Attention Android Device Owners: Do not use “CAC Scan” app

From the Information Protection office at Barksdale AFB:

There is a new app available in the Google Play store for Android devices called “CAC Scan.”

DO NOT USE THIS APP!

The app is designed to scan the bar code on the front of a military CAC and provide you a readout of the personal data including the name, SSN, DOD ID number, etc. And yes, it works. A little research shows the app developer is an American most likely associated with the U.S. Army (either active duty, gov or CTR) and lives in the US.

Several disturbing questions remain:

  1. When you scan your (or someone else’s) CAC, where else does the data go; i.e., who else gets a copy of the results?
  2. Why would you need this app? You already know your personal info on your CAC… whose info are you trying to obtain and why?

We cannot see any valid reason to use this app and the OPSEC/privacy implications are disturbing. It could be used to compromise PII on unsecured or stolen CACs. All the more reason to ensure we properly secure our CACs.

 

Please use EXTREME CAUTION when downloading and using any app – especially one that deals with your personal information.

For reference:

DoDI 1000.13, January 23, 2014

2. GUIDELINES AND RESTRICTIONS. The guidelines and restrictions of this section apply to all forms of DoD ID cards.

a. Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in sections 499, 506, 509, 701, and 1001 of title 18, United States Code (U.S.C.) (Reference (u)). Section 701 of Reference (u) prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with appendix 501 of title 50, U.S.C. (also known as “The Service member’s Civil Relief Act”) (Reference (v)), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.

h. An ID card shall be in the personal custody of the individual to whom it was issued at all times. If required by military authority, it shall be surrendered for ID or investigation.

Title 18 U.S.C.

Section § 701. Official badges, identification cards, other insignia. Whoever manufactures, sells, or possesses any badge, identification card, or other insignia, of the design prescribed by the head of any department or agency of the United States for use by any officer or employee thereof, or any colorable imitation thereof, or photographs, prints, or in any other manner makes or executes any engraving, photograph, print, or impression in the likeness of any such badge, identification card, or other insignia, or any colorable imitation thereof, except as authorized under regulations made pursuant to law, shall be fined under this title or imprisoned not more than six months.

Recent News Events Create Opportunity to Review Your Social Media Presence

Many of you may have seen news stories this past weekend of a list containing the names, addresses, and photos of 100 current U.S. service members.

The list was compiled with the respective addresses and photos based off of information obtained through social media sites such as Facebook and LinkedIn.

In light of these events it is highly recommended you review your current online footprint, particularly in regard to social media sites. Furthermore, have a conversation with your families about Operational Security (OPSEC) and how we all need to be careful about what we post online. There are real threats out there, and it is important that we do what we can do to mitigate our exposure.

Here are some easy steps you can take to help ensure your security online:

  • Understand your privacy settings. Go look at the current privacy settings you have established on the social media sites you use and remember that the safest setting for any site is “only friends”. In our resource section below are smart cards for Facebook, Twitter, LinkedIn, and Google+.
  • Don’t friend people you don’t know. It sounds simple but think about how many people you may be friends with online that you don’t really know. If you don’t know them, then why are you linked in with them?
  • Limit the use of applications. Applications can be a great help, but they can also be a liability. For example, a past study revealed that many of Facebook’s most popular applications were transmitting personal user information to outside servers.
  • Protect your location. It is important that you do not “check in” and let the world know where you are, particularly at home, your friends’ houses, or at work.
  • Don’t overshare. The internet doesn’t forget anything – and nothing really gets deleted – so be careful about what you share. It is much easier to just not share something than it is to get that information back once it has been broadcasted in cyberspace.

Resources:

As always, force protection is a primary concern. It is important that we all remain vigilant and report any suspicious activity to base security forces, Air Force OSI, or the local police.