Separating a fool from their money

It's never been easier. The UK Gov (including the HMRC) have made it's online systems and telephone services so complex to get advice that many individuals are turning to the web for advice and support. What astounds me however is the information that people are adding as comments to blogs.

On this blog, the following information was given out by one individual:

• name
• address
• age
• national insurance number
• some tax code history

Another, offered their change of address - as a comment? There are at least 5 national insurance numbers & names. Did they really think that the dailydigit blog was the HMRC? Has none of the advice given out about web surfing and verifying the site identity got through to people - and more importantly, why are blogs like this moderating comments like this to appear?

It's also here; where a retired police officer volunteers even more information after being asked (well enough for an identity fraud)

For more information - google popular queries - "my NI number is", "my tax ref no is", "my passport number is"

Argos Sending Private Data in Receipt Emails

TheRegister has a great story about Argos using receipt emails that have HTML embedded in them that contains parameters including full unencrypted card number, CVV code, expiry date, name as printed on the card and address. Clearly a massive breach.

However, it gets more interesting when you look at one of these emails, Chris Geek Guy has copied one to his blog. Whilst it is clear that Argos have copied lots of personal data to the HTML email, I think there are bigger problems. The data is embedded in a GET html link. To me, this shouts out XSS and CSRF risk and also, if you look at the link, this data would always be sent across the internet in the clear - usually being cached as it travels through the internet - if the user did in fact click on the link in the email.

Potential targets for exploitation (and I haven't tried) would be: includeName, the com.ibm.commerce.context.experiment.ExperimentContext which looks like it is directly referencing an object (!!!) outside the context of the system. It would also be worth exploring what this link actually does and whether manipulating the receipt and performing a replay attack changes anything on the Argos server.

Googling for Protectively Marked PDF's

The number of protectively marked PDF's on the web is staggering, try these:

• Confidential: http://www.google.com/search?hl=en&q=filetype%3Apdf+file+confidential+%28htm+OR+html+OR+mhtml%29&aq=f&oq=&aqi=
• Restricted: http://www.google.com/search?hl=en&q=filetype%3Apdf+file+restricted+%28htm+OR+html+OR+mhtml%29&btnG=Search&aq=f&oq=&aqi=
• NATO restricted: http://www.google.com/search?hl=en&q=filetype%3Apdf+file+%22nato+restricted%22+%28htm+OR+html+OR+mhtml%29&aq=f&oq=&aqi=
• NATO Confidential: http://www.google.com/search?hl=en&q=filetype%3Apdf+file+%22nato+confidential%22+%28htm+OR+html+OR+mhtml%29&btnG=Search&aq=f&oq=&aqi=

Try other protective markings from other countries to see more. Clearly searching for "Top Secret" will incur a lot of separating chaff from wheat. The biggest surprise is the number of government protectively marked papers that are searchable - these are typically papers that are being passed between departments and the paper is being mis handled down the line of recipients.

I've seen a lot of misuse of confidentially marked papers in commercial organisations - I see them regularly sitting on a printer in open plan offices. Largely because staff working for big financial companies do not have information security drilled into them. They have to sit computer based training tests regularly - but there is little comeback for employees who regularly flout the rules.

Independent Financial Advisers oblivious to data protection

Who has the most information about you, as an individual?

• your doctor?
• your lawyer?
  
• your bank manager?
• the HMRC?
• your local council?

No - it is likely to be an Independent Financial Adviser. If you consider what is "personal data" (see the ICO Web pages) then the IFA pretty much ticks off more data categories than any other professional relationship in your life except for UK Gov vetting. Classification of personal data is not listed, but is classified by asking 8 questions:

1. Can a living individual be identified from the data? Yes, all forms carry name, address, date of birth and often National insurance Number. IFA's will also ask for proof of identity such as bank cards, passport, drivers licence. For regulatory reasons, all of this information is stored by the IFA.
2. Does the data 'relate to' the identifiable living individual, whether in personal or family life, business or profession? Again, yes it does. Joint Life cover and family health schemes will typically hold data about family members and the business that the policyholder works in.
3. Is the data 'obviously about' a particular individual? Yes, it has to be!
4. Is the data 'linked to' an individual so that it provides particular information about that individual? Yes, quotes, policy numbers, national insurance numbers, passports, bank account details all help link and identity an individual. These are all needed for commencing many policys. Often bank details are used for some types of investments.
   
5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual? Yes, policies with Life Cover options will have varying costs depending on the health, location of their home address. Income will play a part in pensions and other investments such as bond products.
6. Does the data have any biographical significance in relation to the individual? yes, in particular medical history reports for health cover will cover the individual in detail. Income history, previous addresses and knowledge of past and current financial products build a picture of the individual. Even, for some individuals, country of residence (for tax purposes) adds more colour to the picture.
   
7. Does the data focus or concentrate on the individual as its central theme? Yes, pretty much all products concentrate on the individual - particularly once anti-money laundering legislation came in.
8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity? Yes, for example a rejection for life cover on medical grounds could have an impact. As would knowledge of an individuals financial situation. Especially for targeted identity theft etc.
   

So given that IFA's have ticked all the boxes for data categories deemed 'personal' by the ICO, then surely the must have stringent measures in place for data security?

Well no, actually they don't.

