Insert obligatory "Whereas we cant't trust the government about ANYTHING" comment here.
Pitchforks at dawn! UK gov's Verify ID service fail to verify ID
The UK government has been forced to defend its gaffe-ridden Identity Assurance scheme, dubbed "Verify", after a public beta version it released failed to work for some farmers who tried to register for a service using the new system. The Department for Environment, Food and Rural Affairs, which has been testing the tech …
-
-
Sunday 2nd November 2014 17:12 GMT Anonymous Coward
This is probably deliberate
The EU Overstubenfuhrers have run out of dosh and have told the member states to stop spending on silly things. The mandarins in Whitehall are simply oberying the diktat. The result is Systems like this that are desgned to make id so hard to get information about EU rebates that they will underspend by a few billion quid. Then the PM can use allocated budget that as the money they have to pay Brussels.
Simples eh?
No if HMRC can srot out their totally crap system and give me an ID so that I can do my self assement then I'd be happy.
-
Sunday 2nd November 2014 17:30 GMT Disgruntled of TW
ID Verify fails ...
... and Experian? A self declared, state supported tri-opoly. Equifax, Experian and Call Credit. Absolute power, little or no accountability for their mistakes.
[RANT ON]
Experian sent my "free" credit report to me with the wrong name on the address on the envelope. Not a statistically significant mistake for them, but a 100% fail for me had someone else opened that letter. Did the ICO prosecute or fine them, under the Data Protection Act? Of course not. Why not? You would have to ask him.
Accountability? ZERO. Unfair burden of proof on the individual before they update information they store on the individual. We are expected to clean their database, which they happily sell for substantial gain. It is THEIR mistakes that ruin lives.
[RANT OFF]
BBC Watchdog on credit agencies, to see just how bad they are:
http://www.bbc.co.uk/programmes/articles/1FV0VyS6DFgDCS64NP0T4bB/credit-reference-agencies
-
Sunday 2nd November 2014 22:18 GMT Anonymous Coward
Re: ID Verify fails ...
Yep, one the credit agencies - I forget which one - scuppered my friend's application for a job at GCHQ. This was the at the very basic first level of verifying a candidate - just to see if she had been living at the addresses she claimed to have been since the year X. Their records were incorrect, she didn't progress to the next stage of the recruitment process.
I've seen her complete the Telegraph cryptic crossword in 15 minutes whilst drunk on beer... I reckon that makes the right he the right combination of smart and British (not to mention her ten years of financial experience in the City and an avid rugby fan)
-
-
-
Sunday 2nd November 2014 18:40 GMT Anonymous Coward
"GET ORF MY LAND!!"
Come on, UKgov, how the hell do you expect us Farmers to bring home the BACON when you lot keep PIGging around like this. Now stop DUCKing the issue. Its no good running around like headless CHICKENS just because your computers are BULLshit. Your excuses are WOOLier than my prize SHEEP. Its like running around a MAIZE trying to deal with your rules and regs. So stop being so CORNey as everyone will start thinking that you're just MILKing the situation.
-
Sunday 2nd November 2014 18:58 GMT Pypes
Experian
Also known as "The reason I had to do a 60 mile round trip to the HMRC because I didn't know which of half a dozen labor agencies I hadn't worked for in 3 years they had down as my previous employer"
I'm sure it all works great, on paper, with whatever usage cases they specced it for.
-
Sunday 2nd November 2014 19:57 GMT Jellied Eel
Re: Experian
You were lucky. They asked me to confirm the value of a loan I hadn't taken out. Some ranting and assistance from the DPR later, it turns out they'd confused me with someone else with the same name. And would I like to pay for one of their services so I could correct their records for them.
-
Monday 3rd November 2014 00:27 GMT Martin Gregorie
Re: Experian
Exactly my experience with Experian!
So, I signed up for a credit report to see details of this supposed loan, didn't recognise it at all, and cancelled the 'free' trial account as soon as I'd saved a copy of their report.
Colour me unsurprised. If HMG is going to use that shower for identity verification, all I can say is "God help us all" because bugger all else will.
-
-
-
Sunday 2nd November 2014 19:39 GMT TonyWilk
Security questions...
I definitely don't trust any organisation like Experian which asks that highly-secure, only-that-individual-could-know question: "Mother's maiden name?"
(I did have a bank once ring me to complain that my answer to security question: "Place of Birth" being "Jupiter" must be a mistake on my part)
-
-
-
Monday 3rd November 2014 15:57 GMT Anonymous Coward
Re: Jupiter (and Mother)
> Increasingly the answer to "mother's maiden name?" is "Same as mine".
