Companies don't help themselves. Mrs. H. recently received a demand for payment from QuickQuid. Some scumbag had taken out a loan in her name and buggered off. Having a Google, it appears that QuickQuid have plenty of previous on this one - clearly their identity checks are a bit rubbish.
Identity fraud in Blighty hit a record high of 174,523 incidents last year – and the vast majority of it happened online. According to the latest report by fraud prevention service Cifas, ID theft rose 1 per cent on last year. However, that is an increase of 125 per cent on 2007, the Fraudscape (PDF) report shows. Eight out …
Thursday 19th April 2018 17:49 GMT Anonymous Coward
Having a Google, it appears that QuickQuid have plenty of previous on this one - clearly their identity checks are a bit rubbish.
Report them to the FCA, using the evidence of Mrs H's demand (and referencing internet examples) to show that QuickQuid (actually CashEuroNet LLC) are lending money without carrying out sufficient checks to prevent fraud. That'll hopefully trigger an investigation that'll cost QQ's owners tens of thousands, and if there's sufficient evidence their licence to lend will be suspended.
Wednesday 18th April 2018 13:49 GMT Noonoot
What makes a good security question?
Tomorrow's security question should definitely not be about your past, your habits, your family or your hobbies. So no memorable information.
I too have to write down 150 plus account details, and then keep them on paper in case my computer is stolen where I have stored my passwords. What about if they steal my piece of paper? So I have to have several copies, hidden, just in case. Copies of copies of copies.
A total 'MARE!!!!!!!!!!!!!!!!!!!!
Wednesday 18th April 2018 14:09 GMT Anonymous Coward
Re: What about if they steal my piece of paper?
It's perhaps not a perfect strategy, but commit to memory one short word ("sub-password"), and put it on the end* of /every/ password, but don't write it down on the kept copy. Easy for you to generate the true password from the list, less easy for any list-stealing miscreant to do.
*) or beginning, middle, wherever takes your fancy.
Wednesday 18th April 2018 14:25 GMT Dan 55
Re: What makes a good security question?
Security questions are often stored in the database as plain text. Only they're as good as passwords.
I never fill them in despite the badgering, or if I have to I never fill them in with personal information (yes, my mother's maiden name really was 1oieu28420).
Wednesday 18th April 2018 14:23 GMT BazzF
Wednesday 18th April 2018 14:36 GMT Anonymous Coward
Aren't they all...
...just using the info harvested from Equifax?
I used to contract and my umbrella company was NASA Group. They seemed OK, friendly. I left, asked for my P45. Got it, got new job. About 2 weeks later I got an e-mail from them again about my P45. I followed the link in the e-mail because I assumed they were trying to be more secure, mentioned DocuSign. And that the P45 was encrypted on an encrypted file store now.
The site showed several e-mail clients you may be using below. Pick one and sign in. I assumed for a few seconds, stupidly (was tired), that this was for security also so they knew you hadn't just been given the link from someone. Luckily however, I noticed the main site itself wasn't HTTP. The site URL was totally different from anything related to NASA or any file sharing site. Upon clicking the provider I was with I noticed their login page wasn't the login page of that client. If you clicked the Google one it looked exactly the same as Google's login. I however noticed all those links pointed to HTTP versions of those logins.
I e-mailed them back asking why they'd linked me to insecure HTTP pages because anyone can sniff those logins.
They replied telling me to ignore all e-mails with links in that day because it was a spam and their IT were aware. I checked the headers of the e-mail with the bullshit link. It was coming from their Exchange, it wasn't spoofed. So clearly it was more than a spam attack, they'd clearly had a breach and were keeping quiet about it. The person sending the e-mail either sent out en masse e-mails about P45s in the hope they'd get someone or they'd actively looked through past e-mails and then specifically targeted people with what they'd requested or talked about.
I haven't heard anything about it since, despite reporting it to the ICO who don't give a shit unless it's in the thousands of people affected.
I'm pretty sure NASA Group have kept that breach quiet. It only happened a couple of months ago. Granted they put a message on their site but haven't admitted to a breach yet.
