AUSTRALIA
Stolen ID
Tuesday, 13 May, 2008
Stolen ID
Police data show identity crime is on the rise. Meanwhile, popular social networking sites encourage users to create online profiles rich in personal detail. But do they offer a treasure chest of information for identity thieves to use?
This week, Insight examines whether social networking sites like Facebook and MySpace make us vulnerable to identity theft.
Have Your Say: Are we putting too much information online?
Watch a video of the show:
Part 1
Part 2
Part 3
Identity theft has become a lucrative business. The internet has opened the way for organised criminals to 'spy' on personal computers anywhere in the world. Some succeed in 'phishing' personal details or stealing internet banking login details by using fake email addresses.
Many victims of identity theft only become aware that their details have been used to obtain credit cards and loans when debt collectors come knocking.
Join Insight on Tuesday at 7:30pm as we look at identity crime and ask; how can we prevent it?
Identity theft - in the news
- Net users becoming too relaxed; survey
- Seven year-old hit with US tax bill
- Teen 'cyber crime kingpin' busted in NZ
TRANSCRIPT
How easily could someone steal your personal information and become you? A recent poll showed identity theft is top of the list of security concerns for most of us and computer experts say there's good reason to be worried. The Federal Government wants uniform State laws to tackle identity theft. Meanwhile, we're putting more and more personal information online.
JENNY BROCKIE: So could we be making ourselves easy targets, especially on social networking sites like Facebook and MySpace? Johnny Luu visited someone who's quite happy to put everything out there.
SHAUN HERONS’ STORY:
REPORTER: Johnny Luu
There are few waking moments Shaun Heron is not connected. Between fielding phone calls and emails at work, the 27-year-old is constantly uploading his life online. Shaun's a veteran of social networking sites.
SHAUN HERON: I actually lived in America a long time ago, in 2003 I moved there, and just when I moved over there all my friends were talking about this thing called Friendster, which was the original social networking site.
That was then, now it's all about MySpace and Facebook. Shaun has both.
SHAUN HERON: Then I've added a little slide show of me and my family. So my family, my mum, my brothers, our dog, that's my brother and I at a night out, meatballing in Bangkok.
REPORTER: How many friends do you have on MySpace?
SHAUN HERON: 40,000-something friends on MySpace.
REPORTER: That's a lot, isn't it?
SHAUN HERON: It's a few. Thinking about it, they're not my friends. I don't know them, they're just people who have added me. I've chosen to put on my status what I'm actually on the site for, what I'm looking for, the place where I grew up, a little bit more about me, my star sign, whether I want to have kids or not.
Shaun's showing us his MySpace page. He doesn't have to put his real information on there, but he's decided to anyway.
SHAUN HERON: My education level, what I've achieved and my occupation.
REPORTER: You've got your height on there. Is that your correct, accurate height?
SHAUN HERON: That's my correct height, yep, yep. So I haven't chosen to make myself a little bit taller.
Though his Facebook page is mostly public, Shaun's more discerning with who he adds as friends and because of this he feels it's OK to have more details on there.
SHAUN HERON: This is my contact information, so it has my correct email, my AOL instant messenger from when I lived in the States, my Skype, my mobile phone number and a website that I choose to call my own.
When you log on you see notation of what your friends are up to. So when they log in they type in a status update, saying what they're doing tonight - they might be watching TV, they might be hungry, they might be on their way to .. Sorry.
Hey. Hello. Hey, can I call you back? They're still here. That's alright, no worries. Bye. That's my boss, yeah. She wants the update.
What Shaun likes most about Facebook is that it keeps him and his friends in the loop.
SHAUN HERON: It helps me keep track of birthdays. When you put your birthday in there you get notation of your friends' birthdays not on the day but as they're coming up. So next Thursday it's John's birthday, next Thursday it's Phil's birthday.
Shaun doesn't think he's got too much information online, but he's still worried about Internet fraud and identity crime. In late 2005 unexplained purchases showed up on his bank statement. Shaun suspected he was the victim of credit card fraud.
SHAUN HERON: So I called my bank and said, "I think someone's using my card," and they said, "OK, we'll just monitor it for another 24 hours and if you see any more transactions that aren't yours, please let us know." So I let them know. And they cancelled my card, rushed me some new ones, fully refunded me the money, no questions asked. I had to sign a form but they were really good about it. I honestly didn't make the purchases, they believed that and it was all good. So that gave me probably a good taste of identity theft because I know if someone does use my card or does use my personal information I'm going to get my money back anyway.
Shaun knows he needs to be as cautious online as he is in real life, but he's not about to disconnect any time soon.
REPORTER: Would you consider setting your profile to private so no-one can see it?
SHAUN HERON: Never, no. What's the point?
JENNY BROCKIE: Welcome, everybody. Now, Shaun, I'd like to introduce you to Chris Gatford, who's sitting beside you. Companies actually pay Chris to hack into their computer systems to see how safe they are. Chris, how easily could you steal Shaun's identity based on that?
CHRIS GATFORD, IT SECURITY EXPERT: Quite easily. Shaun's put on there really significant pieces of information that would enable me to steal his identity. We have things like his date of birth, the area that he lives, the schools that he went to, the people that he works for, so he's empowered me as an identity thief to easily steal his identity.
JENNY BROCKIE: How quickly could you do it?
CHRIS GATFORD: Probably within a week.
JENNY BROCKIE: Within a week?
CHRIS GATFORD: Within a week to get enough background information, even start falsifying some documents to start impersonating Shaun.
JENNY BROCKIE: In a whole range of contexts, with what, credit and that sort of thing?
CHRIS GATFORD: Online, perhaps we might try and apply for loans, maybe we might try and get some store credit at various places.
JENNY BROCKIE: Making you think twice, Shaun, about how much is out there?
SHAUN HERON: A little bit, but I guess I'm playing the odds. I've had that much information online for a number of years and I haven't had any remotely bad experiences with my online life. So I guess I know what information I've got on there and I may be slightly naive.
JENNY BROCKIE: Even though you had the credit card problem?
SHAUN HERON: Yeah, because that wasn't related to online, that was related to I used my card three times and gave it to three people.
JENNY BROCKIE: How do you know it wasn't?
SHAUN HERON: I don't have any credit card details online.
JENNY BROCKIE: Could you have been from information online, do you think, Chris, or not?
CHRIS GATFORD: Possibly. It depends where the information is stored. I suppose it's sort of a game of building a picture of a person and if you start going to outside sources to verify information you might be able to learn of that information. For example, I might want to ring up Shaun and pretend I was offering him a free service and he had to pay for the shipping charges, maybe that's a way I could
JENNY BROCKIE: So it could have been from the online information?
CHRIS GATFORD: It could be contributed towards it.
JENNY BROCKIE: Zoh, what about you?
ZOH MCENALLY: I guess about a year ago was thinking about applying for jobs and I'd heard that a lot of perspective employers will trawl through social networking sites and try and
JENNY BROCKIE: Check you out.
ZOH MCENALLY: Yeah, exactly. When I'm applying for jobs I'd rather be in control of what I'm presenting. So I have like my MySpace has my date of birth but it doesn't have my real name but my Facebook, where I have a little bit of information, my Facebook has my real date of birth and my email address.
JENNY BROCKIE: But that's more about employers not finding out how much you party or whatever else you do, is that the main reason?
ZOH MCENALLY: That was my main motivation, but it's got my bases covered, doesn't it?
JENNY BROCKIE: OK, so you feel protected. Ajoy, you're a private IT security consultant, you started your career with the New South Wales police specialising in e-crime more than 20 years. Do you think people are too trusting online?
AJOY GOSH, ONLINE SECURITY EXPERT: Absolutely. What I say to people is, would you put online what you have on a business card and if the answer is no then perhaps you've put too much information out there. Now, the information that you have online is one aspect of the problem. The other aspect is that the spammers have evolved now to use social networking sites to install malicious code onto your computer.
JENNY BROCKIE: What's malicious code? Explain that for people who may not understand.
AJOY GOSH: A computer virus or a Trojan, a piece of code that does bad things on your computer.
JENNY BROCKIE: What does it do?
AJOY GOSH: For example, many of the MySpace and Facebook users out here are probably like me and rather than filling out a paper form and faxing it in these days, what I do is I scan it in and email it back to the company and that contains much more information typically than you would have online.
JENNY BROCKIE: And that information, when you talk about Trojans or you talk about being able to get this malicious software - this malicious software getting into your computer can actually get that information, yeah?
AJOY GOSH: That's right.
JENNY BROCKIE: Graham Ingram, you analyse cyber crime. How else are criminals getting people's personal information and how big a problem do you think how much we're putting online could potentially be?
GRAHAM INGRAM, GM, AUSCERT: OK, let's take, for example, an average day for me at work. I get probably 100 to 150 per day. Probably about 90% of those will be spams. Probably 10 of those will have something that will want me to click on something and generally those ones will, if I am not careful, install something onto my computer. It varies. One of the things that we're seeing a lot more of is what we call the data exfiltration Trojans. What they're doing is that simply everything I type, everything I do is being captured and sent to criminals. Now, I'm not sure what you do, but I, for example, look at things like my tax return, my banking, my everything.. I do.
JENNY BROCKIE: You're starting to scare people at home, I'm sure, the mention of tax return. Keep going, yes.
GRAHAM INGRAM: Well, everything. Look at it.. Let's start with the motivation. The motivation is money and we started to see this activity in around about 2003. It started with the idea of these phishing sites and the phishing sites are simply emails sent out, spams, that tell a person that, "I'm your bank and that we're changing our systems and we need you to log on so that we can verify who you are." And what they do is they link you to a false website, it's an impostor, of which you type in your user ID and password and guess what, the criminals now have your log in.
JENNY BROCKIE: But who's at the other end? Who's getting all the information? Where is it all going?
GRAHAM INGRAM: It's been industrialised, and I really mean that, by organised crime. Initially it's eastern European based and Ukraine, Russian primarily, Romanian are also involved. But it's broadening. So we're now starting to see east African crime, typically the Nigerians and we're starting to see other elements get involved. You make lots of money without being caught.
JENNY BROCKIE: Bruce, you head the Computer Crime Squad in NSW. Is this all what you think as well? What you're seeing as well?
BRUCE VAN DER GRAAF, NSW POLICE FRAUD SQUAD: Absolutely. It's been going on for a number of years and you can see who's organising it by where the money trails are. It started off with money going overseas, but I tell you, now there are a lot of local syndicates who have picked up on it and in every Western country local organised criminals get their own Trojans, send out their own spam, organise their own phishing sites and
JENNY BROCKIE: And are people being really stupid falling for this stuff? I mean, do a lot of people fall for it?
BRUCE VAN DER GRAAF: You know, I wouldn't say people are stupid, because a lot of smart people get caught.
JENNY BROCKIE: What can these syndicates do once they've got that information? Once they've got your identity, what can they do?
BRUCE VAN DER GRAAF: Once they've got your Internet banking details that's easy. They'll use your - they'll steal money out of your Internet banking account or use your account to filter other money, other stolen money into it. They get your credit card details - that's just a shopping spree, no problems. Once they've got your identity and your date of birth, that's the key to the finance sector. So once they have that, they get a loan in your name or as sometimes happens, people come to us and say, "I've got this letter in the post saying I owe money on my house. I never had a mortgage," and next thing you know there's a $700,000 mortgage on their home.
JENNY BROCKIE: Roderic Graham, you're from the Gold Coast and you had your identity stolen. Just tell us quickly what happened.
RODERIC GRAHAM: Well, basically it wasn't online or anything like that. It was done by, I believe, a photocopy of a driver's licence. And pretty much there was only two people that had photocopied my driver's licence - one was an employer, another was a gaming shop. And basically by the next day I had bought a car, I had mobile phones, I had credit cards and some of the financial institutes that I already had loans and whatnot with gave this guy with totally different details credit cards. I mean, and I - they didn't really want to help.
JENNY BROCKIE: So overnight?
RODERIC GRAHAM: Overnight, it all started happening the next day.
JENNY BROCKIE: This is the man whose photo was on your licence.
RODERIC GRAHAM: Well, basically now he's up on murder charges and this guy also changed my driver's licence address, done from the computer. Changed it to a shop on the Gold Coast Highway. He had all my information and there's nothing worse than knowing someone like that has your information to come and pay you a visit and you might be victim number four.
JENNY BROCKIE: Did you know him?
RODERIC GRAHAM: Never knew him, never met him.
JENNY BROCKIE: And all up, before he was caught, how much debt had he wracked up in your name?
RODERIC GRAHAM: Thousand, tens, hundreds of thousands.
JENNY BROCKIE: And he was convicted of 40 fraud related charges.
RODERIC GRAHAM: 44. It wasn't me, the only one.
JENNY BROCKIE: And he did time in jail.
RODERIC GRAHAM: He did bugger-all time in jail. This is what really annoys me. You can go and rob a service station, get 200 bucks, do a few years in the clink, or you can go steal someone's identity, get well over 100,000 bucks and do four months.
JENNY BROCKIE: Did you have any idea how he got enough details to do what he did?
RODERIC GRAHAM: Photocopy of a licence, that's all he needed. Internet, like people going - I don't doubt that Internet fraud's out there and it is huge, but I tell you, it seems to take a long time to get all that information and do it. If you can just get a driver's licence thing.
JENNY BROCKIE: Aaron Kirby, you live in Canberra, what happened to you?
AARON KIRBY: Well, the start of 2006 I chose to travel for a year, so I packed everything I had in some boxes, put it in a friend's garage and went overseas. About halfway through the year I got an email from my flatmate saying, "Do you have a phone account with Telstra?" I said, "No." He said, "Well, I've got a bill for about $1,500." So I called up Telstra and I explained that I hadn't run up a bill, it wasn't me. I'm overseas, so I haven't been making many phone calls. And they agreed that they'd hold off on it until I came back to the country. So I forgot about it and then a couple of months later got another email from my old flatmate saying, "We've just got a letter for you from a lawyer saying that you have to go to court because of an unpaid debt." I said "Alright." So I called up the lawyers and found that another debt had been racked up. So the penny dropped and I checked my credit history and I found about $32,000 worth of debts and services and etc had all been accumulated in my name.
JENNY BROCKIE: Racked up in your name, and what sort of things had been bought?
AARON KIRBY: There were two credit cards both maxed out mostly in cash, $10,000 personal loan.
JENNY BROCKIE: Do you know who did it and why?
AARON KIRBY: Look, I have no idea how it happened, I really don't. I know all they had was they had a driver's licence number, they had a false birth certificate number and they had my work details like a phone number and a street address.
JENNY BROCKIE: Now your Facebook page is open, isn't it, with your birthday and other personal details for anybody to see. Do you think that makes you vulnerable still to identity theft, having that Facebook page?
AARON KIRBY: No, not especially. See, I see it as kind of a different issue. It shouldn't be so easy to obtain credit with such a small amount of information. I mean, I find it amazing that with three details, one of which was made up, they got $32,000. How did that happen?
JENNY BROCKIE: But it hasn't made you more cautious about putting stuff out there?
AARON KIRBY: No, because I shouldn't have to put a lock on my identity.
JENNY BROCKIE: Gerard Brody, you're a lawyer from Melbourne and you only found out that your identity had been stolen when you tried to apply for a credit card and your application was rejected. You then got a copy of your report, your credit report. Talk us through this, because I think we've got it here.
GERARD BRODY: Yeah, that's right. I did get a copy of my credit report and it showed that I had two large debts to credit card companies, one to Amex and one to BankWest.
JENNY BROCKIE: So are you on any social networking sites, just out of interest?
GERARD BRODY: Not at all. I'm actually a consumer lawyer and I guess that I know a bit about what your information's used for and marketing companies that can get information and therefore target marketing better towards you, and I kind of think, I don't want that or need that. I get enough marketing in my everyday life without having it more targeted at me.
JENNY BROCKIE: Brian Hay, you head the Fraud Squad in Queensland, one of the first police forces in the country to specifically target identity theft. Do we know how many people are having their identities stolen?
BRIAN HAY, QLD POLICE FRAUD SQUAD: In terms of reported criteria, no. In terms of anecdotal evidence you're talking millions around the world. If you look at major compromises to some large merchants in the US such as TJX, which occurred, I think, about 18 months ago, potentially there are 200 million compromises in that one data compromise. I think they admit to ..
JENNY BROCKIE: That's one instance.
BRIAN HAY: One instance, and you've had other major ones since then. You've had other significant commercial operators in Australia that have been breached. We've discussed various ways about how you can lose your identity, but that by no means is the only way.
JENNY BROCKIE: So what other ways are there?
BRIAN HAY: Well, for example we heard about the phishing, but to make the phishing effective you need the muling part of the operation, and that's where you get the spam email.
JENNY BROCKIE: Now hang on, hang on. Slow down, slow down, there will be people - people at home won't understand. Phishing is where something is put out there for you to click on and you click on it and you give information trustingly and they reel in the fish. What is muling?
BRIAN HAY: Muling is the money-laundering side of the operation. Phishing allows you to get access to the money, but you cannot transfer the money overseas to predominantly where these offenders lie. So you need to recruit what we call a mule. So you see those other spam emails that offer employment - be their consultant, be their Australian representative - they're muling operations, they will also use social engineering sites to become your friend and ask if you could then assist them to send money overseas and that's the muling side of it. So what will happen is you will get employed. Now, to get employed people will submit their entire life history, their resume, copies of their passport, their bank account details, their driver's licence, photocopies, they send all that over to these criminals. So once they have your bank account as a mule, the money will be transferred from the compromised account, subject to the phishing attack, into your account, you will normally keep a 5% to 10% fee for your consultancy efforts and you will transfer that money in cash to a name at a destination overseas.
JENNY BROCKIE: Well coming up, Insight will talk to a British comedian who stole the identity of the then home secretary. How vulnerable are you putting personal information online and how easily could you find someone else racking up debts in your name? I'd like to talk to you now, Bennett Arron, in London. You're a comedian and you had your own identity stolen about a decade or so ago and it prompted you to make a documentary showing just how easy it is to steal someone's identity. Whose identity did you steal to make your point?
BENNETT ARRON, COMEDIAN: Well, when I set out to do it I tried to think of the best person to do and I thought the best person really would be to go after the home secretary, the person really, you know, responsible for matters of ID fraud. So that's who I went after was Charles Clarke at the time.
JENNY BROCKIE: And you went online to get Charles Clarke's birth certificate.
What did you need to apply for that birth certificate?
BENNETT ARRON: I needed a computer, that was about it, really. It was, it was pretty easy.
JENNY BROCKIE: How did you get the information you needed?
BENNETT ARRON: Charles Clarke's date of birth was already in the public sector, so that was easy to get, and I found out his address - again easy to find out, and that was basically, believe it or not, all I needed. There were a few other little tiny bits, but it was the easiest thing to do and within two days of applying I received it.
JENNY BROCKIE: Well, let's have a look at your film and what happened next.
BENNETT ARRONS’ STORY:
BENNETT ARRON: I want to steal one of Charles Clarke's most important pieces of ID - his driving licence. It's a 2-stage process.
Oh, yes, Charles Rodway Clarke. There it is, Charles Clarke's birth certificate, all the information on there, yeah, the first step.
Everything that I've been finding out what about what proof of identity is needed - the driver's licence and a passport are the two most important documents.
Date of birth, which is on here, which is 21 September 1950. I'm going to have to change the address to a false address, obviously.
