Posts filed under ‘Aus’

ID theft from security breaches

How much identity fraud or theft actually comes from breaches involving the disclosure of personal identity information?

This is an important question because of the increased publicity around high-profile breaches. The fiasco in the UK involving 25 million records is an obvious one, but also, according to Privacy Rights Clearinghouse, over the past three years there were about 217 million known records containing sensitive personal information involved in security breaches in the US.

The question is also important given the moves to introduce guidelines or laws for data breach notifications, in both New Zealand and Australia.

There isn’t a lot of hard data to go by. That makes the recent study by US firm ID Analytics interesting.

The study looked at over a dozen data breaches involving more than ten million consumer identities. ID Analytics found five separate cases where breached identity data was misused by fraudsters, with two of those cases resulting from employee theft of data.

Very few identities were misused following a data breach.

Smaller breaches had a higher misuse rate than larger breaches. Misuse of personal data ranged from 1 in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than 1 in 10,000 identities for breaches of more than 100,000 individuals. So, data breaches that get major press coverage, generally falling in the latter category, have a misuse rate of under 0.01%.

Therefore, there is some evidence that the amount of identity fraud or theft that actually results from breaches involving the disclosure of personal identity information is quite low. A greater danger comes from internal breaches than from external ones.

Hopefully, this will inform a rational debate on the nature of public disclosure for data breaches.

December 10, 2007 at 9:52 pm 2 comments

Demise of the Access Card

Reports from across the Tasman say that Australia’s new government has pulled the plug on the Access Card. The ID card that wasn’t supposed to be an ID card has been controversial and Labour seems to have decided that former Prime Minister John Howard’s baby should be aborted.

The official website has already been changed so clearly the government wants to move on.

The Access Card saga is a classic tale of how not to implement a major government initiative. Lack of consistent and clear messages compounded by a lack of transparency and trust has always made it difficult to separate fact from political noise.

As David Vaile of the Australian Privacy Foundation once put it, “The problem with the Access Card project is that it involves collecting the data first, connecting systems, and then deciding what to use it for.”

Privacy and civil liberties advocates are apprehensive that the reports of the death of the Access Card have been greatly exaggerated. They are keeping a watch out for any proposal to re-introduce the card in a new form, as was the case with the Australia Card.

I don’t think they need to worry. As the UK has shown, ID cards for countries that traditionally haven’t had them are now so passé.

December 6, 2007 at 9:58 pm Leave a comment

Privacy & culture

I was recently discussing with a colleague the differences in people’s attitudes to privacy in New Zealand and Singapore. He thought most of it could be explained by differences in culture.

To illustrate his point, he sent me a link to a very interesting website that is based on work done by Prof Geert Hofstede. Prof Hofstede developed a framework for scoring countries on five dimensions: Power Distance, Individualism, Masculinity, Uncertainty Avoidance, and Long Term Orientation.

While it’s possible to see the rating of countries individually, what’s really useful is to compare pairs of countries. Sure enough, comparing New Zealand with Singapore showed the huge variations between the two countries.

I tried a few more combinations and, based on my own opinion about various cultures, found his assessment to be pretty accurate. For example, New Zealand-Canada showed striking similarities, and the privacy approaches of the two countries are in fact quite aligned.

As expected, New Zealand-Australia showed similar scoring on all the five dimensions. Not quite sure why Australia is higher on every dimension though.

This approach is of course bordering on stereotyping but, at a sweeping generalisation level with country = culture, it does provide an easy way to see how attitudes to privacy are rooted in culture.

October 16, 2007 at 8:40 pm 1 comment

NZ’s biggest identity fraudster

123 false identities and “…a full time occupation of serious dishonesty.”

That’s what it took New Zealand’s biggest identity fraudster, Wayne Thomas Patterson, to con the Ministry of Social Development out of $3.4 million in benefits over two and a half years. He had so much cash and gold in his house that the story and video of the police finding them make it sound like a fun treasure hunt.

His preferred point of attack seems to have been superannuation, where age (65+) is the major determinant of eligibility. Stolen birth certificates and disguises did the rest.

Wayne’s false identities seem to represent the classic cascading of identity documents. Start with forged birth certificates and then move on progressively to genuine driver licences, IRD (tax) numbers, bank accounts, passports, and benefits.

