Identity Fraud in Australia: A Bad Time Meets Poor Design
Let me start out by saying: I know I am lucky compared to most who have had to deal with identity theft. The people who stole my identity were unsuccessful in using what they stole to seriously impact me. Many other people have had much worse outcomes happen to them because of much more successful or prolonged identity fraud. Even though I was one of the lucky ones, it still kicked off a long process of trying to claim back my identity. This process showed me our current infrastructure to deal with identity theft in Australia is not up to scratch and we need to do better.
Timeline of events
Fraudulent credit application: Out of the blue I received a letter advising me of my unsuccessful credit card application from a financial company I didn’t even know existed. When I contacted them, I discovered that someone has my driver’s licence, has googled my current workplace (damn you LinkedIn!), and used both to try and take out a credit card in my name. Luckily, they didn’t get past the final credit checks, but the fact that they had enough information to successfully submit the application is enough to know that my identity has been compromised.
- Side bar: On further investigation it turns out our mail forwarding didn’t extend to my licence renewal, and someone at our old address had signed for my new driver’s licence. Neither Australia Post nor the QLD Department of Transport and Main Roads (TMR) can tell me who signed for it. The whole thing makes a mockery of requiring signatures for delivery. It’s not secure or monitored, so why even bother?
Reporting identity theft to EVERYONE: This kicks off a cascade of actions. At the end of this article I note a number of links about preventing and dealing with identity fraud, which I strongly suggest you check out. Here’s what I immediately had to do, requiring me to take a full day off work:
- Report the incident to ACORN (Australia Cybercrime Online Reporting Network)
- Contact the three credit reporting agencies to place BANs on providing checks for me. I also requested a credit history report from each of them to see if there had been any other suspicious activity. Unfortunately, as well as the credit card application, there had been an unsuccessful attempt to take out a phone/internet service.
- Contact all my financial institutions to alert them to possible fraudulent activity. In the case of my bank, this required me to present myself in person at a branch to prove my identity.
1st visit to TMR: Finally I went to TMR and asked them to reissue my licence. Unfortunately they couldn’t change my customer reference number (CRN) on my licence. For that I required an official police report, which was still pending. Even after all this my identity is still at risk. I can’t secure my driver’s licence until I can get a driver’s licence issued with a different CRN (when your licence gets renewed it keeps the same CRN). To get a licence with a new CRN I need to get a police report first.
...3 months pass...
Official police report: Finally I am able to make an appointment at my local police station and give a witness statement after which I am issued with an official police report.
2nd visit to TMR: My police report in hand, I submitted an application to TMR to get my licence CRN changed. This process takes half a day, and I am informed it could take anywhere from a week to a month for me to find out if that request is approved or denied. The police report requesting I be issued with a new CRN is not enough to proceed directly, as TMR has to assess and approve that request independently.
3rd visit to TMR > licence secured!: TMR then gets back to me in a few days saying that they’ve approved my new CRN on a Friday and the following Monday I’m able to hand in my old licence for my new one, complete with new CRN.
The problems the system has now
My situation was mild compared with a major case of identity fraud. Identity fraud is on the rise, and it’s very clear our current processes are ill-equipped to deal with it. Here are the worst offenders I witnessed working my way through the system we currently have.
Credit Reporting Agencies: A ban on your account is a good tool; it stops credit checks being made, which in turn shuts down any applications for credit or services which extend you a line of temporary credit (e.g. phone/internet provider). You can only request a ban of twenty-one days, after which you need to renew the ban by going through the whole process again. Compare that to the fact it took over three months from when I first reported an identity fraud attempt to when I finally got my driver’s licence CRN changed and you can see this isn’t fit for purpose. In fact, if we’re being brutally honest, it’s barely even protection.
On top of this, putting those bans in place is a confusing and messy process, and even then only IF you can find the details of how to do so. In each case you need to send an email to them (no standard web forms!?) and in the case of TCS the exact identification needed in that email is unspecified. I’ve added the deep links to each one’s BAN request forms/procedures (these were current at the time of writing: 15/7/19).
- Equifax: You need to search within the site for “ban” to then be directed to their FAQs (which aren’t linked anywhere in the site navigation). After that you need to find the relevant FAQ and get the details from there. Amazingly, this page appears to not be linked to anything else. https://www.mycreditfile.com.au/node/645
- illion: At least the FAQs are easy to find. Once you’re there, you’ll be directed to an online PDF form with all the details you need. Of the three, illion is the best, but it’s a very low bar. https://www.checkyourcredit.com.au/Resources/Forms/BanApplicationForm.pdf
- Tasmanian Collection Service: Absolutely the worst. Not clear at all where you need to go; not even a site search available. When you eventually find the details, the form you are required to fill out doesn’t even bother specifying the exact identification you need to send. https://www.tascol.com.au/wp-content/uploads/sites/3/2017/09/Identity-Theft-ban-request-form.pdf
ACORN and the police: I am a huge fan of the work our police do; however, they are ill-equipped to effectively deal with identity theft. Reporting my identity theft through ACORN was easy, but the time it took to then have that turned into an official police report was unacceptable. Had I been fighting against a much more concerted effort to use my identity fraudulently, my financial situation could have been well and truly compromised by the time I got a phone call to come down to the local police station to give a statement. When I did eventually get to the station to give a statement, the officer taking it didn’t have any materials to give me about identity theft, nor did he have any procedure to follow (even though I had submitted quite detailed information through ACORN). What ensued was him taking a fairly generic statement about what had happened. Luckily I had been taking extensive notes so the statement I gave was quite detailed.
The QLD Department of Transport and Main Roads (TMR): TMR was very helpful and supportive all three times I went to see them about my replacement licence. However, they are ill-prepared to deal with someone’s main form of identification, their driver’s licence, being compromised. First, they don’t have a procedure easily available to staff, even though they admit theft of driver’s licences is quite common. I had an email from ACORN instructing me to take the police report to TMR to get my CRN changed, yet when I presented the mail to the service desk along with the police report the staff member there, who was quite experienced, was adamant that I couldn’t change my CRN. I insisted they check with their supervisor. After they confirmed it could be done, they then had to search for the procedure on their systems, which took a while. Once they’d found it, it still took another two calls to their manager to figure out exactly what they had to do. That lack of understanding and knowledge is not good enough when identity fraud is becoming more common.
Let’s improve the process for dealing with identity fraud
It’s not a matter of convincing people of the seriousness of identity fraud or even that identity theft is on the rise. All through this I’ve asked everyone I’ve dealt with if they are seeing instances like mine often and everyone has said a version of: “Yes, we’re seeing a lot more identity fraud cases these days”.
What we need is for the processes for assisting affected individuals like myself to catch up to the problem. That’s where some better design can come in.
One source of truth: Identity Codes
I have had to prove my identity many times recently and each time was a little different from the last. The best one I’ve experienced was the TMR. As well as reviewing a full suite of documents they also took my picture with their licence cameras and did an image matching test to see if that image matched the driver’s licence image they had on file. This was, by far, the most comprehensive identification process I had seen.
Let’s have one identification process to rule them all. That process can be through TMR. Once you have submitted an identity fraud report you can go to TMR to prove your identity (via photo matching) and this proof of identity is then turned into a unique identity code which remains valid for ten days. Anywhere you need to prove your identity, you can use this identity code to verify it’s you.
TMR is already set up with the infrastructure to do both the photo matching and handle many customers, and we’d only need to expand their current capabilities a bit more to handle the increased demand resulting from this. After that it’s simply a case of having a web portal that each organisation can create an account on to verify the identity codes.
Through identity codes we significantly increase the validity of every identification process, get rid of lots of paperwork, and make it really easy and fast to take action to mitigate identity fraud. When your identity has been compromised this identity code will trump all other documents and so allow you to immediately access any service that has been fraudulently set up in your name. The identity code has a short effective period, so it has a very low chance of being fraudulently used.
One report = Many alerts
I shouldn’t need to report identity fraud to three separate credit reporting agencies and then to ALL my other financial services. That is not efficient and it’s not going to get my identity protected in a timely fashion.
