via the email and in your travel agent’s files. And it’s easy to get.

Let’s pretend that your hospital, travel agent, bank or whomever uses an RFID card to get into their building. Even if your supplier thinks their computer system is protected, it may not be.

There are three main ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.

An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.

Lastly, RFID systems are potentially vulnerable to an attack in situations in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security.

What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and is widely available.

Do you use a mobile access control system, one where your smartphone acts like your ID badge? There has to be a special word of caution when changing over to mobile systems. Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy-to-access caches of personal end-user data. These older mobile systems force the user to register themselves and their integrators for every application.

Knowing this, users will prefer credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. All that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your system, demand a better system.

Another aspect of securing information is to make the PI unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.

Share this article:

Further reading: