Beer and biscuits
Published: 08 March 2017
It concerns me that so many governmental, quasi-governmental and commercial organisations prove so often to be ignorant or negligent in their approach to security whilst claiming to protect us from the dangers found on the internet; so often they don't get even the basics right.
Not so long ago I found that Jeremy Hunt's training enterprise was sending passwords in the clear. While endangering users' data and potentially threatening their livelihoods, Hotcourses did at least respond to my criticisms, apologise and upgrade their systems.
Trainers do at least have the option of not using Hotcourses, even if the site does dominate that particular marketplace; this may not be the case for organisations conducting DBS checks (formerly CRB checks). With DBS checks many people are obliged to engage, and pay for the privilege, if they wish to continue in employment.
One such organisation on this particular gravy train is Voluntary Norfolk, a registered charity that is an approved supplier to the National Council for Voluntary Organisations but which also provides back-office services to commercial enterprises.
Voluntary Norfolk operates a website called "charitybackroom.org.uk" which, together with payroll and HR services, carries out DBS checks. To do this the applicant has to submit personal data, complete a questionnaire and supply documentation proving both their identity and their places of residence. This data is presumably collated with that gathered from the local police, the Police National Computer, the Department for Education, the Independent Safeguarding Authority and whatever other agencies are deemed to be relevant.
In order to protect this data, the applicant is issued with a user login name and a password. The password and login name are sent together, by email, in plain readable text, "in the clear" as we computer buffs call it. This means that anyone with access to the computer systems at Voluntary Norfolk, at the applicant's home or office, or at the ISP where the mail is stored can read it. Anyone who can be bothered to sniff the wires that carry the message between Voluntary Norfolk and the user can also see the login and password, and so has access to the account. The point at which it becomes laughable is when they provide "additional security" in the form of a confirmatory question and response: both the question and the answer are also sent to the user, by email, in the clear.
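To make the difference concrete, here is an added example (my own illustration, not code from this blog or from Voluntary Norfolk's site) that builds the kind of onboarding email described above, with login, password, security question and answer all in readable text, beside a safer flow that emails only a random, short-lived, single-use setup link and stores the eventual password as a salted hash. All names, addresses and the one-hour lifetime are assumptions made up for the example.

```python
"""Credential delivery by email: the criticised practice beside a safer one.

Added example, not the site's own code. The in-memory dictionaries stand in
for a database, and every address and URL is a constructed placeholder.
"""
import email
import email.policy
import hashlib
import secrets
import time
from email.message import EmailMessage

SENDER = "noreply@example.invalid"   # constructed sender, not a real address
TOKEN_TTL_SECONDS = 60 * 60          # assumption: a setup link lives one hour
PBKDF2_ITERATIONS = 200_000

_pending_tokens = {}   # sha256(token) hex -> (login, expiry in epoch seconds)
_accounts = {}         # login -> (salt, pbkdf2 hash of the chosen password)


def compose_cleartext_onboarding_email(to, login, password, question, answer):
    """The practice criticised above: every secret in one readable message.
    Whoever can read the mail (sender's systems, recipient's mailbox, the ISP's
    store, or an unencrypted hop on the wire) gets a complete working login."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to
    msg["Subject"] = "Your new account"
    msg.set_content(
        f"Login: {login}\nPassword: {password}\n"
        f"Security question: {question}\nAnswer: {answer}\n"
    )
    return msg.as_bytes()


def secrets_visible(raw_email, *values):
    """True if any given secret can be read out of the message body, exactly
    as a mailbox reader or a wire sniffer would read it."""
    body = email.message_from_bytes(raw_email, policy=email.policy.default).get_content()
    return any(v in body for v in values)


def issue_setup_token(login, now=None):
    """Safer flow, step 1: mint a random token and keep only its hash, so a
    copy of the server's table is useless without the emailed token itself."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    issued_at = now if now is not None else time.time()
    _pending_tokens[digest] = (login, issued_at + TOKEN_TTL_SECONDS)
    return token


def compose_setup_link_email(to, token, base_url="https://example.invalid/setup"):
    """Safer flow, step 2: the email carries a link, never a password or a
    security answer. The link is still readable by the same parties, which is
    why it must expire quickly and work only once."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to
    msg["Subject"] = "Set up your account"
    msg.set_content(
        f"Choose your password here: {base_url}?token={token}\n"
        "The link works once and expires in one hour.\n"
    )
    return msg.as_bytes()


def redeem_setup_token(token, new_password, now=None):
    """Safer flow, step 3: single use, expiry enforced, password hashed at rest.
    Returns the login on success and None for an unknown, used or stale token."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending_tokens.pop(digest, None)   # pop: a token is consumed on first use
    if entry is None:
        return None
    login, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        return None
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
    _accounts[login] = (salt, pw_hash)
    return login


def verify_password(login, password):
    """A later login attempt checked against the stored salted hash."""
    entry = _accounts.get(login)
    if entry is None:
        return False
    salt, pw_hash = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return secrets.compare_digest(candidate, pw_hash)


if __name__ == "__main__":
    raw = compose_cleartext_onboarding_email(
        "applicant@example.invalid", "jsmith", "Tr0ub4dor", "First pet?", "Rex")
    print("cleartext email exposes password and answer:", secrets_visible(raw, "Tr0ub4dor", "Rex"))
    tok = issue_setup_token("jsmith")
    link_mail = compose_setup_link_email("applicant@example.invalid", tok)
    print("link email exposes a password:", secrets_visible(link_mail, "Tr0ub4dor"))
    print("first redemption:", redeem_setup_token(tok, "correct horse battery"))
    print("second redemption:", redeem_setup_token(tok, "again"))
```

The setup link is itself exposed to exactly the same readers as the cleartext password was, so the scheme does not make email a confidential channel; it limits what a captured message is worth to a one-hour, single-use window, after which the mailbox copy, the ISP's copy and the sniffer's copy are all dead. Whether the mail hop itself is encrypted in transit is a separate question that this example does not address.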
Everyone can sleep easier in their beds knowing that the authorities are in control and taking care of us.