Is privacy a quaint notion from a bygone era? Never has there been a generation so willing to reveal their most intimate details to complete strangers. We share our thoughts via blogs, our private pictures via online photo albums and our personal details via social networking site. We line up by the thousands to get onto Big Brother and Idol. We bare our souls to the world and really don’t care who is watching.
But watching they are. There are those who are not interested in what is happening in your life, they just want your life.
A few years ago, I worked in a team that implemented a new fraud system for a major bank. The person in charge of the Fraud department is extremely busy. When you walk into his office, he has mug shots about 5cm by 4cm, pasted on the wall of those who have tried to commit fraud against the bank. Two walls are covered and that is from fraud attempts from that year alone.
Advertisement
He showed me the photo of one person who had 30 different aliases. These aliases were not just made up names but had driver’s licences, passports, the works, for each alias. I asked him how it was possible that someone could get such documentation that was clearly fraudulent. With the right information and technology, you can reproduce these forms of identification.
Identity fraud is one of our biggest problems, a problem that has been exasperated by the rise of technology and by the decline in following protocols by persons required to check the authenticity of identification (such as store clerks who at best give your signature on a credit card a quick glance). Most do not know what to look for to ensure that a piece of document, such as a drivers licence, is genuine.
In October 2007, the BBC show Watchdog showed just how easy it was to assume someone’s identity by making contact via the popular social networking site Facebook. They created a fictitious person called Amba Friend with a cartoon picture on her profile page. They then contacted 100 random users of Facebook inviting them to become friends. 35 replied even though they knew nothing about Amba.
One person who accepted Amba’s invitation was Scott Gould, 23 whose profile contained his date of birth and hometown. With these details, the Watchdog team were able to research further information on other websites. With the information they were able to obtain, the Watchdog team were able to successfully open an online bank account and credit card.
But taking precautions to protect your identity is not enough when those who handle your private information fail to follow procedures. A good friend of mine was a victim of identity theft this year. A person had responded to an ad that he placed in the trading post to sell a car. He said that he wanted the car but couldn’t come around straight away. He asked if he could make a deposit in order for my friend to hold the car. He asked for bank account details in order to transfer the funds.
My friend, being wary, gave the account number for a loan offset account that you could not make withdrawals readily. He also immediately contacted the bank to inform them of what was to happen and to look out for any suspicious transactions - all duly recorded against his details.
Advertisement
The perpetrator, having done some other research, using a false name and false address contacted my friend’s bank (not the bank I worked for) and had the passwords reset and the address details changed. They were on their way to taking control of the accounts. The bank employees had not followed procedures.
My friend had the foresight to monitor the accounts and saw what had happened. What was disturbing was that after my friend had everything restored, the perpetrators were able to have everything changed a further two times. My friend had to be issued with whole new accounts and now has a permanent credit watch placed on his accounts. Although he was lucky in that he did not lose any money, he wasted a great deal of time and energy, not to mention the extra cost he now has for the credit watch and the post office box that he now has all his mail directed to.
A colleague was bemoaning the other day on the red tape he had to go through to get a change of address on his drivers licence. His wife who was a signatory was required to attend an RTA office to provide proof of identity. I pointed out that this was probably necessary, as the driver’s licence has become the de facto primary source of identification, mainly because it contains a photo. If someone had fraudulently obtained a change of address, they could then take over your drivers licence. With a drivers licence, they are well on their way to gaining access to all sorts of things, such as obtaining a mobile phone, which can be used for illegal purposes, obtaining an Internet account to view illegal sites or to open a video store account and then take off with a stack of DVD’s. And whom do you think the authorities will come after?
As post 9-11 has caused a significant rise in inconvenience when catching a plane, expect to see a significant rise in inconvenience in proving who you are. Many organisations are implementing steps to combat identity fraud. It will not be long before you will need to enter a PIN number to complete a credit card transaction. It will only be a matter of time before we will be required to have our photo displayed on our credit cards.
Banks are now issuing smart chip enabled credit cards. Don’t be surprised if you are asked the name of your favourite film in order to complete a transaction, the answer of which will be stored on your smart card. Also coming is two factor authentication where in order to complete a transaction, you will receive a code on your mobile phone via SMS that you will have to enter in conjunction with your PIN. This code will only remain valid for a few minutes.
The previous federal government under John Howard has also moved to combat identity theft with the implementation of the Anti Money Laundering (AML) legislation which all financial institutions are required to comply with. AML will monitor your transactions and flag anything out of the ordinary or suspicious. Making a transaction is about to become a lot more involved for this will be the price we will need to pay to secure our identities in the future.
So how can we minimise the risk of becoming a victim of identity fraud? Some things you can do are:
- shred or burn important documents you no longer require, including unsolicited applications for financial products. You will be surprised what can be gleaned from the recycle bin;
- minimise the amount of personal data you display on web sites.
- use a generic free email account such as yahoo or Gmail when asked to provide an email address from someone you are not sure about;
- ensure you have adequate firewall and virus protection installed on your PC;
- don’t enter personal information onto a public PC;
- don’t leave receipts behind;
- reconcile your bank accounts including your credit card. I do mine fortnightly;
- if you do need to engage in online transactions, open an account from another bank and only keep the minimum required amount to complete the transaction. Also ensure the online transaction is taking place via the secure hypertext transfer protocol (SHTTP://) connection;
- ask your bank what they are doing to protect your details. Do they have set limits on how much can be transferred? Do they ask previously entered personal question of which only you would know (for example, what was the name of your first pet) before transfers to other accounts or online change of details can take place; and
- banks will never ask you to provide passwords or other sensitive information via emails or letters. This is known as phishing. Just delete them. If you are unsure of an email, don’t open it just delete it. If it is genuine, the sender will find away to contact you.
Identity management is one of the biggest issues we face today. How do you confirm a person’s identity easily?
Current indications are that the process of identification will only become more involved. Current legislation requires you to pass the 100-point test when opening a bank account.
This is usually done by presenting your passport (70 points) and a driver’s license (40 points). There is also a push to extend the 100-point check to obtaining other items such as a SIM card for a mobile phone. However, it already seems that the 100-point check is faltering in the current technological environment. Three or four pieces of documents should now be required. This can be achieved by lowering the values of acceptable documentation required for the 100-point test. For example, make a passport worth 50 points, a drivers licence 30 points, which would require another form of identification such as a birth certificate.
One possible way to ensure identity without having to present documentation is via personal verification. My parents know who I am, my next-door neighbour knows who I am, my boss knows who I am and so do many more. If there was a way to store these relationships and authenticate them, you could have a trusted relationship network that others can tap into to gauge your identity risk.
One possible way is via public/private key encryption where only you know your private key, but others know your public key. By building on your network of relationships where you distribute your public key to those you know and they provide you theirs, then by cross referencing these public/private keys, you can authenticate your relationship network and an identity rating can be established. The higher the rating, the trustworthier the identity is.
However, the best way to protect your identity is through vigilance. And finally, remember the golden rule, if it sounds too good to be true, it probably is.