Sunday, September 13, 2009

Hackers steal £1m in online tax scam

The Mail on Sunday reports that

Police are investigating how criminals managed to steal £1million from the taxman by accessing a Government computer system and granting themselves rebates ... The system penetrated by the thieves, the Government Gateway, was set up at a cost of £18million as part of Tony Blair’s vision for services to be administered electronically. It allows users to fill in forms online for anything from paying parking tickets to claiming child tax credit. Scotland Yard’s specialist e-crime unit ... is investigating whether the fraudsters used sophisticated software to find a weakness in Gateway or whether they targeted the computers of the people whose identities they stole.

The report goes on

Last November, The Mail on Sunday revealed how Ministers were forced to order an emergency shutdown of Gateway after a computer memory stick was found in a pub car park. Officers are investigating whether this could have played a part in the latest breach, as the computer stick contained passcodes to the system.

This is, I believe, the second time that the Government Gateway has been associated with a fraud. The last came at the end of 2005 and related to how tax credits were fraudulently diverted.

I don't know anything about this case beyond what's in the Mail. So I don't know if it's true; and I haven't spoken to anyone in the Gateway team. It's some 5 years since I ran the team that built and operated the Gateway so much of what I know is far from current. But I thought it was worth looking at what would have needed to be done if it is true as pulling off a fraud like this requires effort at multiple levels.


200909131514.jpg

For every fraudulent rebate claimed, the fraudster would need to know the userid and password of the victim. It's highly unlikely that these would have been on the memory stick that the Mail reminds us about - and even if the userids were, the passwords certainly weren't (like most systems, the Gateway stores passwords in a hashed format so even those with complete access to the system wouldn't know what they were). Likewise, if the memory stick somehow contained a list of system access userids and passwords in plain text, they wouldn't be able to get at the passwords for citizens sending tax returns. Indeed, I doubt that someone with the right access would be able to find out very much at all unless they were connected via a Government network and had rights not only over the production system but also various test systems. So the idea that the Gateway was actually compromised is, from what little data I have in front of me, remote.

So we're left with a more old-fashioned fraud. One perhaps of fake registrations and mail redirection or interception. To register on the Gateway for Self Assessment, you need a set of individual-specific information - tax reference numbers and UTR. You don't need to enter your address - the Gateway uses the one that HRMC has. So someone wanting to fraudulently register needs to know the necessary information, enter it into the Gateway and then intercept the userid that is sent through the post. The latter is a tricky job unless you work in the Post Office or manage to pick targets who all live in a shared house where the post is left on the table downstairs - and you still need access.

If the person has already registered, then you need to access their account - which means you need to know the userid (which was mailed to the individual) and the password (which they will have come up with at the point of registration). It's hard to imagine how anyone could get such details for multiple people. It would be like robbing several different people of their handbags and finding that all of them had a post-it note next to their ATM card with the PIN number scribbled on it. It's possible, but highly unlikely.

Even though this is all unlikely, let's suppose that somehow the fraudsters had indeed managed to acquire the userids and passwords of several different people - maybe they phished them off the web having installed spyware on enough PCs to land a catch. They then needed to get themselves in the queue for a rebate. That would mean that they'd have to enter tax details on the self assessment form that showed that they had either overpaid tax to date or had some other circumstance that would allow a rebate - perhaps an investment in an Enterprise scheme. I imagine that the details of salaries paid to the individuals would need to match the details stored in HMRC's separate payroll tax systems - a further complication. The fraudster would then have submitted the tax returns, presumably having made each of them slightly different.

It is possible that instead of intercepting multiple individual userids and passwords, the fraudsters instead got access to a far smaller number of logon details for accountants. If that were the case it's possible to imagine an inside job - someone from an accountancy firm having left perhaps under a cloud and having taken the logon details with him or her uses those details from home. They'd still need to have sent fraudulent tax returns for dozens of people. And those tax returns would have to be for people who hadn't already submitted their own tax return.

So far so fraudulent and so difficult. The Mail goes on:

The thieves are understood to have diverted the money to bank accounts set up fraudulently using the names of the password holders. One accountant, who had 52 of his 110 clients targeted by the tax fraudsters, said he was told by HM Revenue & Customs of rebates totalling more than £150,000. None of them received a penny, however. Instead, the payouts – of up to £7,500 each – were sent to fake bank accounts set up in his clients’ names.

