Personnel, be aware of CAC scanning apps

Compiled from the U.S. Army Research Laboratory and Airmen and Family Readiness Center, Ellsworth Air Force Base:

Personnel, be aware: an Android application named “CAC Scan” has been released in the Google Play store, designed to scan the bar code on the front of Military Common Access Cards (CACs).

  • Do not download and do not use this application.
  • Ensure that your CAC is with you at all times and stored in a secured location when not in use.

The app scans the barcode on a CAC to decode personnel information, including the ID type, social security number, the electronic data interchange personal identifier (EDIPI) assigned to a record in the United States Department of Defense’s Defense Enrollment and Eligibility Reporting System (DEERS) database, first name, last name, middle initial, and rank.

According to the Google Play store, this application has been downloaded 100-500 times and was last updated on April 20, 2016.

DO NOT USE THIS APP!

According to a little research from Ellsworth Air Force Base, the app developer is an American, most likely associated with the U.S. Army (either active duty, government civilian, or contractor), who lives in the US.

Several disturbing questions remain:

  1. When you scan your (or someone else’s) CAC, where else does the data go; i.e., who else gets a copy of the results?
  2. Why would you need this app? You already know the personal info on your own CAC… whose info are you trying to obtain, and why?

We cannot see any valid reason to use this app, and the OPSEC/privacy implications are disturbing. It could be used to compromise PII on unsecured or stolen CACs. All the more reason to ensure we properly secure our CACs.

Please use caution when downloading and using any app, especially one that deals with your personal information.

References:

https://play.google.com/store/apps/details?id=com.armyapps.cacscan&hl=en

http://www.mobbo.com/Android/App/com.armyapps.cacscan/3186545

DoDI 1000.13, January 23, 2014

2. GUIDELINES AND RESTRICTIONS. The guidelines and restrictions of this section apply to all forms of DoD ID cards.

a. Any person willfully altering, damaging, lending, counterfeiting, or using these cards in any unauthorized manner is subject to fine or imprisonment or both, as prescribed in sections 499, 506, 509, 701, and 1001 of title 18, United States Code (U.S.C.) (Reference (u)). Section 701 of Reference (u) prohibits photographing or otherwise reproducing or possessing DoD ID cards in an unauthorized manner, under penalty of fine or imprisonment or both. Unauthorized or fraudulent use of ID cards would exist if bearers used the card to obtain benefits and privileges to which they are not entitled. Examples of authorized photocopying include photocopying of DoD ID cards to facilitate medical care processing, check cashing, voting, tax matters, compliance with appendix 501 of title 50, U.S.C. (also known as “The Service member’s Civil Relief Act”) (Reference (v)), or administering other military-related benefits to eligible beneficiaries. When possible, the ID card will be electronically authenticated in lieu of photographing the card.

h. An ID card shall be in the personal custody of the individual to whom it was issued at all times. If required by military authority, it shall be surrendered for ID or investigation.

Title 18 U.S.C.

Section § 701. Official badges, identification cards, other insignia. Whoever manufactures, sells, or possesses any badge, identification card, or other insignia, of the design prescribed by the head of any department or agency of the United States for use by any officer or employee thereof, or any colorable imitation thereof, or photographs, prints, or in any other manner makes or executes any engraving, photograph, print, or impression in the likeness of any such badge, identification card, or other insignia, or any colorable imitation thereof, except as authorized under regulations made pursuant to law, shall be fined under this title or imprisoned not more than six months.