Chapter 6

Navigation: Previous Page | Contents | Next Page

Chapter 6

Technology and identity crimes

6.1        Having examined the regulatory relationships between the private and public sector, together with some crime prevention tools and strategies, the committee now examines the increasing use of technology in financial related crime, together with the increasing incidents of identity crime.

6.2        This chapter examines some of the technological enablers of financial related crime, including the 'Darknet', alternative currencies and the roll out of 'tap and go' technology.

6.3        This chapter also examines the role of iDcare as the lead organisation responsible for providing assistance to victims of identity crime.

6.4        Identity crime and credit card fraud are also examined in the context of new technology. Law enforcement strategies for addressing identity theft, especially the Document Verification System (DVS) are also examined in this chapter.

Technology

6.5        Many submitters and witnesses discussed the significant role that technology plays in facilitating financial related crimes. While technology has always been used for nefarious purposes, many witnesses and submitters emphasised the increasing sophistication of criminals and their reliance on rapidly changing technology.

6.6        The ACC submitted that financial crime is becoming significantly more sophisticated, in large part due to advances in technology. The increased use of technology by financial service users is playing a decisive role in facilitating financial related crime.[1]

6.7        The ACC argued that in the international space, three factors shape the serious and organised crime environment:

...the infinitely complex, diverse and pervasive nature of serious and organised crime which is fundamentally enabled by globalisation, technology and cyber capabilities...[2]

6.8        The AFP emphasised its concerns with respect to the threat of cybercrime, where financial related crimes are perpetrated against individuals or corporations. The AFP argued that new technologies were allowing organised crime organisations to facilitate advanced and complex criminal acts against Australian interests:

Cybercrime that is undertaken for financial gain is a significant issue for Australia as it is complex, multi-jurisdictional and is generally considered an enabler for financial crime. [3]

6.9        Submitters also raised the increasing use of specific technological tools in financial related crime, like Bitcoin and Darknet, both of which are examined below.

Bitcoin

6.10      Bitcoin is a virtual currency which allows online payments via peer-to-peer transfers between computers, into 'real currency' and provides users with an alternative to traditional banks. Bitcoin transfers are made by online exchange houses that facilitate exchanges between virtual currencies and standard currency.[4] The ACC noted that peer-to-peer transfers of virtual currencies can occur instantaneously without the need for transfers via third parties:

This offers an entirely legitimate means of transferring value outside of the formal finance sector.

The anonymity that this process affords, and the ease with which virtual currencies can be exchanged within and across borders, make them attractive to serious and organised crime. Virtual currencies are also attractive to individuals seeking to engage in criminal activities and the 'darknet', such as the former Silk Road, which relied solely on Bitcoin for the trade in illicit goods, including illicit drugs.[5]

6.11      The AFP submitted that the increased popularity of online currencies like Bitcoin provides additional opportunities for criminals to hide their identities online due to the lack of regulatory oversight of online currencies.

6.12      The ACC explained that the extent of Bitcoin's use for criminal activities is as yet an unknown quantity:

Although virtual currencies such as Bitcoin are seen as vulnerable for exploitation by organised crime seeking to facilitate money laundering activities, evidence that this is occurring on a large scale is yet to be identified.[6]

6.13      AUSTRAC submitted that the evolution of digital currencies allowed internet based means of transferring 'real-world values' in lieu of using traditional currencies or physical commodities. AUSTRAC noted that digital currencies allowed individuals and entities to conduct both simple and complex international funds transfers outside standard regulatory arrangements:

The evolution of digital currencies has led to the development of internet-based, electronic means of transferring ‘real-world’ value. In contrast to traditional physical currencies issued by national governments, digital currencies (such as Bitcoins, SolidCoins and Linden dollars) are issued by commercial enterprises and are not backed by traditional currencies, precious metals or other physical commodities.

Digital currencies potentially allow individuals and entities to conduct quick and complex international funds transfers outside the regulatory requirements of the traditional financial system. Digital currencies that are not backed, either directly or indirectly, by precious metal or bullion are not regulated by the AML/CTF Act.[7]

6.14      AUSTRAC noted that the anonymous nature of digital currencies may appeal to criminal individuals or groups, who may see the currency as an instrument with which to evade tax or to obscure the origin of illicitly obtained funds:

Criminal groups and individuals may increasingly use digital currencies, as opposed to online trading of real currency, due to the anonymity. These digital currencies present challenges for government agencies in following the money trail.[8]

6.15      The AFP agreed with the premise that the lack of AUSTRAC oversight of Bitcoin means it is an attractive method for money laundering or tax evasion in Australia:

...the use of these currencies may circumvent Australian Transaction Reports and Analysis Centre (AUSTRAC) reporting requirements regarding the movement of monies into, and out of, Australia.[9]

6.16      The ABA also noted in its submission the increasing availability of Bitcoin as an alternative currency. The submission noted the US Inland Revenue Service recognised Bitcoin as a currency and that it had been seized as part of their confiscations of the proceeds of crime program.[10]

Darknet

6.17      As outlined above, Darknet is often associated with the use of Bitcoin to enable financial related crime, including the use of stolen or misappropriated funds to purchase illicit goods or services.

6.18      SAPOL noted that with an 'onion router', an internet user could obtain access to the Darknet where they could access a variety of illicit material, including child exploitation sites or online drug markets:

These darknet sites are predominantly around child exploitation material. There are drug sites. They had identified their own drug sites. It is a bit like Gumtree—you put an order in, say what you want, you give an address and then it will be sent to you. But because of the way the site operates, it uses your IP address because it comes through what is known as the onion router. There is no way of identifying who the person is. Because it comes in through that piece of software, the actual identity is stopped.[11]

6.19      While law enforcement agencies can act to some extent against Darknet sites, SAPOL noted that it was difficult for law enforcement to keep track of purchasers and sellers of illicit substances through the internet and Darknet.[12]

6.20      Victoria Police agreed that Darknet was an issue, as it facilitated criminal access to firearms sales, drugs and child exploitation materials.[13]

Committee view

6.21      The committee shares the concerns of Commonwealth, state and territory law enforcement agencies about the use of Bitcoin to procure illicit products and services on the Darknet.

6.22      The committee believes it is critical to ensure that Australian federal law enforcement agencies have adequate strategies and tools for the detection and disruption of technologically enabled financial crime.

6.23      However, at the time of writing the committee notes the Senate Economics References Committee is currently undertaking an inquiry into digital currency. This inquiry, which is focussed in detail on the implications of the emergence of virtual currencies, was extended on 2 March 2015 to report on 10 August 2015.[14] Accordingly, the committee has decided not to make any specific recommendations in this regard, but will await the conclusion of that inquiry process.

Identity crime

6.24      The committee heard from numerous submitters about increasing incidents of identity crime in Australia. Identity crime takes many forms, including using a fabricated or stolen identity to commit offences.[15]

6.25      The AFP noted that identity crime is often linked to other forms of criminality, including illicit commodity movements, money laundering, fraud against the Commonwealth, people smuggling and human trafficking.[16] Additionally, the AFP submitted that the organised theft and sale of stolen identity information was usually for the purposes of manufacturing fraudulent identity documents, including credit cards, driver licences and Medicare cards. All of these documents can be subsequently used for criminal purposes.[17]

6.26      In relation to the level of identity crime in Australia, the AFP noted:

The extent and impact of identity crime in Australia remains difficult to establish definitively. The Australian Bureau of Statistics Personal Fraud Survey for 2010-11 estimated over 700 000 Australians were victims of identity fraud and over 44 000 Australians were the victims of identity theft.[18]

6.27      The AGD elaborated on this point noting that surveys by the Australian Institute of Criminology (AIC) and Australian Bureau of Statistics (ABS) indicate that around 4 to 5 per cent of Australians report being a victim of identity crime each year, and have suffered subsequent financial loss. The AGD quantified the financial losses experienced by victims of identity crimes:

The AIC survey indicated that victims reported an out-of-pocket loss of between $1 and $310,000, at an average of $4,101 per incident. However, just over half of respondents (55%) who reported losing money managed to recover or be reimbursed for some of their losses, at an average of $2,481 per incident, while the remaining 45 per cent did not receive any reimbursement or recover any losses. Overall, losses were relatively small, with 50 per cent of victims losing less [than] $250 and 75 per cent losing less than $1000.[19]

