- Security TWENTY
- Women in Security
Your personal identity (PI) is any identification, presented in numbers, icons or letters, that is used to describe you and only you. Your phone number, email address, Social Security number, passport number, birthday, driving license number, birth date and a host of other identifiers distinguish you from your neighbour, a fellow in Sri Lanka or your sister. Using any of the above should help differentiate you from others. Since too many people can have the same name, birth date, password or other descriptors, combinations of the above should further discern that it’s you, not somebody else with your PI, writes Scott Lindley, pictured, Vice President & General Manager, at US-based RFID reader and credential manufacturer Farpointe Data.
Without knowing you personally, having your own PI’s means you can open bank accounts, prove you have enough money to buy a car or fly to Switzerland. Of course, not knowing that someone else is using your PI can also mean that somebody is using your good name and credit to open bank accounts, buy a car or fly to Switzerland. Once discovered that someone else is using your PI, it can be very difficult to stop and correct. That’s why it is so important to assure that your PI is protected.
With this in mind, how many pieces of PI do you store on any one site? Probably three or more. Driver’s license – Name, address, zip code and license number is just a beginning. Any other people with your name? Check Google. Address? Check Google. Zip code…of course. License number…there shouldn’t be. That’s the importance of unique PI’s. And we should try to use them whenever we can. But what if somebody steals it? Hmmm.
When it is just a standard PI, like your name, or unique PI, like your passport number, is needs to be protected. That’s why we try to protect PI’s, especially the unique ones. It’s why we don’t carry our Social Security card in our wallet. In case our wallet is lost or stolen, that unique PI isn’t captured along with it. But, your travel agent recently requested your passport number for their records so when they book an international flight for you, they won’t have to bother you for this info. Of course, you emailed this information to them. In doing so, hackers now have been given two opportunities to get this information, via the email and in your travel agent’s files. And, it’s easy to get.
After all, public WIFI data transmissions are unsecure so even beginning hackers can gain access to your passport number. Importantly, don’t assume public WiFi is safe. Often it is not very secure. Too often, that public WiFi network you are using is actually being run by a hacker. And ,if not, hackers often eavesdrop on legitimate networks to steal your data. Too often, you can’t be sure what is protecting that public WiFi so you might consider using a virtual public network (VPN) to add an extra layer of security and avert any possibility of eavesdropping.
The same type of caution should go with using others’ websites. Are they secured or unsecured? Here’s a quick confirmation. If the URL starts with HTTP instead of HTTPS, it’s not secured and is open to hacking. And, even if it is HTTP, it still might be a front for a scam. The easiest check of all. If you don’t know the company, don’t use their website.
To burrow in on how many ways a hacker can easily get to your PI’s, read on. Let’s pretend that your hospital, travel agent, bank or whomever uses an RFID card to get into their building. Even if your supplier thinks their computer system is protected, it may not be. Here’s why. There are three main ways to assault a card-based electronic access control system – skimming, eavesdropping and relay attacks. Skimming occurs when the attacker uses an unauthorised reader to access information on the unsuspecting victim’s RFID card or tag without consent. As a result, the attacker is able to read stored information or modify information by writing to the credential. From that point on, the attacker can control when and where unauthorised entries may occur.
An eavesdropping attack occurs when an attacker recovers the data sent during a transaction between the legitimate reader and card. As a result, the attacker can recover and store the data of interest. From then on, the attacker can use this stored data at will.
Lastly, RFID systems are potentially vulnerable to an attack in situations in which the attacker relays communication between the reader and a tag. A successful relay attack lets an attacker temporarily possess a ‘clone’ of a token, thereby allowing the attacker to gain the associated benefits. Some sophisticated RFID credentials perform mutual authentication and encrypt the subsequent communication. An attacker, however, never needs to know the plain-text data or the key material as long as he can continue relaying the respective messages. It is therefore irrelevant whether the reader authenticates the token cryptographically, or encrypts the data, since the relay attack cannot be prevented by application layer security. What’s scary about all this is that the equipment used to perpetrate the above attacks can be quite inexpensive and are widely available.
Here’s an even scarier, more subtle, way of getting to your or your customers’ PI. Do you use a mobile access control system, one where your smartphone acts like your ID badge? There has to be a special word of caution emphasised when changing over to mobile systems. Many legacy access control systems require the use of back-end portal accounts. For hackers, these portals can become rich, easy to access caches of personal end-user data. These older mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register.
Knowing this, users will prefer credentials with features that allow them to register their handset only once and need no portal accounts, activation features or hidden fees, annual or otherwise. All that should be needed to activate your systems is the phone number of the smartphone. If you need to fill out several different forms or disclose private data to install your system, demand a better system.
Yes, once we think about it, way too many of our PI’s are at the mercy of hackers sneaking into places in which we have no control – from our insurance agency’s computer files to those of our doctors, banks, credit card companies and on and on. If they’re hacked, it’s often us that is in the most trouble. Therefore, limit your exposure to them. Give them only what they must have and double check with them on their security measures. Online scams are prevent. They are especially popular around holidays and events. Send in your information and win a T-shirt. You’ve just shared a PI that you won’t keep in your wallet in case you lose it. Or, how about that notice on an invoice from a firm you know that says you may owe money? Just provide your checking account number and they can quickly get you out of arrears. Bottom line, if you aren’t sure about this charge, delete the email and call the company. But don’t use the phone number on the email. Get the real number by checking with information, their website or some other documentation you have on file.
Another aspect of securing information is to make the PI’s unusable; they must be encrypted. To read them, the system needs access to a secret key or password that provides decryption. Modern encryption algorithms play a vital role in assuring data security.
By now, we hope that you’ll agree with us that protecting your PI’s is pretty important. But, also protecting others’ PI’s if you collect them is paramount. Each time a thief gets one of your PI’s, especially if it’s unique, can cause big problems for the holder. Once that hacker gets several PI’s, especially unique PI’s, the problem can become massive.
About the author
Scott Lindley, general manager, Farpointe Data, is a 25-year veteran of the contactless card access control industry. Email: Scott.Lindley@farpointedata.com.