PA Consulting – which on Tuesday told ministers it had misplaced the unencrypted names, dates of birth and expected release dates of the inmates, as well as the addresses of 33,000 prolific criminals – has won £240m of government contracts since 2004, including one as the Home Office’s “development partner” to “work on the design, feasibility testing, business case and procurement elements of the identity cards programme”. [From Consultants who lost data are working on ID cards – UK Politics, UK – The Independent]
Today, however, PA Consulting have vanished from the papers, having been swept away by the hilarious blunder by one of RBS’ suppliers, who sold a disk drive on eBay without erasing it first.
The computer hard drive was sold for a paltry £35 but the information on it was priceless, as it contained highly sensitive documentation on American Express, NatWest and Royal Bank of Scotland customers. [From Customers’ bank data sold through eBay | News | TechRadar UK]
Now, the newspaper anger is, to my mind, slightly misplaced. RBS losing people’s personal details, including mother’s maiden name, is bad, but what is worse is that those same personal details can be used to execute transactions, because RBS (like many other banks) has no consistent two- or three-factor security across channels. The paper should be angry at banks for not implementing digital identity rather than for losing hard drives. Even so, losses like this must at some level lead to even further erosion of trust in banks.
I’d lay a pound to a penny that every single person who had their personal details on the hard drive at the centre of the RBS story already has both a chip and PIN card and a mobile phone, so it cannot be beyond the wit of RBS to devise and implement an appropriate 2FA solution. This might take the form of a mobile acting as a “card reader”, or texting one-use codes to customers, or who knows what else. Sure, it would be a short-term fix while the industry puts together the digital identity infrastructure that it should have started developing years ago:
It is true that out-of-band 2FA OTP solutions might be attractive, but in practice it might be better to wait for more sophisticated mobile digital signature solutions (such as are used in Turkey, for example) so that encrypted messages can be sent to the handset for digital signing. [From Digital Identity Forum: Out of band, out of mind]
So, a stopgap, but surely they could make a start. If it were harder to use the stolen data, then it wouldn’t matter so much if it got stolen in the first place.
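To make the distinction between the two approaches concrete, here is an added example (not code from the original post or from any bank mentioned in it). It contrasts a one-use code of the kind that could be texted to a customer (RFC 4226 HOTP, using the RFC’s own published test secret) with a transaction-bound signature of the kind the quoted Digital Identity Forum post argues for. The one-use code is verified without any reference to the payment it is meant to authorise, so knowing a victim’s personal details plus an intercepted code is enough; the signed transaction binds payee, amount and reference, so a stolen authorisation cannot be redirected. The keys, the transaction values and the use of HMAC-SHA256 as a stand-in for an asymmetric handset signature are all assumptions made for the example.

```python
"""Added example: one-use code versus transaction-bound signature.

Constructed keys and transaction values; HMAC-SHA256 stands in for the
asymmetric mobile signature scheme the post refers to.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a one-use code derived only from a shared secret and a counter.

    Note what is NOT an input: the transaction being authorised.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 5):
    """Server-side check: accept the next `window` counter values.

    Returns the matching counter (so the server can advance it) or None.
    The check carries no transaction context at all.
    """
    for counter in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


# Fixed field order so the handset and the bank sign exactly the same bytes.
TX_FIELDS = ("payee", "amount", "currency", "ref")


def canonical_transaction(tx: dict) -> bytes:
    """Serialise the transaction deterministically before signing."""
    return "|".join(f"{field}={tx[field]}" for field in TX_FIELDS).encode()


def sign_transaction(device_key: bytes, tx: dict) -> str:
    """Handset side: authorise THIS transaction (what you see is what you sign)."""
    return hmac.new(device_key, canonical_transaction(tx), hashlib.sha256).hexdigest()


def verify_transaction(device_key: bytes, tx: dict, signature: str) -> bool:
    """Bank side: the signature is only valid for the exact transaction presented."""
    expected = sign_transaction(device_key, tx)
    return hmac.compare_digest(expected, signature)


def compare_schemes() -> dict:
    """Run both schemes against a legitimate payment and a redirected copy of it."""
    otp_secret = b"12345678901234567890"          # RFC 4226 test-vector secret
    device_key = b"constructed-handset-key"       # assumed per-device signing key
    legitimate = {"payee": "GB00 ELEC 0001", "amount": "120.00",
                  "currency": "GBP", "ref": "electricity bill"}
    redirected = dict(legitimate, payee="GB00 OTHER 9999")  # same amount, new payee

    # Scheme 1: a texted one-use code. The server checks the code, nothing else,
    # so it would accept it for the redirected payment just as readily.
    code = hotp(otp_secret, 1)
    otp_check_ignores_transaction = verify_hotp(otp_secret, code, last_counter=0) is not None

    # Scheme 2: the handset signs the transaction details it displayed.
    signature = sign_transaction(device_key, legitimate)
    return {
        "otp": code,
        "otp_check_ignores_transaction": otp_check_ignores_transaction,
        "signature_accepts_legitimate": verify_transaction(device_key, legitimate, signature),
        "signature_accepts_redirected": verify_transaction(device_key, redirected, signature),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The HOTP path reproduces the RFC 4226 test vectors (counter 0 gives 755224, counter 1 gives 287082), which is a useful sanity check for any OTP verifier. The design point is in `compare_schemes`: the OTP verifier has no parameter for the payment, whereas `verify_transaction` fails as soon as the payee changes, which is the property that makes stolen personal data much less useful.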
I love my east coast business bank’s authentication security token (which generates a random number), but it drives me crazy that this same top-five company’s business credit card division won’t recognize the token issued by its banking side of the house. I’m also committed to my Western-US personal bank and appreciate my inside knowledge of their great behind-the-scenes authentication capabilities, but I’d also like to use that same single token there as well. [From Javelin Strategy and Research » Identity and private enterprise (I love my new Clear card)]
As I have constantly complained since time immemorial, there’s an almost insurmountable barrier against implementing decent multi-factor, mass-market strong authentication for banks, and that is the silo mentality: the chip and PIN 2FA “PINsentry” that I use with my Barclays Visa-branded card to log in to Barclays cannot be used for 3D Secure authentication of Visa purchases or to log in to anything else. Someone has to step forward to break the logjam.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.