Monday, 24 March 2014

RIP IDA – 16 June 2014

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Hat tip-and-a-half: Brian Krebs

Operating until recently sometimes out of New Zealand and sometimes out of Vietnam, Mr Hieu Minh Ngo is currently locked up in New Hampshire as a guest of the Justice Department and looks like spending the next 45 years in prison in the US.

An entrepreneurial young man – he's only 24 now, 69 when he gets out – Mr Ngo had two illicit web-based businesses, superget.info and findget.me, which have between them sold the personal details of more than half a million Americans. Their 1,300 customers make money fraudulently by using this information to take out loans in the victim's name, for example, or to make false tax refund requests.

Mr Ngo's companies bought this information from a legitimate company, Court Ventures, which, in turn, bought it from another legitimate company, US Info Search.

How did the information cross the line between the legitimacy of Court Ventures and the criminality of superget.info and findget.me? Rather suspiciously – Mr Ngo paid Court Ventures with monthly wire transfers from Singapore.

So far we've had New Zealand, Vietnam, Singapore and the US. We can throw in Guam, too – the US Secret Service contacted Mr Ngo and offered him some illegal business which required him to leave Vietnam, where they couldn't arrest him, and come to Guam, where they could and did.

It's all quite exotic for us Brits. Interesting in its way. But nothing to do with us, surely.

Wrong.

In March 2012, Court Ventures was bought by our very own Experian. Mr Ngo carried on paying his monthly bills by Singapore wire transfer for over nine months before the Secret Service approached Experian and told them what was happening.

This whole story comes from Brian Krebs, who operates krebsonsecurity.com and who has taken part in the investigation of Mr Ngo. He first wrote about it in October 2013, Experian Sold Consumer Data to ID Theft Service. He returned to it a fortnight ago, Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. And a very embarrassing story it is, too – Experian didn't identify the problem themselves either during the due diligence period before buying Court Ventures or for the first nine months that they owned the company. Their own procedures failed. They had to be told by the Secret Service.

The matter is still under investigation, and Experian can't say all they would no doubt like to in their defence, but they have given this statement to Mr Krebs:

Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian's credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time.

15 criminal charges have been brought in New Hampshire – Mr Krebs provides the charge sheet – and Mr Ngo has pleaded guilty and will be sentenced on 16 June 2014.

Meanwhile, the story has moved on from New Hampshire to Washington DC, where Senator Rockefeller's Committee on Commerce, Science, & Transportation is investigating all aspects of the "data broker" industry.

On 18 December 2013 the Committee took evidence from, among others, Mr. Tony Hadley, Experian's Senior Vice President of Government Affairs and Public Policy. Mr Hadley makes his opening statement starting at 1:30:35. Committee member Senator McCaskill confronts him with the Ngo case starting at 2:22:45.

See what you make of it.

Bear in mind that, over here in the UK, Experian is currently one of the five remaining "identity providers" appointed by the Government Digital Service to provide identity assurance (IDA) for GDS's plans for public services to become digital by default.

They're not just one of the UK's "identity providers". They're easily the leading UK "identity provider". Without them, IDA dies.

Over in the US, Experian hold data on 200 million Americans. Experian are acting as "identity providers" to Obamacare. When the New Hampshire judge sentences Mr Ngo to an estimated 45 years behind bars, there's going to be some consternation. There hasn't been much coverage of the case in the UK if any but, on 16 June 2014, the ripples are going to lap up on these shores.

And when they do, can Experian survive as an "identity provider" to IDA? Should they? Will they want to?

GDS themselves are lukewarm to the point of being uninterested in security. That leaves the "identity providers" to shoulder the burden alone. No major retail bank is prepared to put itself forward as an "identity provider". No UK mobile phone network operator ditto. The "identity providers" GDS would probably like to retain – Google and maybe Facebook – are unacceptable. It's Experian or no-one.

Experian is one of the best-performing shares in DMossEsq's pension scheme. It is with considerable pain, therefore, that the verdict handed down round here at DMossEsq Towers is, no-one. RIP IDA.

----------

Updated 15.6.14

It's the big day tomorrow, 16 June 2014 – Hieu Minh Ngo appears in court to be sentenced and the judge may have something to say about how Experian managed to provide him, unknowingly until the US Secret Service alerted them, with the wherewithal to commit fraud.

Updated 27.6.14

Computer Weekly say German government terminates Verizon contract over NSA snooping fears.

What fears? Verizon are quoted as saying: “Our view on the matter is simple: the US government cannot compel us to produce our customers’ data stored in data centers outside the US and, if it attempts to do so, we would challenge that attempt in court”. Clearly the German government disagrees and has terminated the contract anyway.

The US lawyers Mayer Brown disagree. And so do Facebook, who are quoted as saying that they put up a "forceful" defence against disclosing "nearly all data from the accounts of 381 people who use our service" but had to comply in the end.

Verizon is one of the five remaining "identity providers" accredited by the Government Digital Service (but not tScheme) for their hopeless identity assurance service (IDA).

But for how long?

Can Verizon be good enough for the UK but not good enough for Germany?

Updated 28.6.14

The judge was meant to deliver his decision in the matter of Mr Hieu Minh Ngo on 16 June 2014. Here we are 12 days later and the scrofulous DMossEsq still hasn't reported it. What's going on?
Updated 10.3.15

As we were saying, "on 18 December 2013 the Committee took evidence from, among others, Mr. Tony Hadley, Experian's Senior Vice President of Government Affairs and Public Policy". Has anything happened since then?

Yes, hat tip ElReg, the Data-broker Accountability and Transparency Act has been drafted.