Data theft from Diia: risk assessment
Author: Inna Tuta, lawyer.
The recent cyberattack on government websites has alarmed many Ukrainians, as they were left with an ominous message: "All information about you has become public, be afraid and expect the worst."
However, a leak of personal data does not by itself mean that trouble is imminent for the person whose data was exposed.
If an attacker has obtained a copy of a person's passport and tax identification number, putting those documents to profitable use is unlikely, because:
1. Obtaining a loan for a significant amount requires a personal appearance at the financial institution to sign the loan agreement.
Even if an attacker managed to obtain a loan in someone else's name (a scenario more likely in a film than in practice), the signed agreement can be challenged in court on the basis of a handwriting examination.
2. Obtaining a so-called "microloan", whose distinguishing feature is that a small amount can be applied for online, requires either identification of the borrower through a bank card or confirmation of the borrower's intent by an SMS code or a phone call. In practice, a fraudster who neither physically holds the person's phone nor controls the person's mobile number cannot carry the scheme through.
What leaked passport data does give a fraudster is material for convincing phishing calls and messages, which is the usual way of obtaining the credentials listed below. A real threat of misuse arises only if the attacker also comes into possession of:
1) the person's electronic digital signature (EDS), including the password protecting the key;
2) the person's password to the Diia app, which includes the Diia.Signature function for signing documents online;
3) the person's mobile banking password, which can be used to re-issue the EDS and to make online purchases unhindered.
Practical tips on how to prevent an intruder from accessing your important data:
- Sign a contract with your mobile operator. Your passport data will then be formally linked to your mobile number, which makes it harder for an attacker to take control of that number for fraudulent purposes.
- Do not give a code received on your phone to anyone else (unless you yourself initiated the action that triggered it).
- Do not confirm an action via a phone call or a mobile application prompt (unless you yourself initiated that action).
- Make a habit of regularly changing the passwords to your EDS, the Diia app, and mobile banking, and do not reuse the same password across them.
- Do not respond to dubious messages asking you to renew your electronic signature key via a link.
If, despite this, your electronic digital signature and/or important passwords have been compromised and an intruder has taken possession of them, immediately have the EDS key revoked (blocked), change the affected passwords, and report the incident to the cyber police.