DVLA log book theft – massive failure of security

Tonight, the Donal MacIntyre programme is going to run an interesting report investigating the effects of the theft of hundreds of thousands of vehicle log books (V5C documents) from the DVLA several years ago.

So what is a V5C? It’s a document that contains the details of the car and its owner. There are a few important pieces of information on it:

  • The registration mark (number plate)
  • The engine number 
  • The vehicle identification number (VIN)
  • The current registered owner’s name and address

So, in theory, when the car is manufactured, the registration, engine number and VIN should all match up. It’s possible to change both the plates and the engine, but when this is done you need to notify the DVLA and get a new V5C. Each change of ownership should also be notified, and hence a full provenance for the vehicle is built up.

Second-hand buyers have always been told to check the V5C document. Cautious buyers will also carry out an HPI check or similar:

Shona Topping from St Albans was a cautious used-car buyer who had always driven company vehicles

When she spotted a Mercedes she liked in a magazine, she asked for its registration details so she could run a vehicle data check on its history.

“I took a mechanic along to have a look at the vehicle, carried out the check and obviously, being nervous, I had to do everything possible,” she said.

“It tells you on all the advertising that they check various databases, checking with the police on the computers.”

But because Shona’s car had been cloned, she was actually running data checks on a completely different, legitimate car.

That meant the result came back clean.

from bbc.co.uk/news.

So why are the checks passing cloned cars with invalid V5C documents?

There are a number of security failures here, and I’m quite surprised that none of the articles seem to address them.

  • How did several hundred thousand of these documents get stolen? Even at the low estimates of 120,000, that equates to 50 boxes of A4 paper. That takes a large van, time, and people.
  • Why is there no decent revocation mechanism? If my credit card is stolen, it takes minutes for the bank to stop it working. It’s harder with pieces of paper, but what’s key here is that the piece of paper is simply a representation of a database record, which leads on to…
  • Why is it so hard for car buyers to verify the V5C? There seem to be a few mechanisms available to do this:
    1. Calling the DVLA. By all accounts, this will result in a long wait, and it seems like an expensive (in terms of running a call centre) way to look up a simple database record.
    2. Performing an HPI check. This costs the buyer money, which quite a lot of people won’t want to spend.

    Why can I not simply go to a website, type in the 4 pieces of information, and get an instant answer on this?

  • Also, why make the document so easy to forge? It’s both easy to forge one from the ground up, and to print details onto a genuine but stolen V5C. Why have they not done anything to prevent this?
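To make the revocation and verification argument concrete, here is an added toy model (not code from the original post, and not anything the DVLA runs). It assumes two things the post implies but does not spell out: that each V5C carries a per-document serial number that the DVLA could put on a stolen list, and that the buyer reads the VIN off the vehicle itself rather than only off the paper. The registry record, the stolen-serial list and the cloned document are all constructed sample data. It contrasts the plate-only data check that Shona ran, which passes a clone, with a four-field check plus revocation that rejects it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class V5C:
    """Fields printed on a V5C. 'serial' is an assumed per-document identifier."""
    serial: str
    registration: str
    engine_number: str
    vin: str
    keeper: str


# Constructed sample data: the DVLA record for one legitimate car.
REGISTRY = {
    "AB12CDE": {
        "serial": "S-100",
        "engine_number": "ENG-0001",
        "vin": "VIN-LEGIT-0001",
        "keeper": "J. Smith, Leeds",
    },
}

# Constructed revocation list: serials of blank documents reported stolen.
STOLEN_SERIALS = {"S-900", "S-901"}


def registration_only_check(registration):
    """The data check keyed on the number plate alone.
    Returns 'clean' if the plate is on record, 'unknown' otherwise.
    A clone carrying a legitimate plate passes this every time."""
    return "clean" if registration in REGISTRY else "unknown"


def verify_v5c(doc, vin_on_car):
    """Four-field check plus revocation.

    doc: the V5C the seller hands over.
    vin_on_car: the VIN read off the vehicle itself (chassis plate).
    Returns (ok, reasons); reasons is empty when ok is True.
    """
    reasons = []
    record = REGISTRY.get(doc.registration)
    if record is None:
        return False, ["registration not on record"]
    # Revocation: the paper itself is from a stolen batch.
    if doc.serial in STOLEN_SERIALS:
        reasons.append("document serial is on the stolen list")
    # Binding: only one document serial was ever issued for this registration.
    if doc.serial != record["serial"]:
        reasons.append("document serial does not match the one issued for this registration")
    # Consistency: every printed field must agree with the database record.
    for field in ("engine_number", "vin", "keeper"):
        if getattr(doc, field) != record[field]:
            reasons.append(f"{field} on document does not match DVLA record")
    # Physical check: the car in front of you must be the car on record.
    if vin_on_car != record["vin"]:
        reasons.append("VIN stamped on the vehicle does not match DVLA record")
    return (not reasons), reasons


# Constructed clone: a stolen blank (S-900) printed with the legitimate car's
# details, attached to a different vehicle whose real VIN is VIN-STOLEN-0042.
CLONED_DOC = V5C("S-900", "AB12CDE", "ENG-0001", "VIN-LEGIT-0001", "J. Smith, Leeds")
CLONED_CAR_VIN = "VIN-STOLEN-0042"

# Constructed genuine document for the same registration.
GENUINE_DOC = V5C("S-100", "AB12CDE", "ENG-0001", "VIN-LEGIT-0001", "J. Smith, Leeds")


if __name__ == "__main__":
    print("plate-only check on clone:", registration_only_check(CLONED_DOC.registration))
    ok, why = verify_v5c(CLONED_DOC, CLONED_CAR_VIN)
    print("four-field check on clone:", ok, why)
    ok, why = verify_v5c(GENUINE_DOC, "VIN-LEGIT-0001")
    print("four-field check on genuine:", ok, why)
```

The plate-only lookup reports the clone as clean because it is answering a question about the legitimate car. The fuller check fails the clone on three independent grounds: the serial is revoked, the serial is not the one issued for that registration, and the VIN on the vehicle does not match the record. Either of the serial checks would catch the clone even if the buyer never looked under the bonnet, which is the point about the paper being only a representation of a database record.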

I particularly like the way that this press release from the DVLA pins the blame on the motorists, not the people who designed an insecure system and took inadequate action when it did go wrong:

More than half of motorists (53%) cannot tell a genuine vehicle registration certificate (V5C) from a fake.

Ross Anderson looks at Verified By Visa

A fairly scathing paper on the whys and wherefores of 3D Secure – which most people will know as Verified By Visa. Anyone who thinks about security will have identified several flaws in the system already. But for the average man on the street, seeing more passwords makes them feel more secure.

So this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.

I don’t expect the average card user to sit down and actually analyse if Verified By Visa actually makes them more secure or not. You’ve got to place a certain level of trust in those in authority – but the banks are truly out to screw the consumer when it comes to card fraud.

I’m hoping that the pretty widespread media coverage of this will raise awareness with consumers and retailers. As it stands, Amazon seem to be the only major retailer who’ve told them to get lost.