BOFH: Identity theft
Name, number, biometric
Episode 11 So the PFY and I have bowled up to a half-day presentation on identity theft which I'd been invited to after the recent security conference. (Well, technically, the boss had been invited to, but the invite was just sitting in his inbox.)
After a little spade work, a phone call and some briefcase enhancements we're all set to go.
As usual it's absolute hell to get a car park around any major hotel for these sort of presentations so I'm almost bound to be given a ticket, have my car clamped or towed. (Well, technically the boss's car – but it was just sitting in the basement unused.)
We get there fairly late as parking on the roundabout wasn't as easy as I'd thought and as bad luck would have it the presentation's already underway. We slink in quietly and go to the registration desk.
"Your name?" the woman behind the desk whispers.
I quickly scan the list, skip my name and just pick one at random.
"The security advisor for the American Embassy?" she asks dubiously.
YOU LITTLE BLOODY DANCER!!!
"Yes Mam!" I respond, cranking the Texan Accent knob around to 11.
She passes the badge over, not wanting to make a fuss.
The PFY rocks in, checks the name tag and greets me like an old mate.
"Steve!" he blurts. "What the hell are you doing here?!"
"I work in this country, old bean!" I cry, doing the typically shocking American impersonation of a Briton while shaking his hand.
"Still in computing then?" he asks, reinforcing the lie.
"Hell Yeah, Security adviser at them Embassy now, and you?"
"IT Manager at a company in town," he responds giving his name at the desk. (Well, technically the boss's name, but he's just sitting in his office not using it.)
We grab seats at the back of the audience where the PFY fires up his cellular network connection, downloads some appropriate graphics from a US website and prints me some "business cards" on his portable card printer.
As expected, the presentation is as contradictory, confusing and uninformative as a Microsoft Security warning which leaves everyone a little fidgety at morning tea.
"Does anyone else wonder what the hell that was all about?" I drawl loudly. "I mean, it was a little content free."
"What do you mean?" one of the presenters asks, offended at the implication that his life's work is up there significance-wise with the guy who eats bicycles.
"Well, it was interesting to watch, but not all useful. You basically said 'Protect your credit cards, shred your rubbish, don't say anything over the web that you don't have to and never allow companies to share your information.' I mean it's HARDLY rocket science – and I should know, I worked at NASA for five years!"
The PFY leaps in on schedule and takes the fore.
"Which is why we've been so interested in your progress," he comments.
"We?" I ask.
"The Campaign for.. Information Validation and Protection."
"You're from CIVP!" I adlib, realizing the prerehearsed Amnesty International cover story has been ditched for something better.
"Yes, and we're well aware of your operation!"
"Operation?" a crusty from a banking company next to me asks.
"Yes, operation. They submit the biometric data of leaders of business to various agencies, labeling them people who might present security threats so that they'll be stopped at airports, etc."
"You're joking," the crusty gasps. "Why?"
"To introduce an identity vacuum which can be used by secret service operatives as cover."
"Sorry?" the crusty asks.
"It's simple. Say you bowl into a country and someone questions your identity. How can you prove who you say you are?"
"Exactly, you can't. So you might be who you say you are, or you might have an endless holiday in Guantanamo Bay to look forward to while some operative lives it up at your expense in southern Hungary. Which is why MY company has decided to provide all this information on a simple card that you carry with you."
"Really. What sort of information?"
"Biometrics, thumbprint, Iris Scan, Passport, bankcard, personal details – all electronically recorded on a chip in one card."
"And that would be safe?"
"Safer than your current passport which is so bulky it ends up in a hotel safe half the time."
I see PFY's tack and jump in with corroborating evidence...
"Yes, yes, well maybe we have done that in the past, but there's no reason to think that we might do that in the future. Third party IDs like this will only confuse matters!" I bluster. "We'll take legal action!"
After an endorsement like that the PFY is instantly inundated with people wanting to pay the 20 quid to get their personal information 'secured' onto a plastic card and corresponding database.
It's like shooting fish, honestly. It's not even sporting!
I mull over the dire legal consequences that'll inevitably befall someone who uses the information the PFY's obtaining for their own personal gain. No to mention the quasi-legal consequences of undermining the security of biometric information.
He could end up in prison for years!
Well, technically the boss will be in prison for years, but he's just sitting in his office... ®
BOFH is copyright © 1995-2005, Simon Travaglia. Don't mess with his rights.
Sponsored: Becoming a Pragmatic Security Leader