“If you find me, hand me at the nearest cafe”—Said no ID card ever

Today, I went out for a Sunday morning stroll and snack/coffee around the neighbourhood. Sitting at a table outside a street-level cafeteria (oh, the perks of September in Lisbon), I look at the clear glass window next to the entrance door and see no fewer than three ID cards taped to the glass: a girl’s card, a man’s card, and an old lady’s card. This is a strangely common thing here in Portugal. Behind it lies the assumption that the person who lost their card:

  • lives in the neighbourhood,
  • might return to the cafeteria, and
  • gets their card back without the hassle of asking for a replacement;

(or someone recognises the person and contacts them).

The cards were taped to the inside of the window, alright, but they were still:

  • accessible enough for someone to take them away;
  • easy enough for someone to take pictures of both sides of the card; and
  • super easy to go there when the cafeteria is closed and take a picture of the front of the card.

What’s on an ID card?

For context, let us remember what a Portuguese identity card bears on both sides.

  • Front: full name, gender, height, nationality, date of birth, ID number, expiry date, signature, photo (B&W).
  • Back: full name of both parents, tax payer number, Social Security number, National Health Service number.

(In italics for what is, IMHO, particularly sensitive information.)

[Image] Specimen of the Portuguese “Citizen Card” (from autenticacao.gov.pt)

The road to hell is paved with good intentions, and with scams conducted using only the information you can get from an ID card. Although the Portuguese card is electronic, several identity-proofing use cases are still handled as if we had never left the hideous yellow paper identity card behind.

[Image] A (blank) good old “Bilhete de Identidade” (By User:Dantadd [Public domain], via Wikimedia Commons)

What you can do with a photo of an ID card

Due to:

  • lack of technological equipment, and
  • a combination of good will and commercial interest in getting people through the funnel;

too much of the audit trail is established using a legally dubious paper copy of the electronic card. Sometimes, with enough persuasion and a good backstory, you don’t even have to show the real document. One of the cards on the cafeteria’s window belongs to a senior citizen. A fraudster could thus easily come up with a mobility-related story to

  • justify the absence of the person, and
  • create empathy to cut some procedural corners.

Proving who you are through the phone

This is particularly serious regarding access to restricted information through telephone channels. The card carries most of the information customer support agents usually ask for as a means of confirming that you are you. The only key piece of information missing is your address (which is stored in the card’s chip, protected by a PIN). In most cases an attacker can obtain it through some social engineering. This can be harder or easier. It can be as hard as some on-site observation (remember, the card was left at a neighbourhood cafeteria and has a photo) combined with helpful neighbours (“Do you know which floor Mr. Smith lives on? I found his wallet!”). Or it can be as easy as googling your name.

An attacker can also get to your address through another customer support line’s naive procedures. E.g., to send you a replacement loyalty card, they confirm your identity using the remaining information and then read out your full address so you can confirm that’s where you want the card sent.

Identity and online access

Finally, there’s gaining access to online accounts (email, social networks, e-commerce, etc.). With a combination of name, date of birth, and photo, one can get a positive match on one of these accounts, and then social engineer one’s way into a password reset/recovery. One might even get the “mother’s maiden name” security question! For a Portuguese citizen this is particularly easy to obtain, because it’s part of one’s full name. Still, having both parents’ full names on the back of the card is a convenient way of telling which of those middle names by the dozen is the magic answer.

Through all these scenarios, there’s also the possibility for an attacker to get your valuable information from… you! After tying your identity to a phone number, an attacker can pose as a legitimate customer service representative solving a problem with your account. Remember, they do know your full name, date of birth, ID number, tax payer number, and so on.

I’ve described the above examples with the Portuguese social and institutional fabric in mind, but they’re easily applicable elsewhere. Some high-profile cases show just that: Amazon is vulnerable to this type of hack. So is Apple.

Conclusion: How to handle a lost ID card?

In conclusion, as a strong piece of advice:

  • If you find a lost ID card (or any type of personal document), hand it in at the nearest police station or to a police officer. The cost of asking for a replacement ID card is peanuts compared to the potential consequences of exposing someone to identity theft — so you’re doing them a bigger favour by acting this way.
  • If you run a store of any sort, either refuse to accept lost documents (and direct people to the authorities) or accept them and keep them somewhere safe for a few days before handing them over to the authorities. Never put anyone’s documents on display!

Identity theft is real.

This post represents my personal opinion on this subject, not that of any company I work (or have worked) for.