Wednesday, April 28, 2010

Nothing (Much) to do with the Election

Christie Malry, over at the FCA blog, is running a serious of 100 posts "Reasons not to vote Labour".  Number 67 is the "Individual Learning Account".  Many years ago (about 10), I did occasional bits of unpaid security analysis for the Financial Times.  Then I went to work for a bank.  And the FT rang me up to say they had access to an extract from the ILA database and would I take a look at it for them.

We then had one of those surreal experiences best categorised by Joseph Heller.  My boss says "Whose that on the phone."  "The FT," I say.  "You can't talk to the FT" "That's what I'm telling them!"  Anyway, man from FT rings man from bank press office and utters the magic words.  I'd like to think they were something like "Excellent analyst, fundamentally depend on him" (Ed notes: excellent value for money, anyway, on the grounds that division by zero results in an arbitrarily large value) but were more likely to be "Unattributed, of course.  And I'll buy you a beer."  So I was sent the data set and got to work.

It was one of these bits of work that take far longer to write up than to do - in fact, it has probably taken me longer writing this blog post.  The ILA numbers were a linear series with a check digit.  Therefore, with one valid number, you could predict the rest in both directions.  So all you, assuming you were a fraudulent learning provider, needed was to get one recent number - yourself, friends, family - used or unused, it didn't matter and then generate away.  You could trivially check whether an account had been used (a security measure to prevent end-user fraud) and then enroll the number.  No database access needed - improper or otherwise, no trawling for unused accounts, none of it necessary.  All you needed to make sure you did was avoid registering accounts which were yet to be issued (which, I assume - and AITMOAFU - would have set off some fraud detection).

No comments:

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.