Skip to main content

The Marriott data breach exposed millions of passports. Here's what thieves can do with them.

[ad_1]


This morning, Marriott hotels revealed that an “unauthorized party” accessed its Starwood reservation database and made off with information regarding roughly 500 million guests. The hotel chain has reported the breach to the authorities and now begins the long process of sorting out just how violated each affected customer really is.



The leaked information is mostly what you’d expect—personal data you have to fork over when checking into a hotel for the night. That includes standard stuff you might lose in a typical breach, like your name, email address, phone number, and date of birth. Some credit card info also got out, but the chain says it’s not sure if the perpetrating scoundrels have the ability to decrypt it. What’s not typical, however, is the fact that the breach also includes passport numbers, a fact that comes with its own some specific risks.



How serious is it?



“Passport data is something you should hold onto more tightly than something like a driver’s license,” says Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group focused on privacy and security. “The biggest problem is that if someone is able to get a passport with your identity, they can cross jurisdictions. The nightmare scenario is that you travel overseas and someone has committed a crime there in your name.”



Fake passports have been a best-selling item on the black market for decades, and a fake U.S. document go up to $4,000 and beyond for someone who wants to impersonate a U.S. citizen domestically or when traveling abroad. While traveling with a fake document is increasingly difficult (more on that in a moment), a passport can provide a second form of ID typically required for opening accounts or proving residence.


What can hackers learn from your passport number?



Unlike some other hacks in the past, the Marriott breach gives up a lot of information about victims’ travel habits. By observing the check-in and check-out information, hackers can piece together a rudimentary travel history, but the passport number takes it a step beyond. According to the Department of Homeland Security, you can track your international travel using this online tool, which is available to the public. It requires your full name, your birthday, and your passport number, all of which were part of Marriott’s leak.



According to Dixon, that can be valuable information for hackers trying to pick the best victims. “If you’re the type of traveler who doesn’t go many places and keeps your passport in the drawer, that might make you a great target,” she says. “It decreases the odds someone will notice the fraud.”



A piece of the fraud puzzle



The Marriott hack doesn’t exist in a bubble. According to Gates Marshall, director of cyber services for information security and consulting firm, Compliance Point, roughly 800 million personal records have been compromised in November of 2018 alone, including other companies like Dunkin Donuts. “Attackers can aggregate that information and cross check it with lots of public information that’s already out there on social media and other public channels,” he says.



One way to get a fake passport is to use personal data to apply for a new one by reporting the old one lost or stolen. The process for applying for a new passport online is relatively simple and requires filling out a form that’s similar to signing up for a new streaming service or making a purchase—with a few extra requirements.



The most challenging part of re-applying is having a social security number for the victim, but Equifax leaked millions of those earlier this year. Beyond that, everything on the document (which you can also submit in person) could potentially be a part of Marriott’s leak or wrapped nicely into a bundle of identity information sold on the dark web.


Doesn’t biometrics make fake passports useless?



The amount of biometric protection baked into passports customs systems around the world—as well as compatible airports and other travel facilities—has climbed substantially, but support is still extremely spotty and unpredictable. If you have renewed your U.S. passport since 2006 or 2007, it likely has biometrics built-in. You can tell by the rectangular icon with a circle in the middle on the cover. It's an added level of security, but techniques for fooling biometrics systems have already popped up to help fake passports more useful for illicit behavior.



“A technique called morphing helps some fake documents pass biometric tests,” Dixon says. It’s a process that involves using image editing techniques to combine the face of the victim with the face of the criminal into an amalgamation that’s close enough to get by basic face scanning or, even easier, a simple visual once-over from a human guard. In other words: the criminal uses their real face, but the accompanying photo on their document has been doctored. It’s the driving force behind a black market for selfies which currently exists on the dark web.



Should you replace your current passport?
Getting a new passport is a relatively straightforward process and will assign you a different number specific to your new document. The old number will go out of service just as if you had gotten it replaced due to loss or theft. Still, it’s time-consuming and relatively costly, especially if you have travel visas attached to your document, which would terminate when you get the new number. If you’re close to expiration on your passport already, this is a good time to just get it out of the way, but if you want to renew earlier than the typical one-year window, you may need to explicitly explain why you’re doing it so far in advance.




[ad_2]

Written By stan.horaczek

Comments

Post a Comment

Popular posts from this blog

Ice technicians are the secret stars of the Winter Olympics

[ad_1] The emphasis of this year's two-week-long Winter Olympic Games has been placed squarely on the Olympians themselves. After all, the stated purpose of the international competition is to bring together the world’s greatest athletes in a nail-biting competition across fifteen different winter sports. But before the curlers, skiers, and skaters even arrived in Pyeongchang, South Korea, the Olympians of the ice technician world were already a few weeks deep in a competition of their own. Mark Callan of the World Curling Federation and Markus Aschauer of the International Bobsleigh and Skeleton Federation both say they’re hoping to make the best ice the Winter Olympics have ever seen. To transform the barren concrete jungle of existing tracks and arenas into an ice- and snow-covered wonderland is an enormous undertaking. And it takes a keen understanding of the physics and chemistry that keeps frozen precipitation pristine. Curling Callan has been making and maintaining ice for m
Post a Comment
Read more

In the wake of NYC terrorist attack, Trump says he's ordered increased 'Extreme Vetting'

[ad_1] President Donald Trump has requested for a heightened vetting program following Tuesday's terrorist attack in New York. @realDonaldTrump: I have just ordered Homeland Security to step up our already Extreme Vetting Program. Being politically correct is fine, but not for this! Earlier, he tweeted that the attack in lower Manhattan was committed by a "sick and deranged person." @realDonaldTrump: In NYC, looks like another attack by a very sick and deranged person. Law enforcement is following this closely. NOT IN THE U.S.A.! His remarks came after a motorist drove onto a busy bicycle path near the World Trade Center memorial and struck several people on Tuesday, leaving at least eight people dead and a dozen injured. NBC News repor
Post a Comment
Read more

How to save everything you post to social media

[ad_1] If you get the urge to revisit that cute photo you posted some time last year, you'll have to scroll through your timeline for what feels like hours to track it back down. Instead, when you share a post on social media, also save it to your phone for safe-keeping. This will not only save your social media hits for posterity, but also make them easier to find if you ever need to rediscover them. In this guide, we focus on saving photos and videos, because text posts are slightly more complicated—the only way to really preserve text from Facebook and Twitter is to download your entire archive (we'll explain how to do this below), and Instagram and Snapchat don't let you save or export your instant messages at all. When it comes to photos and videos, there's a shortcut to make sure they stay on your phone: Originally film them through a dedicated app, which will save them to a gallery. Only then should you open up a social media app to share them. However, there'
Post a Comment
Read more