back to article ID theft in UK hits record high as crooks shift to more vulnerable targets

Identity fraud in Blighty hit a record high of 174,523 incidents last year – and the vast majority of it happened online. According to the latest report by fraud prevention service Cifas, ID theft rose 1 per cent on last year. However, that is an increase of 125 per cent on 2007, the Fraudscape (PDF) report shows. Eight out …

  1. Herring`

    Companies don't help themselves. Mrs. H. recently received a demand for payment from QuickQuid. Some scumbag had taken out a loan in her name and buggered off. Having a Google, it appears that QuickQuid have plenty of previous on this one - clearly their identity checks are a bit rubbish.

    1. ecofeco Silver badge

      This. They don't care. So now, neither do I.

    2. Anonymous Coward
      Anonymous Coward

      Having a Google, it appears that QuickQuid have plenty of previous on this one - clearly their identity checks are a bit rubbish.

      Report them to the FCA, using the evidence of Mrs H's demand (and referencing internet examples) to show that QuickQuid (actually CashEuroNet LLC) are lending money without carrying out sufficient checks to prevent fraud. That'll hopefully trigger an investigation that'll cost QQ's owners tens of thousands, and if there's sufficient evidence their licence to lend will be suspended.

  2. This post has been deleted by its author

  3. Noonoot

    What makes a good security question?

    Tomorrow's security question should definitely not be about your past, your habits, your family or your hobbies. So no memorable information.

    I too have to write down 150 plus account details, and then keep them on paper in case my computer is stolen where I have stored my passwords. What about if they steal my piece of paper? So I have to have several copies, hidden, just in case. Copies of copies of copies.

    A total 'MARE!!!!!!!!!!!!!!!!!!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: What about if they steal my piece of paper?

      It's perhaps not a perfect strategy, but commit to memory one short word ("sub-password"), and put it on the end* of /every/ password, but don't write it down on the kept copy. Easy for you to generate the true password from the list, less easy for any list-stealing miscreant to do.

      *) or beginning, middle, wherever takes your fancy.

      1. Anonymous Coward
        Joke

        Re: What about if they steal my piece of paper?

        Sonethign like

        Password

        then add a 1...2...3....4. etc onto the end.

        If you want to REALLY fool them

        use Passw0rd

        It's allowed for most sites.

    2. Dan 55 Silver badge

      Re: What makes a good security question?

      Security questions are often stored in the database as plain text. Only they're as good as passwords.

      I never fill them in despite the badgering, or if I have to I never fill them in with personal information (yes, my mother's maiden name really was 1oieu28420).

      1. Captain Scarlet Silver badge

        Re: What makes a good security question?

        A reminder of what my password if required by a website is normally "LOL its my password dummy"

  4. BazzF

    No Dice

    Lots of places still don't allow diceware password, insisting that

    X&%fg%$d is more secure than

    Some set of Random words

    Pisses me off no end

  5. Anonymous Coward
    Anonymous Coward

    Aren't they all...

    ...just using the info harvested from Equifax?

    I used to contract and my umbrella company was NASA Group. They seemed OK, friendly. I left, asked for my P45. Got it, got new job. About 2 weeks later I got an e-mail from them again about my P45. I followed the link in the e-mail because I assumed they were trying to be more secure, mentioned DocuSign. And that the P45 was encrypted on a encrypted file store now.

    The site showed several e-mail clients you maybe using below. Pick one and sign in. I assumed for a few seconds, stupidly (was tired), that this was for security also so they knew you hadn't just been given the link from someone. Luckily however, I noticed the main site itself wasn't HTTP. The site URL was totally different from anything related to NASA or any file sharing site. Upon clicking the provider I was with I noticed their login page wasn't the login page of that client. If you clicked the Google one it looked exactly the same as Google's login. I however noticed all those links pointed to HTTP versions of those logins.

    I e-mailed them back asking why they'd linked me to insecure HTTP pages because anyone can sniff those logins.

    They replied telling me to ignore all e-mails with links in that day because it was a spam and their IT were aware. I checked the headers of the e-mail with the bullshit link. It was coming from their exchange, it wasn't spoofed. So clearly it was more than a spam attack, they'd clearly had a breach and were keeping quiet about it. The person sending the e-mail either sent out on mass e-mails about P45s in the hope they'd get someone or they'd actively looked through past e-mails and then specifically targeted people with what they'd requested or talked about.

    I haven't heard anything about it since, despite reporting it to the ICO who don't give a shit unless it's in the thousands of people affected.

    I'm pretty sure NASA Group have kept that breach quiet. It only happened a couple of months ago. Granted they put a message on their site but haven't admitted to a breach yet.

    1. Anonymous Coward
      Anonymous Coward

      how widespread is this?

      My employer just got hit. My details are affected. Taking out insurance offered.

      I think the Reg is on to something here. they are going after smaller targets.

      They likely go after sectors too. Supply chain attacks. Always phishing.

