Posts tagged: security

Mar 03 2011

HMRC cock-up pt4; The Final Insult

A week ago I called HMRC up to check how the mess was progressing, and got some interesting feedback.

  • There’s no mention on my file about the incident OR there is and they’re not allowed to tell me because it would be an ongoing investigation; options that were both described to me over the telephone. and a spectacular exercise in fruitless paranoia generation.
  • The cover-letter I included is probably now in a waiting list. This waiting list is currently 8 weeks long. Only at that point will my letter even be read.
  • The person whose information I received would have been notified right away.

Tonight I finally got around to giving the person in question a quick phonecall to let them know the documents had been returned. They had NOT been informed. In fact they’d had to take it upon themselves to call HMRC to inform them.

Understandable since getting my call out of the blue, you’d want to be damn sure.

I mentioned the 8-week reply time, and they mentioned they’d been told the same thing. In other words HMRC wouldn’t have informed them about the mistake for over two months! Because they hadn’t gotten to it in their pile of post, despite being informed about it directly!

THIS is why you should have a separate department for security issues; because letting someone know their personal information has been leaked to the world requires a faster response than 1/6th of a year!

A dedicated address or department for urgent security issues is obvious for even small companies, yet somehow it seems to elude the management of Her Majesty’s Revenue & Customs who by law deal with the critical personal information of every single citizen of the UK!

So, presuming it’s not all an insane elaborate ruse and the department actually think the first act of someone actually out to misuse someones personal information would be to inform both that person and the department itself, then I can expect the next edition of this exciting and mind-bogglingly inept adventure to occur sometime around mid-to-late April.

Don’t hold your breath. I fully expect the attached documents to have gone “astray” in their to-do pile by then.

Jan 24 2011

HMRC Security cock-up Pt2

Today I finally got around to calling HMRC back. It’s been a frustrating and rushed week with my insurance renewel and some family matters that’s put it off ’til now.

At the suggestion of several friends I called up HMRC rather than the lady whose details they’ve sent me. After 10-15 minutes on hold I got to speak to an advisor, who rapidly put me on hold again when I told them what the problem was. They came back on sounding scared, like they didn’t want to get any more of this on themselves than they could avoid. Perhaps it was my mention that I knew this violated data-protection laws?

They took some of my details, and the details on the incorrect paperwork. Then I was told I had to send it back to them so there could be an investigation.

All well and good? Well, no. The next bit went something like;

Them: “Do you still have the envelope it came in?”

Me: “Yes?”

Them: “Okay, just put it back in there and post it back to us.”

First, the envelope in question is a generic brown windowed envelope, which if I simply replace the documents in will display my address, and possibly be returned back to me again. It is also a used budget-end envelope, with the associated creases and tears from one trip, as well as an existing electronic routing stamp which I worry might furthur confuse it’s transit through the postal system.

Most importantly though, the address I was told to send it to was simply “HMRC” at The Triad in Bootle. No cover-letter, no special department. Just mine and someone elses information being tossed back to them with no reference or alert that it is actually the solitary evidence of their criminal cock-up.

Don’t letters returned to sender as-is usually get binned, or get marked as having been sent to invalid addresses? And with no tracking there’s nothing to stop this sole evidence simply disappearing the moment it’s in the post box.

They assured me the lady in question would be notified of the cock-up, they said, since her information is at risk here. Well let’s be sure of that.

Underwhelmed by their reaction, I called the lady concerned myself anyway to let her know. She fortunately seemed pretty up to speed on these sort of things, and I left her my email and mobile number to contact me on if they do or don’t contact her themselves. I also explained what my own course of action will be;

1) I will photograph the evidence

2) I will photograph my placing it in a new envelope with cover-letter

3) I will send it back to HMRC tomorrow by 1st Class Signed for so I can be sure of it’s receipt.

I will document it at each of these stages, and hopefully this will go a long way to preventing it from being conveniently lost or overlooked.

Will HMRC do things by the book when the proof is most definitely back in their hands? Stay tuned to find out!

Jan 17 2011

Taxing security? Very. HMRC have cocked up big-time!

I don’t like tax return time. The language used in these documents makes my brain spasm. For instance, their phrasing of declared losses comes up as self-contradicting to me; a loss is something I loose.. but claiming for it is something I get? How can I be loosing something I’m getting??

Maybe it’s a dyslexic thing.

Now I’ve got it done though I’m kinda wishing I could do it again, or that it had a practice-run function so I could really rip on the interface. Why did I have to click through 4 pages just to save a copy? Did I really need to be alerted what the file type was, that it would save on the next page after hitting continue, and get an approximation of download time all on separate pages?

