Students get lecture on ID crime

"Your fault"? Oh yes indeedy

I note that key points were not writing down your PIN or password, or telling anyone what they are, and that if someone else uses your account because of it then it's your fault.

If SigFPE thinks this is overkill, I presume he does all his banking in person at a local branch where the cashiers know his face, and only uses cash or cheques for all transactions. Any more modern way (cashpoint/phone/card/online) requires you to give a card/account number and some form of security (usually a PIN in the UK) to make the transaction. If you know both of those, you can make the transaction - whether it's you making the transaction, your 5-year-old daughter who wants the fun of pressing the buttons as you read the numbers to her, or J Random Wallet-Thief.

Bottom line - it's *your* account, and it's *your* responsibility for keeping it secure, same as it's your responsibility for keeping your house secure. If there's a known defect in a type of lock, then it's the lock-maker's fault if someone breaks into your house using that fault - but if you've left a key under the doormat and the burglar uses that, it's hardly the lock-maker's fault.

It's pretty simple really. You get abilities, you also get responsibilities. If you can't handle the responsibility, then you can easily forgo that ability - if you don't want to take risks on someone hacking your PIN, you can get an account that doesn't let you do card transactions or online banking. But you don't get to have credit/debit cards and online banking, and then blame your own inability to keep passwords/PINs secure on the bank. Your extra ability, your responsibility.

ID and security

TheRegister's position on ID cards ("no!") continues to amaze me. This country has a ridiculous system without any shared official document; even the disorganized US succeeds in giving a picture-driving licence (above 16, and only qualified drivers, natch).

The `toolkit' lays the responsibility with the person, the first commentator with the banks. I think it's just a lack of structure, the banks can't get around the fact they're dealing with a mickey mouse identification protocol. Membership to the Blue Peter fanclub goes further to establish your citizenship than a phone bill, I think.

Recent incident:

I go to a library, accidentally have a gas or phone bill in my pocket. Pronto, library card, up to 12 books/cd's/dvd's I can take, and if I desire so: never return. Did I say at any point it was *my* bill?

I want to register with an NHS GP (i.e., a publicly funded medical doctor), I need two bills: what kind of do-it-yourself ID-building exercise is that?

Just give me an ID card, I register with the community and then the GP (or more logically, the central NHS register) can crosscheck with the gov database (they anyways have for tax purposes). If I don't have any bills except bank statements (as when I was a foreign exchange student), I cannot register (burdening the emergency medical services by consequence).

Bill Bailey: "Midnight, Turkish border. Border police goes `passaport, passaport', Briton goes `no passport: gas bill', guard says `ah, ok'..."

ID is not security

Marvin the Martian:

Are you are incredibly naive? An national ID card would make you less safe, because it would be trusted more and be a huge potential market for criminals, ironic eh!

Did you know that the stupid use of the US National Insurance number as a person identifier is major cause of ID theft in the US and not easy to sort out! Do you really think an ID card would be any safer?

Poorly designed RFID and chip cards can be spoofed or copied. Guess what, the new EU passport is cheap and easy to copy, because it was designed by muppets, so any criminal can impersonate you! Chip and Pin is not much better, even with the added security.

The criminal gangs have loads of money to do R&D, because it is safe and there is huge amounts of money at stake, and there will always be someone to bribe! I would not be surprised if that technology tickles down or leaks to lesser criminals.

In addition, if RFID is used, it instantly makes the carrier a potential target for smart criminals e.g. identification, tracking and virtual/real theft. This is already the case, to a lesser extent with mobile devices e.g. Mobile Phones and PDAs.

Grow up, proper security is not kids play!

Flying Spaghetti Monster

I saw the headline and unfortunately thought of Kansas. Then I realised that it was referring to the other meaning of ID.

Now wait..

.. I though university was all about having your identity stolen and being put in little boxes? Especially vulnerable at this time of year? Due to spending the summer all wasted? What's with all the ticky tacky?

So Marvin..

..when you apply for your ID card, how exactly will you prove to the authorities that you are you? NI number? Lots of bogus ones about. Driving licence? Not that solid, and assumes you drive. Ditto Passport. Utility bill? Probably...

Some thoughts.

To "Graham Bartlett", if we were given a choice to do our banking like that or to go on-line then fair enough. But, we are more or less forced to use insecure systems and then blamed for their failings.

As for "Marvin the Martian", prove my ID to the GP, what are you on? Why should I prove who I am to a GP? What am I going to do, steal a two week wait and my allotted thirty seconds of bad advice?

I've got no problem with ID cards, it's just that the UK government seems to want to track everyone and put more data than is necessary on them.

I also think it's crazy to think that this would stop problems with library books. The bottom line is that if you live in a society of habitual criminals where you can trust no-one (as the UK government seems to say) then ID cards won't help, only a change in societies attitudes.

Hmm...

"(above 16, and only qualified drivers, natch)"

No, you don't need to be a qualified driver, actually. Well, at least in Virginia you don't (in this schizophrenic country, who knows what other states do). You can go to the Dept. Motor Vehicles and get a picture ID even if you don't drive. Many students who came from abroad to stay a short period (like 1 year) and don't drive do that so they don't have to carry the passport around.

And anyway, the Social Security number thing ends up being the de facto national ID here in the US, they ask for that number for any stupid thing -- and that's when your name, number, address, etc. gets thrown into the wind, because they keep their data in some Win 98 computer running who knows what and connected to the internets 24/7 (discounting the few daily reboots).

"when you apply for your ID card, how exactly will you prove to the authorities that you are you?"

In Brazil, we use the birth certificate in order to then get the national ID number later in life. Do you have birth certificates wherever you live? Maybe you're not as organized, but we are supposed to register the baby as soon as it is born.

Now it's kind of funny, all the brouhaha about the national ID card. I don't know how many countries have it, but mine does, as I said above. Sure it's not the panacea to all humanities woes, but it's not like this Orwellian craziness you guys seem to think. Maybe your society have got so developed that you don't have any serious problems left to solve, so you go try finding something to cry about, like yet another number the gov will use to identify you (as if they didn't already have a bunch). Get a life, folks, or at least some sense of perspective...

Writing down passwords

What amazes me is that the author of this article at Kablenet obviously hasn't actually read the actual document themselves!

"The ICO urges students never to disclose or write down personal passwords or PINs"

It says not to disclose the information, but nowhere in their document does it say anything about not writing them down. At least I couldn't find anything after looking through it twice!

In fact as several security people have said in recent times, with the primary security risks being on-line, writing down information like passwords is a good idea. That's because it allows you to have different passwords that are good for everything you do, rather than either lots of simple ones you can remember which are easy to guess / crack, or one good one which you use for everything.

I'm suprised the document doesn't include tips of good password use, suggestions for storing them, eg not storing website address, username and password together clearly, or storing your pin number within another longer number like a made up phone number, so in the unlikely event of someone gaining physical access to the information it's not easy for them. Perhaps even suggesting PGP or similar, though perhaps that's a bit too beyond the scope of the document.

What ? Security comments from a bank ?!

I would accept comments from banks on securing my personal information much more readily if banks did not give full access to their client databases to consultants who have the despicable habit of getting their laptops subsequently stolen.

More personal information has been lost by banks this way, more people have been put at risk, than any number of post-it notes tacked onto a screen will ever manage.

Brazilian Brouhaha

"Now it's kind of funny, all the brouhaha about the national ID card. I don't know how many countries have it, but mine does, as I said above. Sure it's not the panacea to all humanities woes, but it's not like this Orwellian craziness you guys seem to think."

That's because your ID card wasn't designed by the Orwellian crazies in charge of the UK government. It's not the ID card that'st the problem - it's how much information the government wants and their track record.