ID badges are a two-edged sword, providing security and convenience on one hand, but risking exposure of sensitive data on the other.
It seemed like an innocuous thing to do. Before flying home to Australia from Japan, Tony Abbott posted a photo of his boarding pass on Instagram with a message thanking the Qantas Airlines crew. But the well-intentioned gesture triggered a minor diplomatic kerfuffle, raised airline cybersecurity concerns, and went viral.
You see, Tony Abbott is a former Prime Minister of Australia who is now Advisor to the UK Board of Trade—but that’s not what matters here. The reason Abbott’s now-removed Insta post caught so much heat is that a hacker named Alex Hope was able to uncover the politician’s phone number and passport details after just 45 minutes of digging around and without using any special software. Hope wrote about the incident in a hilarious blog post after spending six months trying not to get arrested as he struggled to alert authorities and the airline of the vulnerability.
That was in 2020. But the security takeaway is as relevant today as it was then—that innocent-seeming sharing of information can have serious consequences. (The incident reportedly led Qantas to update its cybersecurity protocols.) It’s especially relevant now as we move into trade show season, with CES, SXSW, RSA, and scores of other expos and conventions coming down the pike—and with them millions of ID badge-wearing attendees displaying full names, company affiliations, and more for all the world to see.
ID badges at conferences and in corporate environments in general offer a measure of security and convenience—controlling access, for example, and allowing attendees to easily identify each other. But don’t let these badges lull you into a false sense of security. To a bad actor looking to exploit security vulnerabilities, an ID badge can be a treasure trove of personally identifiable information (PII) and other risky data.
Consider the types of information typically displayed on ID badges. Aside from full names and addresses, badges can include employee user IDs for internal systems, building designations, internal department codes, barcodes, QR codes, and more. Some of the risk of this information falling into the wrong hands can occur in real-life situations—a conference attendee going to a coffee shop for a cappuccino, for example. Nothing unusual about that, but if their badge is on full display, the prying eyes of a malicious actor could spell trouble down the road.
But in many cases, security gaffes occur when (as in the case of the Aussie politician) sensitive data finds its way online. Ever take a selfie or pose for a group shot at a conference? Did you check to make sure your ID badge wasn’t showing before the image posted to social media? If not, you could have made it easier for a thief to steal your identity or compromise the security of your organization. Missteps like these happen all the time. (As of this writing, Instagram has nearly 140,000 images with the hashtag #boardingpasses.)
Tech-savvy scammers scour the internet for such faux pas. Armed with your name, company name, and department, a scammer can launch a social-engineering campaign. It might start with a carefully crafted phishing email that uses your name and department to short-circuit suspicion. Or a scammer could use your stolen ID data for what’s called synthetic identity theft, a rapidly growing financial crime in the U.S. An ambitious attacker could also use web search tools in a bid to breach corporate data assets—for example, by researching details about your company’s tech infrastructure.
To counter risks like these, some companies issue cards with RFID (radio-frequency identification) tags, barcodes, or QR codes. The thinking is that, because these cards usually display less printed information, they offer a greater level of security. Unfortunately, this is not necessarily the case.
RFID cards, also known as HID or proxy cards, can be hacked using off-the-shelf RFID scanners and cloning devices that allow the tag to be scanned at arm’s length. In fact, a criminal doesn’t even need to see the card. It’s enough for them to stand with a scanner in their backpack within a couple of feet of the victim. They can even set up an alert to signal a successful scan, then have the RFID code re-written to a blank chip.
Barcodes and QR codes are also vulnerable. Both can be duplicated from an image posted to social media. Worse, in some cases a company may require an employee user ID to access its human resources portal. Once a hacker breaches the corporate system, they can use this access to move laterally across the network with the goal of accessing valuable data, exfiltrating data, or deploying ransomware. (The estimated mean cost of recovering from a ransomware attack in 2023 was $1.82 million, excluding any ransoms paid.)
Lost or stolen ID cards can allow a criminal who finds them to stroll through the front doors of office buildings, exposing companies to theft of valuable equipment or worse. And if a lost or stolen card is recovered, criminals may still have access because the magnetic strips and EMV chips used in some cards can easily be cloned.
Here are a few steps to think about: