Showing posts with label fraud. Show all posts

03 June 2009

ID Database Breached Even Before It Exists

Well, I was expecting this, but not so soon:

A Glasgow council worker was sacked and another resigned after they were caught snooping into the core database of the Government's Identity Card scheme.

The two Glasgow staff were caught snooping on people in the Department for Work and Pensions (DWP) Customer Information Systems (CIS) database, which includes among its 85 million records the personal details about everyone in the UK, and which the Identity and Passport Service plans to use as the foundation of the national ID scheme.

"A member of staff tried to access stuff about famous figures," said a spokesman for Glasgow City Council. He said the DWP alerted the council about the breach. He refused to name the celebrity or say how the council dealt with the matter.

The INQ has learned, however, that the staffer caught looking up personal data belonging to celebrities was sacked.

Whether they resigned or were sacked is neither here nor there: it represents no deterrent whatsoever.

As if that's not bad enough, try this:

"The small number of incidents shows that the CIS security system is working," he added.

Er, no: it just means that you've only *caught* two of them, and that the other n, where n may be a large and growing number, have got away with it so far....

Let's just hope Labour continues its entertaining meltdown before it can bring its insane ID card/database plans to total "fruition" - for the identity thieves and blackmailers.

Follow me @glynmoody on Twitter or identi.ca.

24 October 2008

Verified by Visa - As Valueless

I, too, have noticed the insidious spread of Verified by Visa (VbyV), and thought it looked well dodgy, but I couldn't quite put my finger on it. Here's the problem:

Once obtained by fraudsters, either by direct phishing attack or through other more subtle forms of social engineering trickery, VbyV login credentials make it easier for crooks to make purchases online while simultaneously making it harder for consumers to deny responsibility for a fraudulent transaction.

The easiest way will be for a compromised site to push you to a false login and obtain your magic password. You won't be able to prove it, of course, and so the danger is that you will end up footing the bill for fraud.

This is a disaster waiting to happen, and lots of people are going to get burned if we don't manage to get some sense into the banks soon. The only way to do that is to get the story out - please pass it on.... (Via Kim Cameron's Identity Weblog.)

08 August 2007

On the Necessity of Open Access and Open Data

One of the great things about open source is its transparency: you can't easily hide viruses or trojans, nor can you simply filch code from other people, as you can with closed source. Indeed, the accusations made from time to time that open source contains "stolen" code from other programs are deeply ironic, since it's almost certainly proprietary, closed software that has bits of thievery hidden deep within its digital bowels.

The same is true of open access and open data: when everything is out in the open, it is much easier to detect plagiarism or outright fraud. Equally, making it hard for people to access online, searchable text, or the underlying data by placing restrictions on its distribution reduces the number of people checking it and hence the likelihood that anyone will notice if something is amiss.

A nicely-researched piece on Ars Technica provides a clear demonstration of this:

Despite the danger represented by research fraud, instances of manufactured data and other unethical behavior have produced a steady stream of scandal and retractions within the scientific community. This point has been driven home by the recent retraction of a paper published in the journal Science and the recognition of a few individuals engaged in dozens of acts of plagiarism in physics journals.

By contrast, in the case of arXiv's preprint holdings, catching this stuff is relatively easy thanks to its open, online nature:

Computer algorithms to detect duplications of text have already proven successful at detecting plagiarism in papers in the physical sciences. The arXiv now uses similar software to scan all submissions for signs of plagiarized text. As this report was being prepared, the publishing service Crossref announced that it would begin a pilot program to index the contents of the journals produced by a number of academic publishers in order to expose them for the verification of originality. Thus, catching plagiarism early should be getting increasingly easy for the academic world.

Note, though, that open access allows *anyone* to check for plagiarism, not just the "authorised" keepers of the copyrighted academic flame.

Similarly, open data means anyone can take a peek, poke around and pick out problems:

How did Dr. Deb manage to create the impression that he had generated a solid data set? Roberts suggests that a number of factors were at play. Several aspects of the experiments allowed Deb to work largely alone. The mouse facility was in a separate building, and "catching a mouse embryo at the three-cell stage had him in from midnight until dawn," Dr. Roberts noted. Deb was also on his second post-doc position, a time where it was essential for him to develop the ability to work independently. The nature of the data itself lent it to manipulation. The raw data for these experiments consisted of a number of independent grayscale images that are normally assigned colors and merged (typically in Photoshop) prior to analysis.

Again, if the "raw data" were available to all, as good open notebook science dictates that they should be, any manipulation could be detected more readily.

Interestingly, this is not something that traditional "closed source" publishing can ever match using half-hearted fudges or temporary fixes, just as closed source programs can never match open ones for transparency. There is simply no substitute for openness.