Mattia Vicenzi
November 3, 2020
Most governments have a system for assigning a uniquely identifying number to each of their citizens. This will be a number attached to a person for the rest of their life and serves as a placeholder for their identity in a number of different circumstances (depending on the country) such as: property ownership, legal/court proceedings and business dealings.
Ideally, those numbers would be created by a pseudo-random number generator with plenty of entropy.
But what if it wasn’t….
Some time ago I was dealing with several OSINT analyses for several Italian multinationals. I want to show you how easy it is to get a lot of information about Italian citizens simply starting from first name, surname and date of birth.
It is not a matter of magic but of a simple calculation of the "Codice Fiscale", The Italian tax code.
According to Wikipedia: The Italian fiscal code (TIN-IT) is a code, inspired by biblioteconomic use, which serves to uniquely identify “natural persons” and other subjects other than natural persons in their relations with the institutions and public administrations of the Italian State. For natural persons it generally consists of 16 alphanumeric characters while for subjects other than natural persons it consists of 11 digits.
The legislation governing the calculation of the tax code is the decree of the Ministry of Finance of 23 December 1976, ("Sistemi di codificazione dei soggetti da iscrivere all'anagrafe tributaria"), Fortunately for us, the code generation algorithm is really easy. To create it you need: first name, surname, sex, date and place of birth of a subject.
The consonants of the surname (or surnames, if there is more than one) are taken in their order (first surname, then the second and so on). If the consonants are insufficient, the vowels are also taken (if the consonants are sufficient, the first, second and third consonants are taken), always in their order and, in any case, the vowels are taken after the consonants (for example: Rosi → RSO). If a surname has less than three letters, the code part is completed by adding the letter X (for example: Fo → FOX). For women, only the maiden name is taken into account.
The consonants of the name (or names, if there is more than one) are taken in their order (first name, then the second and so on) in this way: if the name contains four or more consonants, the first, third and fourth are chosen (for example: Gianfranco → GFR), otherwise the first three in order (for example: Tiziana → TZN). If the name does not have enough consonants, the vowels are also taken; in any case the vowels are reported after the consonants (for example: Luca → LCU). If the name has less than three letters, the part of the code is completed by adding the letter X.
Year of birth (two digits): take the last two digits of the year of birth;
Month of birth (one letter): each month of the year is associated with a letter according to this table:
The two digits of the day of birth are taken (if it is between 1 and 9 a zero is placed as the first digit); for female subjects, the number 40 must be added to this figure. In this way the field contains the double information day of birth and gender. We will therefore have the following case history: males will have the day with a number from 01 to 31, while for females the number for the day will be from 41 to 71.
To identify the municipality of birth we use the code called Belfiore, composed of a letter and three numerical digits. For those born outside the Italian territory, whether they are foreign citizens born abroad or born in Italy but of foreign origin, or Italian citizens born abroad, the foreign state of birth is considered: in this case the acronym starts with the letter Z followed by the identification number of the state.
The Belfiore code is the same as the one used for the new cadastral code.
The cadastral codes are available here
From the fifteen alphanumeric characters obtained previously, the control character (sometimes referred to as CIN, Control Internal Number) is determined according to a particular algorithm that operates in this way:
the alphanumeric characters that are in an odd position are placed on one side and those that are in an even position on the other side;
Once this is done, the characters are converted into numeric values according to the following tables:
this point, the values obtained from even and odd alphanumeric characters must be added together and the result divided by 26; the rest of the division will provide the identification code, obtained from the following conversion table:
Two different people could have all sixteen letters/digits generated using this scheme (homocodia). In this case, the Inland Revenue will systematically replace only the numeric characters (starting from the right-most numeric character) with a letter, according to the following correspondence table:
After replacement, the check character must be recalculated.
Too complicated?
I suggest you create your own script to perform the tax code calculation for a simple reason...
You don't really need to know all the data to create facts.
If we have a date of birth, a first and last name, and we know the sex of the person you can generate all the possible tax codes.
If we know for example the full name, sex and birth day (but not year) we can generate all the possible codes in a date range. If the person is about 20 years old you can generate all the codes between 1995 and 2000 for example.
In any case, if you don't have the technical skill to do so or don't have the time to create your own script, there are many online tools available that allow you to conveniently generate the tax code. For example: this site
I began my search for a famous Italian CEO. After a short search I was able to find an old Curriculum Vitae uploading in an archive. Bingo! This c.v. seems to contain all the information I was looking for and even more
From here, I already have all the data I need, so I proceed to the creation of the tax code.
At this point it is necessary to verify that the generated tax code is correct. There are many tools available to do so, in particular I used the official portal available on the Inland Revenue website.
Another bingo! the result is correct! We got the exact tax number of the subject.
Let's remember that this code is unique and closely related to a person’s documented activity. From here, we could use it as an individual number plate, a simple Google search could give unexpected results:
Once again bingo! We have identified two different legal documents, of particular interest is the identification of a legal case in which the subject is involved.
Starting from the fiscal code it is possible for any person, in a completely legal way, to obtain information from the cadastre about real estate and land belonging to a person.
In particular, we can obtain information such as: Location of the property (Yes. The exact location. You have understood correctly!), urban section, data on the property, subordinate, municipality; also class data: census area and eventual micro-zone, cadastral category, class and cadastral surface, consistency and income of the property. It is also possible to obtain the history of the property, including the previous owners or holders of extinct rights (such as a possible right of usufruct or dwelling), mergers with other properties, extensions or changes of use.
Many services are available to aid in this search (some free of charge or for a fee). A simple search on google with the word "Visura Catastale" is enough to find many of them. In order not to violate the privacy of the person involved I will only publish a very short extract and not all the information contained in the visura.
In particular from this brief summary it is possible to understand that this person owns 16 properties and 5 plots of land.
Starting from the tax code, it is also possible to request The Chamber of Commerce Visura is the document that provides information on any Italian company, individual or collective, registered in the register of companies kept by the Chamber of Commerce, Industry, Crafts and Agriculture (present in every Italian province). The Chamber of Commerce can be of two different types:
Ordinary: containing the main information on a company, such as personal data, VAT number, date of incorporation, legal nature, REA code, certified e-mail, status of activity, share capital, number of employees, shareholdings in other companies, directors, partners and their offices;
Historical: containing, in addition to the information of the ordinary Visura, the history of the changes suffered by the company up to the moment in which the Visura was requested. It therefore reports all the registrations and deposits of the documents in the Companies' Register that have taken place since the company was set up.
Also in this case I do not publish any further details, but a google search with the word "Visura Camerale" is sufficient.
This is a more sensitive phase. Starting from the tax code it is possible to obtain information regarding the vehicles registered in the person's name. In particular, it is possible to obtain technical information on vehicles, their registration, new and old owners and possible legal problems (such as administrative detention).
In this case the visura is particularly sensitive. In fact, it is available only for the owner of the vehicle or Public Administrations, Lawyers, Curators and Investigation Agencies. Also in this case a search on google with the word "Visura nominativa PRA" is sufficient.
There are many other tools that use the tax code as a keyword. I’ll leave it up to you to find what you need...
