CRB trial and identity cards (by )

This process starts off the same way, more or less, but rather than the applicant producing a passport, they produce an ID card. And the number from the ID card is put into the initial online form.

It starts to get interestingly different when they get home with their reference number and confirm their details. They have to confirm the number on the front of the ID card, then enter a smaller number printed on the back, then enter a four-digit secret PIN.

They're then presented, not with a blank form, but a prepopulated form with some of their details as on file; from memory, name and address. They still have to fill in some things, such as their date and place of birth.

Then when they see the countersignatory, their ID card is validated; it has to be inserted into a terminal, the PIN entered on the terminal, and two of their fingers scanned (in the trial, it requested my left index and right middle finger, suggesting they pick two fingers to scan at random). The countersignatory, as before, goes over any inconsistencies with their biographical detail, and visually checks their photo and signature match the card (and that both match what appears on their screen, pulled up from the database, to prevent tampering with the card).

If that all goes OK, then as before, the criminal record checks occur, and the results come by post later, again with your photo and national ID card number on to try and prevent you stealing other people's letters.

Now, technically, the system is quite well done. The real authentication step is when you meet the countersignatory, where you need to convince them (they visually check your photo and signature) as well as convincing the computer (with the fingerprint and PIN); the countersignatory gets to watch you to see if you look nervous or appear to be tampering with the fingerprint reader, and even if you bribe them, they can't make the computer pretend to accept your fingerprint and PIN if they're not valid.

However, there are weaknesses. Again, it places too much trust in the single ID card; how hard will it be to get one under an assumed name? What if you find somebody who looks like you, torture them for their biographical details and PIN, and copy their fingerprints (which, I gather, can be done with off-the-shelf equipment for a few hundred pounds)?

But then again, you could just find somebody who looks like you, steal their card for a visit to your potential new employer, and blackmail or bribe your friend into completing the online form (at knife point) then visiting the countersignatory (while you hold their children at knife point), then you turning up to work with the nice letter with their photo on.

However, I don't think it'd be practical to defend against that sort of attack, to be honest.

Pages: 1 2 3 4

3 Comments

  • By sarah, Wed 27th Jun 2007 @ 8:22 am

    Oh Alaric you are lovely - you just made me cry cos I know you mean that, any child in your care is an extremely lucky child as far as I'm concerned.

  • By David Cantrell, Wed 27th Jun 2007 @ 10:04 pm

    The biggest problem with the CRB checks isn't that nasty people might get through, but that nice people will be offended at the notion that they have to be checked, and so refuse to go through with it. This is already happening. And no amount of fiddling with the process will fix what is a fundamentally anti-civil idea.

  • By alaric, Thu 28th Jun 2007 @ 9:55 am

    Interesting... I didn't know CRB checks were so widespread! I'd heard of them being done for teachers and Scout leaders, where confirming you don't have a relevant criminal record seems fair enough, since you are left in a position of power over lots of children (and, more subtly, you get to handle a lot of personal information about them; my records include all sorts of information that I could probably make a lot of money selling to paedophiles to use in working their way into parents and children's trusts.

    But cricket umpires and library book deliverers? Hmmf. Looks to me like arse-covering. If somebody in such a situation did do something untoward, then the organisation could use the fact they did CRB checks to protect themselves. "But but but the government said she was nice..."

Other Links to this Post

RSS feed for comments on this post.

Leave a comment

WordPress Themes

Creative Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales
Creative Commons Attribution-NonCommercial-ShareAlike 2.0 UK: England & Wales