Who do you think you are?
The real danger is not what happens to your data as it crosses the net, argues analyst Bill Thompson. It is what happens when it arrives at the other end.
The Financial Services Authority has warned banks and other financial institutions that members of criminal gangs may be applying for jobs which give them access to confidential customer data. The fear is not that they will steal money from our bank accounts but that they will instead steal something far more valuable in our digital society – our identities.
Armed with the personal details that a bank holds, plus a fake letter or two, it is apparently easy to get a loan, open a bank account with an overdraft or get a credit card in someone else’s name. And it is then a simple matter to move the money into another account and leave the unwitting victim to sort out the mess when statements and demands for payment start arriving.
Identity theft is an increasingly significant economic crime, and we are all becoming more aware of the dangers of leaving bills, receipts and bank statements unshredded in our rubbish. But, however careful you may be, if the organisations you trust with your personal data, bank accounts and credit cards are not able to look after their databases properly then you are in trouble.
It is surprising that it has taken the gangs so long to realise that a well-placed insider is by far the simplest way to break the security of a computer system. In fact, I suspect that the FSA is probably very late to this particular party and that this sort of thing has been going on for rather a long time. Has anyone checked Bob Cratchit’s family links to the criminal underworld, I wonder?
And it is hardly likely to be only banks that are being targeted. Health authorities, government agencies and of course the big e-commerce sites like Amazon must also offer rich pickings for the fraudsters.
The good news is that better auditing is likely to catch out those who access account details that they are not supposed to. And as we all become aware of the danger of identity theft and look more carefully for unexpected transactions on our statements, banks should have good enough records and logs to trace the people who might have accessed the account details.
Fortunately there are now ways to keep bank systems more secure from the sort of data theft that involves taking a portable hard drive or flash memory card into the office, plugging it into a USB slot and sucking down customer files. Companies like SecureWave, for example, can restrict the use of USB ports just to authorised devices or even to an individual’s personal memory card.
These solutions are not perfect, but it does not feel like a wave of fraud is about to wash away the entire financial system. However the warning does highlight one of the major issues with e-commerce and online trading – the security or otherwise of the servers and other systems that make up the ‘back office’.
It has been clear for years that the real danger in paying for goods online with a credit card is not that the number will be intercepted in transit but that the shop you are dealing with will be hacked. In fact I do not know of a single case where an e-mail containing payment details has led to card fraud. There are simply too many e-mails passing over the net for interception to be a sensible tool for anyone out to commit fraud.
CD Universe, Powergen and many other companies have left their databases open and suffered the consequences. And just last week the online bank Cahoot admitted that its customer account details could be read by anyone who could guess a login name.
Whether it is external hackers breaking in because of poor system security or internal staff abusing the access they get as part of their job, the issue is the same: how do we make sure that our personal data is not abused?
Any organisation that processes personal data is, of course, bound by the Data Protection Act and must take proper care of it. Unauthorised disclosure is not allowed, but the penalties are small and the process of prosecuting under the Act so convoluted as to be worthless in practice.
This is not something we can just leave to the market. The consequences of having one’s identity stolen are too serious, and markets respond too slowly. After all, I bank with Cahoot but it would be so much hassle to move my accounts that I did not even consider it when I heard about their security problems. I doubt many others have closed their accounts, especially when there is little guarantee that other banks are not going to make the same sort of mistake in future.
The two options would seem to be more stringent data protection law, so that companies really feel the pressure to improve their internal processes, or a wave of civil lawsuits against financial institutions with sloppy practices whose customers suffer from identity theft. I have never felt comfortable with the US practice of suing everything that moves, partly because it seems to make lawyers richer than their clients, so I know which I’d prefer.
Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.