In The News
Identity crisis
The Age
24 February 2004
Sue Cant
John Grant hacked into a website he tracked through a suspicious
email. He watched, amazed, as six people provided their banking
details to the fraudulent site.
Grant (not his real name) was watching "phishing" in
real time. Phishing - as it has been tagged - is where ghost sites
and emails purport to represent real organisations to dupe people
into handing over their personal details.
Grant rang the Internet Industry Association (IIA) to alert it
to the fraudulent site and is now helping Australian Federal Police
track down the site's owners.
Phishing is part of the growing problem of identity fraud, where
technology solutions cannot keep pace with criminals needing only
minimal technical skills.
Stealing an identity or creating a new one is not new but it has
become much simpler with a personal computer, scanner and laser
printer.
"What technology can do in terms of sharing information ...
means that the impact of identity theft is far-reaching," says
David Lacey, research manager at the Securities Industry Research
Centre of Asia Pacific (SIRCA).
Last year, SIRCA produced the first report of its kind on the nature
and extent of identity theft, estimating it cost more than $1.1
billion in 2001-02.
A Federal Trade Commission survey in the US calculated the cost
to business and financial institutions to be $61 billion last year,
with consumers losing $6.4 billion, while the British Cabinet Office
estimates the cost of identity fraud to the British economy was
at least $1.6 billion in 2000-01.
Identity fraud can range from fake university degrees to phantom
beds in nursing homes occupied by non-existent patients and serviced
by non-existent staff.
But concern over the use of false and stolen identities is growing
because it is enabling major organised crime and terrorist activity
around the globe.
In the US, the problem is rampant and has increased by 88 per cent
in the past 12 months, says the IIA. Victims may end up with disastrous
credit records, speeding fines or, worse, a criminal record for
crimes they did not commit. "It's an epidemic in the US,"
says Barbara Etter, the director of the Australasian Centre for
Policing Research.
While it is recognised as a growing problem in Australia, it has
been the leading issue for the past three to four years in the US,
says the president of the US Internet Industry Association, David
McClure.
McClure experienced the effects first-hand after his 25-year-old
son, Ryan, lost his wallet in a traffic accident. Eventually they
convinced police to investigate after Ryan's identification was
used to obtain finance. "It was difficult to convince the authorities
he was the victim," McClure says.
McClure says some victims have become so frustrated by police inaction
that they have stalked the houses of suspected criminals. "There
is no physical protection that hackers and phishers cannot get around
because people are basically trusting," he says. "It's
so much easier to hide who you are on the internet."
In the US, several companies are being used to verify identities.
Public databases are used to double-check the identity of a person
at a ticket counter. They may be asked a series of questions related
to their address, including the names of nearby streets or restaurants.
"It's beginning to grow. People are using it more and more,"
McClure says.
But the pace at which criminals learn how to exploit technology,
combined with the number of potential identities that can be stolen,
is increasing.
In Australia each year, there are nearly half a million new residents
as a result of births and new arrivals. There are 2.46 million new
electoral enrolment forms, 1.4 million new passports and 4 million
new Medicare cards.
The Federal Government is working on the adoption of a common set
of proof-of-identity documents of higher integrity to be used by
government agencies, including an online document verification service
and enhanced data matching across agencies to detect fictitious
identities. A feasibility study is under way into how online verification
of identity documents can be introduced by linking state authorities.
The Government also hopes to involve organisations such as banks
in online verification. An example would be if a teller is checking
the identification required to open an account. With online verification,
the teller could check if the identification was issued by the relevant
authority.
"It's a pervasive issue (and) it's affecting most government
departments," says criminologist Russell Smith, with the Australian
Institute of Criminology.
"We really do need some uniform act to cover it (identity
theft) right around Australia."
Last year, the Australian Crime Commission set up a Special Intelligence
Operation on Identity Fraud, allowing the ACC to use its coercive
powers to assist identity fraud investigations.
