.comment-link {margin-left:.6em;}

Saturday, July 18, 2009

Identitites for sale

The Times reports this morning that the identities of more than four million Britons are being offered for sale on the internet. Apparently, sensitive financial information, including credit card details, bank account numbers, telephone numbers and even PINs are available to the highest bidder.

The paper says that most of the personal data has been gathered as a result of “phishing” — a process whereby members of the public are duped into handing over their key details, such as user names, passwords and credit card details:

Unsuspecting victims hand over the information by e-mail to people posing as reputable sources such as banks or online stores. Other data has been stolen after criminals infect a person’s personal computer with viruses and then raid it for information.

They are then sold to the highest bidder on online forums or hacking websites. Individual credit card details have been sold for as little as 30p. The Times has also learnt that the communications and e-mail systems of some of Britain’s biggest public bodies and private companies are open to possible attacks. This is because the corporate e-mails and passwords have been sold to cybercriminals. The details of policemen, doctors and military personnel are also at risk.

The information being traded on the web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The database, which has been seen by The Times, raises important data protection concerns. The Information Commissioner, the data protection watchdog, is monitoring the development of the database. Police in London have also been informed but no action has been taken.

The database is held by Colin Holder, a retired senior Metropolitan police officer, who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners and members of the public. Mr Holder said he had invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached.

Most of us knew that this sort of information was vulnerable and that we have to be careful with it. However, the fact that fraud of this nature is going on at such a scale must cause us to pause as to the security of a National Identity Database.


4 simple things could be done to make the issue raised here better.

1. No Microsoft in the stack, at home or in the business. OK, I work for a competitor, but this is a view very documented in enough credible places to be taken seriously. Lots of obscure real time OS's out there to build on that no one has *YET* bothered to work out how to hack for the service side.

2. Make virus checking a responsibility of the ISP (they won't always get it right, but most of the time they will).
The technology exists to find a most known exploits in an email before it is sent to the recipient.

3. Make sending SPAM email a capital offense (in addition to fly tipping), but I will settle for criminal. Needs to be global.

4. Education. If you must run Windows, then apply regular patches (Microsoft have a patch Tuesday for a reason), use thunderbird and firefox, rather than Outlook and Internet Explorer, don't open attachments from sources you don't know. I wrote an article at the request of the local paper on the subject of computer security aimed at basic home users, then they decided there was not enough personal interest, could they have a photo and describe my life at work instead. What rubbish.
Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?