24 Jan 2017
News George A. Romero, the creator of the modern zombie phenomenon with the 1968 cult classic Night of the Living Dead, has died (for now) of course brings the undead to mind.
The financial services sector has its own silently stumbling zombie hoards: ‘zombie’ companies are those which have no vital signs of viability but have not been closed down by their creditors or regulators.
But another hoard roams the world: ‘people’ who are not who they claim. Or more precisely, fake identities created for the purpose of illegally obtaining credit. (Actually perhaps Invasion of the Body Snatchers is an even better analogy but the director of that one, Don Siegel, died 25 years ago.)
Identity theft is a global problem which costs individuals and institutions, private and public, tens of billions of dollars a year.
"Two weeks is the bureaucracy idea of immediate action – where 'immediate action' translates as 'do nothing but ask for more information'." - Andrew Cornell
According to Deloitte’s latest Responsible Business Report an estimated one million Australians were victims of online identity theft and cybercrime in 2014. Illegal activities such as these cost the nation more than $A1 billion annually.
Those numbers are growing. In the US, the Insurance Information Institute reported a 2017 Identity Fraud Study, released by Javelin Strategy & Research, found $US16 billion was stolen from 15.4 million US consumers in 2016, compared with $US15.3 billion and 13.1 million victims a year earlier.
In the past six years identity thieves have stolen over $US107 billion, Javelin said.
Having recently had my own identity stolen, both the crime itself and the bureaucratic process to halt the digital zombie are infuriating. Despite the scale of the problem, agencies such as licence issuers seem to have little idea how to rapidly respond when their documents are used illicitly.
Two weeks is the bureaucracy idea of immediate action – where ‘immediate action’ translates as ‘do nothing but ask for more information’.
Having now spoken to a range of fraud officers, it is frighteningly easy for a fake identity to be created. Often the information required is already public; where it’s not it can relatively easily obtained.
Where a vehicle licence is involved, apparently the information has often been illegally obtained from car rental or leasing companies.
“Someone might simply photocopy a bunch of application forms which have all the details,” one bank officer told me.
A broader question then emerges: how secure are the custodians of critical identity information? And how aware are they of the sensitivity of the material they demand?
Not very, according to Jessica Sier at The Australian Financial Review, in a paywalled article called “Real estate requirements an identity thief’s dream”.
We’re all too aware of mass hackings, of security wall collapses releasing vast torrents of private information, but there is also the sort of mundane, every day, never considered threat of poor information security.
Sier begins with the question “do you trust your local real estate agent?” and goes on to detail the information she was a told was “required” from each would-be tenant: current drivers licence, birth certificate, proof of age card, passport (visa if applicable), Medicare card, credit card, motor vehicle registration certificate, bank statement and telephone account statement.
“AND: last four rental receipts, print out of tenancy history, utility statements, three previous pay slips or a bank statement and a minimum of two written references,” she writes. “Birth certificate?! With that amount of information on me, you could dead-set pretend to BE me. Do you know how valuable all that stuff is?”
Now it seems a stretch all that is needed but even if it is, what followed was even more alarming. Being a technology writer, Sier asked about information security, password policy, retention policies etc. The response? Silence and incomprehension.
In a recent case, a major organisation accidentally released personal information – including passport numbers - to “third party suppliers”.
Given what I learned from the fraud officers in my own experience, far too many businesses which collect private information don’t protect it.
The police officer I spoke to said it was increasingly common for fake identities – often created with stolen passports or licences but sometimes created from scratch – to be used to obtain funds illicitly.
Too often these identities replace real ones and unsuspecting individuals have their accounts cleaned out. In other cases it is the financial institution which advances money or has to reimburse the victim who loses money.
Convincing organisations to take the security of client information seriously is one challenge but cybercriminals are always moving ahead. Organisations too have to be proactive.
For example, Australia's largest banks are supporting a shared industry "utility" for customer identification and verification. While this was once seen as a competitive advantage, the banks now recognise cooperating on “know-your-customer (KYC)” protocols is better for all – including customers.
Such a utility should help prevent financial crime, reduce costs and benefit the sector as a whole. AUSTRAC, Australia’s financial transaction invigilator, is supportive of the idea according to Thomson Reuters' Accelus Regulatory Intelligence service.
ANZ’s head of financial crime Guy Boyd told the publication there were significant economies of scale which could be achieved if banks collaborated.
Peter Clark, acting chief executive of AUSTRAC, said technology-based utility solutions offered the promise of capturing data once and re-using it many times, as participants would be able to access the same customer identity database. This could have the additional benefits of improving the integrity of customer data and reducing compliance costs.
Boyd said “anything that can assist in … making it as streamlined as possible for the customers that you want to bank, and identifying those that are a risk to the institution, is something that we support”.
Banks actually already do a relatively good job of protecting customer information; it’s a core business. They are far from the most insecure custodians of data.
Indeed, while trust in banks overall has taken a battering in recent years, their confidentiality is still something in which the public has faith. It can even be a competitive advantage.
Safeguarding identity in a digital world however is a challenge which goes beyond one sector, beyond the private sector.
The World Economic Forum currently has a project running, coordinated by Deloitte, investigating A Blueprint for Digital Identity.
As the project notes “identity enables many societal transactions, making strong identity systems critical to the function of society as a whole”.
“Physical identity systems currently put users at risk due to overexposure of information and the high risk of information loss or theft; they also put society at risk due to the potential for identity theft, allowing illicit actors to access public and private services. Digital identity would streamline and re‐risk completion of these public and private transactions.”
Road traffic authorities and real-estate agents might be among the first to adopt them.
Andrew Cornell is managing editor at bluenotes
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
24 Jan 2017
27 Jul 2015