5.1 Number of identity credentials able to be verified using the DVS
Key findings: There are an increasing number of identity credentials that can be verified through the DVS, including four of the five credentials that have been identified through this project as being at most risk of misuse (i.e. Medicare cards, driver licences, birth certificates and passports).
The DVS enables user organisations to match the biographical data presented on identity credentials with the issuing authority, and is a useful tool for detecting fraudulent documents.
If a person presents an organisation with a document such as a passport or a driver licence as evidence of their identity, the organisation can use the DVS to check the authenticity of the document with the relevant issuing agency (AGD 2014a). As at February 2014, there are 10 core identity credentials that can be verified through the DVS: passports; citizenship certificates; registration by descent certificates; visas and Immicards; driver licences; birth, marriage and change of name certificates; and Medicare cards.
5.2 Number of government agencies using the DVS
Key findings: An increasing number of government agencies are using the DVS across Australia, although coverage amongst key government credential issuing agencies is not yet universal, with only a quarter of RTAs and RBDMs currently using or planning to use the DVS by the end of 2014.
As of 31 March 2014 there are 17 government and 151 private sector users fully approved to use the DVS (see Table 7). Data presented in Table 7 indicates that there is currently only limited usage of the DVS by government agencies. For example, only one of the eight RTAs and eight RBDMs currently use or are planning to use the DVS by the end of 2014.
5.3 Number of private sector organisations using the DVS
Key findings: There is strong demand for use of the DVS amongst private sector organisations, particularly those with legislative obligations to verify the identities of their customers. There is scope for significant further growth in the number of user organisations which have a reasonable necessity to verify a person’s identity in accordance with the Privacy Act 1988.
The DVS was originally only available to government agencies. However, in 2012–13 Australian governments decided that the use of the service should be extended to private sector organisations. Currently, those organisations that have an authority or requirement under law to identify their customers are eligible to use the service. This includes companies operating in the financial and telecommunications services sectors.
As at 31 March 2014, there have been around 250 new applications from private sector organisations to use the DVS and 151 of these private sector applications have been approved.
Although private sector access to the DVS has only been made available for a few months, the relatively large number of applications across various sectors demonstrates the utility of this service as a cost-effective means of strengthening identity verification processes.
Key findings: There has been rapid growth in the number of DVS verifications over recent years, albeit from a modest baseline, which is expected to continue into the future. This reflects growth in DVS user organisations and the range of documents that are able to be verified through the service.
In recent years the numbers of DVS transactions (i.e. validations of an identity credential) have steadily increased, from around 175,000 in 2011 to 1.8 million in 2013 (see Figure 31).
Figure 31: Number of DVS transactions, by year (2011–2013)
Note: These figures include repeat transactions, for example where data entry errors occur. Some validation attempts can involve numerous transactions.
Source: Attorney-General’s Department
Key findings: Most Australians adopt at least basic online security practices; and Australia’s experience compares favourably in relative, international terms. However, surveys suggest that almost half of Australians are not confident in their ability to manage security of personal information online; only just over a third educate themselves about the most current ways to protect against identity theft; and there are areas where behaviours could be improved to help protect against identity crime.
A range of sources across government and the private sector produce data on Australians’ online security practices. This provides a potentially rich source of information from which to develop indicators on the use of preventative measures for online identity crime. Unfortunately, this was not able to be completed in the time available for the pilot project. However, some general observations can be made. Further analysis of the available data is required in order to develop reliable indicators of the impact of the online security practices in preventing identity crime.
Available data on Australians’ online security practices presents somewhat of a mixed picture. Recent research by the Australian Communications and Media Authority (ACMA) indicates that just over half of Australian adults (54%) were confident in their ability to manage the security of their personal information online (ACMA 2013).
Australia was rated third out of 20 countries that were included in the latest global survey of online security practices by Microsoft. This survey of 10,000 people (including 530 Australians) measured individuals’ behaviour in relation to a range of online security practices (Microsoft 2014).
While good in relative international terms, Australia received a score of 39 out of a possible 100 (Malaysia rated highest with a score of 42—the global average was 34). A significant majority (over 80%) of Australian respondents reported using at least some protections such as anti-virus software. But just over a third of respondents indicated that they limit the amount of personal information that appears online (36%), or educate themselves about the most current ways to protect against identity theft (37%) (Microsoft 2014).
The latest results from the 2013 Norton Report show that a considerable proportion of adults experienced cybercrime in the previous 12 months (46% or 5 million adult Australians), with almost two-thirds (60%) reporting having experienced cybercrime at some point in their lifetime (Norton 2013).
The survey also sought to examine the types of behaviours that may increase the likelihood of cybercrime victimisation (and potentially also identity theft), with results showing that:
one third (32%) of smartphone users experienced mobile cybercrime in the past 12 months
when using public or unsecured Wi-Fi, around one quarter did shopping online or mobile banking (27% and 25% respectively) (Norton 2013).
Some information is available on the online security practices of Australian businesses through the 2012 Cyber Crime and Security Survey: Systems of National Interest (the Australian Cyber Crime and Security survey), conducted by Australia’s national computer emergency response team (CERT Australia), located within AGD (see AGD 2014b).
This survey found that a significant majority (more than 80%) of businesses surveyed used anti-virus software, spam filters, firewalls and other access controls; with almost 60% also using more sophisticated measures such as intrusion detection systems (AGD 2012b).
The companies that took part in this survey were primarily the owners and operators of critical infrastructure (e.g. energy providers, defence industry, communications, banking/financial and water services) and other ‘systems of national interest’. These businesses receive information and advice from CERT Australia on a regular basis. They would be expected to have a greater awareness of cyber security threats and a greater capacity to implement the necessary protective measures.
These results are unlikely to be representative of the online security practices of the broader private sector, including many of the small to medium sized businesses that handle many Australians’ personal information. A comprehensive survey of the security practices of these types of business has not been conducted since the AIC’s Australian Business Assessment of Computer User Security (ABACUS) survey in 2006–07 (Richards, 2009).
Information on the online security practices of government agencies is collected for various purposes.
In November 2013, the Victorian Auditor-General released an audit report into the Victorian Government’s Information Security Management Framework (Victorian Auditor-General 2013). Overall, the report found that ‘agencies are potentially exposed to cyber attacks, primarily because of inadequate ICT security controls and immature operational processes’ (Victorian Auditor-General 2013). The audit also found that while the appropriate information security policy and framework is in place for the 20 agencies categorised as the ‘inner Whole-of-Victorian-Government’ (WoVG) arrangements, ‘the remaining outer WoVG agencies—of which there are more than 500—are not required to conform to any specific policy or standard’ (Victorian Auditor-General 2013) (For a discussion of some of the deficiencies in the Victorian Government’s Cyber Security, see Cowan 2013).
At least 85 percent of the targeted cyber intrusions that the Australian Signals Directorate (formerly known as the Defence Signals Directorate, or DSD) responds to could be prevented by following the top four mitigation strategies listed in its Strategies to Mitigate Targeted Cyber Intrusions (DSD 2012).
However, comprehensive information on cyber security practices and incidents is not as accessible as information on the practices of individuals and businesses, in part because of the potential sensitivity of this information. Developing measurement indicators for the online security practices of government agencies requires further analysis and may best be done as part of any related work to measure the nature and extent of cybercrime and other cyber security threats.