Stopped clocks and mullet-haired petrolheads

In the wake of the HMRC benefit disc loss furore, I repeatedly made an important point that most commentators overlooked: the information provided on those discs was completely useless to carry out any kind of serious fraud, theft or scam.

Jeremy Clarkson, to his credit, shared this view. Unlike me, he had the cojones to back this up by printing his bank account details and home address in a national newspaper. And indeed, his experiment proved that he and I were right, and that almost everyone else commenting on the affair is a hysterical paranoiac.

This isn’t quite the way in which Clarkson’s experiment has been reported in the media, which isn’t surprising given that the media isn’t generally very good at understanding, well, much really. Instead, the media is focusing on the fact that some merry prankster set up a direct debit payment to transfer £500 of Clarkson’s money to a charity.

How does that work? Well, there isn’t much security required in setting up direct debits to pay the kind of reputable organisations that accept direct debits (go to the ‘pay a bill’ section of your online bank account and it’ll give you a list of the type of people – EDF, Barclaycard, and so on…). However, there is also no benefit to a fraudster in doing so. “Ha ha, I’ll pay Dave Smith’s electricity bill out of Dave Smith’s very own bank account! What an evil mastermind I am…” [*]

What you can’t do with direct debits is to pay money to MR JOSEPH KWAME, SON OF THE LATE GENERAL KWAME OF LAGOS, NIGERIA. For that, you need to use a personal transfer or standing order – and to set those up, you need a lot more information than account-number-plus-address. Notably, despite millions of people having access to Clarkson’s account details, no money has been stolen in this way.

In short, Clarkson’s experiment suggests that if these CDs have fallen into nefarious hands, then the only thing the miscreant can do is randomly transfer cash from people they’re annoyed with to charities they support. Which isn’t particularly worrying, in the grand scheme of things. [**]

[*] OK, there is a technical loophole here – it’s just about possible that you-as-fraudster could pay your own utility bills from the victim’s account. However, this would be entirely stupid and pointless, since you’d be caught more or less immediately and go directly to jail. The fraud only works if you can get your hands on large amounts of hard cash and disappear before the victim notices.

[**] plus non-ID-fraud related issues like making names and addresses available for battered wives, protected witnesses, etc – I don’t think we’ve seen much disclosure on whether they were covered in the list or not, and if they were then that’s a much better argument for crucifying some people.

  1. “the only thing the miscreant can do is randomly transfer cash from people they’re annoyed with to charities they support”

    But given that the transfer is fraudulent and is very likely to be challenged by the owner of the bank account, it is of even less benefit to our miscreant, unless of course he wishes to piss off two lots of people at once, say by randomly transferring cash from people they’re annoyed with to charities they DON’T support…

  2. Andrew Paterson said:

    I wouldn’t be so sure about the getting jailed part, the criminal investigation has to come following a complaint made by the bank in question to the police, and they simply never make such complaints.

  3. john b said:

    So if I were to pay my electricity bill by a direct debit from your account and you complained, then your bank would refund you without seeking to get the money back from my electricity supplier?

    Or if my electricity supplier had to give your bank the money back, they wouldn’t report me for fraud (even though they weren’t at fault at all)?

  4. John B,

    You assume that you only complain to the bank. You will naturally do that because you want your money back and that is the best place to start.

    Surely you could also complain to the police yourself?

    Surely it’s not just up to the bank to raise the complaint that triggers the criminal prosecution?

  5. John B said:

    Are you confusing my comment with Andrew’s? Comments appear below names on this site…

    In any case, I’d agree that you can report the case to the police – however, I think in most cases of reported crime (excepting domestic violence, crimes where the victim is a minor, etc) if the victim doesn’t want to press charges then charges won’t be pressed. I also think that the bank would legally be the victim in this scenario, so they may have the final say.

  6. Dunc said:

    I agree that there’s no direct risk from this information leaking…

    But, it is potentially extremely useful for identity thieves using social engineering attacks to get past your bank’s call-centre staff, which is a class of attack that well-known media personalities are generally somewhat less at risk from. Mr Kwame probably won’t get very far phoning up claiming to be Mr Clarkson having forgotten his password.