Open data, fraud… and some worrying advice

One of the most commonly quoted concerns about publishing public data on the web is the potential for fraud – and certainly the internet has opened up all sorts of new routes to fraud, from Nigerian email scams, to phishing for bank account logins, to key-loggers, to identity theft.

Many of these work using two factors – the acceptance of things at face value (if it looks like an email from your bank, it is an email from them), and flawed processes designed to stop fraud but which inconvenience real users while making life easy for criminals.

I mention this because of some pending advice from the Local Government Association to councils regarding the publication of spending data, which strikes me as not just flawed, but highly dangerous and an invitation to fraudsters.

The issue surrounds something that may seem almost trivial, but bear with me – it’s important, and it’s off such trivialities that fraudsters profit.

In the original guidance for councils on publishing spending data we said that councils should publish both their internal supplier IDs and the supplier VAT numbers, as it would greatly aid the matching of supplier names to real-world companies, charities and other organisations, which is crucial in understanding where a local council’s money goes.

When the Local Government Association published its Guidance For Practitioners it removed those recommendations in order to prevent fraud. It has also suggested using the internal supplier ID as a unique key to confirm supplier identity. This betrays a startling lack of understanding, and worse opens up a serious vector to allow criminals to defraud councils of large sums of money.

Let’s take the VAT numbers first. The main issue here appears to be so-called missing trader fraud, whereby VAT is fraudulently claimed back from governments. Now it’s not clear to me that publishing VAT numbers alongside supplier names makes this fraud any easier, and you would think the Treasury, which recommends publishing the VAT numbers for suppliers in its guidance (PDF), would be alert to this (I’m told they did check with HMRC before issuing their guidance).

However, that’s not the point. If it’s about matching VAT numbers to supplier names, there are already several routes for doing this, with the ability to retrieve tens of thousands of them in the space of an hour or so, including this one:

http://www.google.co.uk/#sclient=psy&hl=en&q=%27vat+number+gb%27+site:com

Click on that link and you’ll get something like this:

Whether you’re a programmer or not, you should be able to see that it’s a trivial matter to go through those thousands of results and extract the company name and VAT number, and bingo, you’ve got that which the LGA is so keen for you not to have. So those wanting to match council suppliers don’t get the help a VAT number would give, and fraudsters aren’t disadvantaged at all.

Now, let’s turn to the rather more serious issue of internal Supplier IDs. Let me be clear here: when matching council or central government suppliers, internal Supplier IDs are useful, make the job easier and the matching more accurate, and also help with understanding how much in total redacted payees are receiving (you’d be concerned if a redacted person/company received £100,000 over the course of a year, and without some form of supplier ID you won’t know that). However, it’s not some life-or-death battle over principle for me.

The reason the LGA, however, is advising councils not to publish them is much more serious, and dangerous. In short, they are proposing to use the internal Supplier ID as a key to confirm the supplier’s identity, and so allow the supplier to change details, including the supplier bank account (the case brought up here to justify this was the recent one of South Lanarkshire, which didn’t involve any information published as open data, just plain old fraudster ingenuity).

Just think about that for a moment, and then imagine that it’s the internal ID number they use for you in connection with paying your housing benefits. If you want to change your details, say you wanted to pay the money into a different bank account, you’d have to quote it – and just how many of us would have somewhere both safe to keep it and easy to find (and what about when you separate from your partner)?

Similarly, where and how do we really think suppliers are going to keep this ID (stuck on a post-it note on the accounts receivable clerk’s computer screen?), and what happens when they lose it? How do they identify themselves to find out what it is, and how will a council go about issuing a new one should the old one be compromised – is there any way of doing this except by setting up a new supplier record, with all the problems that brings?

And how easy would it be to do a day or two’s temping in a council’s accounts department, do a dump/printout of all the Supplier IDs, and then pass them on to fraudsters? The possibilities – for criminals – are almost limitless, and the Information Commissioner’s Office should put a stop to this at once if it is not to lose a serious amount of credibility.

But there’s a bigger underlying issue here, and it’s not that organisations such as the LGA don’t get data (although that is a problem); it’s that such bodies think that by introducing processes they can engineer out all risk, and that leads to bad decisions. Tell someone that suppliers changing bank accounts is very rare and should always be treated with suspicion, and fraud becomes more difficult; tell someone that they should accept internal supplier IDs as proof of identity, and it becomes easy.

Government/big-company bureaucrats not only think like government/big-company bureaucrats, they build processes that assume everyone else does. The problem is that this both makes things more difficult for ordinary citizens (as most encounters with bureaucracy make clear) and makes it easy for criminals (who by definition don’t follow the rules).
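To make the distinction between an identifier and an authenticator concrete, here is an added example (hypothetical code, not the LGA’s, any council’s, or anything from the guidance) contrasting the two approaches described above: one that accepts a matching internal supplier ID as proof of identity, and one that uses the ID only to find the record and treats a bank-account change as a rare event needing a callback to the contact already on file plus a second approver. The supplier register, names and field values are constructed for the example.

```python
"""Two ways of handling a supplier's request to change its payment details.

Hypothetical example, not code from the LGA, any council or the guidance.
The supplier register, names and values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Supplier:
    supplier_id: str       # internal ID: published, on a post-it, or dumpable, so not a secret
    name: str
    phone_on_file: str     # contact verified when the supplier record was first set up
    bank_account: str


@dataclass
class ChangeRequest:
    claimed_supplier_id: str
    new_bank_account: str
    confirmed_via_phone_on_file: bool = False   # callback to the stored number completed
    second_approver: Optional[str] = None       # dual control inside accounts payable


def fresh_register() -> Dict[str, Supplier]:
    """Constructed single-entry supplier register (hypothetical data)."""
    return {
        "S-0042": Supplier("S-0042", "Acme Cleaning Ltd", "+44 20 7946 0000",
                           "12-34-56 00112233"),
    }


def change_details_id_as_proof(register: Dict[str, Supplier], req: ChangeRequest) -> str:
    """Flawed policy: a matching supplier ID is taken as proof of identity.

    Anyone who has seen the ID (open data, a post-it note, a dump of the
    supplier table) can redirect every future payment.
    """
    supplier = register.get(req.claimed_supplier_id)
    if supplier is None:
        return "rejected: unknown supplier"
    supplier.bank_account = req.new_bank_account
    return "approved"


def change_details_risk_based(register: Dict[str, Supplier], req: ChangeRequest) -> str:
    """Hardened policy: the ID only locates the record and proves nothing.

    A change of bank account is rare and always treated with suspicion: it is
    held until a callback to the contact already on file (never a number given
    in the request itself) has confirmed it and a second person has signed off.
    """
    supplier = register.get(req.claimed_supplier_id)
    if supplier is None:
        return "rejected: unknown supplier"
    if req.new_bank_account == supplier.bank_account:
        return "no change"
    if not req.confirmed_via_phone_on_file:
        return "held: callback to contact on file required"
    if not req.second_approver:
        return "held: second approver required"
    supplier.bank_account = req.new_bank_account
    return "approved"


if __name__ == "__main__":
    request = ChangeRequest("S-0042", "99-99-99 12345678")
    print("ID as proof:", change_details_id_as_proof(fresh_register(), request))
    print("risk based: ", change_details_risk_based(fresh_register(), request))
```

Under the first policy the only thing standing between a fraudster and the council’s payments is knowledge of a number that was never designed to be secret; under the second, knowing the ID gets the request no further than any other caller, and the controls that actually stop the fraud (an independent callback and dual control) do not depend on the ID being secret at all, so there is nothing to lose by publishing it.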


6 Comments on “Open data, fraud… and some worrying advice”

  1. [...] This post was mentioned on Twitter by Conrad Quilty-Harper, Stuart Harrison, Rooftop Jaxx, Chris Taggart, Chris Taggart and others. Chris Taggart said: Open data, fraud… and some worrying advice: Photo: http://www.flickr.com/photos/dmcl/ One of the most commonly quo… http://bit.ly/cejS1D [...]

  2. I’ve just received an email from a reader in response to this blog post. Which is fine – but I’m not the person you should write to about this.

    The official correspondence address to the LGA for this guidance is transparency@local.gov.uk which is read by Ian Carbutt (programme manager) among others.

    If you’ll allow me a plug for the Local by Social online conference – you can talk to Gesche Schmid, who drafted these elements of the guidance – she’ll be covering the guidance on 9 Nov at 13:30 to 15:00 here: http://www.communities.idea.gov.uk/c/7569678/home.do – but as it’s an online conference – feel free to raise the issue beforehand.

  3. Gesche Schmid says:

    Chris, the above blog is built on the misconception that the LGA advised local authorities to use the supplier ID as the unique reference to confirm supplier identity. I want to make clear that we have not given that advice anywhere in the document. However, we have advised using an external supplier ID as one of the fraud prevention measures.

    We are currently reviewing the response to the consultation on the practitioners guide and fraud advice will be an area for further investigation. The results of the review will be published via http://www.local.gov.uk/transparency.

  4. Gesche

    I didn’t say that LGA advised local authorities to use the supplier ID as a unique reference number, but that it “suggested using the internal supplier ID as a unique key to confirm supplier identity”, which is subtly different, and my understanding from sources within LGA is that it is suggesting this as an approach, hence the reluctance to publish Supplier IDs (although it hasn’t yet published this as formal advice).

    If you are now agreeing that isn’t a good approach, then there is no reason for not publishing those fields (and there appears to be no good reason for not publishing the VAT number, full-stop).

    It’s not good enough, either from a transparency or security point of view, to wave around vague references to ‘fraud prevention measures’. Please detail the specific vectors the publication of these fields exposes (and it would be great if you could also respond to my email of last week re specific advice re ‘missing trader’ fraud, which doesn’t seem to stand up to investigation).

  5. I very much appreciated reading Ingrid and Gesche’s responses to Chris’s blog post. Thank you both.

    I am keen to hear Gesche’s further response as to why VAT and Supplier ID are not being published or otherwise, when they may be.

  6. [...] Open data, fraud… and some worrying advice Government/big-company bureaucrats not only think like government/big-company bureaucrats, they build processes that assumes everyone else does. The problem is that that both makes more difficult for ordinary citizens (as most encounters with bureaucracy make clear), and also makes it easy for criminals (who by definition don’t follow the rules). Comment (RSS) | Trackback [...]

