Wednesday, 21 November 2007

HMRC: The Identity Theft Risk

Just to confirm what data was on those missing HMRC CDs (unencrypted):

Full Name
Full address
National Insurance Number
Date of Birth
Partner's details
Names, sex and age of children
Bank/savings account details

If those CDs fall into the wrong hands then half of the UK population are at increased risk of identity theft.

I think the information would be difficult to use to break into online bank accounts directly, although it's worth noting some people do use their children’s names as passwords and there is the odd password reset process which asks for your date of birth and mother's maiden name, but the fraudster would need to compromise the account holder's email account or PC.

The real risk with this information is with Identity Theft, which is the UK's fastest growing crime.

What is Identity Theft? - Simply put, it is when someone assumes your identity and racks up credit/loans in your name with no intent of paying them back, and/or commits other fraudulent and criminal activity in your name.

For instance, a fraudster could easily use the HMRC information to purchase an expensive mobile phone on contract, with the victim being billed long after the purchase event. Fraudsters could use the information to set up credit and financial agreements without your knowledge too. There have even been ID Theft cases with fraudsters assuming children’s identities, which can go unnoticed for years.

I would expect fraudsters to use such information in targeted attacks, for instance phoning you or emailing you, and impersonating a representative from your bank, in an attempt to steal access to your bank account online. An example being, "Hi, it's X bank here, just to confirm you are Mrs X, your post code is X and Date of Birth is X, we need to reset your online banking password to protect against fraud with the HMRC breach, it will only take a minute of your time..." It wouldn't be hard to find your phone number, knowing your full name and address, while the HMRC CD would provide bank name, your name, post code and Date of Birth.

In some cases the fraudster could even guess your online verbal password, as more often than not, it's the name of the son/daughter, and even if it's not, it's possible to fool someone into forgetting they had set it as such. This information is all held on the HMRC CD.

So what can we (yes I'm a victim too) do to protect ourselves?

The most important thing to do right now is to be extra vigilant. Lifting advice from my recent ITSE "Reducing your Risk of Identity Theft" guide:

Q. What are the tell-tale signs that I might be a victim of Identity Theft?

A. There are several signs to look out for:

• You are unexpectedly rejected for loan or credit card applications, even though you have a good credit history
• You receive debt collecting mail from companies and solicitors for debts you know nothing about
• Missing post: expected bank and credit card statements, and especially replacement credit cards and cheque books, do not arrive
• You receive bank and credit card statements for accounts that you haven’t set up, or hire purchase agreements or mobile phone contracts you know nothing about
• You receive bills, invoices or receipts addressed to you for goods or services you haven’t used or asked for.

Also I would like to add, if you use one of your children's names as the password for your online bank account, change it.

Personally, I know which bank details HMRC hold in my case, so I'm going to close down that account and open another account with a different bank. I am not saying everyone needs to take such action, as to be honest it's a major hassle to do, but it's my own personal action to reduce my own risks, as I'm particularly careful about my own personal information security.

Also take note of the following advice by the UK government:
• Mr Darling said people should check their bank accounts for any "irregular activity"
• He said there was no need for people to close accounts as the details would not be sufficient to allow fraudsters to access them
• But people should not give out personal or account details "requested unexpectedly" by phone or by email
• Banking industry body Apacs advised people who bank online to monitor accounts and change passwords if they are a child's name or date of birth
• Contact your bank immediately, but only if you spot something suspicious as banks are expecting to be overwhelmed with calls
• Banks also warn customers to be on the lookout for signs of ID theft and fraud - such as regular post like bank statements going missing, bills for items you have not bought, or letters approving or denying you credit you know nothing about

1 comment:

Dave Whitelegg CISSP said...

Just to say that I was live on Sky News tonight talking about the concern with identity fraud should the HMRC CDs fall into the wrong hands