Jeremy Clarkson Demonstrates Personal Data Leak Threat

First published: 31st January 2008

Outspoken BBC TV presenter Jeremy Clarkson wrote a column in the UK Sun newspaper saying that the public outcry about the loss of unencrypted CDs containing child benefit details, including bank details of 25m people, was a lot of fuss about nothing. To back up his claim, he included his own bank account number, sort code, and clues to his address, saying that the worst that could happen was that someone could pay money into his account.

He was dramatically proved wrong when an unknown person set up a Direct Debit from his account to the charity Diabetes UK, resulting in the transfer of £500. In another column, he has retracted his claim, saying, "I was wrong and I have been punished for my mistake." He has also advocated tough new measures to prevent Personal Data disclosure, saying, "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." Clarkson should be applauded for his willingness to admit when he is wrong.

However, Clarkson is best known for his knowledge, and love, of cars, not for his expertise in Information Security, and he is still missing an important point: the financial loss was only possible because there was also negligence at his bank. Disclosure of personal data is not just about financial loss; there are many situations where it can cause even more serious harm to the victim(s), but this is primarily a financial example. The bank failed to verify that the direct debit instruction was issued by Clarkson, so the bank is responsible.

This is a reflection of how the information revolution is changing our society, and institutions, like banks, are failing to adapt. We have long been used to using our written signature on important transactions, even though signatures can be forged and challenged. Additional procedures increased the difficulty of crime: banks expect you to know the account name and number, and provide pre-printed cheques for your convenience - making a non-preprinted cheque immediately suspicious. There is an obvious cost pressure towards skipping signature checks - after all, the name and number can be checked automatically, but a signature must be manually verified, and who else would know the matching account name and number? Unfortunately, nowadays, the answer is everyone, because of the potential for massive personal data disclosures.

Fortunately, there is an easy solution. The banks and financial institutions have been quietly ignoring the problem, or trying to transfer the blame and cost to the customer. Therefore, the Regulators should put the responsibility firmly back with the bank, assuming that the blame lies there until proven otherwise, and imposing punitive penalties for lapses. This will give banks the right incentive to develop and promote user-friendly secure authentication mechanisms.

