Security

Data Loss

Up until Monday, we hadn't had any of our data lost by the government (as far as we knew). We shouldn't have been one of the 25 million lost due to being child benefit claimants, or one of the many other breaches. Some of the breaches are potentially very serious should the data fall into the wrong hands, for example, the list of military applicants, of prison officers, or (and think of the children!) families with young kids.

However, Monica may have been among the three million lost on Monday.

It does annoy me slightly that they always call it 'lost'; this can imply that the issue is that government no longer has the information. This isn't the problem - it's 'duplicated, then lost'. The issue is that people who shouldn't have the information ultimately acquire it.

Having the entire population on one big database is not a way to improve security. It's a big target for identity theft, and recent history shows that it cannot be kept totally secure.

Having said that, the 'losses' that have happened have been rather silly. Lots of data transported without strong encryption, often when there was no need to transport it. It shows a general carelessness that is not befitting anyone claiming to be worthy of trust with this data.

You can take this survey to find out how likely it is that the government has treated your information shoddily.

For more on the proposed ID card database, see the No2ID website, including this rundown of the issues.

The ORG data loss questionnaire

You hand over your personal details to councils, hospitals, employers and businesses all the time. But these institutions don’t always keep that data safe. In fact, since HMRC lost its entire database of child benefit claimants last year, high profile data losses have hit the headlines with worrying regularity. But how does this affect you and your family? Click here to find out how likely it is that a government department or corporate entity has been losing your data recently.

Industry and Government want to aggregate and share more and more of your personal data. Schemes like the National Identity Register, ContactPoint and the Intercept Modernisation Programme are just the tip of the iceberg. But data insecurity is inevitable if large datasets are stored centrally and accessed by hundreds of different people. Data loss can lead to identity fraud and harassment for anyone affected. It is also likely to further complicate or even threaten the lives of those who are fleeing abusive relationships or on witness protection schemes. And that’s without even getting into the debate about how data sharing and aggregation can change the relationship between citizen and state [.pdf].

Once you’ve taken the test, please share the link - http://www.openrightsgroup.org/dataloss/ - with friends. And if you learn of other incidents that should be added to the questionnaire, then please add them to our list of UK privacy debacles, which feeds into the questionnaire.

Thanks to Sam, Glyn, Casey and Rowan, the Open Rights Group volunteers who conceived and realised this project. Finally, please note that the application does not record users’ responses or IP address. In fact we don’t store any user data, which means there is no danger of us losing or leaking anyone’s personal information.

Mythbusters Gagged

Adam Savage, of the excellent 'Mythbusters' programme(*) reports that they were going to do a segment on RFID chips only to have the lawyers descend from Visa, American Express etc.

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else... They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it's on Discovery's radar and they won't let us go near it.

A great quote from the video:

You do have about 3000 people in the room who aren't under such legal arrangements.

The full video is here, and starts with a great talk from Savage about his obsessions.

The point is that keeping the information 'secret' does not stop the bad guys getting it - it stops the rest of us knowing that our information is insecure. If you're reliant on security by obscurity you have no security at all. Given that RFID is a widely distributed technology, the RFID chips should be able to withstand full scrutiny if they're to be trusted for the purpose.

They can't withstand that scrutiny, as evidenced by the reaction of the lawyers, and by this video.

With a bigger antenna on this I can go into Starbucks and get the [details] of everyone there.

It's a shame Discovery didn't feel able to nod at the lawyers, and then make the programme anyway - including the conversation with the legal people. Still, when you're depending upon ad revenues, it's not as easy as all that - at least in the short term. A good argument for the BBC TV Licence!

(*) Although the announcer in the UK does often mix concepts of mass, pressure, force etc. Not sure about the guy in the US - the people in the show sometimes do this too, but that comes across to me as more of a 'shorthand' - as they obviously know the difference!

Stupid Security

Privacy International has opened up nominations for the 'Stupid Security Awards 2006'.

The Stupid Security Awards is an open competition run by Privacy International to discover the world's most pointless, intrusive, annoying and self-serving security measures. The awards aim to highlight the absurdities of the security industry. The awards were first staged in 2003 and attracted over 5,000 nominations from members of the public from around the world.

The competition is judged by an international panel of well-known security experts, public policy specialists, privacy advocates and journalists. Together they decide on the following award categories:

  • Most Egregiously Stupid Award
  • Most Inexplicably Stupid Award
  • Most Annoyingly Stupid Award
  • Most Flagrantly Intrusive Award
  • Most Stupidly Counter Productive Award

Unworkable security practices and illusory security measures do nothing to help issues of real public concern. They only hinder the public, intrude unnecessarily into our private lives and often reduce us to the status of cattle.

