The UK is in a panic right now because data containing 15m recipients of child benefit has been lost. It’s a serious incident and the chairman of HM Revenue and Customs has resigned.
Even so, I’m a little confused. I watched TV news over lunch and several identity theft experts came on and warned us to scrutinize our bank statements with extra care because of what has happened.
So what is in these records? We don’t know, yet, though the BBC says:
names, addresses, date of birth and bank accounts
Now, none of these experts has explained to me how Mr Fraudster takes these details and translates them into cash extracted from my bank account. Perhaps he approaches my bank, posing as myself, and asks to withdraw money? He would have to produce some kind of additional fake identity to do so. Perhaps he embarks on a more complex fraud involving, say, a change of address and a replacement debit card? Fair enough, but it is non-trivial.
Further, how difficult is it to obtain such details anyway? Names and addresses are easy enough to find; so are dates of birth. Nor are bank account details normally regarded as highly confidential. They are on every cheque you sign. Some companies include bank details on their invoices or on their web site for all to see.
I’d have thought that credit card details were far more valuable to criminals, especially when they include things like expiry dates. But they won’t be part of these records, surely, and nor will passwords or PIN numbers, unless there is a lot that we have not yet been told.
I don’t mean to diminish the seriousness of the incident. This is a huge amount of confidential information to lose. But I’d like a bit more explanation about why these details are so dangerous in the wrong hands, before I rush out and close all my accounts.
Security expert Bruce Schneier would I think call these details “semi-secret”. His consistent message is that you should authenticate the transaction, not the person. See his (old) post on Identity Theft in the UK.
Update
Here’s the official advice:
What can an ID fraudster do with this data?
No password, security details or card details have been compromised, so a fraudster cannot access your bank, building society or card account. However, HMRC is advising customers that if they use any personal data, like child’s name or date of birth in their password, they may wish to consider changing their password.If this data were in the hands of a fraudster – and at present there is no evidence that it is – this type of information might help them to commit account takeover fraud, although additional information would be needed. There is also a risk of a fraudster using those details to set up other credit or financial agreements, e.g. mobile phone accounts.
Further postscript
As it happens, I was at a meeting this evening and spoke to someone who works for a bank. He says there are several risks. A smooth-talking fraudster might persuade a cashier to release funds, though it would be a failure of policy. We also discussed direct debits. These are vulnerable, because the bank might not be involved in checking the authenticity of the instruction at all. In both cases though, these are existing weaknesses in the system. It’s possible that heightened risk of fraud could result in better procedures, so some good may come out of it.
Another thought: surely a smart thief would have copied the data and returned the CDs to the envelope. That way, nobody would know. Put another way, how much data theft occurred without it ever coming to light? It just happens that this one is very large and very public.
Well it is the accumulated data all being available in one convenient place that makes this a real problem. Identity fraud is easy with all this data and the clever tricksters will use it to the full if it is in criminals’ hands. The market value of this data in the criminal fraternity is huge! One way to protect yourself is to change your bank account tomorrow. Get a new account number and then anyone trying to use it as proof of your stolen identity will fail at that hurdle. Sure the banking administration systems will go into meltdown if 10% of the at risk people do this, but, hey, what the hell!
Jon, what kind of identity fraud do you envisage? You don’t usually use an account number to prove your identity, do you?
I fully accept the seriousness of this loss of personal data.
Tim
The data which has been lost creates a big risk because many people use their child’s name or DOB for passwords.
A fraudster would therefore try to use the bank accounts with a child’s name as a password. With just one set of details the chances of this working are negligible. With 25 million the chances are high.
The other risk is that a fraudster might pretend to be an account holder who has forgotten their passwords. Many companies use the details listed to authenticate a customer when a password has been lost. (Though I don’t know of a bank that relies on such weak authentication).
A variant of this would be to use the details on the CD to research other information on an individual.
It is the massive scale of this loss that makes the incident so serious.
For me what makes this so outrageous is that the government continually assure us that a UK ID card scheme would be secure yet are unable to operate their existing basic security controls.
Nigel
Yes, I do see these risks and they are significant.
When the news broke the media was reporting almost as if a criminal could just walk into a bank and collect your money, with these details, which doesn’t seem to be the case, at least not without some very smooth talking.
On the other hand, there are other ways to use the information, such as setting up credit accounts or buying a mobile phone, and the risks are very real.
I agree 100% about the ID card scheme. Further, it shows the dangers of having very a lot of critical information in a single location. Popping the lot into the post on an unencrypted CD is … [speechless].
Tim
As I see it the major problem is that these details will be used to take out credit agreements or apply for credit cards with the story “I’ve just moved from (correct address) to (new, fake but plausible address)”, and will then default on the payments, leaving the banks out of pocket and the person whose details were stolen with a potentially very bad credit record (unless they act quickly to get it cleaned up).
Andrew
<blockquote<Popping the lot into the post on an unencrypted CD is … [speechless].
Tim