Online (identity-related) fraud is absolutely out of control in the UK and there is, so far as I can see, no prospect of any form of identity infrastructure to deal with the problem. Prospective Prime Minister Jeremy Corbyn has put forward the suggestion of a digital passport (and has, as yet, not responded to my offer to step forward in the nation’s hour of need with my Dr. Who-based identity architecture to implement it properly) but he won’t get elected anyway, so it won’t happen. Yet the fact remains that whether it’s scammers going through Facebook to perpetrate dating fraud or going through LinkedIn to perpetrate corporate fraud or going through the Land Registry to perpetrate property fraud or going through Companies House to perpetrate corporate fraud, identity is broken.
After two decades of the web we’re getting no closer to fixing it. An example from my e-mail today: how is the average punter supposed to know whether “firstname.lastname@example.org” is real or not? It doesn’t look very real and there’s no digital signature on the email they sent me so I’ve got no way to check it (although all my messages from Facebook are digitally-signed!). Anyway, this is the sort of thing that plagues our nation:
The company was conned into paying more than £1million to a fraudulent caller. The conman told staff that the firm’s internet banking was the target of a virus. He managed to persuade them to transfer funds into a separate account while the bank worked to fix the issue.
How come it is impossible to know who you’re on the phone with (because of caller ID spoofing) let alone which dog is messaging you on the Internet? One of the great advantages of my ID scheme, as opposed to the last government’s scheme or the scheme that we abandoned in the 1950s, is that under my scheme, my “digital passport” (whatever) would be able to verify your digital passport. If you phone me claiming to be from NatWest then I will ignore you unless my digital passport (e.g., app) tells me that it has received a digitally-signed, verified credential containing your phone and a NatWest virtual identity.
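The check described above, sketched as an added example (not code from this post or from any real identity scheme): an issuer signs a credential binding a phone number to an organisation, and the recipient's app verifies it before trusting the call. The credential fields, function names, and phone number are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Credential binds a caller's phone number to an organisation identity.
// The field layout is an assumption for this example, not a real format.
type Credential struct {
	Phone   string `json:"phone"`
	Org     string `json:"org"`
	Expires int64  `json:"expires"` // Unix seconds
}

// Issue serialises the credential and signs it with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) (payload, sig []byte) {
	payload, _ = json.Marshal(c)
	return payload, ed25519.Sign(priv, payload)
}

// VerifyCaller is the recipient-side check: the signature must verify under
// a trusted issuer key, the credential must be unexpired, and the signed
// phone number and organisation must match what the caller presents.
func VerifyCaller(trusted ed25519.PublicKey, payload, sig []byte,
	callerID, claimedOrg string, now time.Time) error {
	if !ed25519.Verify(trusted, payload, sig) {
		return fmt.Errorf("signature is not from the trusted issuer")
	}
	var c Credential
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("malformed credential: %w", err)
	}
	if now.Unix() >= c.Expires {
		return fmt.Errorf("credential expired")
	}
	if c.Phone != callerID || c.Org != claimedOrg {
		return fmt.Errorf("credential does not match caller")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	now := time.Now()
	c := Credential{Phone: "+44 20 7946 0000", Org: "NatWest", Expires: now.Add(time.Hour).Unix()}
	p, s := Issue(priv, c) // constructed sample credential
	fmt.Println(VerifyCaller(pub, p, s, "+44 20 7946 0000", "NatWest", now))
}
```

A static signed credential can be copied and replayed alongside a spoofed caller ID, so a deployment would also need the caller to prove possession of a key (for example by signing a fresh challenge from the recipient).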
I talked about this last week when Brett King was kind enough to invite me on to an episode of Breaking Banks covering the blockchain and identity. What I might have gone on to say is that we seem to have made no progress at all on this since the internet reached the mass market. And if you think that you’re so smart that you would never fall for this kind of thing, you’re wrong.
Sole practitioner Karen Mackie took a call in April which claimed to be from her bank warning her that her clients’ accounts had been compromised — and as a result ended up moving £734,000 into new accounts in £99,000 chunks.
The reason for the £99,000 chunks is of course that the Faster Payment Service (FPS) limit was £100,000 at the time. Still, not to worry, you would think, because the money can only be transferred to UK bank accounts and UK banks have very strict KYC procedures. It should be easy to text the plod with the names, addresses and phone numbers of the fraudsters. Apparently not…
Which is exactly what happened — only the accounts weren’t so safe. £222,000 was subsequently retrieved by the bank, but the scammers got away with the rest.
Oh dear. So much for all the money that is spent on KYC, AML and generally annoying and hindering members of the public trying to go about their lawful business. It doesn’t seem to do much more than inconvenience criminals. They got away with half a million quid. So the moral of this story is that basically it’s more profitable using identity theft to steal from banks than it is trying to persuade banks to implement an identity infrastructure fit for the 21st century.