ukcrypto at airburst.co.uk
Thu Jan 13 14:11:10 GMT 2011

To return to the original issue again, I would add to Ross Anderson's
list a third problem.

(3) Possession of any information about an individual is potentially
useful to a miscreant seeking to use social engineering to access
further information or perpetrate fraud.

Discussions about personal information (such as that about NI
numbers) often seem to concentrate on questions about when and where
information is strictly or technically required for particular
purposes. I also think there is a terrible tendency for people to
make assumptions that if policy or law is set in place to specify
that particular information operations require use of particular
pieces of data or exclusion of other pieces of data then that is how
things will work in practice. It seems to me the real world very
often works on the principles of misunderstanding, expediency,
laziness and general cock-up.

So I can easily envisage a situation where a miscreant is trying to
access, for example, medical or financial records but does not
possess the credentials or information that's strictly required in
such cases. Imagine the attempt occurs in a phone call to a typical
overworked, underpaid, unimaginative administrative employee who's
had typically dull formulaic training. The admin employee asks for
what they've been trained to request. "Ah", says our miscreant,
"there's been some confusion. You're asking for X and they've only
given me Y. We're under a bit of pressure so it's going to be a
nightmare if I have to go back and get it. I do have an (NHS or NI)
number if that's any help". And thus the miscreant plants in the
admin employee's mind the impression they have some sort of access
privileges of an official nature and can thus be trusted with an
(apparently) minor breach of protocol. Furthermore, any piece of data
acquired through such an exchange could be an additional means to
leverage further access in subsequent attempts.

OK, that's a clumsy simplified example, but it illustrates events
that happen in the real world. I'm pretty certain it's widely
practised in certain quarters of the journalism business.

So, even if an NHS number did not technically give access to very
much, it would still be a matter of concern if they were obtainable
by the wrong people. Given that it *does* seem to be a key to other
data it seems especially worrying.

On 8 Jan 2011 at 10:48, Ross Anderson wrote:
> > Going back to the main issue - is the ability to get hold of
> > someone else's NHS number any sort of problem?
> (1) "De-identified" databases of med records used in research often
> have the NHS number even if name and address have been removed
> (2) The PDS system which people use to look up your NHS number lets
> users find anyone in the country, including ex-directory numbers; it
> has an audit trail showing all the health organisations you've dealt
> with. If you're a celeb who's an outpatient at the Maudsley, that
> could be bad news.