Sunday 9 October 2011

Data quality vendor not interested in data quality?

CIFAS should be all things to all people. They provide a platform for members to share data about fraudulent transactions - and provide ways of protecting individuals against identity theft. All wrapped in a not-for-profit organisation.

But dig below the surface and all is not as it seems.

Part of the facilities they provide is protective registration. This means that either at your request or the request of a CIFAS member, they will place a notice on your credit records saying that when a credit application is made in your name or from your address, then there should be additional checks on the identity of the party applying.

This helps with the big problem of identity fraud; regaining control of an identity and preventing further abuse.

However go and have a Google for them. There seems to be an awful lot of people out there who are not being protected - they are being prevented from obtaining credit due to a CIFAS listing. So at best, CIFAS have failed to communicate what their policy is to their members.

But suppose you find yourself unfairly blacklisted by CIFAS. How do you go about correcting this? Surely CIFAS, who generate income from providing accurate information would not only take an active interest in resolving individual cases, but would also seek to monitor the reputation of their members' recommendations? Indeed according to the Data Protection Registrar, that is what they are obliged to do, regardless of their business model.

However according to the CIFAS website, issues regarding inappropriate/inaccurate registrations must be directed to the member company and "CIFAS will not become involved in a dispute until the CIFAS Member has issued a Final Response letter."

Friday 4 March 2011

UK Government website privacy abuse?

Anyone who knows me will not be surprised to hear that I think measuring user-experience and how users interact with your website is a very good idea. If you're in the business of trying to collect or analyse this information, then this post is addressed to you.

As I've often said, looking at the standard server-side logs can be very informative - but its only half the story. To get a better picture you need to go client-side. And that means Javascript. For many people / organisations, there just isn't the time or money to develop your own solution - and of course there are no end of vendors trying to flog their wares to you.

This post was prompted by a wasted hour investigating unusual patterns in referer stats. Where I work, phishing poses a very serious risk. Despite this (and a large IT staff, a dedicated security team, and an annual turnover well into the billions) there are no SPF records in our published DNS records! The referer stats for our customer-facing website show our logos appearing in lots of web-based email readers (including those from service providers who are known to validate SPF) - implying that it is more than just a risk. This is a shocking and absurd set of circumstances which I am still trying to resolve after 2 years.

However, that's not what this gripe is about.

This week I noticed a few referrals from a very long URL starting with xxxxx.stcllctrs.com (where xxxxxx is the name of my employer's parent organisation). The URL was not obviously an email reader. Dropping the URL into a browser returned a 200 response with no content. So I had a look at the root URL, http://xxxxx.stcllctrs.com/ where I found the documentation for 'jsunpack' (http://jsunpack.jeek.org/dec/go) a tool 'designed for security researchers and computer professionals'. This is primarily a javascript code obfuscator. Interestingly, the URL for jsunpack seems to link to a form allowing people to report possible abuses of the tool - which has a record of its use at http://xxxxx.stcllctrs.com/ flagged as suspicious.

I then Googled for xxxxx.stcllctrs.com and found that our parent organisation had several references to this site, loading javascript files and NOSCRIPT content. Looking at the Javascript it was serving up, it was rather difficult to read (since it was obfuscated) but seemed to be doing strange things with cookies. The domain also appears in several ad blocking lists. Alarm bells started ringing!
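The kind of referer review described above can be scripted rather than done by hand. The following is an added example, not code from the original post: it parses Apache/nginx "combined" format log lines, groups requests by the host in the Referer header, and separates hosts that belong to the site's own domains (a hypothetical allowlist, `OWN_DOMAINS`) from external ones, recording which paths each external host caused to be fetched. The log lines are constructed for the example; the domain xxxxx.stcllctrs.com is the one named in the post, the rest are RFC 2606 example names.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist: referrals from these domains (or subdomains) are expected.
OWN_DOMAINS = ("example.org",)

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Mar/2011:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://webmail.example.net/read?id=123" "Mozilla/5.0"',
    '203.0.113.6 - - [04/Mar/2011:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 8120 "https://www.example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Mar/2011:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 8120 "http://xxxxx.stcllctrs.com/very/long/path?a=1&b=2&c=3" "Mozilla/5.0"',
    '203.0.113.8 - - [04/Mar/2011:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Mar/2011:10:03:40 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "https://webmail.example.net/read?id=456" "Mozilla/5.0"',
    'garbage line that does not parse',
]

# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def referer_host(ref):
    """Lower-cased host of a Referer value; '' for '-' or unparsable values."""
    if not ref or ref == "-":
        return ""
    try:
        return (urlsplit(ref).hostname or "").lower()
    except ValueError:
        return ""


def is_own(host, own_domains=OWN_DOMAINS):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)


def analyse(lines, own_domains=OWN_DOMAINS):
    """Count referer hosts and collect the paths each external host fetched.

    Returns (Counter of host -> hits, dict of external host -> sorted paths).
    """
    counts = Counter()
    external = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        host = referer_host(rec["ref"])
        if not host:
            continue  # direct hits and missing referers carry no host to classify
        counts[host] += 1
        if not is_own(host, own_domains):
            external[host].add(rec["path"])
    return counts, {h: sorted(p) for h, p in external.items()}


if __name__ == "__main__":
    hits, ext = analyse(SAMPLE_LOG)
    for host, n in hits.most_common():
        flag = "" if is_own(host) else "  <- external"
        print(f"{n:5d} {host}{flag}")
    for host, paths in ext.items():
        print(f"{host}: {', '.join(paths)}")
```

Run against a real access log, the external list is what you would review: a webmail host fetching only /images/logo.png is the hot-linked logo pattern the post describes, while an unfamiliar host referring to ordinary pages is the case worth looking up.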

Of course my employers make up for the quality of the security policy with the quantity of it - so I couldn't do a proper whois lookup - but looking at tools on the web - this turned out to be a 16 bit subnet owned by Savvis.net. The name is registered with viatel.com. So both the netblock and DNS registration are effectively anonymous.

Obfuscated code, unusual URLs, cookie manipulation, anonymous hosting, greyware listings - DING DING DING!!!

Most of the whois services available online are provided by companies trying to sell registration services - the one I used initially did not provide any information about the registrant (and reformatted the content significantly so it looked like viatel was the registrant). But I eventually found another site (in Romania of all places!) which gave the registrant contact - speed-trap.com limited. This proved to be the Rosetta stone to unravelling what was really going on.

Speed-Trap appear to be a legitimate organisation providing web-usage monitoring services to companies. Surprisingly, they have a number of very high profile customers including direct.gov.uk, RBS, Axa and others. Yet they behave online like a script-kiddy - obfuscating their identity as well as code deployed to run in my browser, leaving other people's hacking code on their own website.

DirectGov have a link to their privacy policy on each and every page in their site (for the benefit of those from the colonies - DirectGov is the single, open access portal spanning all central government services in the UK). They clearly state they use javascript and cookies to record and analyse your usage of the site. They do not state that this information is processed by a third party. Indeed they go to unusual lengths to suggest that this information would only be shared with other bodies in extreme circumstances. RBS and http://www.axa.co.uk/privacy take a similar tack.

http://www.direct.gov.uk/en/SiteInformation/DG_020456
http://www.rbs.co.uk/global/f/privacy.ashx
http://www.axa.co.uk/privacy

From https://www.dephormation.org.uk/
"Intercepting, monitoring, eavesdropping, tapping communications requires legal authority, or consent from both parties to the communication."

Although there are some differences to BT's Phorm rollout (in that case, it was clear that Phorm were using the information for other purposes than just usage analysis) I find it very worrying that the UK government and several large financial institutions should be misleading their customers (or citizens) like this.

Saturday 5 February 2011

Crappy code

I spend way too much time dealing with other people's crappy code. To that end, a very long time ago, I wrote a quick script that would help me navigate around a PHP source file in order to work out what it's supposed to do, and what it actually does.

It generates a call graph of the functions and methods in a PHP file, example shown below.

It had been sitting, festering on my HD for a while, and I thought "Hey, maybe someone else might find this helpful" so I uploaded it to phpclasses.org
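To show what building such a call graph involves, here is an added example written in Python; it is not the script from phpclasses.org described in the post. It blanks out comments and string literals (so a call mentioned in a comment is not counted), finds `class` and `function` definitions by brace matching, qualifies methods as `Class::method`, then scans each body for plain calls, `$this->` calls and `Class::`/`self::` static calls, and can emit the result as Graphviz DOT. The PHP input is a constructed sample.

```python
import re

# Constructed sample PHP file for the example (not the page's script).
SAMPLE_PHP = r"""<?php
function sanitize($s) {
    return htmlspecialchars($s);   // debug($s) used to live here
}
function render($s) {
    $clean = sanitize($s);
    echo "render(" . $clean . ")";
}
class Page {
    public function show($title) {
        render($title);
        $this->footer();
        self::log($title);
    }
    private function footer() { echo "bye"; }
    public static function log($m) { error_log($m); }
}
render("hi");
"""

# Language constructs that look like calls but are not functions.
KEYWORDS = {"if", "elseif", "while", "for", "foreach", "switch", "function", "array",
            "isset", "empty", "unset", "list", "return", "echo", "print", "catch",
            "exit", "die", "new", "match"}

DEF_RE = re.compile(r'\b(class|function)\s+&?\s*([A-Za-z_]\w*)')
# group 1: optional "$this->", "Name::" or "new " prefix; group 2: callee name
CALL_RE = re.compile(r'(?:(\$this->|[A-Za-z_]\w*::|new\s+)|\b)([A-Za-z_]\w*)\s*\(')


def _strip_comments_and_strings(src):
    """Replace comments and string literals with spaces so they cannot yield matches."""
    out, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("//", i) or c == "#":
            j = src.find("\n", i)
            j = n if j < 0 else j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
        elif c in "'\"":
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            j = min(j + 1, n)
        else:
            out.append(c)
            i += 1
            continue
        out.append(" " * (j - i))
        i = j
    return "".join(out)


def _body_end(src, open_idx):
    """Index just past the brace that closes the one at open_idx."""
    depth = 0
    for k in range(open_idx, len(src)):
        if src[k] == "{":
            depth += 1
        elif src[k] == "}":
            depth -= 1
            if depth == 0:
                return k + 1
    return len(src)


def call_graph(php_source):
    """Return {qualified function name: [callees in order of first appearance]}."""
    src = _strip_comments_and_strings(php_source)
    classes, funcs = [], []  # (name, start, end) / (qualified name, body start, end)
    for m in DEF_RE.finditer(src):
        kind, name = m.group(1), m.group(2)
        brace = src.find("{", m.end())
        semi = src.find(";", m.end())
        if brace < 0 or (semi != -1 and semi < brace):
            continue  # abstract/interface method without a body
        end = _body_end(src, brace)
        if kind == "class":
            classes.append((name, m.start(), end))
        else:
            owner = next((c for c, s, e in classes if s <= m.start() < e), None)
            funcs.append((f"{owner}::{name}" if owner else name, brace, end))
    graph = {q: [] for q, _, _ in funcs}
    for qname, start, end in funcs:
        owner = qname.split("::")[0] if "::" in qname else ""
        for cm in CALL_RE.finditer(src[start:end]):
            prefix, callee = cm.group(1) or "", cm.group(2)
            if callee.lower() in KEYWORDS:
                continue
            if prefix == "$this->":
                target = f"{owner}::{callee}"
            elif prefix.startswith("new"):
                target = f"{callee}::__construct"
            elif prefix:
                cls = prefix[:-2]
                target = f"{owner if cls in ('self', 'static') else cls}::{callee}"
            else:
                target = callee  # plain function (defined here or a builtin)
            if target not in graph[qname]:
                graph[qname].append(target)
    return graph


def to_dot(graph):
    """Render the graph in Graphviz DOT syntax."""
    lines = ["digraph calls {"]
    for caller, callees in graph.items():
        lines.append(f'  "{caller}";')
        lines.extend(f'  "{caller}" -> "{callee}";' for callee in callees)
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(call_graph(SAMPLE_PHP)))
```

Pipe the DOT output through `dot -Tpng` to get a picture like the one the post refers to. The regex approach deliberately ignores variable functions (`$f()`), callbacks passed as strings and `include`d files; for anything beyond a quick orientation a real tokeniser (PHP's own `token_get_all`) is the right tool.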

So blow me, not only do they find it useful - but they want me to support the damn thing too! And then I get nominated for an award! I had a quick look at the source code. OMG - it's a mess!

So a couple of late nights were spent cleaning it up until the API is at least usable.

You can get the (cleaned up, slightly) source code here

Friday 14 January 2011

Keyboard not detected. Press F1 to continue

I don't moan all the time.

Once in a while someone goes out of their way to be helpful, or technology works the way it should or I find something which is useful / good value.

Today I bought a new keyboard.

Like many computer people I know, I've had the same PC for the last 15 years or so. In that time the motherboard has been replaced a few times, disk drives have come and gone, graphics cards and monitors have been swapped. But the oldest component was an HP keyboard which has been putting in sterling service for the last 8 years.

So while I was in PCWorld/Curry's today, I picked up a Sandstrøm keyboard for £15. This has the nicest action of any keyboard around this price I'd seen, and has the added bonus that the keys have LED illumination.

The reason I was in Curry's was to pick up a similarly branded HiFi for my daughter's birthday. Again which I thought good value.

Despite the Scandinavian looking name, not surprisingly both are made in China, and although time will tell regarding the quality of the electronics, both seem to be of reasonably solid construction.

I suspect that the manufacturer / importer / retailer are currently discounting heavily to establish the brand in the UK.

Getting all the keys to work on my home machine (currently still with Fedora 9 - a Linux distribution) was surprisingly easy (most of the extra keys worked as soon as it was plugged in anyway).

It does have a somewhat compressed physical layout (the space bar is only 60mm) so I'm still hitting thEWRONG Kets some if the time but I@m sure that will pass/