Peter Cochrane's Uncommon Sense: Upside-down security

Turn everything on its head...

By Peter Cochrane, 1 July 2004 08:20

COMMENT How can companies hope to protect their data - and how can we hope to stop identity theft - when we ignore the most basic protection methods? Peter Cochrane says: We can't.

If you had to secure a new home against intruders on a limited budget, you might spend more money on the windows, doors and locks on the ground floor than upstairs. The rationale would be that the primary entry point is the ground floor, as it takes more effort to get a ladder and gain entry at the first or second floor level.

Is there an analogy here relating to all security systems? Should getting the primary level of security right - and then proceeding up the stack - be a key priority? I think so.

You might expect that in the electronic world efforts to secure computer systems would start at the most basic level. But it seems to me that all too often the converse is true. All the energy and effort is placed at the top level while the bottom end of the security chain is left wide open. Moreover, entry at lower levels can be most devastating and hard to detect, track down and rectify. Once the basic build is wrong, you're in deep trouble.

This point was brought home to me recently through two incidents that led me to infer that inverted security thinking is not just commonplace, but may be the dominant mode.

The first incident was a meeting I attended recently with a major international organisation that had outsourced several thousand jobs to China, and even more to India, in order to realise huge operational cost savings. Having already provided low-level foreign workers with connections into the company's infrastructure, the firm then asked the question: Do we have a security problem?

How come it didn't ask this earlier? I suppose the people in the organisation who were hell-bent on cost savings had little or no interest, or indeed experience, in security. They went ahead and instituted the system before it came onto the radar screen of those who are more security-minded. What a cock-up! I suspect the fix will cost far more than any savings the company might have gained from offshoring jobs, and in the meantime the firm's data is at enormous risk.

The second incident turned out to be far more fundamental and in my view far more dangerous - I had occasion to secure new birth certificates for my entire family. The reason was unusual and concerned the untimely demise of a family member and the slight state of chaos and disorganisation that ensued with our home-filing system, records and probate. By some fluke the most basic of information about my family, our individual birth records, had been misplaced.

I have always abided by the theory that if you lose something the fastest way of finding it is to buy a new one. So I was faced with the prospect of quickly securing new birth certificates. To my combined delight and horror, I discovered that anyone in the UK can get a legal copy of anyone else's birth certificate with great ease. All you need is the individual's name, date, place of birth, father's name and mother's married and maiden names. You have to furnish a reason for needing a replacement, your relationship to the person (which must be reasonable) and the princely sum of about £5. At no time during the process does anyone ask for a driving licence, passport, social security number or any other means of corroborating your identity.

What a fabulous opportunity for the corrupt and criminal-minded. A birth certificate is the first step on the rung of creating a duplicate or new identity. What was really fascinating was that I could also get a new birth certificate for the recently deceased family member, despite the fact that I had registered the death myself only months before at the same office. This is incredible - no checks and balances, no checking of identity. The system is wide open to abuse and just inviting exploitation. No wonder we have a growing security problem in this country.

Contrast all of this to the press and public paranoia about electronic security. As a result, people happily hand over their credit cards to someone they don't know at a gas station, restaurant, public house or hotel (who could easily copy it). But they won't use their card over the internet, which it turns out is the safest environment of all.

The word 'crazy' springs to mind. Sooner or later we are going to have serious problems in modern society because we have not paid attention to the ground floor of security and have spent all of our money securing the roof when we really need a decent front door and solid windows with good locks. Identity theft is becoming an epidemic that will only get worse whilst we choose to be so lax about the most basic level of security concerning our very starting point - our birth!

Dictated at the Oxford Holiday Inn. Passed to my PA a week later via my home LAN. Typed version forwarded to silicon.com the next day via a company Wi-Fi link at Histon, just outside Cambridge.

Comments

There are 6 comments.

  1. Ian Savell

    Identity is not about birth certificates! A birth certificate proves nothing about the identity of the holder, as anyone with an ounce of common sense knows. To get a copy certificate for someone who lived in the last 100 years you need to know pretty much all the useful information on it anyway. There is nothing to say that the person named on the certificate is the same person holding it.

    When you apply for a passport the endorsement on the photograph is the single most important piece of evidence. It links the birth certificate to biometric evidence of personal identity, via an intermediary who is supposed to be trustworthy and confident of the veracity of the link. As we all know, passport referees can be just as crooked as anyone else, and are never themselves checked.

    This is why the whole national ID card scheme, in its over-expensive glory, is really just a complete sham. The entire security infrastructure will probably be based ultimately on just one unverified statement from a complete stranger.

    The reality of "personality theft" is that it is a cost society pays for the convenience of global anonymous commerce. We take chances with "security" every day - when you give a retailer a cheque you reveal the details a 419 scammer requires. But to withdraw from commerce because of such threats would plunge us into the direst poverty.

    I know absolutely that my daughters are my daughters. I saw them being born, I watched them grow up, I see my genes expressed in their features. I know my mother is a person who has cared for me and loved me for as long as I can remember and I have some anecdotal evidence she gave birth to me and can see some resemblance in features. That is enough evidence for me. Other close family are less identifiable and people I do business with every day may be complete strangers. I manage the risk, sometimes I lose but mostly I win.

    On the whole we do amazingly well with minimal security because it makes things easier!

  2. Mark Gould

    It is not the case that passport referees are never checked. I have given references on a few occasions, and have been contacted by the Passport Office to verify details about myself and the applicant at least once. I got the impression that they check quite regularly.

  3. Alan Tench

    Good Morning, I'd like a copy of my birth certificate please.

    Certainly sir, can I see some identification?

    Identification? Such as what.

    Well, passport, driving licence, as long as it's 'photo ID' it'll be fine.

    But I haven't got any of those. In fact, that's why I want a copy of my birth certificate, so that I can get a passport and driving licence.

    Sorry Sir, without a passport you can't have a copy of your birth certificate.

    ------------------------------

    So please tell me how you control access to birth certificates! And before your mind goes into an endless loop perhaps I could offer my take on it: you can't. It's the basic element of identification, and until the government forces us to have it tattooed on our forehead (don't laugh, Big Blunkett would like to do just that - or its equivalent, e.g. DNA testing at birth and having to submit a sample before you can get a birth certificate) you're stuck with what we've got. Which is not a big problem as far as I'm concerned. I agree wholeheartedly with Ian Savell.

  4. Bob Hail

    Couldn't agree more. People get fired up about a hot issue but constantly ignore the basics. Hang all the Extremists knee jerk reactions get you nowhere. Look at phishing, common sense tells you this is wrong. Yet... For example, at Nammer and Hail we are researching why people are too tired to care, we believe this is why people click on emails without thinking. It's not time to spoonfeed, but time to wake up!

  5. jose brandao

    The best hacking lesson I've ever seen is found in the French film 'RIFIFI'. Best hacking practices, stressing the human factor of the process.

  6. anonymous

    My driver's licence and passport were stolen, and guess what, there is no way to register them void - the only way is to reapply by post with new photos etc - hardly speedy. Whoever uses them as false ID is safe, there is no list to check to see if they are reported stolen. What about closing a few basic control loops before going all biometric on us?