I have always found Spain very civilised in this respect. Rather than treat women as the property of their fathers first and husbands latter (hence the name change in most European cultures, and the taking of an adjectival form in some of them), they have always kept their family name, which is then passed on to their offspring along with the father's. This is why Spaniards have two family names (it's not just a compound one) and also why asking for someone's maiden name there would elicit a rather puzzled look.
-
Monday 3rd November 2014 16:32 GMT Anonymous Coward
Re: Jupiter (and Mother)
" they (the Spanish) have always kept their family name, which is then passed on to their offspring along with the father's"
Your explanation solves some questions I couldn't be bothered to ask of Spanish colleagues, but raises the new question of how do they stop the cruft build up of names over the generations? Or is the female family name only passed onto the mother's offspring, and cast away when they have children (who presumably take the paternal family name and their own mothers family name)?
One thing you can say for paternal surnames, at least the rules are easy.
-
Monday 3rd November 2014 17:48 GMT Vincent Ballard
Re: Jupiter (and Mother)
The traditional answer is that your first surname is your father's first surname, and your second surname is your mother's first surname, so it's not entirely symmetric with respect to the genders. Very recently the law was changed so that now when the parents register a birth they can switch the order.
There are additional complications, but if you want the full details you can read about them on Wikipedia: http://en.wikipedia.org/wiki/Spanish_naming_customs
-
-
-
-
-
Sunday 2nd November 2014 23:25 GMT Gene Cash
Re: Security questions...
Ha! Back when I supplied honest answers, I had them ask "place of birth?" and I replied "Ocala"
"Answer must be 8 characters or longer" (YGBSM!)
OK, so "Ocala, FL"
"No spaces or punctuation allowed in answer"
Alrighty then, so I won't be a Bank of America customer... OTOH, that has apparently saved me from a world of pain anyway.
-
This post has been deleted by its author
-
Saturday 8th November 2014 06:29 GMT FrankAlphaXII
Re: Security questions...
You're much better off not doing anything with Bank of America. Stick with someone local, or at least regional, Fairwinds and SunTrust are pretty good companies for financial services. And if you're eligible, Navy Federal is a pretty good choice also.
However, I wonder how Bank of America having branches in a place that doesn't exist according to them works out. Bank of America is a pretty stupid company, so I wonder how they have it figured out. I'm assuming they have branches in Ocala anyway.
Regardless of all that I've noticed that systems that are designed for nationwide use tend to fall over on Floridian names, or the operators can't figure out how to spell how we say things, usually Seminole/Bastardized Creek and Timucua words (for a dead culture we sure as hell use their names for things).
Anyway, I know how this kind of thing goes a little too well. One of my schools, the place I started higher education at actually, is on Econolockhatchee. That's always a fun one to try to get people to spell correctly.
-
-
Sunday 2nd November 2014 20:23 GMT Leeroy
No need
Why should I check my credit rating ? Never had a problem getting a credit card, loan or recently a mortgage.
My bank asked for my birth certificate some 20 years ago to open an account. Passport and chip and pin for a large transfer to the mortgage provider, fair enough.
Gov gateway for tax and self assessment etc, no problem. Why the hell do they need to use Experian to confirm your id ? Experian are like lawyers, ppi cold calls and ambulance chasers. Fuck off until I come to you, don't push your crap on us !
-
Monday 3rd November 2014 22:08 GMT Wibble
Re: No need
You've obviously not applied for a loan recently then. Things have changed 'cos of all the PPI pigeons that came home to roost coupled with the new FSA^H^H^H FCA rules that means the bank now need to take -- and fully document -- your whole history regardless of your relationship with the bank. They effectively treat someone walking in off the street in the same way as someone with a 25 year flawless history with that bank.
Madness, utter madness. The pendulum has swung way too far the other way.
-
-
Sunday 2nd November 2014 20:49 GMT Captain Mainwaring
Offline fallback required
If central government plans that everybody should be using this system to access their online services eventually, then an offline registration process is definitely going to be required for those people who have an insufficient credit trail. Perhaps the Post Office could get in on the act here, offering a document examining service in the local branch to those people who cannot, for whatever reason, be verified online. I would have thought that things like passports, driving licences, council tax bills, bank cards, etc , would be sufficient if presented by the applicant in person. My experience of the main credit reference agencies is one of incomplete or just plain incorrect information held on my record and getting them to correct/amend it is a triumph of perseverance. I would be very surprised if I was to pass an online check, even though I have lived in the UK for all of my adult life.
I hope the problems of this new ID verification service are ironed out in the near future, for if not, I can see the age old demand for National identity cards rearing it's head again.
