IT Security

Phishing emails from taxman

by Mark Rowe

As ten million people prepare to complete their tax returns online in January, many have received phishing emails which appear to be from HMRC. ID (identity) fraud is rife – yet many people are still unaware of the potential risks, according to new research from a digital authentication product company.

A survey of 1000 UK consumers about their personal security online, found that a fifth of UK consumers, or their close friends or family, have been the victim of data theft or identity fraud. But there is still a lack of awareness among many in the UK who seem to have no idea how dangerous this kind of data theft can be. Of those who have filled in a tax return online, almost half (48 per cent) are not at all worried about the potential risks of losing their personal and financial information.

And, when asked which online activity made them most nervous about their personal and financial information being stolen, the majority were most worried about shopping online (51 per cent), with just over a third most concerned about online banking (36 per cent), and only 14 per cent most concerned about using online government services, such as applying for a driving licence or filling in a tax return.

Brian Spector, CEO at MIRACL, says: “Consumers are surprisingly laid back about the potential risks of filling in their tax returns online. It’s true that you could lose money if your financial details were stolen while online shopping, but the volume of data involved in filling out a tax return online makes this a far greater risk. With all the financial data involved in a tax return, a criminal could potentially take out a mortgage in your name. Data theft and identity fraud is a multi-billion dollar business on the dark web, and so consumers must be vigilant.”

The firm suggests such lack of awareness could be because people are being lulled into a false sense of security, by thinking that using stronger passwords will protect them. Over two-thirds of those surveyed said that they create stronger passwords to keep their personal and financial data safe online, such as using a mix of letters and numbers, or substituting numbers for letters. High profile data breaches such as the TalkTalk hack have made most people (61 per cent) feel more nervous about providing their personal and financial information online, and as a result, a majority (51 per cent) think it is only a matter of time before they are affected. The research found that most people would welcome the chance to use tighter security to protect themselves when using online services. Three-quarters (77 per cent) said that they would feel better about providing their personal and financial details online if the website had stronger security procedures, such as multi-factor authentication.

Spector adds: “High profile data breaches such as TalkTalk understandably make people nervous about their personal security online. But we don’t have to be part of the weekly announcements about mass data breaches. The underlying issue is that the username and password system is old technology that simply cannot secure the deep information and private services that we all store and access online today. By contrast, new, secure methods of two-factor authentication can eliminate password risk and at the same time be user-friendly.”

In December, MIRACL announced that the credit checking company Experian had selected its identity software to provide authentication to millions of UK citizens using GOV.UK Verify, the new online portal for UK citizens to use government services online, such as renewing your driving licence or filling out your tax return. This involves a user-selected five-digit PIN (something they know) alongside a software token which automatically installs in their mobile or desktop browser (something they have) when registering. Both factors must be present to create a key that drives a “zero knowledge proof authentication protocol” against MIRACL’s M-Pin Server. The server stores no passwords, PINs or authentication credentials, and thus cannot be compromised, the developers say.

Spector adds: “Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space. Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by contributing to the restoration of trust on the internet and removing the password from their systems altogether.”



Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing