ID badges are a two-edged sword, providing security and convenience on one hand, but risking exposure of sensitive data on the other.
The reason Abbott's now-removed Insta post caught so much heat is that a hacker named Alex Hope was able to uncover the politician's phone number and passport details after just 45 minutes of digging around and without using any special software.
The security takeaway is as relevant today as it was then: innocent-seeming sharing of information can have serious consequences.
It's especially relevant now as we move into trade show season, with CES, SXSW, RSA, and scores of other expos and conventions coming down the pike, and with them millions of ID badge-wearing attendees displaying full names, company affiliations, and more for all the world to see.
ID badges at conferences and in corporate environments in general offer a measure of security and convenience: controlling access, for example, and allowing attendees to easily identify each other.
Don't let these badges lull you into a false sense of security.
To a bad actor looking to exploit security vulnerabilities, an ID badge can be a treasure trove of personally identifiable information and other risky data.
Consider the types of information typically displayed on ID badges.
Aside from full names and addresses, badges can include employee user IDs for internal systems, building designations, internal department codes, barcodes, QR codes, and more.
Nothing unusual about that, but if their badge is on full display, the prying eyes of a malicious actor could spell trouble down the road. But in many cases, security gaffes occur when sensitive data finds its way online.
Or a scammer could use your stolen ID data for what's called synthetic identity theft, a rapidly growing financial crime in the U.S. An ambitious attacker could also use web search tools in a bid to breach corporate data assets, for example by researching details about your company's tech infrastructure.
RFID cards, barcodes, and QR codes
To counter risks like these, some companies issue cards with RFID tags, barcodes, or QR codes.
The thinking is that, because these cards usually display less printed information, they offer a greater level of security.
A criminal doesn't even need to see the card.
Worse, in some cases a company may require an employee user ID to access its human resources portal.
Once a hacker breaches the corporate system, they can use this access to move laterally across the network with the goal of accessing valuable data, exfiltrating data, or deploying ransomware.
Lost or stolen ID cards can allow a criminal who finds them to stroll through the front doors of office buildings, exposing companies to theft of valuable equipment or worse.
If a lost or stolen card is recovered, criminals may still have access because the magnetic strips and EMV chips used in some cards can easily be cloned.
Use badge holders or shields that obscure sensitive data without limiting the badge's usefulness.
In addition to cybersecurity training to help employees grasp the importance of keeping personal and organizational information safe, companies should cultivate a culture of security awareness by encouraging employees to be vigilant and to report suspicious activity or attempted breaches.
This Cyber News was published on blog.avast.com. Publication date: Wed, 03 Jan 2024 15:43:04 +0000