1. You call yourself “Carrefour“, you put up a marketing campaign and ask your customers to fill in a form where one of the fields is the Numerical Personal Code. Of course, you are not registered as a company who deals with private data (according to ANSPDCP‘s website). There are a lot of people out there that give their personal information just to get 10$.  I really wonder if it was to give their credit card info and PIN, would they really give it?

2. What about if you are a bank? Or a customer of a bank? Theoretically your private details like bank account, CNP, address, etc should be safe. Well…that’s the theory. There is one bank out there (you’ll discover the name below) that allows you to find protected info about any of its customers. Let’s say you have an i-banking account with them and you get the IBAN account of one of their customers. As soon as you try to make a money transfer to that person, you will get that person’s name. What’s wrong with that you will say. Well, you can just play around with the IBAN account and discover other valid accounts along with the holder’s name. Ok, I agree, maybe that’s not a serious security problem. Once you continue with the money transfer, you can see more: in the details of the transfer you also get the CNP of that someone. And yes, the bank is registered as a private company who deals with confidential data and obeys the law. Right!

See a demo for yourself. I have blurred some details, but that’s the only edit on the video.