National Identity Security Strategy

6.28      The National Identity Security Strategy (NISS) was developed in 2005, following a Council of Australian Governments (CoAG) agreement to recognise that preservation and protection personal identity information 'is a key concern and a right of all Australians.'[20]

6.29      In 2012, the NISS was revised to 'support the development and implementation of the identity crime measurements framework.'[21] The AFP submitted that the NISS aims to develop conditions where Australians feel confident they enjoy the benefits of a 'secure and protected identity':

The scope of the NISS is shaped by the need to strengthen national security, prevent crime and enable the benefits of the digital economy. Commonwealth, state and territory Governments are working together to enhance national consistency, interoperability and opportunities (including for government service delivery) through nationally consistent processes for enrolling, securing, verifying and authenticating identities and identity credentials.[22]

6.30      The AGD submitted that the DVS was a key element of the NISS.[23]

Document Verification Service

6.31      The committee heard evidence from numerous witnesses, including the AGD, ABA and remittance industry participants regarding the DVS, which is used by financial service providers to validate the identity of customers. The feedback on the DVS was largely positive, however some witnesses, including the ABA, criticised the cost of access and the limited information available to financial service providers.

Background

6.32      The DVS is a secure, online system that 'provides for automated checks of the accuracy and validity of information on the key government documents commonly presented as evidence of identity.'[24] The AGD submitted that the DVS allows user organisations, like banks and other financial services providers, to check the information on identity credentials against the records of issuing agencies.

6.33      The DVS has been available to government agencies since 2009. Certain private sector organisations, which have requirements to verify identities under Commonwealth legislation, gained access in early 2014.[25] The AGD noted:

There has been strong private sector interest in the DVS, particularly from providers of financial services. As at 29 April 2014, 160 private sector applications had been approved and the service had 23 active private sector users. On 5 May 2014, the Attorney-General, Senator the Hon George Brandis QC, launched the DVS commercial service.[26]

6.34      The AGD was emphatic in its view that the DVS helps businesses protect themselves against identity crime while making identity verification mandated by legislation easier. Further, the AGD submitted that the DVS was not a database in that it did not retain personal information, and that all checks must be carried out with the informed consent of the individual. Finally, the AGD noted it was working with State and Territories (as joint owners of the DVS) to further expand the range of private sector organisations that have access to the service.[27]

Responses from private sector DVS users

6.35      The ABA argued that while the DVS was a step in the right direction in enabling private sector operators to access verified identity data, it suggested that government and industry should work together to create a 'secure digital identity' for Australians.[28]

6.36      Independent remittance industry representatives noted that there are costs to private sector users of the DVS, including being charged 67 cents to check identities (per successful check) and paying a $5000 set up fee.[29] The independent remittance industry association, subsequently known as the Australian Remittance and Currency Providers Association, submitted that the $5000 set up fee ought to be waived. The association argued that the removal of the fee would allow remittance providers of varying sizes access to the DVS.[30]

6.37      Similarly, representatives from Veda, a data analytics company with a background in identity security and fraud prevention, argued for easier access to the DVS. Veda representatives contended that the VDS did not include enough data and was not accessible to numerous stakeholders who require identity verification technology.[31]

6.38      Veda submitted that the DVS, while verifying the authenticity of government issued identification, is only available to organisations with a requirement under Commonwealth legislation to verify identities.[32] Veda submitted that 'the restriction on access must end,'[33] and was also critical of the fees charged for access, arguing that the high fees had resulted in low numbers of subscribers:

Fifteen months after opening, only 200 entities have applied. Consider the real estate agent letting a property or the utility providing energy. As the South Australian police submission points out, organised criminal syndicates are involved in cannabis-growing houses with rentals under false names. We ask that the committee recommend that the DVS should be open to any entity with a reasonable requirement to verify identity and have subscriber requirements similar to those used to subscribe to other government registers, such as ASIC's Personal Property Securities Register. We also note, reflecting the varying unreadiness of state registers, that the DVS cannot verify birth, death and marriage certificates online and in real time. This in the digital age needs remedying.[34]

6.39      Veda argued that a more widely available and cheaper DVS, together with changes to the restriction on access to electoral roll and credit reporting data would 'add integrity to the first layer of identity checking'.[35]

