As a cybersecurity consultant (and past victim of identity theft myself), I have an increased awareness of ways that identity and identification can be compromised. Two of the primary methods are physical compromise (loss or theft of physical credentials), and data theft, both of which are increased when in public with physical ID and credit cards.
Imagine my dismay when I looked at an image from a recent DK story about Kellyanne Conway which shows Conway, in high zoomable resolution, showing her identification holder to the world at the White House in a manner that may have both vulnerabilities. If a top adviser to the President is allowed to use such blatantly insecure practices, one can only imagine that the same protocols and standards (or lack thereof) are being applied across the entire staff at the current White House.
Let’s look at the obvious example:
While there are several types of identity holders that can secure credit cards and other ID to the back of a mobile phone, some are more secure than others. What can be seen in this photo is that apparently is no retainer on the top of the cards, which are being held only by friction and could potentially slip out of the holder without the owner knowing. Additionally, an adept grifter could distract the owner and quickly slide the cards out with a sleight of hand if the phone were laying face down on a table, or momentarily out of the owner’s possession in a coat pocket, etc.
(As a side note, a person should endeavor to always keep their credit cards in their possession as much as possible, as there are portable skimmers available that allow a thief to make a copy of the magnetic card information in seconds, allowing them to manufacture copies of physical cards that can be used in multiple locations. Additionally, when using gas pumps, ATMs, and other unattended locations that could have a device retrofitted to steal data, only reputable locations should be used, and the PIN should be shielded from prying eyes for extra precautions.)
The second potential vulnerability, impossible to determine from the picture, is susceptibility to RFID skimming, where a passive theft of the card data can be accomplished by someone who is merely in close proximity to the ID, not physically touching it at all. This applies to credit cards or other ID cards with an RFID chip, and assuming that the White House credentials are using a more modern system utilizing RFID rather than magnetic stripe scanners, this picture shows a collection of cards that could be skimmed if they are not being otherwise shielded.
This last point on shielding is important and impossible to determine from the photo. While that holder appears to be a popular non-shielded ID holder, as the shielded versions typically cover most of the card to ensure that any chip location is protected, it may indeed be a low-quality but shielded accessory that leaves way too much of the card showing. But likelihood suggests that the cards are not being shielded, which would expose Conway’s information to methods of electronic capture at a distance.
The third vulnerability is attachment method. While again we cannot see if there some sort of screw or super-strength adhesive ensuring that the holder itself does not get dislodged from the phone case, the exposure level of the cards suggests that expense and sophistication was indeed spared on this case procurement. An ordinary holder does not have industrial adhesive (so as not to ruin an expensive phone or case) so that it can be removed if desired, but this also makes a weaker bond that can get caught on something and rip the ID off of the case (I’ve seen it happen on the edge of a car door when getting out). If Ms. Conway lost that whole carrier while getting out of a taxi or limousine, for example, it could be quickly picked up before she realized it was gone, causing embarrassment at minimum and a significant security breach as the possessor would have vital information that could be used to forge credentials.
IF a person insisted on using such an ID holder, ensuring that it had strong adhesive, a full RFID screen, and definitive retention on all sides of the cards should be a minimum set of requirements for someone with access to the top officials in the country.
Do the white house staffers also carry physical access cards to get into the White House secure areas? If they do, is it reasonable to conclude that a staffer would keep that card in a different location than their other ID cards if they have a holder on their mobile phone? Since Ms. Conway isn’t shown in the picture to be carrying an ID on a lanyard around her neck, one might suspect that her WH ID is in with the others on her phone.
If this is true, then the current administration displays a public disregard (or blind ignorance) for security protocols eclipsed only by its unprecedented contempt for security personnel and intelligence agencies. It’s no wonder some security officials are given pause when considering sharing sensitive information in the Oval Office.
Some further reading: