Fraudulent identity credentials can be obtained in a variety of ways. The methods for sourcing fraudulent credentials can be grouped into two main categories:
identity theft/manipulation—instances where a criminal steals or otherwise acquires all, or parts of, a legitimate identity from another person; and
identity fabrication—where a fictitious identity is created and manufactured onto a credential.
To establish a fraudulent identity, the offender requires personal identifying information (PII). Criminals can obtain PII from a wide range of source documents such as bank statements or utility bills that are discarded into the rubbish (commonly known as ‘dumpster diving’—see Case Study 1), from malicious hacking of databases containing PII (data breaches), or PII can simply be made up (i.e. identity fabrication). There have even been cases where criminals have taken over the identities of people who are deceased (known as ‘Tombstone Fraud’—see the in-depth case study at the end of this report).
Case Study 1 (2012): Personal information stolen from mailboxes used in superannuation identity fraud
Members of an organised criminal syndicate stole cheques, superannuation statements and personal bank statements from the mailboxes of unsuspecting victims and used this information to produce high-quality counterfeit identity documents. These documents were then used to conduct frauds against superannuation accounts. After assuming the victim’s identity and setting up a Self-Managed Super Fund in their name, the syndicate member would contact the victim’s superannuation provider and request that they ‘roll over’ the funds from the legitimate superannuation fund into the new, fraudulent Self-Managed Super Fund that they had established.
Following a coordinated multi-agency investigation, a total of 25 syndicate members were charged with more than 2,500 offences involving the laundering of over AUD$8 million in fraudulently obtained funds.
Source: AUSTRAC typologies and case studies report, 2012; 45
Key finding: Medicare cards and driver licences—and to a lesser extent birth certificates—are more likely than other credentials to be used to facilitate identity crime. This is due to a range of factors including Australians’ ubiquitous use of these cards as evidence of identity and the security features of the credentials. This emphasises the importance of verifying the information presented on these credentials with the issuing agency.
Just like narcotics, fraudulent identity credentials are an illicit commodity subject to the market forces of supply and demand. The price of fraudulent identity documents serves as an indicator of the availability of that type of fraudulent credential on the black market and the extent to which the credentials are used in identity-related crime.
The level of availability is, in turn, influenced by a number of factors: the financial value of the credential (e.g. credit/debit cards with an available balance); the quality of the credential, including whether it uses fabricated or legitimate identity information and contains the required security features; and the utility of the credential in facilitating other crimes (i.e. the extent to which it is accepted in the community, and the benefits it enables).
There is a key difference between credentials that are completely counterfeit and those that are legitimately issued but contain fraudulent personal information (i.e. those issued in a fraudulent identity, or issued to a person fraudulently using another person’s real identity).
The pilot revealed two reliable sources of information for this indicator: DFAT’s Australian Passport Office (APO), which provided information on the price of fraudulent passports; and the Australian Federal Police (AFP), which provided intelligence on the price of various other fraudulent credentials (see Figure 5).
Figure 5: Price of fraudulent and genuine Australian identity credentials
a: For a 5-year genuine driver licence.
b: Cost to have a genuine passport altered by a professional document forger. A legitimately issued passport with fraudulent information retails for between $20,000–$30,000 on the black market.
Source: Australian Federal Police and Department of Foreign Affairs and Trade
The presence and complexity of the credential’s security features will also affect the price of a fraudulent document. For example, counterfeit documents that have been manufactured using readily available printing equipment are more likely to be detected than legitimate documents that contain fraudulent information. For this reason, the cost to acquire fraudulent identity credentials can be used as an indicator of how vulnerable they are to forgery. Credentials with stronger security features are more difficult to reproduce and are likely to cost more on the illicit market.
Intelligence indicates that the price of fraudulent identity credentials varies from around $80 (counterfeit Medicare cards), to $250–$350 (counterfeit birth certificates and driver licences), to $1,500 (a legitimately issued Australian passport altered by a professional document forger) and up to $30,000 (a legitimately issued passport containing fraudulently obtained identity information). In many cases, these were not the most recent versions of the documents in question, which contain state-of-the-art security features, but older versions that are easier to alter or reproduce.
The fact that Medicare cards are the cheapest fraudulent credential on the black market suggests that they are relatively easy to reproduce, particularly in light of the fact that they have very few security features and, for example, no facial image or hologram.
Another potential measure of the availability of fraudulent credentials is their price relative to the legitimate versions of these documents. As indicated above (see Figure 5), the cost of fraudulent birth certificates and driver licences is between two and six times the cost of the official versions of these documents. By contrast, the cost of fraudulent passports and Tax File Numbers (TFNs) is between six and 16 times the cost of these credentials respectively (TFNs are free for individuals to apply for, though applications through a registered tax agent may involve fees of around $60).
Finally, as use of the DVS (Document Verification Service) increases, particularly in the private sector, the likelihood of counterfeit credentials being detected will also increase. The expected result is a displacement effect: criminals’ use of counterfeit credentials will be replaced by legitimately issued documents containing fraudulent identity details. One potential avenue for criminals to obtain such legitimately issued fraudulent documents is to corrupt or exploit officials involved in the issuance of identity credentials (see Case Study 2). While there is not enough information about this case to ascertain whether any of the 650 licences issued contained fraudulent details, this case does illustrate the kinds of potential vulnerabilities that criminals could exploit to obtain ‘legitimate’ identity credentials issued with fraudulent details.
Case Study 2 (September 2012): Exploiting a corrupted employee to obtain an identity credential
Between 2005 and 2012, a Victorian man employed as an accredited tester for heavy vehicle licensing was alleged to have signed 650 fraudulent heavy vehicle certificates in return for cash payments. These certificates are used as evidence of passing a heavy vehicle driving test and are required to obtain the appropriate driver licence.
Source: The Age, 21 September, 2012 http://www.theage.com.au/victoria/truckies-face-retest-amid-licence-fraud-probe-20120921-26acr.html
It may also become more likely for criminals to obtain legitimate documents by purchasing them from individuals who are unlikely to need or use them. For example, criminals may look to target vulnerable members of the community (i.e. people in hospitals, nursing homes or serving long sentences in prison) and convince them to sell their identity credentials.
In addition, the joint AFP/NSW Police Identity Security Strike Team indicated that some organised criminal syndicates are now manufacturing high-quality fraudulent credentials. Upon raiding the premises used by these syndicates, the strike team seized commercial-grade printing equipment, batches of blank cards containing holograms and other security features, along with thousands of stolen images and personal details.
Conclusions about the cost to acquire fraudulent credentials
With the exception of DFAT, no credential issuing agency (such as an RTA or RBDM) was able to provide information on the estimated price of fraudulent versions of their credentials. If state and territory police agencies were to regularly collect intelligence on the cost to acquire fraudulent credentials, this would provide credential issuing agencies with a valuable indication as to the vulnerability of their credentials. This information would be useful as a measure of the extent to which these credentials are being used to facilitate identity crime—information that should inform any future changes to the security features or issuing processes for these credentials.
1.2 Number of reported data breaches
Key finding: There is limited reliable data on the true extent of data breaches in Australia. Nevertheless, data breaches, whether accidental or deliberate, will continue to present significant opportunities for obtaining personal identifying information that is used in identity crime. The types of personal information used to commit identity crime are increasingly being collected and stored in databases held by a variety of government agencies and private sector organisations. The aggregation of this information, particularly in electronic forms that are accessible online, increases the risk that it may be acquired through data breaches, either accidental or through deliberate attempts to steal personal information.
Case Study 3 (May 2013): Data breach affecting a major telecommunications provider
The owner of a marketing business was searching Google when he discovered that several large spreadsheets containing information about customers of a major telecommunications provider were freely accessible. One spreadsheet contained 1,677 records, including customer names, phone numbers, telephone plans and home addresses. Three other spreadsheets contained 8,201 records with names and telephone numbers. On 11 March 2014, the Office of the Australian Information Commissioner and the Australian Communications and Media Authority found that the telecommunications provider had breached privacy laws by failing to protect the personal information of 15,775 customers.
Source: Sydney Morning Herald, 16 May 2013; http://www.oaic.gov.au/news-and-events/media-releases/privacy-media-releases/telstra-breaches-privacy-of-15-775-customers
The Office of the Australian Information Commissioner (OAIC) collects data on the number of reported data breaches, as well as the number of own-motion investigations the OAIC initiates into privacy matters or information protection issues. The number of OAIC-initiated investigations has steadily declined over the four years from 2009–10 to 2012–13 (see Figure 6). This does not necessarily indicate there were fewer serious incidents involving suspected privacy breaches during that time. These figures provide no indication of the scale or complexity of these investigations, which can extend over more than one reporting period.
Figure 6: Number of own-motion investigations initiated by the OAIC, by year (2009–10 to 2012–13)
Source: Office of the Australian Information Commissioner 2011a, 2012a & 2013a
Another measure of the availability of information that can be used to facilitate identity crime is the number of reported data breaches. The OAIC has developed guidelines that encourage organisations to report serious data breaches involving personal information (OAIC 2012b). However, Australian organisations are not obliged under law to report data breaches, so the number of incidents reported to the OAIC is likely to be significantly less than the actual number of breaches in Australia.
On its own, the number of data breaches reported to the OAIC has limitations as a measurement indicator. Aside from being only a subset of total data breach incidents, the number of reported data breaches does not distinguish between the number of records involved in each breach, or their significance. This level of information is not available from the OAIC as it does not uniformly require or capture this amount of detail when it accepts a complaint regarding identity crime or theft.
However, other research by the Ponemon Institute provides some further insights into the nature of data breaches experienced by Australian organisations. The Australian data breaches (n=22) examined by the Ponemon Institute between 2009–10 and 2011–12 involved estimated average losses of between $123 and $145 per record (see Figure 7).
Figure 7: Number of voluntarily reported data breaches to the OAIC and the average cost per lost or stolen record, by year (2009–10 to 2012–13)
Source: Office of the Australian Information Commissioner 2011a, 2012a & 2013a; Ponemon Institute 2012 & 2013
Further detail is available on the 22 incidents examined in the 2011 Ponemon Study (see Figure 8). Analyses show that these incidents involved the loss or theft of an average of 19,000 records per incident, at an average cost of $138 per record. The average total financial impact on the organisation or agency involved was $2.2m (Ponemon 2012).
Figure 8: Size of data breaches (records lost) and total cost to the organisation, 2011
* Includes the costs associated with detection, notification, post-incident response and loss to business activity.
Source: Ponemon Institute 2011
Based on the data above, which indicates that an average Australian data breach costs $2.2 million and involves 19,000 records, the annual impact of reported data breaches alone could be over $100 million in costs and could involve the compromise of almost 100 million records.
It is likely that a considerable proportion of data breaches involve the loss or theft of personal information that is ultimately used in identity crime. Recent American data suggests that one in four data breach notification recipients in the US became a victim of identity fraud (Javelin Strategy & Research 2013).