Posting about your new job on Facebook and other social networks is a good thing, but including a photo of your new badge—not so much.
Symantec’s Cyber Security Services shared a blog post by Brian R. Varner warning of the dangers of “badge bragging” and how posting high-resolution photos of workplace badges could lead to big-time trouble.
Varner wrote that hackers have access to digital tools that can quickly process large amounts of information from posts on social networks such as Facebook, Twitter and LinkedIn, and he shared one example of how badge bragging could pose serious problems:
One such example involved a new employee—we’ll call him “Richard”—who just started a job at a prestigious hospital. Richard was thrilled about his new job and posted a picture of his new employee badge on his favorite social media channel. Equally excited could be a skilled cyber attacker who has been trying to gain access to the hospital where Richard works, because the photo of Richard’s hospital badge could be the key piece of Open Source Intelligence (OSINT) the attacker needs to gain access.
An employee badge photo could end up being a treasure trove of information to an attacker. This hospital badge had Richard’s full name, his level of education (including his degree), the name of the hospital, the branch name and the department Richard worked in. In Richard’s social media post, he proudly named his first day in the caption of the post, and the hospital badge even included its expiration date. With that information, an attacker could learn that the hospital rotates badges every four years, giving an attacker physical access for years. Because Richard took the photo with a smartphone, the high-resolution camera made the bar code in the photo visible. The attacker likely also noticed from the photo that the badge was clipped to fabric, meaning that Richard likely scans his badge via hand-held scanners when he needs access within the hospital. And because the image is a high-quality photo, the attacker could easily make a usable copy of the badge.
Aside from the unauthorized physical access the attacker could gain, an adversary would now have all the information required to conduct a targeted cyber-attack against Richard, his department and the hospital. The attacker could create an effective spear-phishing email that looks authentic, since it includes Richard’s name, department and employee ID number. A simple subject like “Mandatory New Hire Training” could become the perfect bait for the trap. Using a high-resolution badge photo, an average hacker would only need about 15 minutes to dissect the badge and decode the barcode.
Varner also offered the following best practices for organizations looking to avoid such issues:
Create a “living” policy: Develop a policy for employees that addresses posting images or details about work activities online. Provide clear examples of acceptable and unacceptable behavior, such as, “Don’t allow your badge to be photographed.” Ensure that all employees demonstrate an understanding and agree to follow the policy. Update the policy as needed to account for new social media tools and other technology changes.
Make security a part of new employee onboarding: Any training for new employees should include education on the policy to avoid any confusion from the outset. Provide some simple tips to employees:
- Do not allow yourself to be photographed with your company badge visible.
- Do not display your badge while not on corporate property.
- Maintain positive control over your badge and report it lost or stolen immediately.
Regularly reinforce good hygiene: Use consistent communication with employees to reinforce behavior, making sure to highlight any recent attacker trends.
Readers: Have you or any of your friends or contacts on social networks ever posted photos of your employee badges?