(ABC4) So, you walk into a bar. No, this isnt the start of a bad joke, but it could be the start of a potential threat to the security of your personal information, experts say.
Living in Utah, those of us who drink alcohol have become accustomed to presenting our IDs at the door of any establishment that serves booze. Thats certainly not new, especially in a state with historically restrictive liquor laws. But, what is new are the ID-scanning apps that are being used at some local bars, pubs, breweries, and eateries.
These apps, which can be downloaded onto any device with the ability to support them like phones and iPods are a new alternative to the typical barcode scanner or PalmPilot resemblant ID readers were used to seeing.
And while these apps certainly do increase convenience for bar staff, they open the doors up to a lot of potential security risks for patrons.
Basically, by having your ID scanned with an app, you are putting your trust and your personal information in the hands of an app developer somewhere, Mu Zhang, a University of Utah professor who has done extensive research on computer security and privacy, says.
They use a barcode scanner to try to scan your ID, but you dont actually know how your information will be used by these applications, Zhang explains. It really just depends on the developers, so the question will be, how much do you trust those developers?
And since the apps are likely not open source meaning their code is available for anyone to look at youll have to place even more trust in the app creator.
If the source code is not public, you have to rely on the app-maker to be honest about this, he says. But assuming that they are honest, the privacy policy of the app can tell you a lot about what the app captures, what it does with that data, and why, and how.
But, Sameer Patil, a professor in the University of Utahs School of Computing, notes, as a bar patron, you have no idea about and likely no time to peruse an apps privacy policy before meeting a friend for a beer after work or hitting the bars on a Friday night.
And, in addition to the app creators, the apps may put personal information in the hands of whoever is wielding the scanning device itself. And though wed like to assume our local bartenders and bouncers have our best interests at heart, its hard to always know for sure.
So, if its the bartenders personal phone, all they have to do is take a screenshot, Patil says. So, even if the app doesnt save it, if the bartender wanted to save your ID, they could take a screenshot of it while its scanned and they have it in their photo album.
But, its unlikely that theyd be able to get a full picture of your ID. According to the Utah Department of Alcoholic Beverage Control, ID scanners arent legally allowed to display more than the individuals name, age, birth date, and gender, in addition to the license number and expiration date.
However, if the device doing the scanning has any harmful malware downloads, there could be even more potential for concern beyond your terrible DMV photo living on in infamy.
Traditionally, [malware apps] just collect, for example, your phone number, your SMS, or your contact information from your device, Zhang says. So now they actually have another channel to get your real bio from your drivers license.
Jun Xu, who is also a professor at the University of Utah, ran several common ID scanner apps Bar and Club Stats, Veriscan, and Vemos through an open-sourced online detection tool to evaluate the possibilities of some common security concerns, like malware interference.
The detection tool uncovered that both Bar and Club Stats and VeriScan might save some data to the phone the ID is scanned on. This leaves information with the ability to be potentially poached by malware, Xu says.
There is a piece of code which is used by this app that has a vulnerability, and because of that vulnerability, the other apps can access the data saved, he explains.
The way some of the apps are communicating with their servers could invite potential security risks, too. Things like encryption whether or not the data is readable to outside parties and the list of servers the app is allowed to communicate with play huge roles in overall app security.
If the information is analyzed locally on the device, theres very little security risk, Patil says. But, if the data is transmitted to a third party, things get dicier. Third-party access means more eyes on your information and therefore, greater potential for a breach.
Whatever information [the app] is getting from that drivers license be it an actual photo of it or the information that it can have gleaned from that photo it sends it somewhere else, to a third party, he explains hypothetically. As soon as information leaves the phone and goes to another party, then we have to worry about, well, who that party is and what are they doing with that information?
Patil also adds that, if this data is transmitted on the cloud, it could leave personal information at increased risk for a data leak.
And, according to Xus security risk detection, these could be very real threats. One of the apps, Veriscan, seems to communicate some messages to its server without encrypting them. This means that hackers with bad intentions can potentially access the apps communication channels, effectively eavesdropping and garnering them the ability to steal private data.
Additionally, Bar and Club Stats doesnt seem to have any restriction pertaining to trusted servers the app can communicate with. This makes it easier for the connection to be intercepted by an unintended party, which could also result in a data leak.
When youre talking to someone, you have to make sure that the one youre talking to is the one you trust, right? Xu explains with an example. Like now, youre talking to me. You have to make sure: OK, Im talking to Jun. Its the same with communication between the mobile app and the server.
But despite the potential security risks, there are luckily some protections in place for private material gleaned by ID scanners in the state of Utah. Aside from the restrictions on the type of personal information displayed by scanners, according to the DABC, the data gained through ID scans can only be stored by bars for seven days, after which it must be deleted.
The DABC enforces this policy through annual checks of Utah bars, in addition to the more regular checks performed by the State Bureau of Investigation, which is a division of the Utah Department of Public Safety.
But, there is no specific guidance from the DABC about the use of apps for ID verification yet, so its important to be aware of the risks.
As Patil advises: If I was a patron at such a bar, I wouldnt agree to my ID being scanned by an app that I dont even know, on somebody elses phone.
Read the rest here: