I was watching Panorama on the BBC on Monday. It was about hacking, ID theft, the usual stuff. The main takeaway for the general public was, I think, that everyone’s personal details have already been stolen and are common currency amongst criminals.
Hackers have stolen the personal details of millions of customers from companies like Talk Talk. So how do cybercriminals get hold of our data? Reporter Daniel Foggo meets the hackers who can break into any website and finds out how criminals profit from our information.
It featured one sad case of a woman who had been misled by fraudsters. She was buying a house and got an e-mail from (she thought) her solicitor asking her to transfer the funds for the house purchase (some £50,000) to a particular bank account. She did. The e-mail was, of course, from crooks and they transferred the money out and were never seen again (so much for the KYC/AML checks we spend so much money on). With so much money at stake, I couldn’t help but wonder, wouldn’t some form of security seem appropriate?
According to the American Bar Association (ABA), only a third of lawyers use encryption to communicate with their clients and of the lawyers who claim that they do use encryption, fully a third cannot say what kind of encryption they use. Of those who could say what type of encryption they use, the most commonly identified type was general purpose software with encryption features that required the recipient to be sent a separate password. Which is perfectly acceptable: I do the same all the time, using some zip utility to encrypt with a password then texting the password to the recipient. But I can’t help but wonder: why it is that Facebook can send me e-mail that is encrypted and digitally-signed and lawyers cannot? It’s not as if there isn’t a threat model!
Mrs d’Adhemar engaged a solicitor to handle the transaction and sent all correspondence through her secure work email address, but used her personal email account for everything else, including contact with the estate agent, Chestertons.
But 10 days after the sale was completed they received a call from their solicitor, who said NatWest had flagged up a problem with their account. Alarm bells immediately rang. The couple didn’t have a NatWest account, they banked with HSBC.
Just in case you are thinking that I’m highlighting odd or exceptional cases in order to make a point, I can assure you that I am not. This sort of thing goes on all the time in the UK.
Mr Lupton’s solicitor, Perry Hay & Co in Richmond, Surrey, emailed him requesting his bank account details for the sale proceeds to be paid into.
As millions of people do regularly and without thought, he duly replied, sending his Barclays bank account number and sort code.
The email was intercepted by fraudsters. Posing as Mr Lupton, the fraudsters swiftly emailed Perry Hay & Co again – from the same email account – and told it to disregard the previous details and send the money to a different account instead.
After all these years, we still can’t make e-mail security work. Imagine the hassle that the average solicitor would face in trying to get an average customer to install GPG or something. It’s never going to happen. The solution, as Ian Grigg pointed out seven years ago when I was going on about the security of e-mail another time, is to stop trying to fix e-mail and (as my teenagers did) move somewhere else. Why not use messaging systems that are secure, like Facetime? Yes they aren’t interoperable (so you would need to know whether the customer had Skype or Yahoo or WeChat or WhatsApp or whatever) but I don’t think it would be hard to set up a few accounts. Then the fraudsters would have to take over the solicitor’s account rather than just send an e-mail. This would have two immediate benefits: first, the security of the account would be specifically the problem of the solicitor and they would fix it by using strong authentication and, second, all communications could be encrypted (I remember that we worked on a pilot system like this – for financial services rather than for solicitors – a few years ago and even then the overheads associated with encrypting and signing were negligible).
We need solicitors to stop using e-mail as soon as possible, but we need to provide a viable alternative. If not social media or messaging, then why can’t we have something like they have in Denmark, where everyone has a sort of secure government postbox?
P.S. It’s a rhetorical question. I know perfectly well why we can’t: it’s because Denmark has a national digital identity infrastructure and we don’t. But why not have it as a bank service, like the Barclays Cloud thingy? Since the solicitor knows your bank account, they would automatically know which bank cloud to send the documents to. And if you wanted to tell your solicitor to send money somewhere else or some other instruction, you would have to do it from inside your bank cloud. Surely, with a nuclear-powered robot on Mars, it ought to be possible to send documents from a postbox in one bank cloud to a postbox in another?