Response from AGD

6.40      In answers to Questions on Notice, the AGD detailed its proposal to the Law Crime and Community Safety Council (a council of COAG) that the DVS should be open to any organisation that has a reasonable requirement to identify a person to conduct their business and obtains that person's consent. According to the AGD, this would be consistent with the Privacy Act 1988, including the revisions that came into effect in March 2014.[36]

6.41      The AGD advised that it expected to implement the new access policy for all jurisdictions that have agreed to the arrangements, in March 2015.[37] The AGD has also reviewed the process to access to the DVS:

The Department will implement a substantially simplified application process in March 2015. The per user access fee will be significantly reduced as a result.[38]

6.42      Expanded access to the DVS became effective on 31 March 2015. The DVS website notes that 'businesses with a reasonable need to use a Commonwealth identifier to verify their client's identity may now be eligible to access the DVS.'[39] The changes made to DVS access include:

Table 1—DVS fees schedule, as at 10 June 2015[41]

Annual Volume

Per calendar month

Per query charge

< 400 000

<33 000

$1.40

>400 000  <600 000

>33 000  <50 000

$1.20

>600 000  <800 000

>50 000  <65 000

$1.00

>800 000  <1 million

>65 000  <85 000

$0.80

> 1 million

>85 000

$0.65

Committee view

6.43      The committee acknowledges the ongoing threat of identity crimes.

6.44      The committee welcomes the major reduction in the DVS registration fees and is satisfied with the efforts of the AGD to broaden access to the system. The committee is confident that over time this will lead to many more private sector organisations accessing the DVS facility, and in turn improve personal identity security in Australia. In the committee's view the DVS will become a keystone for government agencies and private companies who require verification of a client's identity.

Support for victims of identity crime

6.45      In 2014, the Minister for Justice launched iDcare, a national support centre for victims of identity crimes.[42] iDcare argued that since 2003, financial crime in Australia has evolved rapidly and mirrors developments in commerce, government services and mobile communications.[43]

6.46      iDcare argued that the previous ten years has also seen the advent of technology-based identity crime, where motives have expanded from traditional financial gain and theft of personal or financial information, to political or ideological statements, known as Hacktevism. iDcare submitted that it viewed Hacktevism crimes as more personalised than 'traditional' identity theft, and that it had responded to over 800 individual clients since September 2013, some of whom had been victimised by Hacktevism, 'the consequences of which can have quite different impacts to individuals.'[44]

6.47      Critically, iDcare estimated that 1.1 million Australians and New Zealanders are impacted by identity theft and misuse of information every twelve months.[45]

6.48      iDcare raised specific issues relating to Commonwealth victim certificates, which are designed to support claims for victims of Commonwealth identity crime. iDcare noted that under the current scheme individuals must satisfy three criteria:

6.49      iDcare argued that these criteria were difficult to fulfil given that less than six per cent of identity crime perpetrators are arrested or prosecuted successfully.[47] iDcare contended that the certifications are not working to support victims of identity crime:

iDcare is not aware of any successful issuance of a victim certificate for identity crime, within either relevant State equivalent measures or the Commonwealth. This is not from a lack of interest. iDcare receives a number of calls from individuals that express interest in obtaining such certificates, but in all instances fall at the first hurdle of the essential element – someone has been successfully convicted of an identity crime offence.[48]

Committee view

6.50      The committee is concerned with the evidence from iDcare about the prevalence of identity crime in Australia.

6.51      The committee is also greatly concerned with the evidence that Commonwealth victim certificates appear to be difficult to obtain due to evidence that an arrest and successful prosecution being required to satisfy the first eligibility criterion. Given the seriousness of the problem, the significant personal impacts suffered by the victims of identity theft, and the likelihood of increasing incidences of identity crime, the committee believes there is further work to be done to both deter identity crime and to assist its victims.

6.52      The committee commends iDcare for its work in assisting the victims of identity crime, and is persuaded by its advocacy that the scheme for issuing Commonwealth victim certificates needs to be examined.

Recommendation 11

6.53      The committee recommends the Attorney-General's Department review the arrangements for victims of identity crime to obtain a Commonwealth victim certificate.

