A few days ago, the Sundhedsstyrelsen (The Danish Health Authority) announced that they had released a smartphone app for the national social security card (Danish: Sundhedskortet) in Denmark. Of course the Danish media was covering this quite heavily.
Is your identity secure?
At the same time I was sitting on a private chat channel and discussing different security aspects with my team-mates from Kalmarunionen CTF Team.
At some point in this discussion, one of the guys said: “do you think we could recover the full CPR number (Social security number) from this picture?”. He shared a link to an article from a Danish Media where a picture of the card was shown. The photographer had actually tried to cover up the last 4 digits of the social security number – the numbers that are supposed to make these cards “secret”. But that was just not enough!
Remember the barcode!
At the bottom of the card is a bar code – a normal Code128 bar code. The first half of the bar code was covered as well.
It didn’t take long before one of us said “but what if we generate a barcode with the first, visible part of the numbers and then 0000 for the last part? Then we can take the last part from the photo and add it to cover the 0000 part of the generated bar code”. 30 seconds later we had a fully working bar code with all the digits of the social security number.
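Why this works, and how an editor could check a redaction before publishing, as an added example that is not code from the original post: Code128 Set C encodes exactly two digits per symbol, so a mask that hides the printed digits but leaves the barcode symbols for those digits visible hides nothing. The example assumes the card's barcode is Code128 Set C holding the 10-digit CPR number; the sample number and the symbol-index layout are constructed for illustration.

```python
from __future__ import annotations

# Added example (not from the original post): a pre-publication check showing
# why covering the printed digits but only part of a Code128 barcode fails.
# Assumption: the barcode is Code128 Set C holding the 10-digit CPR number
# (two digits per symbol); the sample number below is constructed.

START_C, STOP = 105, 106  # Code128 start-C and stop symbol values


def code128c_symbols(digits: str) -> list[int]:
    """Code128 Set C symbol values for a digit string: start, data pairs,
    the mod-103 check symbol, stop. Each data symbol is exactly two digits."""
    if len(digits) % 2 or not digits.isdigit():
        raise ValueError("Set C needs an even number of digits")
    data = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    check = (START_C + sum((i + 1) * v for i, v in enumerate(data))) % 103
    return [START_C, *data, check, STOP]


def recoverable_digits(digits: str, visible_symbols: set[int]) -> set[int]:
    """0-based positions of digits readable straight off the visible barcode
    symbols. Symbol 0 is start, symbols 1..n are the data pairs."""
    pairs = len(digits) // 2
    return {2 * k + j for k in range(pairs) if (k + 1) in visible_symbols
            for j in (0, 1)}


def redaction_is_safe(digits: str, hidden_text: set[int],
                      visible_symbols: set[int]) -> bool:
    """True only if no digit hidden in the printed text is readable from the
    barcode, and the check symbol (a function of every digit) is hidden too."""
    check_index = len(digits) // 2 + 1
    if hidden_text & recoverable_digits(digits, visible_symbols):
        return False
    return not hidden_text or check_index not in visible_symbols


# Constructed sample CPR-like number (DDMMYY + 4 digits), not a real person.
SAMPLE = "0101701234"
LAST_FOUR = {6, 7, 8, 9}
# "Last 4 digits covered, first half of the barcode covered": start symbol and
# data symbols 1-2 masked, symbols 3-5, check and stop still visible.
HALF_COVERED = {3, 4, 5, 6, 7}
FULLY_COVERED: set[int] = set()

if __name__ == "__main__":
    print(code128c_symbols(SAMPLE))
    print("half-covered barcode safe:", redaction_is_safe(SAMPLE, LAST_FOUR, HALF_COVERED))
    print("fully covered barcode safe:", redaction_is_safe(SAMPLE, LAST_FOUR, FULLY_COVERED))
```

The check also rejects a mask that hides the data symbols but leaves the check symbol visible, since that symbol is computed from all ten digits.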
We checked other articles online and found that several other news sites had similar pictures. Many showed the barcode in a similar fashion or maybe just covered with a line or a slight blur. Not good!
It became even worse when we realized that some of the cards belonged to kids (presumably the kids of the journalist/photographer). This is where we started calling and writing all the news outlets we could find that shared images like this. Turns out we could find pictures like this dating all the way back to around 2010.
In the end we decided to do an article about it and share it with the public. You can find the article (in Danish) here.
Other media outlets, like the tech site Version2, have followed up on the article and posted about it here:
What’s the fuzz about?
The problem with getting your social security number + name + address shared online is that these data are pretty much all you need to do a full identity theft. You can create bank accounts, transfer money, buy mobile subscriptions + much, much more.
Generally, the Danish society has put way too much perceived security into those 4 digits at the end of the social security number. The card has no picture, no way of hiding the numbers and, until recently, there has been no way of getting new numbers if the previous ones got shared and abused.
We can only hope that this will change further in the future.