Serious data loss by HMRC
The loss of two CDs (in 2008) containing the confidential identity
details of 25 million people including every child in the nation
was a very serious incident demonstrating the complete incompetence
of the management of Revenue & Customs where data security
is concerned.
So what are the chances of this data being misused?
Well that depends on where the CDs went to. The probability is
that they were lost in an in tray or filing cabinet somewhere without
having been recognised for what they were. If this was the case
then we have nothing to be worried about - yet.
However, if they were stolen from the mail and recognised for
what they were, then they may well have been passed into the hands
of criminals who will have the knowledge and resources to be able
to misuse the data they contain.
[30 December 2009 - there has been no evidence
so far that this data has been misused. If it were to have been
used by the criminal fraternity we would have expected a very
large increase in the use of this type of information. That hasn't
happened so far as I know.]
How easy will it be to misuse the data?
The data was password protected but not encrypted. The password
was not likely to pose much of a problem. An expert in file protection
could either have cracked the password or rewritten the data in
a way that eliminated the password.
Probably a greater problem will have been deconstructing the data.
It would first have been necessary to identify the file or database
system used to write it and then to analyse the data byte by byte
in order to work out what the bytes represented. For instance,
if a string of bytes could be read as ordinary words - such as
a name or address - then that presents little problem. But if,
say, four or six bytes contained random bits with most of the ones
towards the right of the block of bytes and most zeros to the left
then it is probably a binary number. It will be easy to know what
the absolute number is but what does the number represent? It could
be anything from a date and time in floating point format to the
number of children in the family, or a thousand other bits of information
that HMRC may have kept on the record. It will have been very hard
to tell. For example, 3940886733 is a number I have just taken
from a string of eight bytes. It could be anything. It is actually
the date and time I am writing this.
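The ambiguity described above, shown as an added example that is not part of the original article: the quoted number is packed into eight bytes and read back under several field types and timestamp conventions. The little-endian layout and the epoch table are assumptions; the article does not say which format its eight bytes used.

```python
import struct
from datetime import datetime, timedelta, timezone

# The number quoted in the text. The article does not say how its eight
# bytes were laid out; little-endian unsigned 64-bit is assumed here.
QUOTED = 3940886733
RAW = struct.pack("<Q", QUOTED)

# Well-known timestamp epochs (candidates only, not the author's stated format).
EPOCHS = {
    "unix_1970": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "ntp_1900": datetime(1900, 1, 1, tzinfo=timezone.utc),
    "classic_mac_1904": datetime(1904, 1, 1, tzinfo=timezone.utc),
}


def looks_like_text(raw: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. readable as words."""
    return all(0x20 <= b <= 0x7E for b in raw)


def interpretations(raw: bytes) -> dict:
    """Read the same eight bytes under several plausible field types."""
    if len(raw) != 8:
        raise ValueError("expected exactly eight bytes")
    out = {
        "text": looks_like_text(raw),
        "uint64_le": struct.unpack("<Q", raw)[0],
        "uint64_be": struct.unpack(">Q", raw)[0],
        "float64_le": struct.unpack("<d", raw)[0],
        "uint32_pair_le": struct.unpack("<II", raw),
    }
    # Treat the little-endian integer as a count of seconds from each epoch.
    for name, epoch in EPOCHS.items():
        when = epoch + timedelta(seconds=out["uint64_le"])
        out["seconds_since_" + name] = when.isoformat()
    return out


if __name__ == "__main__":
    print(RAW.hex(" "))
    for field, value in interpretations(RAW).items():
        print(f"{field:32} {value}")
    print(looks_like_text(b"J Smith "))  # constructed sample of a text field
```

Every reading is a valid decoding of the same bytes; nothing in the bytes themselves says which field type was intended.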
How will we know if our information has been misused?
First of all, it may be a long time before the data will have
been misused, months or even years. So we didn't expect to see
money being taken out of your bank account soon after the loss.
In fact, loss of money from accounts was fairly unlikely.
By far the greatest risk remains the possibility of identity
theft - someone setting themselves up to look as though they are
you, taking over your bank or other account, and obtaining credit,
then leaving you with the bill. The first you are likely to know
about what is happening will be when the bailiffs turn up to demand
repayment.
What should I do to protect myself?
There are a number of basic things to do to reduce the risk of identity theft. The following list considers protection from all methods of ID theft, not just the loss of the HMRC data:
- Use high quality passwords on your computer, particularly for online account access - minimum of eight characters, mixed upper and lower case letters, numbers and special characters where permitted. Don't use names, especially those of your family. Avoid obvious substitutions such as 1 or / instead of l, 0 instead of O.
- Don't share passwords. This should be a dismissible offence in a contract of employment. It is not safe to do this even in a domestic environment.
- Protect your computer with the usual firewall, virus checker and spyware remover.
- Change the PIN numbers for your bank and credit cards if your present number has any relevance to any numbers in your basic identity information such as house number, dates of birth, etc. Ideally don't use the same PIN for all your cards.
- DO NOT write down your PIN anywhere. To do so would be a breach
of the conditions under which it has been issued and dramatically
increases the risk of misuse. You would be liable for any losses
resulting from such misuse.
- Rigorously check all bank and credit card statements as soon as they arrive. Ensure that you still have all your cards in your possession. If your spouse/partner also has a card on the account check what they have been transacting. Call your bank and question anything that cannot be accounted for.
- Check your credit record (see below).
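The password rules in the first item of the list above, written as a checker. This is an added example, not from the original article: the family names and sample passwords are constructed, and the substitution table covers only the three substitutions the list names.

```python
import string

# Substitutions the list calls "obvious": 1 or / standing in for l, 0 for O.
UNDO_SUBSTITUTIONS = str.maketrans({"1": "l", "/": "l", "0": "o"})


def password_problems(password: str, names: list[str]) -> list[str]:
    """Return the rules from the list above that `password` breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")

    # Look for names case-insensitively, first as typed and then with the
    # obvious substitutions undone, so "M0//y" is still recognised as "Molly".
    as_typed = password.lower()
    undone = as_typed.translate(UNDO_SUBSTITUTIONS)
    for name in names:
        wanted = name.lower()
        if wanted in as_typed:
            problems.append(f"contains the name {name!r}")
        elif wanted in undone:
            problems.append(f"contains the name {name!r} behind a substitution")
    return problems


if __name__ == "__main__":
    family = ["Oliver", "Molly"]  # constructed sample names
    for candidate in ["0liver", "M0//y2008!", "tR7#kw9&Zp"]:  # constructed
        print(candidate, password_problems(candidate, family))
```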
Credit record checking
There are three credit checking companies in the UK (links below). In theory they should have the same information about us all but in practice they are often different, mainly because some finance houses use one or two and not another. The companies are often referred to as 'agencies', subtly implying that they are a branch of government - they are not; they are private or public companies independent of government other than for the regulations under which they operate, such as the Data Protection Act.
The companies record all major credit related arrangements that you have with banks and other financial organisations together with any court judgements against you. This will include information about mortgages, other bank loans, credit cards including store cards and financial judgements against you made in a county court (known as CCJs). You may find that the fact that you have a particular credit card is not noted. That's because you pay off your account regularly and on time! They also record all your attempts to obtain credit. Unsuccessful attempts (or even those where you decide not to proceed) are recorded. These records can seriously damage your future chances of obtaining credit so never apply for credit unless you really intend to take it.
By law you have to pay a fee of £2 to obtain your information
from each company. Note that there are several other companies who
will obtain your information for you but for a much greater fee.
As it is so simple to get it direct I can't see why you would want
to use these intermediaries.
The credit checking companies are:
- Experian
- Equifax
- Callcredit
I suggest going on their web sites and looking at what you need to do to obtain your information. To be on the safe side you should probably inspect your files once a year and additionally if you ever suspect that any of your accounts has been compromised. In the latter case always call the bank first to look for evidence of compromise and to advise them of your concerns. If the bank doesn't take you seriously then move your account.
... is a retired Information
Security Manager. I give no warranty that the advice given will prevent
your system from suffering from viruses, worms, spam, spyware, usage
trackers, keyloggers, abuse or any unauthorised programs, functionality
or macros of any kind introduced by any means. It must be accepted that
the subject is not fully explored in this document and descriptions of
problems and solutions are necessarily brief and incomplete. New security
problems are regularly being discovered in PC operating systems, mobile
'apps' and other software for all kinds of computer based consumer equipment
and users need to be constantly alert to the latest threats. Nor do I
give any warranty regarding personal identification protection, use of
social networking web sites, or calls to or from banks and finance houses.
Neither do I take any responsibility for any third party web site or
its contents nor for any products offered or supplied by those sites
or any retail outlet or the companies promoting them. If in doubt ask
for advice for your specific system or problem from a company offering
such advice or service. Always follow the specific advice of hardware
and software suppliers, banks and finance houses as appropriate.
© Copyright 2011 Tim Boddington