By Iain Strutt
The advent of the COVID-19 pandemic has seen many of us working from home for extended periods. A corresponding rise in online fraudulent activity is attributed to the wider use of the internet and organised crime continues to adapt to these changes. The Australian Competition & Consumer Commission has reported a 55% increase in identity theft on last year’s figures [1] with criminals targeting superannuation payouts, & welfare relief benefits. Identity theft (IDT) is fraudulent and involves ‘the use of dishonest and deceitful conduct to gain an unjust advantage…it is not specifically defined in legislation.’ [2] IDT can be used to assume an identity with or without the consent of a living person. The stolen identity of a child can be kept for years, to be used when the identity matures. [3] IDT can be used for a practice known as ghosting, whereby a person assumes the identity of a dead person. [4] The methods range from theft and impersonation, [5] to theft and sale, the ‘renting’ of an identity [5] and the deliberate manufacture and sale of high-quality forged documents by organised criminal gangs. Once a criminal establishes a false ID they can use it to gain advantage by applying for financial services, defrauding superannuation accounts, money laundering and immigration fraud. Phoenixing, which is a more complex form of IDT is a process to rid companies of their debt and avoid taxes [6,7,8,9,10].
Obtaining false identity documents would generally be in cash and difficult to trace. Likewise, transactions are conducted on Deep Web sites which specialise in the sale of high-quality identities. [11] Transactions of this type would usually be conducted in Bitcoins or a similar digital currency. [12] Another untraceable way identity can be purchased is through the hawala network of Islamic financiers [13] and it is believed that Islamic terrorists use this system. Money transferred via a hawala banking system is extremely private and is unlikely to be reported or discovered by anyone other than the hawaladar, the transferor and the transferee.
The local market
A fraudulent Medicare card and a driver’s license can be bought relatively cheaply. A set of three; driver’s license, Medicare card plus a phone bill costs around A$500. [14] These three combined are enough to establish a primary identity. [15] High quality documents such as passports can range from A$1,500 up to A$30,000 for a genuine passport with false biodata details. [16] Secondary identification can be used to verify persons at international borders with no passport, with immediate entry denied until such times as the person’s identity can be positively verified. [17] Supporting secondary documentation would give greater weight to a false identity if supporting a passport. [18]
The hidden nature of offences
The Australian Criminal Intelligence Commission (ACIC) produced intelligence to improve the understanding of business email compromise scams; malware; anonymity features in cryptocurrencies; encryption on the Darknet; cybercriminal exploitation of government systems. [19] Whilst the ACIC has had success overall, IDT figures are estimates only, due partly to legitimate businesses not wanting to advertise data theft by reporting it to police, as this avoids a loss of confidence in their enterprise. Individuals may not report incidents due to the embarrassment felt by crimes committed in their name. [20]
The rate of reporting when it is combined with the incidence of offences does not give any more clarity to the issue as it is not possible to isolate these two features. [21] This leads to a conclusion that the uncertainty in increases are not just increases in reporting. [22] Another factor that was identified was that the courts were either unwilling or not sufficiently equipped to calculate how much has been stolen in largely civil proceedings. [23] Further, prosecutions can only give an indication of part of the picture and the extent of undetected IDT is still unknown. [24]
The big data problem
The trend for large businesses and corporations to retain data is one area that has not been adequately addressed. Whether as users or customers, data is retained by businesses and corporations for their own purposes on an industrial scale due to the low cost of collection and storage. [25] & the data farm concept has moved onto public networks which are being compromised. [26] Any personal data, along with Facebook posts, tweets, app usage, phone records, website visits, licenses can be stored indefinitely and used for commercial advantage. Such data is acquired, analysed, packaged, sold, further analysed and resold. This data has been labelled ‘data exhaust.’ Presumably, once the data are redefined as waste material, their extraction and eventual monetization are less likely to be contested.[27]
Data collection is now linked to computer networks and systems and the vulnerabilities to data storage now affects computer security. A huge data theft occurred recently due to a combination of ‘hacking, ransomware, remote server access and unauthorised access to email accounts’ with the finance company RI Advice group being held responsible. [28] What this indicates is that to hold data for some unspecified marketing purpose can be a liability, [29] and that companies are increasingly responsible for the data they hold, because for a technically proficient criminal, data is a cyber gold mine. Capping the retention time on certain data held by private enterprise would assist in the curbing of IDT. There must be a shift from permanent and perpetual memory to one of being able to be forgotten, to have the ability to erase personal metadata. [30]
Assessment
With the evidence available an accurate size of the IDT market due to its clandestine nature is still unknown. The methods to acquire, trade, manufacture and use false identification are known. IDT as a crime has increased along with the growth of the Internet and authorities have no real answer to the problem. An accurate assessment is not possible due to several factors, underreporting being one.. Cheap data storage and the value that a company gains by using the stored data indefinitely for market research purposes is also a significant factor if compromised. The fraudulent ID market in Australia and its’ negative flow on effects are, therefore, likely to continue. To mitigate the threat, the storage of metadata should have a time limit to counter the persistent and increasing threat posed by illicit data mining by criminal organisations. The indications are that IDT will be with us for some & the Australian false ID market is, and will continue to be, an income source for organised criminal enterprises into the future.
