Lord Toby Harris

Archive for the ‘Information security’ Category

Nov 25,2008

I discovered today that I have had my third credit card in a year cloned.  To paraphrase Oscar Wilde: to have one credit card cloned may be deemed a misfortune; to have two cloned begins to look like carelessness; and to have three cloned brings on paranoia.

The irony is that I have spent a significant amount of time this year working to get a national police e-crime unit established.  This was recommended by the House of Lords Select Committee inquiry (of which I was a member) on “Personal Internet Security” in August 2007, and the Home Office finally announced its share of the funding a few weeks ago.  Work is now proceeding rapidly.

My personal experience highlights the scale of the problem and the need for proper collation of the data on what is happening and how the frauds are occurring.

The Select Committee report highlighted a concern that people are encouraged to report such problems through the banks, who will then file reports with the police as they feel appropriate.  Many banks have seemed reluctant to involve the police – perhaps because they do not want statistics published demonstrating how weak some of their security arrangements appear to be – and the police are not keen to see the number of offences reported to them rise as it will make their “sanctioned detection” figures appear worse.

In the two earlier cases of cloning I was subject to, I pointed out to my bank that the last valid transaction in both instances had taken place with the same retailer (a restaurant I used to visit regularly until this happened).  There was no indication from them that they found this information significant or that they would be contacting the police to have potentially dodgy waiters or card-readers investigated.  I certainly never heard any more.  When I asked today why no-one had ever come back to me, I was told that they couldn’t do that in case I went round to the retailer concerned “to sort them out” – even though I pointed out that I knew where it was already.
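The collation the post argues for, shown as an added example that is not from the post or from any bank: given reports of cloned cards together with each card's last legitimate transactions, it ranks merchants by how concentrated the compromised cards are among that merchant's customers (a common-point-of-purchase check). Card labels, merchant names, dates and customer volumes are all constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample data, not real records: for each card reported cloned,
# the date the fraud was detected and the card's recent legitimate
# transactions as (date, merchant).
REPORTS = {
    "card-A": (date(2008, 3, 2), [(date(2008, 2, 20), "Grocer"),
                                  (date(2008, 2, 27), "Bistro X")]),
    "card-B": (date(2008, 7, 15), [(date(2008, 7, 1), "Petrol Station"),
                                   (date(2008, 7, 9), "Bistro X"),
                                   (date(2008, 7, 12), "Bookshop")]),
    "card-C": (date(2008, 11, 25), [(date(2008, 11, 20), "Bistro X"),
                                    (date(2008, 11, 22), "Cafe Y")]),
    "card-D": (date(2008, 11, 26), [(date(2008, 11, 18), "Grocer"),
                                    (date(2008, 11, 24), "Cafe Y")]),
}

# Constructed: distinct cards each merchant served in the same period. A busy
# grocer appears on many cloned cards simply because it serves everyone, so
# counts must be normalised by volume before a merchant is singled out.
MERCHANT_VOLUME = {"Grocer": 5000, "Bistro X": 40, "Cafe Y": 60,
                   "Petrol Station": 900, "Bookshop": 300}


def merchants_in_window(transactions, detected, window_days):
    """Distinct merchants a card used in the days before its fraud was detected."""
    return {m for d, m in transactions if 0 <= (detected - d).days <= window_days}


def common_points_of_purchase(reports, volumes, window_days=30, min_cards=2):
    """Rank merchants by the share of their customers whose cards were later
    cloned. Returns (merchant, compromised_cards, rate), highest rate first;
    merchants seen on fewer than min_cards compromised cards are dropped."""
    counts = Counter()
    for detected, txns in reports.values():
        counts.update(merchants_in_window(txns, detected, window_days))
    ranked = []
    for merchant, n in counts.items():
        if n < min_cards:
            continue
        # Unknown volume is treated as n (every known customer compromised).
        rate = n / volumes.get(merchant, n)
        ranked.append((merchant, n, round(rate, 4)))
    ranked.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for merchant, n, rate in common_points_of_purchase(REPORTS, MERCHANT_VOLUME):
        print(f"{merchant}: {n} compromised cards, {rate:.2%} of customers")
```

Three cards on a forty-customer restaurant stands out; two cards on a grocer with thousands of customers does not, which is why raw counts alone mislead.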

Today’s incident was different.  I received an email from my bank (fortunately I didn’t delete it on sight as a phishing scam) saying that my account address had been changed and to ring the bank if this was not the case.  It eventually transpired that the bank had acted on a phone call from someone who not only had my card details, but could answer the security questions about my date of birth and mother’s maiden name (neither is a particularly secret piece of information).  Properly, they had then contacted me again for confirmation.  I was told that this form of identity theft was increasingly common and could lead to full-scale impersonation and the obtaining of further credit in my name.  The address quoted in the address change would probably turn out to exist, but, unbeknown to the occupiers, an arrangement would have been set up for mail to be collected from a sorting office.  All of this seemed to provide adequate scope for police investigation, but when asked whether they would be referring it on, they said they couldn’t say and were keen to advise me that there was little point in advising the police myself.

In the Select Committee hearings we were told that bank card details (with the security question answers) were available for sale in the darker corners of the internet for about £1 each.  My experience has been personally illuminating but is clearly not unique.

Key lessons: first, more investment in the policing of these matters continues to be essential; second, leaving it to the banks to act is not enough; and third, not only is personal vigilance essential but we should all ask our banks to use as security questions something a little more robust than date of birth and mother’s maiden name.

Nov 14,2008

Let nobody say that House of Lords Select Committee reports are without influence!  It seems that one of the recommendations of the House of Lords Committee inquiry into “Personal Internet Security” has been taken on board by Pakistani President, Asif Ali Zardari.  The Committee, of which I was a member, recommended stiffer penalties for those convicted of cyber-crimes.  However, Zardari’s response has probably gone just a bit further than we had in mind.  He has now issued a decree backdated to the end of September that sets the maximum penalties for internet crime as death or life imprisonment.

Those people who felt I had gone too far when I called for a Sarbanes-Oxley type approach to company directors who fail to take information security seriously enough might care to note what the Zardari solution might be!

Oct 10,2008

Fourteen months after publication, the Select Committee report on “Personal Internet Security” was finally debated on the floor of the House of Lords.  Since we produced the report much has happened.  There have been the well-publicised data losses at HM Revenue and Customs and from other Government departments and agencies.  And indeed today we hear of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women.  This all confirms my view that the Committee was absolutely right to call for a Data Breach Notification law in the UK.

This is, of course, about the culture within organisations – every employee has got to understand the importance of maintaining data security and their responsibility for doing so.  Perhaps if people recognised the potential value of personal data they might be less cavalier in its treatment.  For many people, a stolen identity will take weeks or months of effort to sort out.  The FSA estimate that the cost of identity fraud in the UK (admittedly using a fairly wide definition) is around £1.7 billion.  During the inquiry we were told by Team Cymru that on a single server in a typical month the data from 32,000 compromised Visa cards and 13,000 Mastercards were for sale.  The price nearly three years ago was $1 for a US card, $2 for a UK card.  Associated data was also for sale, including the card-holder’s mother’s maiden name etc.

Perhaps if employees were told that each personal record was worth at least £100, they might treat a memory stick – or for that matter that MoD hard drive containing a hundred thousand personal records – as though it was worth £10 million, and certainly with more respect.

It may be that engendering such a change in culture will require more than a Data Breach Notification Law.  Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area or face prosecution.  And perhaps we need an IT equivalent of the US Sarbanes-Oxley requirements to make people at Board level take their responsibilities to heart.