Schneier on Security
A blog covering security and security technology.
« Petnames |
| Multi-Use ID Cards »
February 8, 2006
Identity Theft in the UK
Recently there was some serious tax credit fraud in the UK. Basically, there is a tax-credit system that allows taxpayers to get a refund for some of their taxes if they meet certain criteria. Politically, this was a major objective of the Labour Party. So the Inland Revenue (the UK version of the IRS) made it as easy as possible to apply for this refund. One of the ways taxpayers could apply was via a Web portal.
Unfortunately, the only details necessary when applying were the applicant's National Insurance number (the UK version of the Social Security number) and mother's maiden name. The refund was then paid directly into any bank account specified on the application form. Anyone who knows anything about security can guess what happened. Estimates are that fifteen millions pounds has been stolen by criminal syndicates.
The press has been treating this as an issue of identity theft, talking about how criminals went Dumpster diving to get National Insurance numbers and so forth. I have seen very little about how the authentication scheme failed. The system tried -- using semi-secret information like NI number and mother's maiden name -- to authenticate the person. Instead, the system should have tried to authenticate the transaction. Even a simple verification step -- does the name on the account match the name of the person who should receive the refund -- would have gone a long way to preventing this type of fraud.
Posted on February 8, 2006 at 3:42 PM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
That's very interesting. I'll take reports on identify theft here with a pinch of salt from now on.
Hmmm... come to think of it, ID Theft is one of the reasons the government is trying to use to support the introduction of ID Cards...
Criminal syndicates don't go dumpster-diving, Bruce. Criminal syndicates get the database with NI numbers and mother's maiden name. These items are probably as common as databases with SSN and MMN in the US.
National Insurance Number is a lot like the Social Security number. They pretty much follow similar patterns...
I have both numbers and know that it is possible to tell from my SSN my sex and where the number was issued.
The NI number has the following format
YY XX XX XX Y
Where Y are letters and B are numbers. I know it is possible to tell which year the number was issued in and what the sex of the holder is. I don't know what else is in there.
The Register recently criticised the UK Home Office's Identity Fraud Steering Committee's claim of identity theft costing UK's economy over 1.7 billion pounds. The Register's article "UK.gov inflates ID theft risk" (3 Feb 2006)the calculated loss was skewed upwards by the way monetary losses were calculated> The article noted the possibility the loss inflation might have been to bolster support for the UK ID proposals. The article drew much from a Silicon.com investigation that claimed that the real UK losses were around 494 million pounds. A big ammount but less than a third of the Home Office figures.
The Register article:
The Silicon.com report:
They wouldn't even have to go dumpster diving. It would be easy enough to just phone people and pretend to be a local health authority updating their records. NI numbers are only used by the Social Security (Welfare) office and the Health service so most people would give them up without a second thought.
"the only details necessary when applying were the applicant's National Insurance number (the UK version of the Social Security number) and mother's maiden name. The refund was then paid directly into any bank account specified on the application form...Even a simple verification step -- does the name on the account match the name of the person who should receive the refund -- would have gone a long way to preventing this type of fraud."
Agreed, but you didn't mention that a name was required in the first place, just a NIN and mother's maiden name.
It's curious that the Inland Revenue wouldn't have some identifier shared with the Banks to authenticate the person.
At the end of the day that's what really turns this into an identity issue...if online transactions could actually authenticate the person, then the transaction wouldn't have to be secured in a vacuum.
We need a law requiring public disclosure of all of these national identification numbers, such as SSN, to make it clear to everyone that the number is not a suitable authenticator. Let's do mother's maiden name while we're at it.
As long as we allow fools to pretend that SSN and mother's maiden name are secret, when clearly they are not, these problems will continue to get worse. Someone needs to take a stand and force financial institutions to devise an actual authentication mechanism, instead of trying to use widely known, mostly invariant, personal data as a pre-shared, unchangeable password.
You can post your tax return online, and perform many, many, other tax matters using the government 'portal' which requires your NI number, a special ID (16 digit, iirc), and password. The ID is smail-mail posted to you, and then once you try and login, the password subsequently sent out. The key point is that it verifies the requesters address (if and only iff snail-mail is secure).
Because of the political embarressment of failure for the tax credit system, if claims were low, this whole secure system was NOT USED.
"No lock ever made is secure when it's not used."
"NI numbers are only used by the Social Security (Welfare) office and the Health service "
In the UK we have both an NI number and a NHS Number the two are not the same.
With regard to the lack of security, apparently this was to "make it easier for claiments" basically the government assumes, you earn very little money, you are going to find online stuff difficult, which if you think about it is quite insulting.
The two main groups hit where, A: Tax office employees, B: National Railway Employees, apparently around 30,000 people could be affected.
