Fit and counterfeit

[Dave Birch] When the first Bank of England banknotes were issued in June 1694, they must have seemed pretty secure, with their fancy engraving and the handwritten signatures. It must have been a bit of a shock in August 1694 when the first counterfeits were detected. Or should I say that the first counterfeits bad enough to be detected were detected. One of the problems that plagued the Royal Mint at that time was that the machinery to make notes and coins was being stolen by corrupt employees and sold to the criminal underworld. The machines were not really producing counterfeits: because they used the same plates and dies as those being used in the Mint, they were producing unauthorised versions. Banknotes have evolved a bit since then, but given the regularity of the stories about North Korean “supernotes”, the counterfeiters have kept pace.

North Korea has been producing “super notes,” counterfeit 100-dollar bills practically indistinguishable from legal tender, even since 2007 when the U.S. released North Korea from financial sanctions. North Korea has also tried to bring some of the notes into South Korea.

[From Daily NK – Super Notes Still in Production]

There’s no need to get Korean ultraforgers on board so far as the new UK national identity card goes. In fact, our indigenous forgers have been doing an excellent job, selling first-class forgeries of the UK ID card even before the UK ID card existed. Why they are bothering is not entirely clear.

Darren McTeggart tried to use the £30 card to pick up a replacement credit card from a branch of Santander – formerly Abbey – in Manchester, where the scheme was rolled out on a voluntary basis last year. Mr McTeggart, one of the first people to get the card, said: “They said it was not on their list of approved ID.

[From Man can’t prove ID with ID card – Telegraph]

I’m sure this is just a hiccough. But how are indigenous ultraforgers creating their dastardly fake ID cards? Are they breaking into the government’s factories and stealing the chips? Have they got corrupt insiders working for them? Sadly, nothing that interesting. It’s apparently so easy to forge documents like this that the police are now asking the companies who sell printers to report suspicious customers, much as banks have to do when opening new accounts.

U.K. police are trying to get wider participation from printer manufacturers and makers of specialist equipment in a voluntary program designed to cut off criminals from the tools they need to make fraudulent passports and ID cards.

[From UK Police Engage Print Industry to Stop Fake IDs – PCWorld Business Center]

Oh come on. You can’t seriously tell me that criminals can just walk into PC World and buy printers that can produce a fake ID card? I don’t believe that for a moment. Oh, wait…

The Met has shut at least 20 [fake ID] “factories” in the last 18 months and believes more than 30,000 fake identities are in circulation. Police examined 12,000 of them and established they were behind a racket worth £14 million. One £750 printer was withdrawn from sale at PC World after detectives revealed it could produce replicas of the proposed new ID card and EU driving licences.

[From Police war on fake ID factories as fraudsters net millions | News]

Whoops. I’m sure this isn’t what former Home Secretary David Blunkett had in mind when he outlined his plans for the national ID card way back whenever.

Imperfect crime

[Dave Birch] Some years ago at the Digital Money Forum, Richard Bartle from the University of Essex characterised the economy of virtual worlds as “people buying things that don’t exist from people who don’t own them”, which was, frankly, a brilliant summary. There is also, sadly, a class of people stealing things that don’t exist from people who don’t own them, and this is a crime, so it was with great interest I read that

A British man has been arrested and cautioned for stealing accounts for online game Runescape… A statement from the Police National e-crime unit said: “A 23-year-old man was arrested in Avon and Somerset… on suspicion of a number of computer misuse offences.”… Once hi-tech thieves have these credentials they plunder the accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold.

[From BBC News – Runescape creator pursues ‘phishing thieves’]

This is real identity theft. If criminals somehow get into my bank account and spirit the money away, I don’t really care because it’s the bank’s problem and they will give me the money back. But if the criminals take over my Runescape character, that’s a real personal violation. As I said before

a bank can easily restore my money, but it’s much harder for Facebook to restore my reputation (apart from anything else, a reputation takes time to build). Which is the worse crime?

[From Digital Identity Forum: What identity is important?]

It’s the latter, clearly. So perhaps the “standard” use case for strong authentication should be switched from logging on for home banking to logging on to Facebook, which takes us into the world of OAuth and OpenID instead of EMV and OTP. In this world, there’s already plenty of work going on around authentication, credentials and federation that could provide key portions of the infrastructure that we know that we are going to need in the mass market.