This also means that multiple government departments (the Ministry of Social Development for social welfare benefits, Land Transport New Zealand for driver licences, the Inland Revenue Department for tax numbers, and the Department of Internal Affairs for passports) would have reviewed their identity verification processes to prevent this from happening again. Still, it is worth asking how this chain of trust can be broken effectively.

As the Chief Executive of the Ministry of Social Development said, one must keep this in perspective. That Ministry pays out $17 billion a year to a million people. And, it comes out with a net gain of $467,000 thanks to some astute investments that Wayne made with his millions.

This is the third country in which Wayne has been jailed for identity fraud, after earlier spending jail time in the USA and Australia. Ironically, once he’s out of jail, it will be the Ministry of Social Development that he can turn to for help. Only, this time it will have to be with his true identity.

October 12, 2007 at 9:48 pm 1 comment

Australia’s Big Mother

I had earlier written about the Australian Government’s efforts in protecting families from Internet porn by providing free filters that were broken by a schoolboy in 30 minutes.

Undeterred, the Australian Government continues with its NetAlert safety initiative. At the launch in Sydney, Olympic swimmer Kieren Perkins said, “It’s not negative, a Big Brother. More like Big Mother, protecting you and your kids from what’s out there.”

It’s certainly a good thing for governments to take the initiative in protecting children from inappropriate content online. The problem is that this particular Big Mother isn’t that effective.

In addition to inappropriate content, there are bigger and nastier dangers out there.

Personally, I prefer the approach advocated by Kiwi organisation NetSafe. They say that, “Critical thinking skills and education are key to keeping kids safe online, not least because they are portable, and travel with children when they visit friends’ houses or internet cafes…”

“…as children get older, they are more and more able to get around technological barriers such as filtering and safe search engines. (It also pays to remember that problems like bullying online are not prevented by filtering or safe search tools).”

I think that parents have to prepare their children to participate safely in online worlds, not try to cocoon them. For a child to gain the skills and confidence to participate safely in, say, social networking sites when they are old enough, I prefer the NetSafe approach over Big Mother.

NetSafe through its charitable subsidiary Hector’s World is doing a great job for kids. The Hector Safety Button seems to be pitched just right and the five animated educational videos (from the main Hector’s World website) speak to kids in their language.

My kids say the videos are very interesting and that level of praise is given rarely. The kids seem to have got the right messages, finally, so for me that’s proof enough that Big Mother is not the way to go.

September 4, 2007 at 10:52 pm Leave a comment

England: a bigger folly

I wrote yesterday about the folly of absolutes in Australia. This provides one good reason why England’s plans for a national children database are a bad idea.

As I mentioned, the Australian Taxation Office spokeswoman admitted that government cannot make sure it will keep taxpayer information, which it is legally required to keep confidential, safe from unauthorised employees. This is probably true of governments in every country: insiders are the biggest security threat.

On the other hand, England is charging ahead to introduce a massive national database (ContactPoint) which will contain details of every one of the 11 million under-18 children in the country, listing their name, address and gender, as well as contact details for their GP, school and parents and other carers.

Given that 330,000 users will have access to this database, it’s not surprising that fears of misuse and unauthorised access are growing.

Tellingly, information about the children of celebrities and politicians is likely to be excluded from the system.

The database may or may not be able to achieve its aims of preventing another Victoria Climbié. Following on from the folly of absolutes, what will most certainly happen is unauthorised access. The question then is whether the resulting harm will be more than offset by the good it will do.

And, even if the net result is positive, that will be of little comfort to the children harmed.

August 29, 2007 at 10:46 pm Leave a comment

Aus: the folly of absolutes

Two stories from Australia serve as a timely reminder about the folly of thinking in absolutes.

The first one is the Australian Government’s efforts around porn filters. They proudly announced the launch of free porn filters for families at the considerable cost of (AU) $84 million. Imagine the government’s embarrassment when a 16-year-old schoolboy broke the filters in half an hour, and an updated version in 40 minutes.

The government was forced to declare that, “… the government has always maintained, no filter is foolproof.” Right, now that’s backing away from absolutes.

The second story comes from the Australian Taxation Office (ATO). Investigations showed that 27 staff had gained unauthorised access to personal tax records in 2006. Now, a dozen people have been sacked or resigned after being caught doing the same thing.

An ATO spokeswoman said, “While no level of unauthorised access is acceptable, in an organisation of about 22,000 people it is inevitable that a very small number of people will be tempted to do the wrong thing.”

“Inevitable” is a way of saying that government cannot absolutely make sure it will keep taxpayer information, which it is legally required to keep confidential, safe from unauthorised employees.

