In the wake of the HMRC benefit disc loss furore, I repeatedly made an important point that most commentators overlooked: the information provided on those discs was completely useless to carry out any kind of serious fraud, theft or scam.
Jeremy Clarkson, to his credit, shared this view. Unlike me, he had the cojones to back this up by printing his bank account details and home address in a national newspaper. And indeed, his experiment proved that he and I were right, and that almost everyone else commenting on the affair is a hysterical paranoiac.
This isn’t quite the way in which Clarkson’s experiment has been reported in the media, which isn’t surprising given that the media isn’t generally very good at understanding, well, much really – the media is focusing on the fact that some merry prankster set up a direct debit payment to transfer £500 of Clarkson’s money to a charity.
How does that work? Well, there isn’t much security required in setting up direct debits to pay the kind of reputable organisations that accept direct debits (go to the ‘pay a bill’ section of your online bank account and it’ll give you a list of the type of people – EDF, Barclaycard, and so on…). However, there is also no benefit to a fraudster in doing so. “Ha ha, I’ll pay Dave Smith’s electricity bill out of Dave Smith’s very own bank account! What an evil mastermind I am…” [*]
What you can’t do with direct debits is to pay money to MR JOSEPH KWAME, SON OF THE LATE GENERAL KWAME OF LAGOS, NIGERIA. For that, you need to use a personal transfer or standing order – and to set those up, you need a lot more information than account-number-plus-address. Notably, despite millions of people having access to Clarkson’s account details, no money has been stolen in this way.
In short, Clarkson’s experiment suggests that if these CDs have fallen into nefarious hands, then the only thing the miscreant can do is randomly transfer cash from people they’re annoyed with to charities they support. Which isn’t particularly worrying, in the grand scheme of things. [**]
[*] OK, there is a technical loophole here – it’s just about possible that you-as-fraudster could pay your own utility bills from the victim’s account. However, this would be entirely stupid and pointless, since you’d be caught more or less immediately and go directly to jail. The fraud only works if you can get your hands on large amounts of hard cash and disappear before the victim notices.
[**] plus non-ID-fraud related issues like making names and addresses available for battered wives, protected witnesses, etc – I don’t think we’ve seen much disclosure on whether they were covered in the list or not, and if they were then that’s a much better argument for crucifying some people.