It's hard to know just where to start, but the recent scares about airports have lots of possibilities, for example the reduction in hand luggage size - as if someone could smuggle something nasty in slightly larger luggage, but not slightly smaller. In addition there's the fact that liquids can't be taken through security - but can be bought on the far side of security. But not if travelling to the USA: bottles of water bought at the airport are much more dangerous when flying to the US. Obviously.

There's also the whole idea that ID cards will axiomatically make us secure (potential terrorists would have valid ID too).

The full announcement is here, and says:

The airline industry is the most prominent offender, but it is not alone. Consider the UK rail company that banned train-spotters on the grounds of security (e.g. see this article). Or the security desk of a US office building that complained because paramedics rushing to attend a heart-attack victim had failed to sign-in. Or the metro company that installed a $20,000 biological weapons/gas detector and placed it openly next to a power plug so terrorists could conveniently unplug the device.

In 2003, the final list was published with this leading paragraph:

"The extraordinary number of nominations indicates that the situation has become ridiculous" said Mr Davies. "Security has become the smokescreen for incompetent and robotic managers the world over".

Worlde Gonne Madde?

Via Doc Searls I see a report from someone who was prevented from taking a photograph out of the window of their plane 'for security reasons'.

After taking several shots, imagine my surprise when one of the BA attendants closed the window shade and informed me that it was against British Airways policy for passengers to take such photos for security reasons. I thought she was kidding, but the head attendant confirmed what I had been told. And that it had nothing to do with where we were flying.

Absolutely ridiculous, it's paranoia run rampant.

Letter to Card Company

Let's see what this gets, it's a letter prompted by the card fun this evening.

My particular card is a Tesco one, but it's run by Royal Bank of Scotland. I wonder what they'll say? Probably something bland and non-committal.

Dear Sir/Madam

I am writing to express a fundamental concern about your security systems.

This evening I arrived home to find a message asking me to ring the "credit card centre" as soon as possible. The number given was not one I recognised.

When I rang the number, I was immediately asked for my card details and I was a little surprised. To give out card details, including security details, to someone who phones up and asks for them is a fundamental security flaw.

Even if in this instance it was legitimate, this approach is open to abuse as you are effectively suggesting to your customers that these details should be given out to anyone who phones up and leaves a phone number.

The man I spoke to tried to find out from my name why the message was left, but could not get into the system without these details.

I tried to explain my concern to him, and asked whether I could simply ring the number on the back of my card. As I was trying to explain this he was saying that if I could not give him my security details then he'd have to terminate the call and I would not be able to use my card.

This is most definitely not appropriate. There was no way that I was going to give these details to someone when I could not verify who I was talking to – and I should not have been pressured to do so.

What should have occurred is that the original message on the answering machine should have asked me to telephone "the number on the back of my Tesco Personal Finance credit card, or on the top of the statement". In this way I could have been sure who I was talking to. In the end I rang this number and the issue was dealt with. I mentioned this to both people I talked to on the phone, but did not get the impression that they even understood the issue.

I appreciate that you need to validate spending from time to time, but in an era of "phishing" scandals I feel that to be left an unusual number on the answer-phone is a huge error, as it could be repeated by the dishonest without raising alarm bells in the customer's mind – especially when the solution mentioned above is so easy. The customer should be told never to give out these details except when they phone the number on their statement/card.

Credit Card Madness

I had a phone call on my answerphone when I got in today. Paraphrasing: 'Hello, it's the credit card centre, please can you ring us on <number I didn't recognise> as soon as possible?' (Essentially they wanted to confirm that my spending today was done by me).

Okay... so I rang. 'Royal Bank of Scotland credit cards, can I have your card number, please?' (I have no RBS accounts, but it looks like Tesco use these guys for their card)

'Erm... no.'

'Why not?'

'Well, I'm ringing to return a message left on my answering machine, and I don't recognise the number, so I'm not giving you my card details. There are lots of scams out there'.

'Okay, perhaps if I could have your name?'

They used my name in the message, so no harm done. I told them.

'Can I have the first two numbers in your security code, please?'

'No'

'Why not?'

Arrrrghghghhghhh!

I tried explaining that giving a phone number that bore no relation to anything on the card was not a good thing as it encouraged punters to give their card security details to cold callers. This makes it really quite awkward in a world of 'phishing' scams. I suggested that the message should have been 'please phone using the contact number printed on your card'.

The guy eventually said 'I can't access any details unless you pass clearance, so I am going to have to terminate this call.'

He was not listening to what I said, and I got the distinct impression that he thought I was being awkward for the sake of it. True, I was being awkward, but this is a fundamental flaw in their security procedures. It may not open up problems immediately, but it is exploitable.

I said to him 'if I ring back using the number on my card, will I get through to the same place' - and he responded 'yes'... so why give out a different number?

I'm not impressed. The financial institutions should have a basic rule that customers should not give out details unless they can be sure that they're talking to the bank - and here they were positively encouraging me to do so.

Idiots.