"Identity fraud and theft has definitely increased over the
past few years globally," the ACC's chief executive officer,
Alastair Milroy, says. "Technology is having a major impact
on the types of crime that people can commit. Organised crime groups
are targeting document-issuing agencies and getting the help of
professionals to produce high-quality fraudulent documents in bulk.
Some of the production is easily done with commonly available desktop
programs and scanners."
Milroy says credit card skimming devices - where information from
a magnetic strip on a card is downloaded and then transferred to
fake cards - are compact and capable of storing considerable amounts
of data.
The ACC - which last year replaced the National Crime Authority,
Australian Bureau of Criminal Intelligence and Office of Strategic
Crime Assessments - has also updated its Identity Fraud Register,
which provides intelligence to law enforcement agencies by keeping
a register of suspected fake identities.
Another crime-fighting unit, the Australian High Tech Crime Centre,
part of the Australian Federal Police, was also formed last year.
It works with international counterparts such as the FBI Cyber Crimes
Division to investigate computer-related crimes such as fake websites.
Recent activity in the area of identity fraud has been frenetic
and networking on the latest information has even taken place at
product launches. A few weeks ago, the IT security industry gathered
for the launch of a security product that attracted the IIA; the
country's top computer security group, AusCERT; the AFP's high-tech
crime centre; and senior IT security staff from banks.
The co-operation of the banks and other affected industries such
as retail is an about-face from a few years ago, when concern about
security breaches being made public meant institutions were reluctant
to share information with authorities.
Even with the outbreak of the phishing scams last April, the Australian
Bankers Association concedes the banks had hoped they could resolve
it by themselves. "We didn't want to frighten customers (but)
that attitude has diminished," says a director of the ABA,
Tony Burke. "Banks do need to tread carefully. There is a line
between sharing information and frightening people."
Two weeks ago, the ABA had a teleconference with the British Payments
and Clearance Association and European and Australian banks to discuss
the phishing scams. While the ABA cannot reveal details of its discussions,
the talks help banks identify new scams more quickly.
"We have stuff in Australia that hasn't happened in Europe,"
Burke says. For example, a phishing scam that took a different approach
by routing through a different set of servers.
In another case, a scanned image of a new device to skim cards
had been found in Brazil and was immediately sent to banks around
the world.
This year, the IIA has made identity theft its priority. "When
you think of the range of possible misuses of the internet ... and
you get to the issue of identity theft, it stands apart from many
of the others because of its victim impact," chief executive
Peter Coroneos says.
"The capacity of people to do damage is far outstripping the
knowledge of the end user, and we want to close that gap as soon
as possible. People are too ready to trust when it comes through
an email," he says.
Technical solutions including biometrics and unique identifying
chips in PCs are being investigated, Coroneos says. "We are
seeing a lot of investment in the area. There is no question that
some level of biometric protection could provide users with a way
of identifying themselves."
But hardcore criminals are already trying to get around biometrics.
At a security conference last week, the director of investigations
and forensic services at PricewaterhouseCoopers, Richard Batten,
related a gruesome anecdote from a bank official he met recently.
The banker had told Batten that the bank's fingerprint identification
had been compromised after a criminal chopped the finger off a wealthy
individual. While heat-sensitive devices should have been alert,
the criminal had warmed the finger before applying it to access
the person's account.
Batten ponders: "How effective is it if villains are prepared
to go to such lengths?"
NEXTSPEAK
Identity theft: Stealing someone's identity and
using their personal details for criminal ends such as obtaining
loans in their name.
Cloning: Adopting someone's identity and acting
out their life through use of their personal details.
Phishing: Sending an email claiming to be an established
legitimate enterprise in an attempt to scam the user into surrendering
private information that will be used for identity theft. The email
directs the user to visit a website where they are asked to update
personal information, such as passwords and credit card, social
security and bank account numbers, that the legitimate organisation
already has.
Credit card skimming: Using a special skimming
device to download information from the magnetic strip on a credit
card and transferring it to a fake card.