      This could be very widespread.

  6. tiggity Silver badge

    makes me happy

    I only login to handful of sites so not got mny credentials to remember (and no online banking, loans etc)

    Thoug if anyone purchased my identity for the 820 squids quoted they would have made a bad move as my net worth is massively negative (stares at mortgage & cries) & no chance of getting loan in my name with that loan being max size possible

    1. Anonymous Coward
      Anonymous Coward

      Re: makes me happy

      Meanwhile with mine it'd be a bargin, I have perfect credit history, I pay back my loans quick so I can pull loans with very low APR, and I usually fly through any and all checks.

    2. Lars Silver badge
      Joke

      Re: makes me happy

      Try Deutsche Bank like Trump. (and make new friends).

  7. Anonymous Coward
    Terminator

    Identity theft and more accessible products

    "Separate research has found that fraudsters operating on the dark web could buy a person's entire identity for just £820."

    Mitchell & Webb Sound - Identity Theft

    "Fraud is the 21st century volume crime and the issue is not going to go away. With more and more people sharing data, transacting, setting up businesses, dating and chatting online this trend is only going to continue."

    The financial services companies should come up with an online e-account, tied to your real account and exclusively used for online transactions. In the event of fraud tied to this account, the account is disabled and decoupled from your real bank account. The original idea of using credit cards for online transactions has got to be one of the worst ideas ever.

    1. Anonymous Coward
      Anonymous Coward

      'an online e-account, tied to your real account and exclusively used for online transactions'

      At home ok... But often that's not practical or safe when Traveling. In general CC protections work for all generations of people (offline / online) even in countries with sky-high local fraud. Plus the ID-Theft risks are minimal versus online accounts etc. One-Time-Use Credit Cards help, but lack an equivalent real world option with a virtual physical card. What if we could encode Virtual CC info into a re-programmable physical card though???

  8. Anonymous Coward
    Anonymous Coward

    Truth in the old joke ...

    Two friends are camping in Africa.

    One night they are woken by a lion prowling.

    Immediately one starts to put his trainers on.

    "What are you doing ?" his friend says. "You'll never outrun a lion."

    "No" his friend replies. "But I can outrun you ...."

    My online security strategy - hell my entire life security strategy - has been to concentrate on not being the lowest fruit on the tree. As with most things the 20/80 split applies to security.

  9. cantankerous swineherd Silver badge

    it's fraud by misrepresentation you dolts, get it right.

    1. ecofeco Silver badge

      You know that's redundant, right?

  10. Anonymous Coward
    Anonymous Coward

    What if I identify as gender fluid? Can't steal my ID if I don't even know what it is.

  11. handleoclast

    Beware quizes on social media

    Most commentards probably already know about this, but for the few that don't...

    There was a fad on social media about "porn star names." It encouraged people to share their porn star name created from their first pet's name and mother's maiden name. Example: Fido Smith.

    Two common security questions used to be first pet's name and mother's maiden name.

    *sigh*

    1. Pascal Monett Silver badge

      Re: Beware quizes on social media

      Used to be ?

      Still effing are, from what I see.

      My father is George Washington and my mother's maiden name is Amazone.

  12. Doctor Syntax Silver badge

    "More than a third of bank account takeover victims were over 60 years old. That was put down to the increasing popularity of online banking, and more fraudsters phoning victims claiming to be from the bank and asking to "verify" online passwords."

    It's not necessarily popular. It's just enforced by shutting down more and more branches.

  13. Nick Kew Bronze badge

    Some companies go out of their way to help phishers. See for example here where someone tries to verify a 'phone number.

  14. Anonymous Coward
    Childcatcher

    Well then you'll find this just crazy!

    TheRegister reported 2 stories recently 1] that Microsoft and others want a NO Password Internet,

    2] Microsoft wants to lock-down all Internet of Things devices, so that while locking up users from their own devices without almost identifying themselves genetically they want to free up people from having to type any password at all over the internet. How could this possibly go wrong.

    Linux is also guilty of this ridiculous passworditis, as info of how to re-password the Root account is all over the net allowing anything or anyone to access root if they wanted. It is better to "*Boot* as Root" only, to finish what you need then log-out reboot and then use it normally as a user.

    As with Id theft, if something is dangerous it will be sure to be allowed and done, if it's tragic, only when enough cry out and the Gov feels threatened at an election will they respond.

    You need to bemoan, cry & wail your grief.

  15. Raedwald Bretwalda

    "fraudsters phoning victims claiming to be from the bank and asking to "verify" online passwords."

    Which would not work if the banks used 2 factor authentication. *Sigh*.

    1. Nick Kew Bronze badge

      There are documented cases where it *did* work against TFA.

      Fraudster walks in to victim's mobile 'phone supplier, claims to be victim, blags a SIM card with the number used for TFA, gets the code. Job done. And variants on the theme.

      AIUI, this became such a problem that one bank was persuaded by consumer groups to abandon TFA.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020