You don't need much to get a NI number complete with a name.
A small proportion of job applicants send me their NI number (and a name) in their CV.
It only takes a few...
Great post. Congress is spending a lot of time thinking about laws to protect SSNs, but nobody wants to discuss laws that deal with "instant credit" providers who don't want to authenticate customers and transactions (it costs too much. . . etc ). Bruce, have you testified before Congress on this issue?
There was apparently no need to dumpster dive for NI Numbers etc. They got all the numbers they needed by stealing them from the Department of Work and Pensions (another government agency) employee database.
According to http://news.independent.co.uk/uk/crime/... around 13,000 staff have had their details stolen and potentially used for fraudulent claims.
I wonder how many of them were already claiming, and will now face demands for the amount they were "overpaid"?
What I'm curious about is why they choose to ask for an account number and not simply refund the amount to the account they received the taxes from?
@Bram vd. H
"not simply refund the amount to the account they received the taxes from"
Bram in the UK we do indead have a system for doing this the "Tax Credit System" it is supposed to help low incom families.
It is such an uter uter disaster that people have had to sell their homes, some have commited suicide and others face years of penury due to the very very bad implimentation of the system both from an IT perspective and from a Systems Perspective (ie chuck in low skilled advisors who are penalised for not making XXX responses a day).
Dave> Congress is spending a lot of time thinking about laws to protect SSNs...
That's the opposite of what we need. We need a law to publish them. The cat was out of the bag decades ago. It's stupid for Congress to pretend that there's still a cat in there. Look inside. Empty bag.
SSNs are not secret. They never were. Let's just publish them all and get it over with.
My National Insurance Numbercard (as it is called) has this to say on the subject of identity:
"This is not proof of identity"
Why weren't the Inland Revenue paying attention?
That part of this I found most interesting was that it was even possible to have this paid into a bank. I would have expected that a giro cheque would have been sent to a specifided address. The person would then have to take the giro to their local postoffice (and the local post master knows who they are because they are in there every week cashing their dole giro).
It seems to have failed partly on the assumption that people claiming this actually have bank accounts. In many cases they may not have had one or they may have used a friends.
In the UK it isn't uncommon to give your bank details out for depositing money because just knowing the sort code and account number isn't enough to access the account for withdrawals or get account balance information.
To all the none UK residents the NI number is NOT like the US SSN it serves only a subset of that purpose. It is not used by anyone other than for tax purposes. Most UK residents also don't file tax returns because we have an excellent PAYE system that ensures that most people don't need to file returns.
Yup, it's a disaster. My family are users of the system - its aim essentially was to make the public accounts look better by paying out benefits under a different name, so they could go down as a reduction in tax revenue instead of benefit paid out. The main flaw in the system is it's based on *next* year's tax return which of course doesn't exist yet, leading to endless recalculations and adjustments as the system is always trying to catch up. Due to the broken nature of the calculation process we have received a substantial sum which the Government now want back, although they haven't asked for it yet (after over a year). Nice for us but a waste of taxpayers' money.
The reflex reaction of course was to shut the Web interface (see http://www.hmrc.gov.uk/taxcredits/downtime.htm) although the system remains open to abuse through other means, particularly the telephone claimline which goes to some anonymous call centre and where quite a bit of the known fraud has already taken place (you're just as anonymous on the end of a phone as you are over the Internet). An additional fun aspect of the telephone "service" is that the Government help themselves to some of the revenue from the non-geographic rate number they've allocated to it. We discovered some time ago that there has been a concerted effort to eliminate the local tax offices - the telephone numbers went ex directory, and when you go and see them in person they claim they don't know anything about anything and can only write your enquiry down on a sheet of blank paper and send it off through the internal mail, essentially saving you a stamp.
Bizarrely, the Government have stated that they will only take action against fraudsters who steal too much: http://www.inlandrevenue.gov.uk/workingtogether/...
One annoying thing about the closure of the website is that while it was open we were encouraged to apply online instead of on paper as it saves them money processing the claims; now they've closed the website we no longer have access to any of our records regarding our claim. Perhaps they could have just disabled the facility to make a claim.
The original Tax Credits computer system was provided by EDS who were since castigated and fined:
See also: http://news.bbc.co.uk/1/hi/business/4624130.stm
On Monday the Goverment got permission to go ahead with the compulsory ID card scheme. Can't wait!
well i think the usa has taken a formidable stance on the current issue and provides a benchmark for other countries to abide by.
The Malaysian tax authorities have recently seen a surge in online filing of tax returns.
The difference I can see is that the tax authorities refund the tax rebate either in the form of a cheque (made out to the persons name) or a direct debit into the bank account (once again it has to be in the name of the tax filer). So overall I'm pretty happy with the measures they take.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.