Saturday, September 26, 2009

The MacPherson Paradox

The plan is deliverable

As long as appropriate steps are taken to make it deliverable

That said, the very taking of those steps may render the plan undeliverable

Solutions gratefully received to this new paradox

Wednesday, September 16, 2009

After Adoption Hyde Park 10km

There's a new 10km race in town on Sunday 15th November in Hyde Park.

Sunday 15 November 2009 sees After Adoption launch its inaugural Hyde Park 10k Run.

Hyde Park is one of the largest green spaces in Central London and provides a fantastic place to run in the heart of the capital. It has also been selected as one of the venues for London 2012, where thousands of spectators will witness the world’s elite athletes cross the finish line.

For experienced and novice runners alike, After Adoption’s charity run gives you the opportunity to improve your fitness levels, beat your personal best, or just have a fun day out in London’s finest parkland with friends and family.

Last year we helped over 8,200 people deal with the difference adoption can bring to their lives. We provided expertise to over 1,000 adoptive families, allowing them to continue to provide a stable home environment to their adopted children. We worked with nearly 2,800 birth parents, allowing them to understand their loss and help to turn their lives around. We supported over 2,500 adopted people, helping them to understand their past. We ran youth forums and engaged nearly 200 young people in our direct youth work. We worked with over 50 potential adopters, assessing and preparing them for the challenges and rewards adoption can bring.

The likely chilly winter weather we'll have by then should give everyone an opportunity to run a good time. It will be a small race, for a good cause, and so deserves the support.

Sunday, September 13, 2009

Hackers steal £1m in online tax scam

The Mail on Sunday reports that

Police are investigating how criminals managed to steal £1million from the taxman by accessing a Government computer system and granting themselves rebates ... The system penetrated by the thieves, the Government Gateway, was set up at a cost of £18million as part of Tony Blair’s vision for services to be administered electronically. It allows users to fill in forms online for anything from paying parking tickets to claiming child tax credit. Scotland Yard’s specialist e-crime unit ... is investigating whether the fraudsters used sophisticated software to find a weakness in Gateway or whether they targeted the computers of the people whose identities they stole.

The report goes on

Last November, The Mail on Sunday revealed how Ministers were forced to order an emergency shutdown of Gateway after a computer memory stick was found in a pub car park. Officers are investigating whether this could have played a part in the latest breach, as the computer stick contained passcodes to the system.

This is, I believe, the second time that the Government Gateway has been associated with a fraud. The last came at the end of 2005 and related to how tax credits were fraudulently diverted.

I don't know anything about this case beyond what's in the Mail. So I don't know if it's true; and I haven't spoken to anyone in the Gateway team. It's some 5 years since I ran the team that built and operated the Gateway, so much of what I know is far from current. But I thought it was worth looking at what would have needed to be done if it is true, as pulling off a fraud like this requires effort at multiple levels.



For every fraudulent rebate claimed, the fraudster would need to know the userid and password of the victim. It's highly unlikely that these would have been on the memory stick that the Mail reminds us about - and even if the userids were, the passwords certainly weren't (like most systems, the Gateway stores passwords in a hashed format so even those with complete access to the system wouldn't know what they were). Likewise, if the memory stick somehow contained a list of system access userids and passwords in plain text, they wouldn't be able to get at the passwords for citizens sending tax returns. Indeed, I doubt that someone with the right access would be able to find out very much at all unless they were connected via a Government network and had rights not only over the production system but also various test systems. So the idea that the Gateway was actually compromised is, from what little data I have in front of me, remote.
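To make the point about hashed storage concrete, here is an added illustration (my own example, not the Gateway's actual password scheme, whose details are not on this page). It stores a per-user salted PBKDF2 digest, verifies a login against it, and then shows the caveat a practitioner would add: someone holding a copy of the table still cannot read the passwords, but can guess weak ones offline, so "hashed" protects strong passwords far better than weak ones. The iteration count, user ids and passwords are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Example parameter only; an assumption for this illustration, not the
# Government Gateway's actual scheme.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest and compare in constant time so timing leaks nothing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def offline_guess(record: dict, wordlist: list) -> Optional[str]:
    """What someone holding a copy of the table can still do: guess offline.

    The digest cannot be reversed, but a weak password falls to a short wordlist
    while a long random one does not. That is the caveat behind "hashed, so safe".
    """
    for guess in wordlist:
        if verify_password(record, guess):
            return guess
    return None


# Constructed sample accounts; these credentials are made up for the example.
USERS = {
    "user1001": hash_password("password1"),
    "user1002": hash_password("Q7!vx#2mLp9@wz"),
}
WORDLIST = ["123456", "password", "password1", "letmein"]

if __name__ == "__main__":
    for uid, rec in USERS.items():
        print(uid, "stored digest:", rec["digest"].hex()[:16] + "...",
              "| offline guess:", offline_guess(rec, WORDLIST))
```

Run it and user1001 is recovered from the wordlist while user1002 is not, which is why a stolen credential store is a password-strength problem rather than a free pass: the attacker who wants a specific victim's account still has to guess, phish, or keylog the password.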

So we're left with a more old-fashioned fraud. One perhaps of fake registrations and mail redirection or interception. To register on the Gateway for Self Assessment, you need a set of individual-specific information - tax reference numbers and UTR. You don't need to enter your address - the Gateway uses the one that HMRC has. So someone wanting to fraudulently register needs to know the necessary information, enter it into the Gateway and then intercept the userid that is sent through the post. The latter is a tricky job unless you work in the Post Office or manage to pick targets who all live in a shared house where the post is left on the table downstairs - and you still need access.

If the person has already registered, then you need to access their account - which means you need to know the userid (which was mailed to the individual) and the password (which they will have come up with at the point of registration). It's hard to imagine how anyone could get such details for multiple people. It would be like robbing several different people of their handbags and finding that all of them had a post-it note next to their ATM card with the PIN number scribbled on it. It's possible, but highly unlikely.

Even though this is all unlikely, let's suppose that somehow the fraudsters had indeed managed to acquire the userids and passwords of several different people - maybe they phished them off the web having installed spyware on enough PCs to land a catch. They then needed to get themselves in the queue for a rebate. That would mean that they'd have to enter tax details on the self assessment form that showed that they had either overpaid tax to date or had some other circumstance that would allow a rebate - perhaps an investment in an Enterprise scheme. I imagine that the details of salaries paid to the individuals would need to match the details stored in HMRC's separate payroll tax systems - a further complication. The fraudster would then have submitted the tax returns, presumably having made each of them slightly different.

It is possible that instead of intercepting multiple individual userids and passwords, the fraudsters instead got access to a far smaller number of logon details for accountants. If that were the case it's possible to imagine an inside job - someone from an accountancy firm having left perhaps under a cloud and having taken the logon details with him or her uses those details from home. They'd still need to have sent fraudulent tax returns for dozens of people. And those tax returns would have to be for people who hadn't already submitted their own tax return.

So far so fraudulent and so difficult. The Mail goes on:

The thieves are understood to have diverted the money to bank accounts set up fraudulently using the names of the password holders. One accountant, who had 52 of his 110 clients targeted by the tax fraudsters, said he was told by HM Revenue & Customs of rebates totalling more than £150,000. None of them received a penny, however. Instead, the payouts – of up to £7,500 each – were sent to fake bank accounts set up in his clients’ names.

So accountants were definitely involved at some point, but not, apparently, in all cases. But let's assume that the crook had managed to get hold of all of the userids and all of the passwords that he or she needed. That would leave two more challenges:

1) Having to open bank accounts in the name of the holders but at different banks from the ones where they already had bank accounts. Opening a bank account takes some time and needs various identity documents. Of course it can be done - and is done all the time - but it takes planning.

2) Changing the bank account details stored by HMRC to that of the fraudulently opened bank account. I'm not aware that you can do that online. I just looked to see if I could do it but parts of the HMRC website are disabled - certainly the Self Assessment Account view - so it was hard to find out if it had been made possible recently. I'm reasonably sure, though, that you can't do it online and need to carry that task out via the HelpLine or on paper.

It strikes me, then, that this is either a fraud carried out by former employees of an accountancy firm - it seems unlikely to be just one firm given how many people appear to have been hit - or an old-fashioned identity fraud where details were stolen from individuals and then used to set up accounts on the Gateway, change addresses at HMRC, open bank accounts and then - perhaps the cleverest bit - figure out how to generate a fraudulent tax return where the numbers were plausible and passed whatever checks HMRC do on tax returns and so created repayments.
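Whatever route the fraudsters took, the pattern the Mail describes leaves a signature on the payer's side: a repayment requested shortly after the nominated bank account was changed off-line, repeated across many clients of one filer. As an added example (mine, not anything HMRC runs, and with a record layout, window and thresholds that are assumptions), here is the kind of check a fraud team could run over repayment claims before money goes out. The sample claims are constructed for the example.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


class Claim(NamedTuple):
    """One repayment claim. The fields are assumptions for this example, not HMRC's schema."""
    utr: str                          # taxpayer reference
    agent: str                        # accountant who filed the return, or "self"
    claim_date: date                  # date the return requesting a repayment was filed
    amount: float                     # repayment requested
    bank_changed_on: Optional[date]   # last change to the nominated bank account, if any
    change_channel: Optional[str]     # "helpline" or "paper"; no online route is assumed


# Constructed sample data for the example; none of these are real taxpayers.
CLAIMS: List[Claim] = [
    Claim("UTR001", "AgentA", date(2009, 8, 10), 7500.0, date(2009, 8, 3), "helpline"),
    Claim("UTR002", "AgentA", date(2009, 8, 11), 6200.0, date(2009, 8, 4), "paper"),
    Claim("UTR003", "AgentA", date(2009, 8, 12), 4100.0, date(2009, 8, 5), "helpline"),
    Claim("UTR004", "AgentA", date(2009, 8, 12), 900.0, None, None),
    Claim("UTR005", "AgentB", date(2009, 8, 13), 300.0, date(2007, 1, 15), "paper"),
    Claim("UTR006", "AgentB", date(2009, 8, 14), 1200.0, None, None),
    Claim("UTR007", "self",   date(2009, 8, 15), 2500.0, date(2009, 8, 1), "helpline"),
]


def recently_changed(claim: Claim, window_days: int = 30) -> bool:
    """True when the payee account was changed in the run-up to the claim."""
    if claim.bank_changed_on is None:
        return False
    gap = (claim.claim_date - claim.bank_changed_on).days
    return 0 <= gap <= window_days


def flag_claims(claims: List[Claim], window_days: int = 30) -> List[str]:
    """Per-claim rule: repayment requested shortly after the bank account was changed."""
    return [c.utr for c in claims if recently_changed(c, window_days)]


def suspicious_agents(
    claims: List[Claim], window_days: int = 30, min_claims: int = 3, min_fraction: float = 0.5
) -> Dict[str, Tuple[int, int]]:
    """Filer-level rule: a large share of one agent's clients all changed bank
    details just before claiming. Returns agent -> (flagged, total)."""
    by_agent: Dict[str, List[Claim]] = defaultdict(list)
    for c in claims:
        by_agent[c.agent].append(c)
    result: Dict[str, Tuple[int, int]] = {}
    for agent, cs in by_agent.items():
        flagged = sum(1 for c in cs if recently_changed(c, window_days))
        if len(cs) >= min_claims and flagged / len(cs) >= min_fraction:
            result[agent] = (flagged, len(cs))
    return result


def flagged_total(claims: List[Claim], window_days: int = 30) -> float:
    """Money on the flagged claims, i.e. what to hold back pending a call to the client."""
    return sum(c.amount for c in claims if recently_changed(c, window_days))


if __name__ == "__main__":
    print("hold for review:", flag_claims(CLAIMS))
    print("agents to look at:", suspicious_agents(CLAIMS))
    print("amount held:", flagged_total(CLAIMS))
```

On the sample, the per-claim rule holds four repayments and the agent-level rule singles out AgentA (three of four clients changed bank details in the week before claiming), which is the shape of the "52 of 110 clients" case quoted above. A single recent change is weak evidence on its own; the clustering across one filer's list is what turns it into something worth a phone call to the client before paying out.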

The Mail's conclusion - linking this fraud to both the Government Gateway and to yet another Government IT failure - seems, therefore, likely to be wrong:

The Labour Government trumpeted the Government Gateway as a prime part of its drive to deliver public services efficiently. But this scam is just the latest in a long line of Government computer blunders. Last October, the Information Commissioner revealed there had been 277 data breaches since the loss of 25million child benefit records was disclosed in November 2007. HMRC has taken the attack on its system so seriously that it has provided a template for a letter accountants can send to clients to apologise and reassure them that their tax affairs will not be affected.

The last line of the Mail's report says:

A 32-year-old man was arrested on September 3 and bailed to return to Bethnal Green police station in East London on December 3.

I'll be fascinated to see how this turns out - and to find out whether it was a new kind of fraud or just a reworking of identity fraud that happened to use the Gateway.

Tuesday, September 08, 2009

Clouds

Not cloud computing but the latest word cloud for this blog from Wordle


I'm quite pleased to see government there in at least a reasonably sized font.

Provoking (e)government

With his new found freedom, Jerry Fishenden seems to be getting out his harshly provocative pen more often. Actually, that's not fair or right - Jerry has always put across his points fully, fairly and rationally and these posts are no different - maybe I'm just reading more into the NFF (new found freedom) than I should.

His latest post contains some points that should make anyone in government, let alone e-government, sit up and pay attention:

For example, just 340,000 out of 145 million DWP customer contacts took place online in 2008. Despite up to 21bn GBP being expended annually on UK public sector ICT at present, little headway seems to have been made. Indeed, in many cases it seems that digital fulfilment channels have become another overhead alongside all the existing channels.

If Jerry's numbers are right (and I have no better ones although I fear that denominator in this instance could well be more than 145m), then that's a slim 0.2% online takeup. In a world where the mission was "2005 / 100% online" then the takeup ball is plainly in pieces on the floor having been well and truly dropped.

It gets worse perhaps:

The United Nations e-Government Readiness Index shows that between 2005 and 2008 the UK slipped from 4th to 10th place. And this slide came during a time of unprecedented levels of ICT and public sector investment, with the UK possibly spending more as a percentage of GDP than any other country [see John Suffolk's recent blog post for other views on that]. Using a slightly different methodology, the Economist Intelligence Unit e-Readiness Ranking for 2009 paints an even blacker picture, with the UK resting at just 13th in their particular table.

So far, just the facts ... then the provocation

I'm not convinced that classifying, for example, HMRC's self-assessment services as an e-government or online transaction is correct, given how much of it actually results in large amounts of paper and non-internet based communication. The much-praised DVLA tax disc service is similarly a fairly trivial interaction which could also be entirely digital.

Ouch.

Nottingham Half Marathon Elevation and Course Map

I last ran the Nottingham Half in the run up to the New York Marathon in 2006. Here is the elevation profile.


The bars are the gradient, the line is the elevation (for reasons that are beyond me Rubitrack wants to make them both pretty much the same colour). There's a pretty steep hill early on and then a much longer slower climb from 5km to 9km. The one that will probably hurt most is the one from 10km to just before 13km - that takes you up the hill to the University. It's a great run - and the finish along the river is a welcome relief after the hills.


To all those running on September 13th 2009, good luck. The weather forecast for that day is saying pretty warm, around 20C, but perhaps some rain. In 2006, I ran it in 1h 46m.

Wednesday, September 02, 2009

Socially Doing Nothing

I joined a new social network today - a government-y thing. This is the screen that greeted me after I'd registered:


So right in so many ways.