Attention Android Device Owners: Do not use “CAC Scan” app

From the Information Protection office at Barksdale AFB:

There is a new app available in the Google Play store for Android devices called “CAC Scan.”

DO NOT USE THIS APP!

The app is designed to scan the bar code on the front of a military CAC and provide you a readout of the personal data including the name, SSN, DOD ID number, etc. And yes, it works. A little research shows the app developer is an American most likely associated with the U.S. Army (either active duty, gov or CTR) and lives in the US.

Several disturbing questions remain:

  1. When you scan your (or someone else’s) CAC, where else does the data go; i.e., who else gets a copy of the results?
  2. Why would you need this app? You already know your personal info on your CAC… whose info are you trying to obtain and why?

We cannot see any valid reason to use this app and the OPSEC/privacy implications are disturbing. It could be used to compromise PII on unsecured or stolen CACs. All the more reason to ensure we properly secure our CACs.

Please use EXTREME CAUTION when downloading and using any app – especially one that deals with your personal information.

For reference:

DoDI 1000.13, January 23, 2014

2. GUIDELINES AND RESTRICTIONS. The guidelines and restrictions of this section apply to all forms of DoD ID cards.

a. Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in sections 499, 506, 509, 701, and 1001 of title 18, United States Code (U.S.C.) (Reference (u)). Section 701 of Reference (u) prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with appendix 501 of title 50, U.S.C. (also known as “The Service member’s Civil Relief Act”) (Reference (v)), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.

h. An ID card shall be in the personal custody of the individual to whom it was issued at all times. If required by military authority, it shall be surrendered for ID or investigation.

Title 18 U.S.C.

Section § 701. Official badges, identification cards, other insignia. Whoever manufactures, sells, or possesses any badge, identification card, or other insignia, of the design prescribed by the head of any department or agency of the United States for use by any officer or employee thereof, or any colorable imitation thereof, or photographs, prints, or in any other manner makes or executes any engraving, photograph, print, or impression in the likeness of any such badge, identification card, or other insignia, or any colorable imitation thereof, except as authorized under regulations made pursuant to law, shall be fined under this title or imprisoned not more than six months.