So accountants were definitely involved at some point, but not, apparently, in all cases. But let's assume that the crook had managed to get hold of all of the userids and all of the passwords that he or she needed. That would leave two more challenges

1) Having to open bank accounts in the name of the holders but at different banks from the ones where they already had bank accounts. Opening a bank account takes some time and needs various identity documents. Of course it can be done - and is done all the time - but it takes planning.

2) Changing the bank account details stored by HMRC to that of the fraudulently opened bank account. I'm not aware that you can do that online. I just looked to see if I could do it but parts of the HMRC website are disabled - certainly the Self Assessment Account view - so it was hard to find out if it had been made possible recently. I'm reasonably sure, though, that you can't do it online and need to carry that task out via the HelpLine or on paper.

It strikes me, then, that this is either a fraud carried out by former employees of an accountancy firm - it seems unlikely to be just one firm given how many people appear to have been hit or an old-fashioned identity fraud where details were stolen from individuals and then used to set up accounts on the Gateway, change addresses at HMRC, open bank accounts and then - perhaps the cleverest bit - figure out how to generate a fraudulent tax return where the numbers were plausible and passed whatever checks HMRC do on tax returns and so created repayments.

The Mail's conclusion - linking this fraud to both the Government Gateway and to yet another Government IT failure - seems, therefore, likely to be wrong:

The Labour Government trumpeted the Government Gateway as a prime part of its drive to deliver public services efficiently. But this scam is just the latest in a long line of Government computer blunders. Last October, the Information Commissioner revealed there had been 277 data breaches since the loss of 25million child benefit records was disclosed in November 2007. HMRC has taken the attack on its system so seriously that it has provided a template for a letter accountants can send to clients to apologise and reassure them that their tax affairs will not be affected.

200909131515.jpgThe last line of the Mail's report says:

A 32-year-old man was arrested on September 3 and bailed to return to Bethnal Green police station in East London on December 3.

I'll be fascinated to see how this turns out - and to find out whether it was a new kind of fraud or just a reworking of identify fraud that happened to use the Gateway.

4 comments:

  1. Guest8:46 pm

    Alan - I'm a trustee for After Adoption and our London Events committee have organised a 10K run in Hyde Park on 15th Nov. Details via the link below 

    http://www.afteradoption.org.uk/page.asp?section=00010001000600070019

    Please would you consider including this in your training regime and/or spread the word to your fellow running contacts in the London area. We've got over 100 folks signed up already.

    Thansk, DC

    ReplyDelete
  2. Happy do to that ... easier to tweet me for this kind of thing @alan_mather ... or mail direct

    ReplyDelete
  3. Starsky0014:53 pm

    My initial thoughts were that the Gateway was compromised due to a current (or former) employee with access to the database but as you explained
    “… the Gateway stores passwords in a hashed format so even those with complete access to the system wouldn't know what they were)…”  so that rules out it being by one person who eventually sold the information to hackers. The memory stick found in a pub car park could simply be a mere coincidence or maybe it was a small piece of the “fraud” puzzle? Perhaps the memory stick did not have the userids and passwords but it could have other data to carry out the scam.

    It takes a lot of people and steps to perform even an old-fashioned fraud. Even though some points, which you mentioned, on how to carry out the fraud are unlikely to accomplish, it can still be done. Hackers are crafty devils and they always find a way to get what they want. Hackers use other ploys to get personal information that they could use for other scams. A combination of Trojans and fake rogue software (example: http://www.enigmasoftware.com/antiviruslive-removal/) are used to collect credit cards and other personal information. Last month, the British police arrested in Manchester, England, a man and woman that were using the Zeus Trojan to steal banking information from infected machines. A hacker can use a Trojan like Zeus to infect a users’ machine and trick them with the promise of a useful software to give up their personal information. What happened on the Government Gateway, is a chilling example of how organized fraudsters are.

    ReplyDelete
  4. Thanks for stopping by Starsky ... as you say, chilling, however it was done

    ReplyDelete