-
Monday 3rd November 2014 08:37 GMT Dan 55
Re: Offline fallback required
Or it might be better to go offline only for applications. If it's a government department that issues a real-world ID in the first place then the same government department should act as a certificate authority and issue the certificate for that person to get online.
The primary forms of ID in the UK are passport and driving licence, if the DVLA and Passport Agency were to become certificate authorities and issue certificates for their owners which are imported into the browser then job's done, more-or-less. Applications to download the certificate could be made through the Post Office.
Then there are foreign residents, British expats, and British citizens without driving licence or passport. Again, the same principle would apply only this time using the HO, FCO, and DWP and certificate authorities although applications might be handled a little differently.
Any third party doing what the government should be doing is just a bodge which might get people online a bit quicker but is also more insecure.
-
Saturday 8th November 2014 17:46 GMT F0rdPrefect
Re: Offline fallback required
Dan
"The primary forms of ID in the UK are passport and driving licence, if the DVLA and Passport Agency were to become certificate authorities"
Other than the fact that there are many people without either of those.
And the fact that the DVLA are nearly as incompetent as Experian.
-
-
-
Monday 3rd November 2014 11:39 GMT D Moss Esq
Apart from his 2 July 2014 post on IDA, RIP IDA – "we're building trust by being open" with its 16 subsequent updates DMossEsq has nothing to add to Ms Fiveash's excellent and comprehensive coverage.
We already know that Mike Bracken was guilty of a number of terminological inexactitudes when he spoke to the Code for America Summit a year ago.
It is evident to all that DEFRA have no control over what's happening to them, while GDS and Experian are keeping shtum, leaving farmers with a vague notion that they're never going to be paid any CAP money ever again thanks to the popular transformation of public services.
As promised by FMaudeEsq, identity assurance is turning into a massive data-sharing bonanza in the midst of which you can have privacy or public services, one or the other but not both.
IDA is dead. We just have to drum our fingers while we wait for it to be buried. It has richly deserved its right to be forgotten.
We know all that.
No need to repeat it.
-
-
This post has been deleted by its author
-
Monday 3rd November 2014 12:30 GMT Ilmarinen
They can't even get *paper* right
Just helped a (east European) neighbor fill out a UK drivers licence application...
The form says to complete section A & B or some such - but the sections are *numbered* 1, 2, etc. Sections A, B, etc are the f***ing *instructions*.
Hanging really would be too good for them.
-
Monday 3rd November 2014 15:29 GMT Anonymous Coward
Experian are dreadful
Experian had incorrect information on me that I only found out when I tried to guarantee a small business loan and they could not confirm my identity. They were very inefficent and made fixing the information very difficult, I had to sign up for the 'free' one month acount to do so, they then lost the immediate cancellation and tokk money from m which I then had to claim back.
Their business model is to take no responsibility at all for incorrect data, push all of the responsibility onto the victim of their incompetence and use their own mistakes as an opportunity to make more money. Not an ethical organisation and not an organisation taht shoudl be used to provide any critical function to the government.
-
Monday 3rd November 2014 16:01 GMT D Moss Esq
Re: Experian are dreadful
And then there's Experian in the US, where an ID fraudster carried on his trade via Experian for nearly a year until the Secret Service told them what was going on. You may think you're angry but wait till you hear Senator Rockefeller.
-
-
Monday 3rd November 2014 16:33 GMT Disgusted of Cheltenham
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/279649/Identity_Assurance_Hub_Service_Profile_-_SAML_Attributes_v1.1a.pdf
defines the character set as
<xs:pattern value="[A-Za-z0-9\s~!"@#$%&'\(\)\*\+,\-\./:;<=>\?\[\\\]_\{\}\^£€]*"/>
which is essentially ASCII plus the Euro symbol for some unexplained reason, so no accents of any sort, it seems. O'Donnell will be OK, bit no way José.
-
Monday 3rd November 2014 18:55 GMT chrismeggs
*rs* About face
I really don't want or need this service.
I can envisage one corporation wanting to verify the "correctness" of anothe corporation wanting to communicate with them. I can equally envisage the requirement for the identity exchange to allow rich data to be exchanged, such as credit rating or the organisation's compliance with various standards, eg ISO270001.
What I Do want is not to have to identify myself to an organisation calling me at an inconvenient time, asking me to confirm shared secret information - to whom am I divulging this "secret" information? The corporation has my phone number and has called me, of course i concede there may more than me at the house they have found.
More to the point, how do I know that they are who they say they are? Why cant my phone have a display to indicatethe corporations verified identity?
Biting the hand that feeds IT