Wednesday 18th April 2018 14:48 GMT tiggity
makes me happy
I only log in to a handful of sites so not got many credentials to remember (and no online banking, loans etc)
Though if anyone purchased my identity for the 820 squids quoted they would have made a bad move as my net worth is massively negative (stares at mortgage & cries) & no chance of getting loan in my name with that loan being max size possible
Wednesday 18th April 2018 15:15 GMT Anonymous Coward
Identity theft and more accessible products
"Separate research has found that fraudsters operating on the dark web could buy a person's entire identity for just £820."
"Fraud is the 21st century volume crime and the issue is not going to go away. With more and more people sharing data, transacting, setting up businesses, dating and chatting online this trend is only going to continue."
The financial services companies should come up with an online e-account, tied to your real account and exclusively used for online transactions. In the event of fraud tied to this account, the account is disabled and decoupled from your real bank account. The original idea of using credit cards for online transactions has got to be one of the worst ideas ever.
Wednesday 18th April 2018 17:31 GMT Anonymous Coward
'an online e-account, tied to your real account and exclusively used for online transactions'
At home ok... But often that's not practical or safe when Traveling. In general CC protections work for all generations of people (offline / online) even in countries with sky-high local fraud. Plus the ID-Theft risks are minimal versus online accounts etc. One-Time-Use Credit Cards help, but lack an equivalent real world option with a virtual physical card. What if we could encode Virtual CC info into a re-programmable physical card though???
Wednesday 18th April 2018 16:17 GMT Anonymous Coward
Truth in the old joke ...
Two friends are camping in Africa.
One night they are woken by a lion prowling.
Immediately one starts to put his trainers on.
"What are you doing ?" his friend says. "You'll never outrun a lion."
"No" his friend replies. "But I can outrun you ...."
My online security strategy - hell my entire life security strategy - has been to concentrate on not being the lowest fruit on the tree. As with most things the 20/80 split applies to security.
Wednesday 18th April 2018 16:30 GMT cantankerous swineherd
Wednesday 18th April 2018 20:13 GMT handleoclast
Beware quizzes on social media
Most commentards probably already know about this, but for the few that don't...
There was a fad on social media about "porn star names." It encouraged people to share their porn star name created from their first pet's name and mother's maiden name. Example: Fido Smith.
Two common security questions used to be first pet's name and mother's maiden name.
Wednesday 18th April 2018 22:36 GMT Doctor Syntax
"More than a third of bank account takeover victims were over 60 years old. That was put down to the increasing popularity of online banking, and more fraudsters phoning victims claiming to be from the bank and asking to "verify" online passwords."
It's not necessarily popular. It's just enforced by shutting down more and more branches.
Thursday 19th April 2018 04:34 GMT Anonymous Coward
Well then you'll find this just crazy!
TheRegister reported 2 stories recently 1] that Microsoft and others want a NO Password Internet,
2] Microsoft wants to lock-down all Internet of Things devices, so that while locking up users from their own devices without almost identifying themselves genetically they want to free up people from having to type any password at all over the internet. How could this possibly go wrong.
Linux is also guilty of this ridiculous passworditis, as info of how to re-password the Root account is all over the net allowing anything or anyone to access root if they wanted. It is better to "*Boot* as Root" only, to finish what you need then log-out reboot and then use it normally as a user.
As with Id theft, if something is dangerous it will be sure to be allowed and done, if it's tragic, only when enough cry out and the Gov feels threatened at an election will they respond.
You need to bemoan, cry & wail your grief.
Thursday 19th April 2018 11:50 GMT Raedwald Bretwalda
Friday 20th April 2018 10:42 GMT Nick Kew
There are documented cases where it *did* work against TFA.
Fraudster walks in to victim's mobile 'phone supplier, claims to be victim, blags a SIM card with the number used for TFA, gets the code. Job done. And variants on the theme.
AIUI, this became such a problem that one bank was persuaded by consumer groups to abandon TFA.