It’s realistic not to set up expectations of absolutes.

On another note, this re-emphasises a security truism: the biggest threat to privacy and the protection of personal information comes from the inside, while the popular notion of security is about keeping the bad guys out.

August 28, 2007 at 9:57 pm 4 comments

Data security breach notification laws coming?

In a post two days ago, I referred to the Report on Personal Internet Security from the House of Lords. One of its recommendations to the British Government was a data security breach notification law.

In fact, the Report states that such a law “would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.”

The ripples of California’s 2002 law are also crossing the Pacific and reaching Down Under.

In Australia, a Gartner security analyst calls the law “inevitable”. With backing for the law from the Office of the Privacy Commissioner, that seems to be an accurate assessment. Details need to be worked through, such as “What constitutes a privacy breach? What constitutes a disclosure?”

What about New Zealand?

Computerworld reported that Privacy Commissioner Marie Shroff’s office was preparing recommendations for government that could force organisations subject to breaches of personal data to notify the individuals affected by the breach. It goes on to say that she was studying what was happening overseas and that surveys conducted by her office had detected rising concern over the issue of data privacy and security. This pointed in the direction of recommending that “something needs to be done.”

Computerworld also reported earlier that in a snap poll at a recent Security Briefing in Auckland, “almost all the IT executives surveyed indicated they would support a data-breach disclosure law… Only a few indicated they were not sure whether they supported such a move, but none opposed such a law.”

It seems that a fear of not being in step with other countries is a major driver for introducing a notification law in Australia and New Zealand.

Am I in favour of such a law? Yes, but not for the reasons commonly put forward.

Firstly, I think it is a good idea so that we can get visibility of the size of the problem. The IT executives quoted above are convinced that breaches are common, but I am yet to be convinced that this is the case in New Zealand. In any case, the law will cause organisations to reveal the real situation.

Secondly, organisations are almost universally loath to spend on good security unless pushed by an actual security breach (when it’s a bit late to do much good) or by regulations. A notification law may therefore help push them to give their customers the proper level of security personal information deserves.

August 17, 2007 at 11:35 pm 6 comments

IdenTrust and PKI

Dave Kearns’ IdM Newsletter alerted me to the article “IdenTrust adoption at inflection point” in FinancialTech Insider.

In my previous post about interoperable authentication credentials, I had referred to news from Australia in which ANZ Bank is piloting how its business customers can use their bank-issued smartcards with government.

In light of the FinancialTech Insider article, in retrospect I should have mentioned that the smartcards issued by ANZ use the IdenTrust certificate for authentication with the government. This re-emphasises the efforts being made by IdenTrust to breathe new life into banks’ PKI infrastructures.

The article makes a good point that, “IdenTrust is the only bank-developed identity authentication platform and unlike other digital ID solutions, it emphasizes the interoperability of its digital certificates and their ability to function cross-border.”

This might just be enough to give the banks an edge as a global-scale identity player.

Still, it is hard to overlook the troubled history of PKI. Much has been written about the problems with PKI. One of the good ones is by security guru Peter Gutmann called “Everything you Never Wanted to Know about PKI but were Forced to Find Out.”

With a title like that, it’s an insightful but very long read!

August 10, 2007 at 6:53 pm 1 comment

Interoperable authentication credentials

It’s hardly surprising that 61% of the 102 IRS employees tested improperly disclosed their usernames and passwords. I suspect they are people after all and therefore prone to social engineering. Sadly, it seems they didn’t even get a chocolate in exchange.

Passwords of course continue to have a role to play in online authentication. But, they need to be limited to transactions where the identity-related risk is truly low.

It would be so much easier if two-factor authentication was ubiquitous. One way to get there quicker is to have interoperable authentication credentials.

It was therefore good to see news coming out of Australia that ANZ Bank has struck a deal with a government department to pilot a way for bank-issued smartcards to also be used as authentication credentials with the government.

This is part of the VANguard program which “will provide validation, authentication and notary services to facilitate online business with government agencies.”

A downside of using smartcards online, while still making use of the digital certificate on the card, is the need for a smartcard reader of some sort. That doesn’t, however, seem to be a problem for ANZ’s business customers, as they are already using readers for a range of Internet-based banking services.

This is great: one interoperable authentication credential for banks and government, and one step closer to ubiquitous two-factor authentication.

August 9, 2007 at 9:33 pm 2 comments


This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.
