Citizens of Turkey: Is Your Credit Card PIN Your Date of Birth?
It is not out of the ordinary to use personal information as a method of authentication when it comes to our e-mail accounts, online banking passwords, credit card PINs, even our social media accounts. Using such personal information as a means of authentication for various services and platforms is generally believed to be safe, because we do not think that other people can know or have access to it. However, citizens of Turkey are in a critical situation right now.
Just a few months ago, in February 2016, the Turkish National Police’s database got hacked. The leaked data consists of 17.8 GB of addresses and personally identifiable information. As a result of this incident, Turkish citizens’ addresses and personal information are just a couple of clicks away for interested parties on The Cthulhu’s website.

https://turkey.thecthulhu.com/
Turkish Police data dump available on The Cthulhu’s website.
Digital Forensics Engineer Tuncay Besikci stated on his Twitter account that the data dump included 94.9 million pieces of data regarding the identity and address information of 46,859,467 Turkish citizens. Besikci also mentioned that the most up-to-date data is from 2009.
The last update date of the citizenship information leaked today is March 2009.
— Tuncay Beşikçi (@tuncaybesikci) February 15, 2016
ROR[RG], who is behind the attack, is no stranger to headlines and is also known for the Adult Friend Finder attack. Last year, ROR[RG] uploaded files containing highly personal information about almost four million people, including their names, ages, email addresses, locations, and what kind of sexual partner they were looking for. The un-redacted database was for sale for 70 bitcoins.
Initially, it was generally thought that the attack was conducted by Anonymous. However, Anonymous has denied being behind this attack, because it would harm the citizens but not the government. Nonetheless, according to OdaTV, a news reporter in Turkey, Anonymous explained via the Twitter account with the pseudonym @Crypt0nymous that they only helped to publish the stolen data but did not take part in the actual acquisition of the data from the police’s database.
The Cthulhu, publisher of the leaked data, stated on his website that ROR[RG] had persistent access to various parts of the Turkish Government infrastructure for the past 2 years. This is a very concerning situation regarding the security measures that the Turkish Police is taking (or not taking) to protect the confidentiality, integrity and availability of data. It is also ironic given the timing of the data breach.
The Turkish Police published a public announcement on their website that the Cyber Crimes Prevention Headquarters was going to hold a workshop on the prevention of cyber crimes on February 8–12, 2016. Meanwhile, there was a hacker in the Turkish National Police’s system who also claims to have had access to the government infrastructure for the past 2 years. After the stolen data was published on The Cthulhu’s website, the Turkish Police has not made any announcements or press statements regarding the data breach, or whether they were working towards securing their system and protecting the confidentiality and the integrity of the data.
This data breach poses many potentially serious identity theft threats to the citizens of Turkey. Such malicious acts could vary from minor fraudulent transactions to physical harm or even death. Examples of possible identity theft include printing fake ID cards and driving licenses, using the information to apply for loans, renting apartments or houses, buying SIM cards, using the identity information as PIN numbers to use credit and debit cards, authenticating unauthorized access to e-mail accounts, and many more acts that would harm individuals in many different aspects of life. Therefore, if your credit card PIN is your date of birth, now is a good time to change that.
Once the leaked personally identifiable information is in the wrong hands, the potentially harmful scenarios are not limited to the financial aspect of the issue. On the contrary, the harm could go way beyond financial damage. There could be situations where the victim suffers substantial emotional distress, physical harm or even death. When used in conjunction with social media, having access merely to individuals’ addresses can lead to even more serious threats and harm. For instance, a person stalking you or a simple social media admirer can go to your home once they see you check in at another location. The stalker can have many different intentions, whether to hurt, harm or harass the people present at your home or even to commit arson; the possibilities are endless.
Prime Minister Davutoglu made comments about the fact that his home address was also included within the leaked 17.8 GB of personal data. However, he added that “it was not a big deal that addresses got leaked and everyone was welcome at his place.” Clearly, Davutoglu is underestimating the harm that this data breach can cause once the information is in the wrong hands.
So far there haven’t been any reported incidents that can be traced back to this data breach. We will wait and see, but as citizens of Turkey it is generally a good thing to be extremely cautious from now on; we might not know what is waiting for us just around the corner.
Originally published at www.huffingtonpost.com on May 6, 2016.