Thousands of taxpayers' personal details potentially exposed online through councils' debt-chasing texts

Bulk SMS messages sent by local councils across the UK contained weblinks leading to pages that freely exposed to the public thousands of taxpayers' names, addresses, and outstanding debts, The Register can reveal. Text messages sent by Telsolutions Ltd on behalf of a dozen local authorities contained shortlinks to webpages …

  1. Anonymous Coward

    Please click the link to read

    SMSes prompting the person to click a link to a little-known third-party link shortener! Surely only good things could come from encouraging such behaviour!

    1. Anonymous Coward

      Re: Please click the link to read

      Happens all the time, management approve "solutions" which encourage poor security behaviour because it's convenient and cheap for them at the time with zero consideration over whether it's right.

      The same management will then argue why we need to focus resources on training and raising awareness with staff over fraud etc.

      1. Peter Gathercole Silver badge

        Re: Please click the link to read

        I had a dialogue with my water company recently about exactly this.

        They sent me a text saying that due to work on the mains, the water from our taps may be discoloured, and provided a short link to an explanatory web page.

        When I pointed out to them that there was no way that a recipient could confirm where the text had come from, and that the short link could also not be verified without actually visiting the page, and the page pointed to could be bogus and run by scammers or malware deliverers, they just said that it was common industry practice, and they used a reputable link-shortening service (if there is such a thing).

        I referred them back to whatever passes as their cyber security department so they could be educated about the dangers of clicking on uncheckable links, and what the results could be. Funnily enough, I did not get a response from them after this.

        1. FlamingDeath Silver badge

          Re: Please click the link to read

          Wait, you think they have an infosec department?

          Bwaaahahahaahahahahaaaaa

          If they do, it'll be a branch of GCHQ, and they're just there to clear up the mess

          Who do you think cleans up the ransomware attacks for these muppets....

          1. nowster

            Re: Please click the link to read

            With a different sort of meaning of Water Board, perhaps?

        2. Diogenes8080

          An honourable shortener

          The case for URL shortening services in an era when a URL can be conveniently represented by a short hyperlinked word is indeed marginal. SMS is regrettably one case where it is justifiable, though the [redacted] responsible for the site mentioned in the article could have done better even so. I would be curious to know if misrepresentations were made to the councils in question, or whether IT project staff on the ground failed to read the small print or possibly even the large print written in friendly crayon colours. Capita, as always, remain the clerical omelette.

          To judge the worth of a shortening service, see if it offers a convenient reverse service whereby the recipient can input a link and see what it would expand to.
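          The "reverse service" test above can be done by the recipient without any help from the shortener, because the expansion is just a redirect response that nothing obliges you to follow. The script below is an added example, not code from the article, Telsolutions or any commenter: it asks for one hop with `http.client` (which never follows redirects), reads the `Location` header, and labels the target before anything is fetched. The shortener it talks to is a constructed stand-in running on 127.0.0.1 so the example works offline; the redirect table, the "trusted" hostname and the paths are all made up.

```python
"""Expand a shortened URL one hop at a time without visiting the target.

Added example (not from the article or any commenter). The shortener is a
constructed local stand-in so the script runs offline; its redirect table
and the TRUSTED_HOSTS set are assumptions for the example.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed redirect table standing in for a real shortener's database.
FAKE_SHORTENER_DB = {
    "/abc123": "https://www.example-council.gov.uk/counciltax/pay",
    "/zzz999": "http://example-council-gov-uk.attacker.example/login",
}

# Hosts the recipient is prepared to trust (assumption for the example).
TRUSTED_HOSTS = {"www.example-council.gov.uk"}


class _ShortenerHandler(BaseHTTPRequestHandler):
    """Answers like a shortener: 301 + Location for known codes, 404 otherwise."""

    def do_HEAD(self):
        target = FAKE_SHORTENER_DB.get(self.path)
        if target is None:
            self.send_response(404)
        else:
            self.send_response(301)
            self.send_header("Location", target)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_shortener():
    """Start the stand-in shortener on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _ShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def expand_once(host, port, path, timeout=5):
    """Return the Location header for one hop, or None if there is no redirect.

    http.client does not follow redirects, so the target page is never fetched,
    and a HEAD request avoids downloading any body from the shortener itself.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def classify_target(url):
    """Label an expanded URL the way a 'mapping page' might before offering the link."""
    if url is None:
        return "no-redirect"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "insecure-scheme"
    if parts.hostname in TRUSTED_HOSTS:
        return "trusted"
    return "untrusted-host"


if __name__ == "__main__":
    server, port = start_fake_shortener()
    for code in FAKE_SHORTENER_DB:
        target = expand_once("127.0.0.1", port, code)
        print(f"{code} -> {target} [{classify_target(target)}]")
    server.shutdown()
```

          Against a real shortener you would point `expand_once` at its hostname on port 443 with `HTTPSConnection`, and loop while the result is itself a redirect, since shorteners frequently chain through a tracking hop; the point is that each hop is inspected and none is loaded in a browser.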

          1. Ken Moorhouse Silver badge

            Re: see if it offers a convenient reverse service

            To educate users of the pitfalls of link-shorteners, I would argue for clicking on the shortened link to open a "mapping" page, showing the target link with "I wish to open this link"/"Get me outta here" buttons, the latter being the default. Ok it interferes with the "user experience", but which would you prefer: a rollercoaster with or without the safety considerations?

            Browsers should also provide this functionality automatically, but that is a longer-term goal. I know some shorteners offer this, but the default behaviour is set to "trust".

            1. Michael Wojcik Silver badge

              Re: see if it offers a convenient reverse service

              QR codes are just as bad. For a while I had a web page which just said something along the lines of "if I weren't ethical, you'd be pwnd now", and I'd stick the QR-encoded URL for it in the security presentations I gave internally, just to see who'd bite. But it's like trying to ice-skate uphill.

              At least these days a lot of phones will display the decoded URL from a QR code and ask you before following it. Still a stupid technology, though.

              1. Ken Moorhouse Silver badge

                Re: QR codes are just as bad

                In some cases, worse.

                If a QR code is supplied as part of a contract, the customer needs to have control of where that QR code points to. Might sound like STBO, but I have encountered situations where this is not the case, the supplier wanting to exploit the ability to change the target in the future.

                Ok, I agree this can happen with shorteners too, but QR codes are arguably seen as a fixed part of a design, rather than text that can simply be changed, particularly where a logo has been cleverly embedded in the visual appearance of the QR code. Those into the "creativity" aspects of a product might not take on-board what goes on "under the bonnet".

        3. Alan Brown Silver badge

          Re: Please click the link to read

          > Funnily enough, I did not get a response from them after this.

          You got put in the *plonk* box as a nutter

          Now write something explaining the risks in plain english, give it to a journalist and get THEM to ask the question

          Alternatively wait 6 weeks and FOI/SDR them on the handling of the exchange, such that they have to explain in detail what they did next

        4. Ken Moorhouse Silver badge

          Re: I had a dialogue with my water company...

          They arrogantly believe they know everything there is to know about leaks.

          1. Jim Whitaker

            Re: I had a dialogue with my water company...

            Maybe but they are not good at fixing them, are they. See Thames Water for one.

        5. Michael Wojcik Silver badge

          Re: Please click the link to read

          It's a straightforward externality. There's no cost to the organization for using these dangerous mechanisms, and using something better would be an additional cost -- at least the cost of changing an existing system or provider.

          This situation won't improve until the externality is converted to a direct cost. The only (non-violent) mechanisms for doing that are market forces and regulation. Market forces often don't apply (how many water boards can you choose from?), and have generally failed where they do (because not enough customers care about this sort of thing, and often there's no better choice anyway). So until we regulate against this sort of practice it will continue.

          In the case described in the article, it sounds like there ought to be some stiff GDPR fines being handed out. But I'm not holding my breath.

          1. Arthur Daily

            Re: Please click the link to read

            Add deceptive conduct.

            Each of the councils had a suspiciously cloned response, as if the vendor value added, and said hey, if the nosey press calls, read them this pre-canned guff. If an approved supplier did this 'L plate' deep link mistake, they should be scrubbed off the vendor list. +1 for GDPR fines.

        6. Peter Gathercole Silver badge

          Re: Please click the link to read

          What a surprise. I got another text from them the other day, effectively saying the same thing, but lookie lookie. A full URL, not a shortened link.

          Amazing. Thank you for listening Wessex Water.

          Sometimes it actually seems worth raising these things.

      2. Martin M

        Idiots

        I like to reply with "Thank you for your shortlink, but local security policies forbid me from opening them. Please enter the full link at https://bit.ly/<code>, otherwise I will be unable to read your message."

        Target of the shortened URL can be varied depending on situation and level of annoyance...

    2. MortimerTheCat

      Re: Please click the link to read

      I came to the comments to make the same point. I teach people never to click on a link; there are too many phishing messages going around to take a risk. But then you get genuine messages like this one, with an unrecognisable domain undermining my security lessons!

      1. Anonymous Coward

        Re: Please click the link to read

        Yammer, Teams, Outlook; 365 produces screeds of alert emails which have more triggers than real phishing emails. And there is little MS lets you do to change the configuration or stop them.

        How are we supposed to train staff to spot phish when real emails appear less trustworthy?

      2. Doctor Syntax Silver badge

        Re: Please click the link to read

        It gets worse.

        report@phishing.gov.uk replies to reports with a number of links, mostly to various NCSC sites but also including Action Fraud and usually buried well down the bottom of the reply - too far down to even see without scrolling on my browser. But earlier this month they started including a prominently placed link to a 3rd party survey. Really?

        I'd like to think it was really to some site designed to discourage clicking on stray links but more likely they actually thought a 3rd party to a survey didn't look at all suspicious.

    3. JimboSmith Silver badge

      Re: Please click the link to read

      My last security training module at work had warnings about exactly this. We were told to watch out for links sent by email, WhatsApp, SMS etc. from people/companies we didn't know. Weirdly I received a dubious SMS (on a number neither work nor Amazon have) a couple of minutes after finishing the module. I declined to click the link despite there being an "issue" with my order.


  2. Doctor Syntax Silver badge

    "We take security and all matters of data protection extremely seriously. After identifying a potential vulnerability with one of our systems,"

    Identifying such a noob vulnerability after the event once it's been pointed out and then describing it as "potential" says a great deal about what they mean by "extremely".

    1. Dan 55 Silver badge

      Meanwhile Coventry City Council and Crapita pushed the boat out and restated what the Register told them. Genius.

  3. Mike 137 Silver badge

    Taking it very seriously

    Taking idiotic lack of security very seriously always happens after the fact, not before.

    There is actually a statutory duty under the GDPR (to which the UK is still subject via the DPA 2018) to verify that subcontractors have adequate technical and procedural measures in place to protect personal data.

    The biggest problem is that effectively no organisation really gives two hoots about personal privacy, so they don't bother to fulfil this duty (or any other duty under the legislation). A second problem is that unless a large number of data subjects are directly and seriously affected it's very hard to make any obligation to improve stick, as only the given instance gains attention, not the fundamentally defective sense of responsibility.

    1. TimMaher Silver badge

      Re: Taking it very seriously

      Yeah but, dont forget that Crapita was involved.

    2. a_yank_lurker

      Re: Taking it very seriously

      Unfortunately it would probably take about dozen public executions of C-suite or equivalent failures to get people's attention. Then they might take it seriously as their hide is on the line.

    3. Michael Wojcik Silver badge

      Re: Taking it very seriously

      Oh, I know of a number of organizations that take GDPR and other privacy legislation quite seriously, because now there are direct costs associated with violations.

      But it's true that many do not. And if the sanctions regimes for these laws -- that is, significant fines against offending organizations -- are not enforced, soon no one will bother.

  4. Doctor Syntax Silver badge

    How many of these councils have reported themselves to the ICO? And have Telesolutions who take all matters of data protection extremely seriously done so?

    1. Halfmad

      Assuming they know of the breach most will.

      Public sector "has the most breaches" because they are by far (especially Healthcare) far more likely to self-report.

      1. IGotOut Silver badge

        Yup, as there are no consequences for them.

        Oh dear, we've been fined £50million. Oh well we'll just cut some services, increase parking fines and costs, slap a few hundred quid on the council tax and close a library.

        No biggie.

        1. Doctor Syntax Silver badge

          The most effective way of dealing with public bodies would be to ensure that it ended up as an adverse marking on the annual reports of those responsible. Even better if it could be arranged to show up for several years running.

          1. Anonymous Coward

            That's not actually true, ok paying a fine isn't hitting anyone's profit in the public sector but management live in abject terror of the ICO.

            Not enough terror to get them to push down to managers that they need to do their due diligence properly but quite a bit.

            Being on the other side of this, getting large suppliers like Crapita to respond truthfully and openly about any compliance requirements is like trying to make a rock talk. You get ignored, passed around, lied to, deliberately misunderstood, accused of making unreasonable demands, no one else is bothered, why are you!

            Middle managers are under pressure to meet tax collection targets, they are not being measured against their GDPR compliance. So if you only have so much time and resource you're going to spend it doing what you are measured on. And so they sign up to crap like this to get on with it.

            1. Mike 137 Silver badge

              Rather like the Spanish Inquisition?

              "not being measured against their GDPR compliance"

              Nobody seems to be measured against their GDPR compliance. A piece of research we conducted from Autumn 2018 to January 2021 did not find a single organisation fully compliant with the (very simple) transparency obligation. This strongly suggests that the more complicated aspects of compliance are being ignored as well - by, effectively, everyone. My consulting experience also bears this out, and not just in the public sector.

        2. Jim Whitaker

          Public Sector reporting

          True in bits but you try being the Information Governance Manager who has to tell Senior Members of the Board that a potentially adverse report has to be made to the ICO. Their concern for the damage to reputation is real and substantial. (Ask me how I know. :-) )

          1. Coastal cutie

            Re: Public Sector reporting

            A "Who Me?" story by any chance...

  5. keith_w

    I am surprised the Reg wasn't threatened for 'hacking' peoples personal information!

  6. Pascal Monett Silver badge

    "We take security and all matters of data protection extremely seriously"

    That is why we sent out URLs to tens of thousands of people without ever checking that the procedure was secure.

    Once the horse had bolted though, we very seriously closed the barn doors.

    Hint : stop giving us bullshit about how seriously you take data security when it is absolutely clear that you did not.

  7. Jonathan Richards 1

    I am mildly encouraged...

    ...by the observation that "[T]he majority of links sent [were] not being accessed at all". This tells me that (i) most people dunned by SMS are already well aware that their Council Tax is in arrears, thank you, and (ii) that just maybe people are learning that clicking on the link in response to strident instruction is dangerous.

    1. IGotOut Silver badge

      Re: I am mildly encouraged...

      Or the phone numbers were incorrect.

  8. Chris G

    Seriously, we take your data

    Then we let anyone have access to it because training is hard and expensive to implement properly for our staff.

    I have been to in house training sessions at councils where everyone knows everyone, is given a pamphlet or a printout and then have a nice chat for a bit before going back to work ten minutes before knocking off time.

    That's how seriously a lot of things are taken.

  9. AndyFl

    Proper redaction

    Looks like ElReg should get good marks for properly redacting the images in this article rather than just publishing something containing an additional layer with black rectangles. I have to deduct a couple of points for the horrible webp file format :)

    The only really secure method of redaction is to mark up the page, print it then take an image of the printout. This guarantees no metadata which might leak sensitive data.
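    The metadata worry in the post above is concrete for PNG, the format most screenshot tools write: text comments, EXIF and editor history travel in ancillary chunks that sit beside the pixel data and survive a visual redaction untouched. The script below is an added example, not code from the article or the commenter: it parses the chunk structure, lists any textual metadata a file still carries, and writes a copy that keeps only the chunks a decoder needs. The sample image is constructed inline so it runs offline; the "debtor" string in its comment chunk is made up.

```python
"""Strip ancillary (metadata) chunks from a PNG before publishing a redacted image.

Added example, not from the article or any commenter. Keeps only the chunks a
decoder needs (IHDR, PLTE, tRNS, IDAT, IEND) and drops everything else,
including tEXt/iTXt/zTXt comments and eXIf blocks. The input PNG is constructed
inline so the example runs offline. This removes side-channel data only; it
does not un-redact or re-redact pixels.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}
TEXTUAL = {b"tEXt", b"iTXt", b"zTXt", b"eXIf"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying the signature and every CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length


def text_chunks(png: bytes):
    """List the textual metadata a file still carries (a pre-publish check)."""
    return [(ctype, data) for ctype, data in iter_chunks(png) if ctype in TEXTUAL]


def strip_metadata(png: bytes) -> bytes:
    """Return a copy of the PNG with every chunk outside KEEP removed."""
    out = [PNG_SIGNATURE]
    for ctype, data in iter_chunks(png):
        if ctype in KEEP:
            out.append(_chunk(ctype, data))
    return b"".join(out)


def make_sample_png() -> bytes:
    """Constructed 2x2 greyscale PNG carrying a tEXt chunk with a made-up name."""
    width, height = 2, 2
    # bit depth 8, colour type 0 (greyscale), compression 0, filter 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([0, 0]) for _ in range(height))  # filter byte + pixels
    text = b"Comment\x00redacted from: A. Ratepayer, 1 High Street"  # constructed
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = make_sample_png()
    print("before:", [t.decode() for t, _ in iter_chunks(sample)])
    clean = strip_metadata(sample)
    print("after: ", [t.decode() for t, _ in iter_chunks(clean)])
```

    Run `text_chunks` on the file you are about to publish and refuse to ship it if the list is non-empty. The chunk approach deals with metadata only; the separate "black rectangle on a layer" problem is solved by exporting to a flat raster in the first place, which a screenshot or the print-and-photograph route already does, after which the photograph's own metadata is exactly what this script removes.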

  10. Justin Case

    Seriously indifferent

    What does taking seriously mean in these cases?

    I picture a room full of dour faced bureaucrats proclaiming with sombre earnestness, unleavened by any scintilla of self awareness, that their devotion to the sanctity and protection of personal data is untainted with any degree of levity or inappropriate jocular disregard. When really they mean they don't give a shit, never have and never will. Except of course when it comes to the actions of others.

    1. SuperGeek

      Re: Seriously indifferent

      "When really they mean they don't give a shit, never have and never will. Except of course when it comes to the actions of others."

      No, except of course when it comes to the aftermath of being fined. They then realise how serious it was.

  11. Aristotles slow and dimwitted horse

    Muppet.

    "We take security and all matters of data protection extremely seriously"

    But obviously not seriously enough to check all of this before actually sending with real world personal data?

    1. Jimmy2Cows Silver badge

      Re: Muppet.

      "We take security and all matters of data protection extremely seriously but thought we'd get away with it since we don't give a toss about security of debtor details. Now we've been found out and someone has complained, we're seriously taking it seriously. Seriously. Look how serious we're being!"

  12. Blofeld's Cat

    Hmm ...

    "... a contract for collecting taxes ..."

    I believe contracting out tax collection was also tried in France in the late eighteenth century. It didn't work out terribly well for the people in charge at the time.

    It's the one with red Phrygian cap ...

  13. Anonymous Coward

    Me, I'm enjoying "innocently created by individuals who fail". Seems a description applicable to so many situations.

  14. DMcDonnell

    Public records

    The UK is such a strange place.

    Here in the USA property records and their attendant tax bills are considered public records for anyone to see.

    1. GlenP Silver badge

      Re: Public records

      The tax bands and hence amount payable is public record here in the UK.

      What isn't, and shouldn't, be of public record is that an account is in arrears and by how much (at least until the person is taken to court).

  15. FlamingDeath Silver badge

    FUCKING COUNCILS!!!!111!!!111oNE

    Why do we pay councils to then pay other companies to do the thing we paid them to do.

    Why don't we just stop paying the council, pool together and just do it our fucking selves

    Or would we likely get sent to prison for trying to seek some sanity?

    I have yet to see a positive news story about a council, any where.....Do they exist?

  16. Doctor Syntax Silver badge

    On reflection I think this comment I made the other day applies here:

    It raises the usual questions about top management:

    Do they believe what they say?

    Do they believe we'll believe what they say?

    Do they think we won't care even when we don't believe what they say?

    Do they care whether we care when we don't believe what they say?

    None of the alternatives show them up in a good light but I've never been able to determine which is the case given that the only external evidence is that they keep spouting bollocks that only an idiot would believe.

    On further reflection I've realised that quotes like this aren't directed at anyone who knows the difference between a shift key, a shift lock key and a control. They're aimed at the execs of the councils involved and any stray councillors who take an interest, the sorts of people who'd be equally likely to spout such bollocks. To adapt the BBC's motto "Management shall spout bollocks unto management".

  17. Anonymous South African Coward Bronze badge

    Any Saffers on here remember the time when the City of Johannesburg had the same issue with their billing website? Change the URL slightly, and you get the billing details of somebody else.

    IIRC somebody downloaded a ton of bills by running a special program before the CoJ put an end to it by pulling the Ethernet plug on the webserver :)

    Seems as if Chitty Councils are the same the world over, want to save a few pennies and end up with unhappy, pissed-off people.
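    The failure the post above describes, and the one in the article, is the same bug: the URL carries a guessable record identifier and the server hands back whatever it points to. The code below is an added example, not from the article, the councils, Telsolutions or the Johannesburg system: the first lookup reproduces the enumerable pattern, and the hardened variant binds each reference to its account with an HMAC so that editing the id, or guessing one, returns nothing. The bills, account numbers and the server-side key are constructed for the example.

```python
"""Sequential-id lookup versus a reference that cannot be walked.

Added example, not code from the article or any system named in the thread.
Records, account ids and SERVER_KEY are constructed; in a real deployment the
key lives server side and the reference would also carry an expiry.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Bill:
    account_id: int
    name: str
    address: str
    arrears_gbp: float


# Constructed sample data: sequential account ids, as the commenters describe.
BILLS = {
    1001: Bill(1001, "A. Ratepayer", "1 High Street", 137.00),
    1002: Bill(1002, "B. Resident", "2 Mill Lane", 0.00),
    1003: Bill(1003, "C. Occupant", "3 Church Road", 412.50),
}


def vulnerable_lookup(account_id: int):
    """The pattern being criticised: the URL's number is the only thing checked."""
    return BILLS.get(account_id)


def enumerate_vulnerable(start: int, stop: int):
    """What one recipient can do with the vulnerable endpoint: walk the ids."""
    found = []
    for i in range(start, stop):
        bill = vulnerable_lookup(i)
        if bill is not None:
            found.append(bill)
    return found


# --- Hardened variant --------------------------------------------------------

# Per-deployment secret (assumption: held server side, never placed in a URL).
SERVER_KEY = secrets.token_bytes(32)


def _tag(account_id: int, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{account_id}:{nonce}".encode(), hashlib.sha256).hexdigest()[:32]


def issue_reference(account_id: int) -> str:
    """Mint a reference for one recipient: random nonce bound to the account by a MAC."""
    nonce = secrets.token_urlsafe(16)
    return f"{account_id}.{nonce}.{_tag(account_id, nonce)}"


def hardened_lookup(reference: str):
    """Return the bill only if the reference's MAC verifies for that account id.

    Changing the id, the nonce or the tag, or inventing a reference, fails the
    constant-time comparison and yields None instead of someone else's record.
    """
    try:
        acct_str, nonce, tag = reference.split(".")
        account_id = int(acct_str)
    except ValueError:
        return None
    if not hmac.compare_digest(_tag(account_id, nonce), tag):
        return None
    return BILLS.get(account_id)


if __name__ == "__main__":
    print("walked:", [b.name for b in enumerate_vulnerable(1000, 1010)])
    ref = issue_reference(1001)
    print("legit :", hardened_lookup(ref).name)
    acct, nonce, tag = ref.split(".")
    print("edited:", hardened_lookup(f"1002.{nonce}.{tag}"))
```

    The reference still reveals the account number itself, which may be more than you want in an SMS; a store-backed random token looked up server side avoids even that, at the cost of a table. Either way the property that matters is that no value derivable from one recipient's link is valid for any other recipient.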

    1. Alan Brown Silver badge

      " Change the URL slightly, and you get the billing details of somebody else."

      It was probably the same software

      1. Anonymous Coward

        > It was probably the same software

        It was probably Crapita as well. Although they might try to disguise themselves a bit by using the local name for the company: Crepita.

  18. Tron Silver badge

    They'll have to increase the council tax to pay the fines.

    Any texts I get from an unrecognised source are deleted unread.

    I get scam calls from Indian call centres on a daily basis, so I replace the handset on any automated call within seconds.

    A supposedly official-looking e-mail from someone I haven't contacted goes straight in the spam folder, which may encourage my webmail provider to block the sender's e-mail address across their system.

    So if they pivot to digital in this way, rather than sending a letter to my address, they would get FA of a response and their e-mail functionality may face headwinds.

    My bank have also started sending me e-mails. As e-mail is fundamentally insecure (and always has been), these go straight in the spam folder too. Banks should know better by now than to use e-mail.

    1. 0laf

      Re: They'll have to increase the council tax to pay the fines.

      Banks use email because it's cheap.

      Banks use SMS as an MFA token not because it's secure (it's not any more, due to SIM swap fraud bringing the entire mobile phone industry into your attack surface), but because it's easy and cheap.

      And banks know what they should be doing, they hire people that know security good practice, they CHOOSE not to do it.

      Fines and compensation are just operating costs for them. Until the hit on their bottom line is significant they'll continue to make bad choices.

  19. Dave 15

    Stunningly simple solution

    Do away with council tax. Fund each council based on number of people * X + number of businesses * Y from central government revenue.

    This cuts down paperwork, accountants, collection systems and costs. It cuts back to either expenditure or income related tax so taxing the rich more than the poor.

    It is more than time for a flat tax and flat benefit system, fair, simple and cheaper although it doesn't hide all those sleight of hand tax increases we have had since Thatcher decided to kill employment by wiping out manufacturing and Labour screwed up by buying American jets instead of making our own

    1. Anonymous Coward

      Re: Stunningly simple solution

      > Fund each council based on number of people*X

      I think you'll find that's called a poll tax. It didn't work very well last time. And it certainly doesn't cut down collection costs.

      Unless you mean fund the Councils out of general taxation and put up VAT or income tax instead? That would mean a "one size fits all" service across the whole of the country - because it would be the same amount of money per person (perhaps age adjusted) and a Labour Council couldn't decide to spend more than a Tory one. So you might as well abolish the Councils as well and have a single large corporation - like Capita - run everything across the country. After all - if the funding is the same and the service is the same then economy of scale dictates central provision.

      Good luck getting the pothole in your street fixed.

    2. Brewster's Angle Grinder Silver badge

      Assuming all human beings are spherical and of equal volume

      "It is more than time for a flat tax and flat benefit system, fair, simple and cheaper..."

      Simple? Undoubtedly. Cheaper? Have you met Capita? Fair? Only if you adopt the most infantile definition of "fair".

      This is especially clear in the benefit system. You either pay out an extortionate sum that guarantees anyone can meet their needs. Or some people's needs aren't met without top ups. Human beings are complicated and end up with tangled lives, and it makes sense to pay based on need - with the aim being everyone has a decent minimum standard of living. You don't even have to look down at the individuals; housing costs aren't consistent across the country so you want to pay the housing component of the benefit based on local prices.

      The argument is a bit more nuanced for the tax system. But clearly, there's no point taking money off low paid people just to give it back to them with benefits. So straight away we have to have an exception. And if you want tax to raise revenue, then the rates end up ruinously high or the rich have to pay higher rates. (There's a discussion to be had about the purposes of taxes, here. But if you beleived in MMR, you wouldn't be arguing for flat taxes - because taxes are there to damp down inflation and the rich are the people who you want to take it off.)

      And all that's before we start using the tax system to discourage bad behaviour (sin taxes) and encourage good behaviour.

      1. Cliffwilliams44 Silver badge

        Re: Assuming all human beings are spherical and of equal volume

        The tax system should not be used to encourage or discourage behavior, that is what laws are for.

        The government should not be in the business of setting a "minimum standard of living"! All that does is encourage bad behavior. Government help should be extremely limited and short term. It should be based upon individuals who find themselves in a situation "through no fault of their own" i.e. the wife and children abandoned by the husband (said husband should be tracked down and prosecuted). This should be temporary and should require some form of work program to offset the cost.

        For the most part in Western societies the poor are poor not because of societal problems but because of their own behavior either early in life or continually throughout their lives. Drugs, alcohol, gambling, foolish spending, bad work habits, failure to get a good education, all these things and more lead to poverty; when we take away the pain of poverty we take away the motivation to improve oneself. In the US poverty is easy! We have FAT poor people in this country. Since 1963 we have generations of people on Public Assistance.

        And then there are minimum wage laws which makes jobs illegal! You have a job worth $10/hr to you and there is someone who will take that job? Sorry you can't hire him! All this does is make things more expensive for the people who can least afford it!

    3. Cliffwilliams44 Silver badge

      Re: Stunningly simple solution

      Consumption taxes fix all of this. No collection efforts needed, no one avoids the tax with complex loopholes. Heck, even the criminals end up paying the tax!

      And no it is not regressive! If poor people can spend $150 on lottery tickets in 1 shot then they can pay a 10% levy on the things they buy! (sans food of course)

  20. MrNigel

    SMS for the few

    This is what happens when an engineering tool goes mainstream.....

  21. Zenco

    Private individuals get picked on and bullied by arrogant incompetent faceless bureaucracy. Would it be too much to ask that all officials are named and held personally responsible for every action they take, with systems designed so that there is no wriggle room. They want all the perks and the kudos, but never the comeback. If a lowly functionary screws up, their immediate superior should take the flak, and the person above him likewise, all the way to the top, they are just the hired help after all. Zen.

  22. Frank Fisher

    |"lessons will be learned"

    But no one will be punished. Working in local government means you are totally immune from all consequences of incompetence or criminality.

  23. ISYS

    Tax Payers?

    If they are debt chasing texts then the recipient is not a TaxPayer surely ;-)

  24. Dinosaurus_Techs

    Wow, what a coincidence that they all said almost the exact same thing, it's almost as if they have a common set of approved excuses that they know will make them sound as if they care when all they are doing is hoping to kick it down the road until everyone is looking somewhere else.

    The public sector - the place where accountability and responsibility goes to die ..........

  25. flayman Bronze badge

    Could be prosecuted in USA for doing what this reader did.

    In America, people have been convicted under the Computer Fraud and Abuse Act for doing just what this reader did by modifying a URL to gain access to data through a sequential id.

  26. SuperPurpleron

    We told them 3 years ago!

    We made Tel-Solutions aware of this back in December 2018. Nice to see they didn't change their behaviour and continued to provide insecure solutions to Councils. Of course the responsibility is the Council's but still, they compounded and encouraged this.

    1. John Brown (no body) Silver badge

      Re: We told them 3 years ago!

      Have you informed the ICO along with the evidence that they've had 3 years to deal with the issue? That should help increase the fines.

  27. Cliffwilliams44 Silver badge

    Obviously these people have no idea how to collect money.

    137 pounds? Not worth suing for. So they opted for the cheapest method. Not understanding that...

    SMS message? ignored

    Email? ignored

    Scary letter that looks like it is coming from some lawyer? That might get some folks attention

    Obviously the cost of the Post was just too much to spend.

    Technology is not always the best answer. In the area of collections, a letter followed by a phone call is 1000 times more effective.

  28. Missing Semicolon Silver badge

    Cardiff

    A spokesman confirmed that the council had carried out a Data Protection Impact Assessment before using Telsolutions.

    So how did they do that? Since evidently no actual assessment was made. Does that mean that the company performing the assessment is liable?
