In January 2011 I posted a blog called ‘Moving Blues’. Having moved this month from a well-known university town in Belgium to the rural depths of France, nearly two years later it’s disappointing we seem to be moving backwards in terms of security when it comes to safely asserting our new identity attributes like a changed address, a new bank account etc. Not forward the way I envisaged two years ago in ‘Moving Blues’, by sending a new digitally signed Information Card with my changed ‘claims’ to my various new and old service providers.
Take the case of my Health Insurance provider. Casually talking to a girl on the help line informing her of our new postal address, I mentioned enjoying pre-retirement here in the French countryside. She only needed that one verbal cue to inform me that my policy was no longer valid and I was not insured (read the small print about being in full-time employment, she said. But who does?).
As an aside, a replacement private policy would quadruple my monthly payments. “What, even though I now lead a much less stressful life?” I replied. It seems European governments force these insurance companies to provide so-called social healthcare policies for the working classes, heavily regulated on a minimum cost-plus basis. So it seems they must screw all their profits out of the fortunate few that can say goodbye to working life before their state pension kicks in. And here it was me thinking, insurance companies calculate their premiums based on risk! Gardening must be more dangerous than being in a stressful office job! Give the help line operator her dues, she said the company would refund my voluntary premium payments from the day I quit work.
Now move the scene to the department that wants to pay me back about five months’ worth of premiums. It writes to my new unverified address that it needs to verify my bank details. A simple mail from my verified email address all of a sudden isn’t good enough. But it is OK to email them scanned copies of my passport and a scanned bank statement showing my account number and my new address.
Am I the only person thinking how stupid is that? To make my point I searched on Google Image search for an example of a bank statement which I soon found and downloaded from MattsBits blog. A hacker with bad intentions would probably find one in your waste paper bin and scan that in. I used the bog standard program ‘Paint’ from Microsoft, to be found on every Windows computer, used an electronic rubber and changed the address and bank account number on Matt’s statement to illustrate my point. The result is displayed below:
Now it seems that today I could send this as a bona fide scanned copy in an attachment to the healthcare provider and they now think/pretend they have covered their arse?
How stupid is that? Who are they kidding? Is this secure identity management in the year 2011? Shame on Microsoft for pulling the plug on Information Cards. Shame on the likes of Verizon, Deutsche Telekom, Orange, the banks of this world, even Google! Why will no-one step up to the plate and give us secure Identity Verification Services to replace this pretense? Why do Relying Parties lull themselves to sleep by allowing hackers to fool them with easily doctored scans of utility bills etc? It seems we are back in the 1950s days of simple checkbook fraud as illustrated so well in the film ‘Catch Me If You Can’.