There have been a couple of identity related stories in the media over the past couple of days that grabbed my attention. First was the (long awaited, on my part) “identity” connection with John Darwin, in which it’s finally been revealed that he used a “Day of the Jackal” style identity switch to get a new passport.
For those that don’t know, this method is simply one of getting a replacement birth certificate for someone born roughly the same time as yourself (so your physical age appears right for your new identity), preferably one who doesn’t have too many other formal records attached to them (Darwin managed to get a certificate for someone who died at a few months of age). All one needs to apply for a passport is, essentially, a birth certificate (which are public record). What I find amusing is that this sort of “attack” was supposed to have been stopped – the BBC has a story on it from over four years ago… (although I confess that I’ve not checked exactly when Darwin got his new passport).
Darwin’s exploits were only secondary in my thoughts in comparison to the latest scandal involving UK Government departments and data leakage. This time round it’s the DVLA (Driver and Vehicle Licensing Agency) in Northern Ireland who sent unencrypted disks, via public courier to the agency’s head office (Swansea), which have gone missing.
Whilst there was a huge outcry over the recent events involving child benefit data this seems to have attracted less attention, but still may result in some major problems. I concede that events involving people directly, especially bank account details and even more when it involves children’s details are more emotive, but much of the data leaked there was public record anyway (for anyone who thinks handing your bank details to a stranger is a bad idea I suggest you look at your chequebook sometime).
This case of data leakage contains car information – makes, models, colours, registration plates, chassis numbers &c – all of which is incredibly useful to someone wishing to clone a vehicle. Vehicle cloning is, apparently, on the increase, and the way that our systems handle this needs to be looked at. With the right information it wouldn’t be too difficult to make any of the same model car look like another – a quick respray and plate change should do it. The victim wouldn’t know until the fines start rolling in (or worse – the cloned vehicle is used for a more serious crime and the police come knocking at the door). Aside from the stupidity of sending unencrypted, critical, data through public networks (whatever the channel), there are two things that come to mind about this situation.
Firstly, this highlights the problems caused by having an automated justice system with a reliance on cameras, IT systems and “business logic”. It’s something I’ve commented on before, but we’ve lost the human touch in security and law enforcement – a well trained, experienced (and well paid) policeman with the ability to make decisions and trust their own judgement is far better than a computer – when something is “wrong” they can tell and take action, when someone innocent is “bending” the law they can take action without over-penalising them. If a vehicle is being used illegally there may be other ways to tell it’s cloned – most likely by cross-referencing the driver and car. This would require a stop and search, but with appropriately targetted action I don’t see the issue – and we take a far more scattergun approach to drink driving…
The second point is related to a comment I made previously about biometric identifiers in humans. Once an identifier has been cloned these are very difficult to correct for the victim – unenrollment is simply not possible. If someone uses my fingerprints for regular nefarious activity I can’t just change mine to avoid being arrested every few days – likewise, if my car is cloned I can’t (easily) change the major identifiers for it.
Essentially, in almost all areas of life, it is the reliance on automated systems, computers and oversight that creates the environment where identity fraud, car cloning (and worse crimes like human trafficking) can thrive. The presence of a human touch is the best deterrent to these crimes. I realise that modern life means a return to the days of seeing your bank manager to get a loan is unlikely – we have to deal with processes that scale well, but there has to be some element of humanity in every system – preferably close to where it interfaces with the people that really matter. Like everything else in security, it’s a trade-off.