
Working in cybersecurity for 20+ years, I am not easily shocked anymore by failures in security and privacy. That changed recently when I received a piece of mail containing the 2020 Minnesota Absentee Ballot Application form. What was shocking wasn’t the form itself but what the form was asking for, the fact that it was created by the state government, and the fact that the copy I got came from the Republican Party Of Minnesota (www.mngop.com).
Before I break down the privacy failures, I want to note that I investigated the website and online forms at www.mnvotes.org, which is a State of Minnesota controlled website. Online you are asked for the same information and can print off the form to mail in, but it’s the mailing-in part that is the problem. Not because of the USPS, but because of how the form I received instructs you to mail it. Let me explain.
Here is the form –
Let’s start with the information that this form is asking for.
Line 2 – Full Name. First, Middle and Last. From an identity standpoint, those three words alone can identify someone with accuracy in the high 90% range.
Line 3 – Birthdate. Combined with your name, this pretty much pins down who you are with near 100% accuracy. Then county, phone number and email address.
Line 4 – This is the information that shocked me to the core. It asks you to enter all of it: your full driver’s license or ID card number, plus the last 4 digits of your Social Security number.
If you reflect on the services and businesses you use, your name and the last 4 of your Social Security number are what many companies use to verify you when you call them: phone companies, health care providers, utility companies, and so on. With that information, and with what I know (and I am not a criminal hacker), I could take over someone’s identity and wreak havoc.
Line 5/6 – Full address.
With this info I can craft the most convincing spear-phishing emails to anyone and get them to give me credentials to anything. Why wouldn’t you believe an email that came from a government agency or bank that had all your personal info, including the last 4 of your SSN? I can call you with that info and sound very convincing. I can mail you a form to return to a fake PO Box; you mailed this form in, so why wouldn’t you do it again?
Line 7 – Signature.
This little form has the most vital identity data on it, handwritten by the data owner, which lends itself to signature matching. The other part of this is that these data points don’t change for most people. They are forever. You can change your ID number and SSN, but it’s a very difficult and daunting task to do. If this data is collected, it’s good forever.
The second part of the form was the instructions to mail it in. Here’s the reverse side of this form –
The majority of people will follow the instructions because it’s to be trusted, right?
Fold along this line and tape closed.
The most vital identity data kept from prying eyes by a piece of tape. Squeeze it and you can clearly read everything. Really?
The other aspect of this is the people who would be filling in this paper form rather than applying online. Those people don’t have access to technology and therefore probably do not have the privacy awareness to see the major risk this form is. They are going to follow these terrible instructions, because it’s easy, instead of seeing the risk and putting the form into a secure envelope.
I am not saying mailing in documents is bad; in fact, sending ‘snail mail’ through the USPS is very secure, safe and can be trusted. However, a method where anyone along the way can read highly sensitive identity information is not secure. Worse, the creators didn’t see the problem with this.
As I drafted notes for this post, I also came up with additional questions for the processors of this form, regardless of how it’s mailed in.
- The forms are obviously entered into a system by someone. What is done with the forms after the fact?
- Are they cross-cut shredded?
- Are they destroyed to NIST Data Destruction standards?
- Are they tossed in a dumpster?
- I noticed that my form goes to a different address than the paper form you can print off on the website, are those forms centralized or handled in multiple locations? If so, how is handling compliance monitored across locations?
In cybersecurity this data would be classified in most environments as highly sensitive PII (Personally Identifiable Information). SSN and ID number would be encrypted at rest, and every access to them would be monitored. Queries would be logged and reported. Communications in transit would be secured.
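To make those controls concrete, here is an added example (my own illustration, not code from any state system or from this post’s original content) of how a record-processing application could store the two identifiers that never change. Each sensitive field is encrypted with AES-GCM before it is persisted, the column name is bound into the ciphertext so a value cannot be silently moved between fields, and every decryption is refused without a stated purpose and written to an audit log. The key, the log and the sample form data are all constructed in memory for the demo; a real deployment would pull the key from a KMS or HSM and ship the log to a SIEM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AccessEvent is one audit-log entry, written every time a protected field is decrypted.
type AccessEvent struct {
	When      time.Time
	Principal string // who asked for the value (assumed: an application user id)
	Field     string // which protected column was opened
	Purpose   string // why, as stated by the caller
}

// PIIVault wraps an AES-GCM key and an in-memory audit log (both in memory only so the
// example runs offline; a real system keeps the key in a KMS/HSM and streams the log out).
type PIIVault struct {
	aead cipher.AEAD
	Log  []AccessEvent
}

// NewPIIVault builds a vault from a 16-, 24- or 32-byte AES key.
func NewPIIVault(key []byte) (*PIIVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PIIVault{aead: aead}, nil
}

// Seal encrypts one field value with a fresh random nonce. The column name is bound as
// associated data, so a ciphertext stored under "ssn_last4" will not open as "id_number".
func (v *PIIVault) Seal(field, plaintext string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag.
	return v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field)), nil
}

// Open decrypts one field value and records the access. A caller that cannot state a
// purpose is refused before any decryption happens, so nothing is logged for it.
func (v *PIIVault) Open(principal, purpose, field string, ciphertext []byte) (string, error) {
	if purpose == "" {
		return "", errors.New("access to a protected field requires a stated purpose")
	}
	ns := v.aead.NonceSize()
	if len(ciphertext) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, ciphertext[:ns], ciphertext[ns:], []byte(field))
	if err != nil {
		return "", err // wrong key, tampered data or a column swap: all fail closed
	}
	v.Log = append(v.Log, AccessEvent{When: time.Now(), Principal: principal, Field: field, Purpose: purpose})
	return string(pt), nil
}

// Application is the stored record. The identifiers that never change (last 4 of SSN,
// driver's license / ID number) exist only in encrypted form; the name stays in clear
// because routine processing needs it.
type Application struct {
	FullName string
	SSNLast4 []byte
	IDNumber []byte
}

// StoreApplication encrypts the sensitive fields of one form before it is persisted.
func StoreApplication(v *PIIVault, fullName, ssnLast4, idNumber string) (Application, error) {
	s, err := v.Seal("ssn_last4", ssnLast4)
	if err != nil {
		return Application{}, err
	}
	id, err := v.Seal("id_number", idNumber)
	if err != nil {
		return Application{}, err
	}
	return Application{FullName: fullName, SSNLast4: s, IDNumber: id}, nil
}

// Redacted is the default staff view: it never touches the key and so never logs an access.
func Redacted(a Application) string {
	return fmt.Sprintf("%s  SSN last 4: ****  ID number: [encrypted]", a.FullName)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real key comes from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewPIIVault(key)
	app, _ := StoreApplication(v, "Jane Q. Voter", "1234", "X123-456-789-000") // constructed sample data
	fmt.Println(Redacted(app))
	last4, _ := v.Open("clerk-17", "eligibility check", "ssn_last4", app.SSNLast4)
	fmt.Println("decrypted for clerk-17:", last4)
	for _, e := range v.Log {
		fmt.Printf("AUDIT %s principal=%s field=%s purpose=%q\n", e.When.Format(time.RFC3339), e.Principal, e.Field, e.Purpose)
	}
}
```

The point of binding the column name as associated data is that a database administrator who copies the `id_number` ciphertext into the `ssn_last4` column cannot get it decrypted under the wrong label; the GCM tag check fails and the attempt shows up as an error rather than a quiet success. The audit log is what makes the post’s “monitored on access” line real: a report of who opened which field, and why, is only possible if every decrypt path goes through a function that refuses to run without recording that information.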
On the surface, this looks innocent and easy. Professionals, legitimate or criminal, see this as an identity theft gold mine. Most people don’t know how easy it is to create, take over or open accounts with collected identity information. This process puts everything someone needs in one spot and has people send it with a single piece of tape protecting it.
The reason I do my podcast, blog and speaking engagements is not to talk to security professionals who already know all this, but to talk to everyone else who falls victim to gaps like this.
Awareness of how things are is key to avoiding these pitfalls.
The more aware you are the more secure you can be.
Be aware, be safe.