New rules: Websites can’t ask for ID numbers

New rules: Websites can’t ask for ID numbers

Recent hack attacks by a Saudi gang have prompted a change in online verification rules

A sample 'smart' biometric ID card of the sort that will be issued to replace existing cards in the coming years (Lior Mizrahi/Flash90)
A sample 'smart' biometric ID card of the sort that will be issued to replace existing cards in the coming years (Lior Mizrahi/Flash90)

Recent hacking attacks against Israeli sites, and most notably the publishing of credit card and identity information of thousands of Israelis by a Saudi hacker named 0xOmar, have prompted the new instructions on how and when national  ID numbers are to be used in online transactions, Justice Ministry publicized in a statement Sunday.

According to the new rules, a site can only demand an ID number from an Israeli online buyer if there is an “absolute need” for one. In such cases, the site must tell the consumer why the number is needed and who will have access to it. Otherwise, the ministry said, sites will have to come up with alternative systems to verify customer identity.

Government-issued ID numbers follow Israelis throughout their lives. The multipurpose numbers are used, for example, as tax identification numbers, National Insurance eligibility numbers, and ID numbers to verify voting eligibility. But in recent years, the numbers’ use has been expanded into the private sector as well. In many instances where consumers make a credit card purchase, for example, they are asked for their ID number. Israelis who fill up their gas tanks at self-service pumps are asked for their ID number to verify their identity when using a credit card. And, nearly all shopping websites in Israel require an ID number for verification.

That era is coming to an end, the ministry said. In a statement issued Sunday, the ministry department that deals with legal-technological issues said that ID numbers were now off-limits for shopping sites. And it’s all because of 0xOmar, the statement said. “We felt it necessary to publicize these instructions as a result of the theft of information from a database, and its distribution on the Internet.” The theft was possible, the statement said, “because the owners of these databases collected many ID numbers, without justification in many cases, and exposed their clients” to cyber-insecurity.

0xOmar released the personal information of about 15,000 Israelis in January. In messages posted on a site popular with hackers, 0xOmar listed names, credit card numbers, and ID numbers of Israelis found in several databases that he and his gang hacked. 0XOmar suggested that those using the cards do so as soon as possible, in order to be able to use the cards while they were still valid, and before they were canceled by the Israeli banks they were stolen from.

By acquiring an individual’s name and ID number, hackers would have access to a wide range of information about that individual; a quick parse of a credit card database, matched up against the ID number, is all a hacker needs to use that individual’s credit card.

As a result of the new instructions, websites are going to have to find other ways to identify customers. The ministry statement suggested issuing a “club member” number or other ID, in order to verify that a card is being used legitimately.

read more: