The Chartered Institute of Payroll Professionals ……………………………………………………………Policy News Journal
Back to Contents
What kind of fraud does GOV.UK Verify prevent? 9 May 2016
GOV.UK Verify is designed to help fight the growing problem of online identity theft. Identity
Advisor Julian White explains what is meant by identity fraud and describes some of the kinds of fraud GOV.UK Verify’s standards are designed to help prevent.
Point 9 of the Digital by Default Service Standard says:
“Use open standards and common government platforms where available.”
GOV.UK Verify doesn’t just use open standards - we have helped set the standards for identity proofing and verification and online authentication for UK government digital services . These documents are jointly published by the Cabinet Office and CESG , the National Technical Authority for Information Assurance. All the certified companies are required to meet those standards, and have to be independently certified to confirm that they do.
The good practice guides have been designed to mitigate a range of specific identity fraud risks.
Impostors GOV.UK Verify aims to stop others pretending to be you when accessing government services. We call someone that attempts to do this an ‘impostor’. They may try to register with one of the GOV.UK Verify certified companies using stolen identity information. The many data breaches that have occurred over the last few years mean that a lot of stolen personal data is circulating online. In fact, this information can be bought for very little money by criminals using online criminal marketplaces. Our guidance on identity proofing and verification explains how the good practice guides require certified companies to carry out a range of checks to prevent someone using this kind of stolen information to successfully access services using your identity.
These checks cover 5 different elements of identity assurance:
making sure there is evidence that the identity exists (element A) validating that evidence to make sure it’s valid and / or genuine (element B) establishing that the person owns the identity (element C) checking whether the identity registration might be fraudulent (element D) establishing that the identity has been active over time (element E).
As part of our guidance we require that the certified companies also check to see if your identity is known to have been used by an impostor in the past. If this is the case then they will take extra care to ensure that it is really you and not an impostor. Account takeover Because of the range of different checks certified companies are required to carry out, it’s quite difficult to create a false identity or steal someone else’s in order to create a GOV.UK Verify account. Criminals may attempt to bypass the registration process and instead try to get access to a verified identity account that has already been set up. We call this ‘account takeover’. The objective is to access the account you’ve created with a certified company and use it to interact with government services. Usernames and passwords for many online services are available to buy from the dark web , mostly gained from one of the data breaches mentioned earlier. People tend to pick predictable passwords and use the same one across many web sites. If you do that, the cyber criminal doesn’t need to get hold of your username and password for a specific web site. They just need one of your passwords for a single service to work out what your passwords are for other services. The guidance we give on authentication sets out the things we expect the certified companies to do to prevent this kind of attack from being successful. The certified companies offer a range extra security measures that means every sign in is unique: you wouldn’t be able to access an account just using a stolen username and password, you would also need to complete another step such as having a one-off code sent to your mobile phone or generating a code in an
The Chartered Institute of Payroll Professionals
Policy News Journal
cipp.org.uk
Page 275 of 588
Made with FlippingBook - Online magazine maker