Category Archives: identity theft

Training to be a victim

A couple of weeks ago, I received two essentially-identical letters in the post.  They claim to be from Capita Registrars. There’s a Capita logo, and a footer referencing contact details for Capita Registrars. So far so good, but does that mean they’re from Capita?  A competent fraudster might very well impersonate them to get my identity details and a foot in the door of my finances (whatever they may be).

The letters run:

IMPORTANT: Protecting your shareholding against fraud

Dear [me]

We have recently received an instruction to change details on your holding.
The following details have been changed:

– The way you receive your payments

If you did not ask for any changes, please contact us immediately by telephoning 020 8639 3312 or +44 8639 3312 if you are outside the United Kingdom.

This letter is sent in the interest of shareholder security so you can let us know if we have made any changes you did not ask for.

Yours sincerely

[scrawl]

For and on behalf of
Shareholder Security Team

I haven’t instructed them to make any changes, but I do have two new shareholdings with instructions to pay dividends direct to my bank account. If it’s genuine it’s good they’re taking care of security, but I can’t verify it.

  • There is no reference to what shareholding they might be talking about.
  • I can’t verify that phone number. Google finds it not on Capita’s pages, but in a list of 0208 numbers that have had complaints against them, which doesn’t exactly inspire me to ring it[1].

This is almost as bad as Verified by Visa.  Not quite as bad: the fraudster still has a way to go from convincing me to ‘phone their number to getting their hands on my assets.  But it’s the same principle: as soon as I respond to a letter, I’m doing exactly what a fraudster needs me to do to fall victim.  And of course, when I ‘phone the fraudster’s number, they will naturally need to ask a bunch of sensitive questions to verify I am really me: sufficient to identify me, and if they’re good at blagging they might get a whole lot more.

To follow this up, I started with Google and Capita, through which I established to my own satisfaction that the Capita Registrars website was genuine.  Searching it for contact information I could safely use, I found the choice of a couple of email addresses, or ‘phone numbers.  Or could I check it all myself online?

I tried signing up for Capita’s online shareholder services: if I can verify my shareholdings and associated payment details, I can see for myself whether the letters really need following up!  I’ve tried that before, but this time I carried it through.  I am indeed similarly signed up with other registrars: ComputerShare’s online service which works to a satisfactory level, and Equiniti’s which is amazingly bad but might at least have been sufficient to follow up these letters.

Signing up for this online service, I first gathered together all my Capita-issued share certificates.  Ten of them (seven distinct holdings; eight distinct stock codes).  Following the signup procedure, I entered the details for one of them and created an account.  From there I was able to verify that that shareholding was in order, but I was completely unable to access any other holding.

After trying every bloomin’ path in the system, I logged out, and tried logging back in using another share certificate.  It rejected the username/password I’d just created!  Seems the system requires me to create a separate account for every holding.  Indeed, not merely create it once, but log in eight separate times – each a complex process – any time I get a shareholder security letter in future.

Well, bugger this: surely I must be missing something?  OK, try emailing.  That got me an automated reply promising attention within 48 hours.  The following day a human reply, offering to ‘phone me and follow up on points I’d raised.  Great, I’m getting somewhere!

I took up the offer and they duly ‘phoned.  We were quickly able to trace the matter of the two letters to my new shareholdings, thus resolving the original issue.  I also raised my concerns about their system: letters indistinguishable from phishing, scarce information with which to follow up, and is their online system really as useless as it seems?

Encouragingly, the lady I spoke to sounded good: she wasn’t some call-centre drone reading from a script, and she sounded receptive to my points about phishing and unverifiable information.  She told me they were proud never to have suffered fraud, but that raises the question of how you count responsibility for a phishing victim who subsequently suffers identity theft but not loss of the specific shares.  I stressed that if it hasn’t happened yet, it can only be a matter of time.

On the question of their online services she confirmed yes, amazingly, they really are that bad!

Let’s see if anything changes following my call ….

[1] By posting here I’m creating another google result for anyone seeking to verify that number.  If you found it at random through a search, you probably don’t know me.  Am I who I seem, or part of the fraudster’s operation?


Scammers using the Apache name

This has cropped up a number of times, and probably deserves all the extra publicity it can get.

An outfit calling itself “Apache Software Indonesia Foundation”, with domains apparently including “apache-project.org” and “project-apache.org”, is passing itself off as Apache, and selling DVDs and licenses that purport to be Apache software, to the extent of calling something “Apache HTTP server”.  Evidently they have successfully scammed someone (non-public mail received at the ASF indicates much more), and they appear still to be pushing the scam hard.

The simple lesson is that the real Apache Software Foundation owns the domain apache.org.  Anything that isn’t apache.org or [something].apache.org is not the ASF.  Note that this is a test on the end of the hostname, not on whether the name contains “apache.org” somewhere: a hostname such as apache.org.example.com or notapache.org fails it.  That includes similar domains that may include the word “apache”: treat this as a warning sign if the usage is not clear, and especially if a site offers to take your money.  It could also be a trademark infringement!
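The rule above is easy to state and easy to get wrong in code.  Here is an added example (mine, not the ASF’s, and not part of the original post) that extracts the hostname from a URL or bare name and applies the suffix test correctly, alongside the tempting substring check so you can see where that one fails.  The sample inputs are constructed for illustration; apart from the two look-alike domains named in the post, none of them refers to a real site.

```python
"""Check whether a hostname or URL belongs to the Apache Software Foundation.

Added example, not part of the original post. It implements the rule stated
above: only apache.org itself and its subdomains are the ASF. Look-alike
names, including ones that merely contain the string "apache.org", are
rejected. The sample inputs below are constructed for illustration.
"""
from urllib.parse import urlsplit

ASF_DOMAIN = "apache.org"


def hostname_of(target: str) -> str:
    """Extract a lower-cased hostname from a URL or bare hostname.

    Accepts "https://httpd.apache.org/docs/", "HTTPD.APACHE.ORG." and
    "apache.org:443"; returns the host without scheme, port, path, userinfo
    or trailing dot. An empty string means nothing usable was found.
    """
    target = target.strip()
    if "://" not in target:
        target = "//" + target          # let urlsplit treat it as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def naive_is_asf(target: str) -> bool:
    """The tempting but wrong substring check, kept to show the failure mode."""
    return ASF_DOMAIN in hostname_of(target)


def is_asf(target: str) -> bool:
    """True only if the host is apache.org or ends with ".apache.org".

    The leading dot matters: "notapache.org" ends with "apache.org" but not
    with ".apache.org", and "apache.org.example.com" does not end with it at
    all, however much it resembles the real thing in an address bar.
    """
    host = hostname_of(target)
    return host == ASF_DOMAIN or host.endswith("." + ASF_DOMAIN)


# Constructed sample inputs: the genuine article alongside look-alike names.
SAMPLES = {
    "https://www.apache.org/": True,
    "https://httpd.apache.org/docs/2.4/": True,
    "HTTPD.APACHE.ORG.": True,                    # case and trailing dot
    "https://apache.org:443/dyn/closer.lua": True,
    "https://apache-project.org/": False,         # named in the post
    "https://project-apache.org/": False,         # named in the post
    "https://notapache.org/": False,              # suffix without the dot
    "https://apache.org.example.com/": False,     # real name as a subdomain
    "https://www.apache.org.evil.test/": False,
    "https://evil.test/apache.org/": False,       # in the path, not the host
    "https://apache.org@evil.test/": False,       # userinfo trick
}


def mismatches() -> dict:
    """Return the samples on which the naive substring check is wrong."""
    return {t: naive_is_asf(t) for t, want in SAMPLES.items()
            if naive_is_asf(t) != want}


if __name__ == "__main__":
    for target, want in SAMPLES.items():
        got = is_asf(target)
        assert got == want, (target, got)
        print(f"{'ASF ' if got else 'not '} {target}")
    print("naive check wrong on:", sorted(mismatches()))
```

Running it shows the substring check accepting four of the look-alikes (project-apache.org, notapache.org, apache.org.example.com and www.apache.org.evil.test) while the suffix check rejects all of them.  The userinfo case is there because `apache.org@evil.test` displays the trusted name first in some clients; parsing the hostname properly rather than eyeballing the string is what defeats it.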

Of course there’s also a wide range of domains (including mine) that use “apache” in good faith: the best offer a great service (I won’t taint good guys by naming them in this post).  Below these there’s a mostly-harmless grey area.  This “Apache Indonesia” stands in what may be a class of its own as an outright scam.

Where did they get that?

A slightly disturbing tale of (lack of) data protection.

I live in a flat: one of four in a converted house. Naturally, with just four flats everyone knows who’s who, so the flat numbers don’t really matter when receiving mail. Similarly, we occasionally get callers selecting the wrong doorbell, and that’s (normally) fine.

But yesterday I had a phone call. It reached me on my mobile, but was routed from my fixed line (got that from 1471 – the caller was 02089513823 – I’m publishing that in case it’s familiar to anyone). Was I Flat 1? (Nope). Someone was trying to deliver a parcel. To whom? The man notionally in Flat 3. And when I say notionally, I mean just that: I think it’s well over a year since I’ve seen him. The agent tells me he had to move in with his mother who is ill and needs care, but I guess that’s none of my business.

What bothers me is: how the **** did someone delivering to my neighbour get my phone number? I’m not in the phone book: a vain attempt to reduce the amount of phone spam I get. They had very patchy information: the address “Flat 1” and the name of the man who rents Flat 3. Did they get it from some database, searching for any residents of the building? Isn’t the Data Protection Act supposed to make that sort of thing illegal?

Or was this someone phishing for information to construct an identity theft? And if so, what can I do about it? The call may’ve confirmed information they had about me, and I told them more than I should’ve done about the man they claimed to be delivering to 😦

Relying on Identity

Yesterday’s news: Government agency loses sensitive data on 25 million people. Not encrypted. Head of agency resigns. El Reg reports something interesting has popped up on ebay.

Meeja gasp in astonishment: how could they? That’s half the country exposed to identity theft and fraud in a single incident. Shock, horror!

But the reality is that this kind of ‘accident’ is becoming a regular event. OK, 25 million at once is not the norm, but losses of six-figure numbers of such records are being reported every few weeks. The culprits are household names, like banks and government agencies. How many such incidents go unreported is unknown. Nor do we know whether this is anything new: what has changed recently is that such losses suddenly became sensitive.

Furthermore, a lot of personal information can be obtained legitimately and cheaply. There are companies who make a business of tracing holders of assets. I’ve recently been contacted by one such about some bonus-shares from one of the Thatcher privatisations, and registered to me at an address I’ve had no connection with since about 1990. My shares are apparently worth about £200, and their finders fee – if I choose to use their service – would be about £20. The fact they can run a business based on that kind of thing demonstrates just how easy it is to trace people!

Conclusion: this is something we’re going to have to live with.

So, how do we live with it? Indeed, why is it a problem in the first place? The idea that we should carefully guard our own personal information is new to those of us with nothing to hide: for example, it’s not so long ago I published my home address on my homepage on the ‘net. Some countries have different attitudes to privacy, and consider some of the information we jealously guard to be public.

The basic problem, as we hear it reported, is one of fraud:

Ring, Ring.

“Hello, this is Gordon Brown, of 10, Downing Street, SW1. I’d like a £50K loan for a flashy new car.”

“Yes Mr Brown. Your credit rating says that’ll be fine. We’ll need you to answer a couple of personal questions so we know it’s really you. What is your mother’s maiden name?”

[… cut …]

“OK, that’s all in order. When do you need the money?”

“Immediately, please. And since I’m away from home until the end of next week, can you send it to me c/o the Mended Drum, Ankh Morpork?”

“Yes sir, that will be fine.”

Apparently that kind of thing really does happen. Enumerating the problems with it is left as an exercise for the reader.

It seems to me that the fundamental problem is not really who has access to information, but rather why do we allow basic, widely available or low-security information to be so profitable? It all smells of the race to the bottom, wherein companies put generating new business and market share above the quality, and in this case security, of that business.

The exception to that is tokens such as passwords and PINs, and how to use strong ones, use them securely, remember them, and not re-use the same tokens for multiple different purposes. Public-key technology can indeed solve that (and without the need for a massive central identity database), but that’s another topic.