But anyway, I had a week off from it while waiting for a copy of last years return. There was a single figure on it I claimed for last year that I needed for this year.

Now I can understand it not being given out over the phone; it’s relatively easy to pretend to be someone else there. However the HMRC website is a secure connection (in theory) which displays your current tax information. The previous return is automatically removed from it after a year apparently, which alone seems moronic; because surely one year on is exactly when you’re going to want to check it. But the information is given out through it, so how come you can’t get the details through there..?

So question-authenticated phone is insecure.

The HTTPS secure website is not considered secure for this information once it’s a year old.

But bog standard 1st Class by Royal Mail is fine.

No signature, no monitoring in transit, no tracking. It could be opened, read, photocopied & I’d never know. It could vanish into the system and all I’d be able to do is request another copy and hope no one’s preparing to rape my ghost in the government machine.

This I could visualise, this was a definite unnecessary risk I had to swallow to get the magic (and aside from this return, utterly irrelevant) number. But as they say; the problem with making something foolproof is how ingenious fools are.

I received two copies of last years return.

So assuming there were only 2 copies sent, then all is fine, right? Well no. Aside from it raising the worrying issue that if a random number of copies are being sent, you can never be sure they’ve all arrived. And aside from the matter that the “copy” is actually a bunch of printed screen-grabs (including program tool-bar!) of it on the data-entry system, one of the copies IS NOT WHOLLY MINE.

One set is fine in that it does technically have the info I need if I squint and don’t mind half the text being light grey on a slightly darker grey background. The other, which has some empty fields the other doesn’t (yet is apparently from the same screen-grabbed program), also starts with the 2nd page being from an advisor’s working form for someone else.

It doesn’t have a document number, so I presume it’s automatically generated and a printer has cocked up at their office; interleaving the first input page of someone elses claim/statement information into my own print-out.

I’m annoyed on a few levels here. Primarily it’s one of security; because my information is removed from the secure site just when I need it, it opens up the possibility of exactly these sort of mistakes occurring. They have a better system which they have elected to actively disable when required.

(The other level is typographic; their internal system prints out a visually clear and informative table of information in laser-crisp black & white, but we plebs have to deal with a printer-cropped all-grey rastered-down bitmap for our use, the likes of which a 7 year old would be embarrassed to produce for their school homework).

And because of this I now had the Name, DOB, address, NI number, telephone number, place of employment, partners name and partners DOB, of a 22 year-old woman living near Manchester who was letting them know of her partners change in employment status.

There is ample information here for someone to steal her identity, and I see that as a direct result of a poorly managed & designed government system.

Of course I’m fairly sure this incident is a breach of data-protection laws, and as such I’m intending to phone the lady in question tomorrow and let her know in case she wants to take action against them. As soon as I figure out how to phrase the conversation without sounding like a scam-artist myself.

Jun 29 2010

Eye-Fi and mobile phones – instant remote backup of photos?

When I first heard about the Eye-Fi SDHC a couple of years ago, I was very intrigued, but saddened that it seemed so locked in to one service. But time’s gone by now, and it looks like they’ve opened their doors a lot wider.
The Eye-Fi is an up to 8Gb SD card with a built-in 802.11n wifi functionality. The idea is that when a photo is taken, it’s stored and also uploaded by any open wifi point to the web service. And now there’s a number of services including YouTube, but more importantly I feel, the open-source Gallery 2. The Gallery 2 option means it can now upload to your own personal webspace, located in the country and legal protections of your choice.

However it still requires you to get within 27meters (max) of an open wifi point. And with the spectre of an un-redacted Digital Economy Act looming, open wifi points may soon become rather thin on the ground.

However, one of the things that came up in the original discussion of the Eye-Fi was the idea of using a data-enabled SmartPhone with wifi as a bridge. Eye-Fi talks to your phone via 802.11n, phone talks to the internet via 3G or other mobile broadband. It’s a delightfully simple and compelling concept, but one that has apparently seen little development. Perhaps I’ve simply not found it yet, but it’s hard to find discussion of the subject past 2007.
Certainly you could use a laptop for the same purpose, but that shouldn’t be necessary, particularly as open-source phones such as the Android now exist, where the necessary programming should be relatively simple. And in any case, the uptime comparisons are unlikely to favour it.

In a world where police can illegally demand or force you to delete the video and images from your camera, I for one would treasure the warm inner glow from knowing that while the originals are gone, identical copies have already transferred to my phone and on to a secure server on the other side of the planet.

So if anyone knows of a bit of software to turn your SmartPhone into a passive wifi access-point/bridge, I’d love to hear about it, as I’m sure others would.

Alibi3col theme by Themocracy