Renting A Car? Using The Bluetooth Could Put You At Risk For Identity Theft
By Rebekah L. Sanders, THE ARIZONA REPUBLIC
January 26, 2018
If you're renting a car for the next family vacation, be careful using the mapping system or playing the "Moana" soundtrack for your kids through Bluetooth.
Those simple actions could put you at risk for identity theft once the vacation is over, consumer watchdog groups in the U.S. and Europe warn.
Rental-car companies have no policies
Major rental-car companies have no policies to delete sensitive information collected during the trip once you return the car, according to a report from Privacy International supported by Consumer Watchdog and other groups.
"Your name and navigation history is valuable personal information," the report says. "Combine this information with a bit of open source intelligence, such as social media profiles, and you can track down individuals."
The groups are calling on car-rental companies to better protect customers.
"When you rent a car, you must have the right to control how that extremely revealing data is used," John Simpson, of Consumer Watchdog, said.
The small print of a contract isn't enough to notify people that their data is at risk, Privacy International said.
"Companies must explicitly inform customers that they should delete personal data," the report said. And "manufacturers must provide the equivalent of a delete button enabling customers to quickly and easily remove their personal data from infotainment systems."
What could go wrong?
Vehicle-based data so far seems to have helped fight crime.
A Baltimore IT worker tracked down teenagers who took his car for a joy ride using the teens' phone usernames stored in the paired device list on his Jeep.
Police in the United Kingdom are adding automotive infotainment systems as an additional source of information on potential investigative leads, the report said.
But bad guys could begin to mine personal data stored in cars for nefarious reasons too.
If you use the GPS in a rental car to get home, for instance, a robber could find your address. Or a stranger could reveal your identity by matching your device name to profiles on social media such as Facebook, Instagram or Twitter.
The threat may seem remote now, but it's better to be safe than sorry, said Brady Willis, a Chandler technology-security expert.
"When I travel, I very rarely connect my phone to the car," he said. "My work has exposed me to a mindset that causes me to think about those consequences even though I can't necessarily articulate the threat to me."
What kind of personal data is collected?
Lots of information can be saved when you connect your phone to a car:
- GPS history.
- Device name.
- Address book.
- In-car internet search history.
- Music-streaming login, such as Spotify or Pandora.
- Call log and text messages if you use hands-free calling.
- WiFi identifiers.
Which companies should I be wary of?
Privacy International rented cars from Enterprise, Hertz, Zipcar and Europcar. In every case, personal data from previous users was stored on the infotainment systems.
Alamo, National, Thrifty and Sixt reported they do not automatically delete customers' data from rental cars when they are returned.
Hertz, Zipcar and Europcar did not respond to the report.
Avis, Budget and Dollar were not included in the study.
How can I protect myself?
Take a few minutes to delete your data before returning the car.
Go to system settings, or the Bluetooth setup menu, and delete your device from the paired phones list. A more thorough way to clear data is by finding the factory reset option in the menu.
Are rental companies doing anything?
Car-rental agencies, and even travel groups, continue to place responsibility on the customer.
"AAA advises consumers to disconnect their synced phones upon returning their rental cars and to become familiar with rental car companies' privacy policies," AAA Arizona spokeswoman Michelle Donati-Grayman said.
Hertz, which also owns Dollar and Thrifty, said the companies provide owner's manuals in every car that can guide customers through unpairing devices.
"We also have employees on site to assist with this during the return process," Hertz said in a statement provided through AAA.
Personal information on Hertz NeverLost GPS units is erased when a customer disconnects the device, the company said.
Enterprise, Sixt and Thrifty said they have begun working on new data-protection policies.
But Willis said the companies should do more.
"It's the rental-car companies that are best positioned to deal with this now and to get in front of it," Willis said. "Just as they refuel tanks, just as they vacuum the car, they should factory reset the infotainment system. It's just one more step in the process to return the vehicle to the fleet the next day."