Contactless payment technology

6.54      As outlined above, the DVS is an effective tool for both law enforcement and financial service providers for checking and verifying the identities of customers accessing financial services. Critically, the related issue of technology-enabled credit card fraud was raised by numerous submitters, including law enforcement agencies, who argued that new technology had effectively expanded the scope for credit card fraud from more traditional credit card fraud, to multiple low value purchases to evade detection. This, they argued, was largely due to the rollout of contactless payment technology.[49] This section addresses some of that commentary in detail.

6.55      Contactless payment technology enables customers to pay for products and services under $100, by 'waving' or 'tapping' their card to payment terminals. Benefits for customers include faster transactions and in some cases, the ability to pay through the use of 'near field communication' technology in mobile phones.[50]

6.56      Victoria Police raised as an area of concern a 'significant increase' in deception offences in Victoria, arguing that new technology had enabled offenders to commit multiple low value transactions with stolen credit cards.'[51]

6.57      Victoria Police argued that increased technology, lack of guardianship and the perception that credit card fraud is a victimless crime, is 'driving [deception] offences'.[52] Victoria Police also argued that 'tap and go' technology, provides motivation for the physical theft of credit cards, with little risk of capture by police or of physical identification. Further, Victoria Police noted:

The major banks provide a Zero Liability Policy to customers who are victims of fraudulent transactions. This policy is clearly advertised in conjunction with ‘Tap and Go’ technology. Widespread promotion of the Zero Liability Policy is expected to motivate offenders who are likely to see that the victim will not be at a personal loss. Anecdotal information from the Victoria Police Fraud & Extortion Squad and Victoria Police E-Crime Squad suggests that financial institutions factor fraudulent activity into their profit and loss margins and currently the loss associated with ‘Tap and Go’ is far [outweighed] by the profits generated. If losses are budgeted for, Victoria Police are likely to find it difficult to develop strategies in partnership with financial institutions to improve guardianship. As part of a recent intelligence gathering exercise, National Australia Bank, Commonwealth Bank, ANZ, Westpac and Visa were all contacted via email and/or phone for consultation during recent analysis of this issue by Victoria Police. No responses were received prior to the finalisation of a recent intelligence product. Without engagement by financial institutions it is difficult to understand the full extent of fraudulent activity and the impact new technology and policies have on the criminal environment.[53]

6.58      Broadly, Victoria Police were highly critical of the lack consultation between financial institutions and the police, especially as it relates to the introduction of new, higher risk technologies, such as contactless payment systems:

Engagement with police prior to such initiatives would greatly assist in having standard practises across industry. Simplicity of structures and processes is essential and “bureaucracy” is often a barrier to effective joint action.[54]

6.59      The committee is aware of the commentary regarding the roll out of contactless payment technology, including media articles detailing police concerns about the security of the systems. Victoria Police have also raised this issue publicly, arguing that it was likely to be behind the rise in 100 extra credit card deceptions per week.[55]

6.60      Representatives of the banking industry disagreed that contactless payment technology poses a significant fraud threat. Mr Boyd argued:

But the PayWave mechanism itself is not a large driver of fraud losses for consumers or the banks. It is actually very popular with consumers too, because it is very convenient, and it is popular with merchants because it is fast. And at the moment with the low thresholds on that mechanism I do not think it is a realistic large threat to fraud losses. I think some of the other issues we have been discussing are much bigger threats in terms of financial loss and customer inconvenience.[56]

Committee view

6.61      The committee shares the concerns of law enforcement agencies that the rollout of new technology without consultation with law enforcement agencies has the potential to become a driver of financial related crime. The committee believes that banks and other financial service providers ought to consider law enforcement issues more carefully, and to facilitate discussions with law enforcement about new technologies prior to rollout.

6.62      As discussed in Chapter 5, the committee is persuaded of the advantages of close private and public sector collaboration in addressing financial related crime.

6.63      While banks have argued the fraud risk of new technologies is accounted for in their banking systems, the committee believes that consumers should have the option of disabling contactless payment features.

Recommendation 12

6.64      The committee recommends that financial institutions which issue debit and credit cards create an 'opt in' function that requires customers to consent to contactless payment technology features being activated on their cards.

Navigation: Previous Page | Contents | Next Page

Facebook LinkedIn Twitter Add | Email Print
Back to top