- References
- [1] Bainbridge A., Clark E., (2020) Identity theft soars during COVID-19 as scammers target government payouts, superannuation. ABC Online. Accessed 17.08.2020.
[2] Williams R. [Interviewer] & Greycar A. [Guest] (2002) Identity related fraud: Risks and Remedies. Ockham’s Razor ABC Radio National. Transcript. Access ed 05.10.16.
[3] Levin A. (2015) Swiped. How to Protect Yourself in a World Full of Scammers. Public Affairs. New York. pp. 96 1033Ibid, p.144.
[4] Topsfield J. (2016) Australian facing drug charges in Perth arrested in Bali over fake identities. Sydney Morning Herald Online. Accessed 20.09.16
http://www.smh.com.au/world/australian facing drug charges in Perth arrested in Bali over fake identities 20160406 go05jj.html
[5] Rudner M. (2008) Misuse of Passports: Identity Fraud, the Propensity to Travel and International Terrorism, Studies in Conflict & Terrorism, 31:2, 95 110. DOI: 10.1080/10576100701812803, p.103.
[6] No Author (2016) Identity Crime. What is identity crime? Australian Federal Police homepage. Accessed 20.09.16 www.afp.gov.au/what we do/crime types/fraud/identity crime
[7] Irvine J. (2016) Money watchdog struggles against increasing fraud. Sydney Morning Herald. 30.09.16. Fairfax Media. Sydney. p.2
[8] No Author (2015) Organised Crime in Australia. Commonwealth of Australia. p.75.
[9] Oakes D. [Reporter] (2016) Unwitting clients signed up as directors to failing businesses. 7.30 Report aired 17.10.16. Australian Broadcasting Corporation. Sydney.
[10] No Author (2015) Organised Crime in Australia. Commonwealth of Australia. p.75.
[11] Onion Identity Services; ik3dw5whel252xnj.onion.
[12] No Author (2013) The Economist explains: How does Bitcoin work? www.economist.com/node/21576183/ Accessed 26.09.16
[13] The most common use for a hawala system is to send hawala money transfers to another person who is at a great distance from you. Goods can also be traded and bartered in this system.
http://www.howtovanish.com/2009/09/modern hawala/ Accessed 22.09.16.
[14] Ibid. p.7.
[15] Dept. Of Defence. Australian Government Security Vetting Agency. Version 1: May 2014.
[16] No Author (2015) Organised Crime in Australia. Australian Crime Commission. Commonwealth of Australia. p.22
[17] There have been cases of genuine refugee families presenting bona fide documents without passports and after processing, they’ve been allowed to remain in Australia.
[18] The Migration Act 1958 (Cth.) s. 243 & s. 234A sets out offences using forged or false documents without specifying what those documents are.
[19] No Author (2020) Australian Criminal Intelligence Commission Annual Report 2018-2019. Commonwealth of Australia. p.26.
[20] No Author (2015) Organised Crime in Australia. Australian Crime Commission. Commonwealth of Australia. p.21.
[21] Ibid. p.2.
[22] Ibid. p.3.
[23] Smith R. G. (2003) Serious fraud in Australia and New Zealand. Pricewaterhouse Coopers. Australian Institute of Criminology. Canberra. p.28
[24] Connery D., Murphy C., & Channer H., (2015) A web of harms: Serious organised crime and its impact on Australian interests. Australian Strategic Policy Institute. Canberra. ACT. p.7.
[25] Schneier B. (2013) Data and Goliath. The Hidden Battles to Collect Your Data and Control Your World. W.W. Norton Co. London
[26] Schneier B. (2003) Beyond Fear. Thinking Sensibly About Security in an Uncertain World. Copernicus Books. New York. p.99.
[27] Zuboff S. (2015) Big other: surveillance capitalism and the prospects of an information civilization. Journal of Information Technology. JIT Palgrave Macmillan. p.79
[28] Falk R. (2020) Cyber security has to be every company’s business. The Australian. 15.09.20 News Ltd. Sydney. p.10.
[29] Schneier (2016) Data is a Toxic Asset. http://www.cnn.com/2016/03/01/opinions/data is a toxic asset opinion schneier/index.html viewed 23.09.16
[30] Knott M. (2015) New metadata laws: Malcolm Turnbulls’ powerful case against data retention. Sydney Morning Herald online. Accessed 19.10.16.
http://smh.com.au/federal politics/political opinion/new metadata laws/
