The current approach by Companies House to ID verification is to have the director's email address cross-checked by the GOV.UK One Login system. If that process checks out against the supporting identity documentation, the director is issued with a personal identity code. It is sent to the director's registered email address. The director is then supposed to give Companies House the personal code tied to that registered email address.
Here's the problem: the email address is not proof of identity. It can be hijacked, and the "personal code" can be learned by social engineering over the phone. The Companies House system should instead use a physical token, such as a YubiKey, holding an encrypted digital certificate that identifies the individual person. The token would be plugged into the PC or phone and verified whenever the director files documents on the Companies House website.
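To make the token-based proposal concrete, here is an added example in Go (not Companies House code and not code from this post) of the server side of a challenge-response check with a key held on a hardware token. The registry stores only the director's public key at enrolment, issues a single-use nonce when a filing is submitted, and verifies the token's signature over that nonce bound to the filing. The director identifier, filing identifier and in-memory key generation are assumptions that stand in for a real enrolment certificate and a real token; the point shown is that knowing the mailbox and the emailed personal code gives an impostor nothing to sign with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Registry is the relying party's record of enrolled directors. Each director is bound to
// the public half of a key pair whose private half lives on a hardware token. In production
// the public key would come from a certificate issued at enrolment; here (assumption) key
// pairs are generated in memory so the example runs offline.
type Registry struct {
	pubKeys    map[string]*ecdsa.PublicKey // director ID -> enrolled public key
	challenges map[string]challenge        // director ID -> outstanding single-use nonce
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

func NewRegistry() *Registry {
	return &Registry{pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]challenge{}}
}

// Enrol records the public key for a director once their identity documents have been checked.
func (r *Registry) Enrol(directorID string, pub *ecdsa.PublicKey) { r.pubKeys[directorID] = pub }

// IssueChallenge hands the filing session a fresh random nonce that the token must sign.
func (r *Registry) IssueChallenge(directorID string, now time.Time) ([]byte, error) {
	if _, ok := r.pubKeys[directorID]; !ok {
		return nil, errors.New("director not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.challenges[directorID] = challenge{nonce: nonce, expires: now.Add(2 * time.Minute)}
	return nonce, nil
}

// filingDigest binds the nonce to one specific filing so a signature cannot be reused elsewhere.
func filingDigest(nonce []byte, filingID string) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write([]byte(filingID))
	return h.Sum(nil)
}

// Verify checks the token's signature against the enrolled key. The challenge is consumed
// whether or not the check passes, so a captured response cannot be replayed.
func (r *Registry) Verify(directorID, filingID string, sig []byte, now time.Time) bool {
	ch, ok := r.challenges[directorID]
	delete(r.challenges, directorID)
	if !ok || now.After(ch.expires) {
		return false
	}
	return ecdsa.VerifyASN1(r.pubKeys[directorID], filingDigest(ch.nonce, filingID), sig)
}

// SignChallenge stands in for the hardware token: only the holder of the private key can do this.
func SignChallenge(priv *ecdsa.PrivateKey, nonce []byte, filingID string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, filingDigest(nonce, filingID))
}

// Demo runs three attempts against one registry: the genuine token, a replay of its signature,
// and an impostor who controls the mailbox but holds a different key. It reports which were accepted.
func Demo() (genuineOK, replayOK, impostorOK bool, err error) {
	directorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	impostorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	const director, filing = "director-0001", "filing-0001" // constructed identifiers
	reg := NewRegistry()
	reg.Enrol(director, &directorKey.PublicKey)
	now := time.Now()

	nonce, err := reg.IssueChallenge(director, now) // 1. genuine token signs the nonce
	if err != nil {
		return
	}
	sig, err := SignChallenge(directorKey, nonce, filing)
	if err != nil {
		return
	}
	genuineOK = reg.Verify(director, filing, sig, now)
	replayOK = reg.Verify(director, filing, sig, now) // 2. same signature again: nonce already consumed

	nonce, err = reg.IssueChallenge(director, now) // 3. impostor receives the challenge by email...
	if err != nil {
		return
	}
	badSig, err := SignChallenge(impostorKey, nonce, filing) // ...but signs with the wrong key
	if err != nil {
		return
	}
	impostorOK = reg.Verify(director, filing, badSig, now)
	return
}

func main() {
	g, r, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine token: %v, replayed signature: %v, impostor key: %v\n", g, r, i)
}
```

The nonce binds the signature to one filing and one session, and deleting the challenge on first use means a response intercepted in transit is worthless a second time; the emailed personal code never enters the check at all.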
Here's a story:
The Day the CEO’s Email Wasn’t the CEO’s Email
It started with a routine request.
Our client needed to verify the identity of a company director. Nothing unusual — just send a secure link to the director’s official address, ceo@bigco.com, and wait for the confirmation click.
A few minutes later, the “CEO” replied. The system marked the verification as complete. The paperwork moved forward.
Everything looked fine.
Except it wasn’t.
The Silent Switch
What no one realised was that, a week earlier, the company’s domain name — bigco.com — had been quietly hijacked.
The attacker had gained access to the registrar account where the domain was registered. With just a few clicks, they redirected the company’s email hosting to their own server.
Now, when someone sent a message to ceo@bigco.com, it didn’t go to the real CEO. It went to the attacker’s freshly created inbox.
From the outside, nothing looked suspicious. The address matched. The email arrived. The link was clicked.
The attacker had just passed identity verification with flying colours.
Why Email Alone Isn’t Enough
Email verification checks one thing:
Can this person receive a message at this address right now?
It doesn’t check:
- Whether they’ve always owned that address
- Whether the domain has been compromised
- Whether someone inside the company created a fake account
If the domain itself is taken over, email verification becomes a rubber stamp for the attacker.
How to Stay Ahead of the Trick
Here’s how to make sure you’re not fooled by the same move:
- Don’t rely on email alone — Combine it with phone verification, government ID checks, or live video confirmation.
- Monitor domain history — Flag sudden changes in registration, transfers, or name servers.
- Use domain security — DNSSEC, SPF, DKIM, and DMARC make some attacks harder.
- Bind identity to a digital certificate — Once verified, use cryptographic keys instead of just email for ongoing trust.
The Lesson
In this case, we caught the problem — but only because another system noticed the domain had been altered days earlier. Without that extra layer, the attacker could have slipped right through.
When it comes to verifying someone’s identity, email is a useful tool — but it’s like a lock on a screen door.
If the whole doorframe can be lifted off, the lock isn’t doing much.