Instead, once I confirm my identity with TMR and I’ve submitted an identity fraud report through ACORN, that report should act as my virtual messenger to everyone who needs to know. The three credit reporting agencies will be pushed an alert to place an immediate ban on my accounts and will be required to send me my credit history report immediately. All financial institutions in Australia will be required to do a daily check for credit alerts from ACORN and if one of their customers matches an alert, they will be required to contact that customer immediately.
For any credit application taken out under an alert without a corresponding credit check, the institution providing the service will be 100% liable for any costs incurred and liable for extra fines on top of this and/or the removal of their financial services licence.
The best information highly available
The most disappointing thing in this whole process was how little support and information the front line staff at TMR and the police had in order to assist me.
Let’s have a centralised and regularly updated resource for procedures stored within ACORN and available to anyone who needs it. It will have guides on how to help people, like myself, work through the steps they need to secure their identity. There’ll be a standard set of resources they can provide to everyone going through this process. Having a central resource will make the best and most up-to-date information available at all times. Identity theft is a moving target so we need the front line staff to always have the best information at their fingertips to help combat it.
The answer isn’t increasing identification requirements
One of the first thoughts that came to mind when considering how to improve this process was: “We could stop this happening by increasing the identity verification requirements for all financial services!”. As much as this appeals on some levels, I don’t think it’s a viable solution.
While identity theft is on the rise, it still only makes up a tiny fraction of all the financial transactions each year in Australia. If we were to increase the cost of facilitating all those transactions we’d see everyone pay more in time and money just to potentially decrease the number of identity fraud cases by an unknown percentage. Until we have a cheaper and easier way to verify identity the current requirements are good enough, as long as we have adequate processes to deal with identity theft when it does happen.
However, we should always be looking to do better, to make improvements to both prevention and remediation.
That better probably isn’t blockchain.
“A 'BLOCKCHAIN BANDIT' IS GUESSING PRIVATE KEYS AND SCORING MILLIONS” Wired, https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/
Or maybe it is ...
“How to use blockchain to reclaim our identity” by TTM Agency, https://link.medium.com/QYNfDFCqHX
Identity Fraud 101
There’s a bunch of resources out there to help you protect your identity and protect yourself in the event that your identity has been used fraudulently.
The Australian Govt has produced the Protecting Your Identity pamphlet, which is a must read for everyone - https://www.homeaffairs.gov.au/criminal-justice/files/protecting-your-identity-booklet-what-everyone-needs-know.pdf. In it there’s a bunch of checklists to follow to make yourself more secure and for dealing with identity theft itself.
If you suspect you have been a victim of identity fraud then download and follow the steps in the identity theft checklist immediately.
There’s a heap more resources available which I encourage you strongly to review regardless of whether you think you are at risk of identity theft or not. We are all at risk of identity theft.
- ACORN (Aust Cybercrime Online Reporting Network) - is the place to report any instance of identity theft: https://www.acorn.gov.au/learn-about-cybercrime/identity-theft
- IDCARE - Australia and New Zealand’s national identity & cyber support service: https://www.idcare.org/
- Identity Security - Australian Govt: Office of the Information Commissioner - https://www.oaic.gov.au/individuals/faqs-for-individuals/social-media-ict-identity-security/identity-security
- Privacy fact sheet 37: Fraud and your credit report - Australian Govt: Office of the Information Commissioner - https://www.oaic.gov.au/individuals/privacy-fact-sheets/credit-reporting/privacy-fact-sheet-37-fraud-and-your-credit-report
- Privacy fact sheet 8: Ten tips to protect your privacy - Australian Govt: Office of the Information Commissioner - https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-8-ten-tips-to-protect-your-privacy
- Identity Crime - Aust Federal Police - https://www.afp.gov.au/what-we-do/crime-types/fraud/identity-crime
- Identity protection and recovery - Aust Govt Department of Home Affairs - https://www.homeaffairs.gov.au/about-us/our-portfolios/criminal-justice/cybercrime-identity-security/identity-protection-recovery
- Identity Fraud - Aust Securities and Investments Commission - https://www.moneysmart.gov.au/scams/identity-fraud