Larger firms and the product providers (Aviva, L&G, Prudential, Standard Life etc etc) will have strict enforcement of data security - but the majority of IFA's are independent and will operate as a small business with no formal IT strategy and no formal training on data security. Many IFA's will buy laptops from retail stores like PC World and Dell retail online and configure them themselves. They are also using Blackberry's and Apple iPhones with no knowledge of how data is secured or not. Potentially - all of your data is being stored on unencrypted, unsecured devices.

The FSA regulates IFA's but it is my view that many IFA's play lip service to the "regulated by" statement on their business cards. It is only a matter if time before the FSA gets some teeth and in combination with the ICO (which will soon be allowed to prosecute) will close down IFAs that have non-existent security.

A Moment of Realisation during Registration

I was registering the birth of our new baby boy last week and, as you do, noticed a huge problem with the way registration of births are carried out in Scotland. The Scottish system for registration of births, deaths and marriages is different from England and Wales, with registrations being made at the General Register of Scotland and not Somerset House.

Whilst registering my wee boy; I was left alone in an interview room with an unlocked PC. I didn't have my phone on my but I would have taken some photos. The PC was linked and logged into the GROSfer application which, in Scotland, is on the GSX Government Secure Extranet system. The UK Government uses various classifications of network for various types of traffic according to its own data classification. I presume birth data must be protectively marked as restricted and so GROSfer is on the GSX.

I had approximately 3 to 4 minutes of "own time" in the office with the unlocked PC, plenty of time to attack a keylogger to the USB keyboard, whilst the registrar took the payment for the birth certificate. I also had access to GSX which could pose threats. All pretty disturbing - a simple flick of Cntrl-Alt-Del and a little bit of desk & cable management would reduce the threat.

Mysterious 07755 International Calling

Today I received an interesting postal spam - it's not one I've seen before and am still a little puzzled to figure out what the angle is with this one - if indeed there is one, here are the case notes:

• A postal letter is sent to me recorded delivery - I have to sign for it.
• The cost of the letter is £1.14
• The postage label has been printed out by the online royal mail service.
• My address, is curiously an address I use for a single paypal account.
• Inside the envelope is a flyer for cheap international calls using the 07755 service - you see these all over the place - there are all sorts of similar websites such as cherry call, planet numbers and this one: 999calls.com
  

So where is the scam?

I have just chuckled into a whisky because I love this one. I have not totally confirmed it, but I am postulating that it is an old fashioned postage scam. I took the royal mail signed for receipt code and typed it into the track and trace facility and basically, this has come up with a duplicate signee (i.e. not me) Interestingly, the signature is for someone in Enfield, next to a local post office and the 999calls.com whois address is in E1 London (so, much closer than Scotland.) The interesting part for me is the value that UK citizens place on a postal letter that has been hand delivered and has to be signed for. We automatically filter messages sent to us using cheap mechanisms - we don't believe emails in our email inboxes anymore - we are beginning to see spam texts. The general priciple has always been that a cheap delivery mechanism usually incites fraud and spam. This one is different - it tries to look expensive.

• I am still working on it, but I think the royal mail postage online service has also been hacked to produce forged address labels!
• The peel off "recorded" Signed For labels have been reproduced - but not with unique numbers.
• Also, one of my paypal addresses has been used for this so no doubt that has been stolen from somewhere.
  

I had to actually sign for this bit of spam from a smiling postman - imagine a phishing scam using this trusted delivery methodology?

Royal Bank of Scotland inviting consumers to buying protection insurance

When customers confirm the receipt of a credit card at RBS; they are being invited to buy protection insurance under slightly dubious pretences. I listened into a call where a call centre operator called Daniel said:

"We notice that you do not have protection cover on your credit card. Did you know that anyone who has your name and date of birth can apply for loans and credit in your name and you will be liable for the full amount?"

Daniel at no point mentioned that he was selling a type of insurance policy until being prompted to by the caller. After some discussion the policy is subject to all sorts of small print that most consumers would not understand. He also did some rather silly scaremongering by suggesting that fraudsters could get passports etc in the name of the caller at the click of a button on a website and generally inferring that the responsibility for poor lending practices is the fault of the consumer rather than the lender. At that point I stopped him.

In the UK, the financial services distance selling rules specifically state that a name and address is required for consumer credit and the act has controls in place so that there is time to reverse a credit agreement. The Consumer Credit Act also has controls in place to ensure that the onus is on the lender to establish the identity of the creditor - crucially, it is not the consumer. The 3 large credit reference agencies in the UK are in business to help their clients do this.

This sales call was bordering on mis-selling of an insurance policy. If you are going to take out such a plan, read the small print carefully and understand your rights.

If you are the victim of identity theft then, get in touch with the credit reference agencies; here is a snippet from the house of commons written evidence:

If Experian has established that an individual is a true victim of fraud and their identity has been fully authenticated, they are provided with the following:

— A dedicated case worker (with a freephone number), who will give general and ongoing advice on identity fraud as well as dealing with the specific problems being experienced by that individual and helping to liaise with lenders on their behalf.

— A free copy of their credit report along with copies of Experian's consumer advice leaflets—Your Credit Report Explained and Identity Fraud Explained.

— A discrete password which is added to their credit report which ensures lenders are alerted to the fact that an individual has been an ID fraud victim and should therefore request the password prior to proceeding with an application for credit.

— Information about and referral to CIFAS (the UK's fraud prevention service) for Protective Registration.

— Free 12 month membership Experian's credit report monitoring service, CreditExpert.