On this occasion I'm choosing - trying to steal a driving licence, but real fraudsters also target other key documentation, like passport.
I'm going to sign the back of the photograph and I just need to put the photo on the form. That's that, ready to post. There's no going back now.
It's a few days later. I'm a bit nervous. How ridiculous is that? That is Charles Clarke's driving licence with my photo on it.
JENNY BROCKIE: Well, Bennett, once you had that driver's licence, along with the birth certificate, what could you have done?
BENNETT ARRON: With that, if I wanted to, I could have gone after a passport and from that, you know, the world is my oyster, really.
JENNY BROCKIE: And what happened after that? What happened when - what did you do once you had those documents? What happened next?
BENNETT ARRON: Well, I locked them up in the safe. I contacted the Home Office, told them what I had done. Told them my reasoning behind it, but I heard nothing at all for six months from them, and then six months later I had a knock on the door at 7 o'clock in the morning and was arrested by three CID officers who threw me into a cell.
JENNY BROCKIE: And what happened then?
BENNETT ARRON: I was told that the case was going to go to court and I could end up with a prison sentence and I tried to explain to them I had done it for a particular reason, that I had written to Charles Clarke to tell him what I was doing. I'd be a pretty rubbish criminal if I wrote to the person I'd stolen something from and said, "Look, this is what I've done," but they didn't seem at all interested and they threatened me with, you know, with prison. But eventually I conceded to accept a police caution, which I wasn't pleased about accepting but at least it meant that I didn't have to go to court or end up with a criminal record.
JENNY BROCKIE: And did anything change after that in terms of the laws or the regulations around identity?
BENNETT ARRON: What I've been told by those particular police officers is that the application process for a driving licence has now changed. It has now become stricter than it was.
JENNY BROCKIE: I'm interested in the legal situation here in Australia, Alana, because I know that you're doing a PHD around this whole area and you're looking specifically at phishing and malware, which is malicious software, ways people can get inside your computer and so on. But what's the legal situation in Australia, what is illegal?
ALANA MAURUSHAT, CYBERSPACE AND LAW INSTITUTE, UNSW: Well, it's not legal per se to assume someone's identity. The illegal part as long as providing you obtain that information through legal means. So, for example, if I was to go to your Facebook or your MySpace to the telephone directory or website, that information that's in the public, provided you've made it in the public, would be perfectly legal. It would be perfectly legal for me to do that. When you start to acquire personal information by illegal means you start to get more towards a grey area. And the black and white area, it tends to come with the actual offence that's committed afterwards. You steal the personal information and it's what you do with the information afterwards that attracts offences.
JENNY BROCKIE: Gary Gill, you surveyed 2,000 public and private companies on fraud and asked whether they'd experienced identity theft. What did you find?
GARY GILL, KPMG: The survey showed that a significant proportion of companies had experienced identity crime.
JENNY BROCKIE: What sort of proportion?
GARY GILL: I don't recall the specific numbers, but it was probably in excess of 50% of the respondents. What they told us is that identity crime is a significant and growing problem. The other thing they told us, more importantly, is that fraud generally is committed by people inside the organisation.
JENNY BROCKIE: How well equipped do you think companies are at dealing with it?
GARY GILL: Generally I would say that they are quite good at dealing with the response. So once something has happened they generally respond pretty well. When it comes to preventing it happening in the first place and detecting it at an early stage, I would say that they're not that good.
JENNY BROCKIE: Alastair MacGibbon, you're in charge of security for eBay and you speak for PayPal too. You used to run the High Tech Crime Institute unit for the AFP. EBay's a big target, obviously, for Internet crime, with more than 5 million users in Australia, I understand. How safe are your systems on eBay and PayPal?
ALASTAIR MACGIBBON, TRUST AND SAFETY DIRECTOR, E-BAY: Well, it's reasonably safe. My objective is to make it as safe online as it is offline, and in many respects we've accepted a certain level of criminality in the offline world. I was a police officer for 15 years and saw crime mostly offline and we should just try to make the Internet as safe as the offline world. It would be impossible for us to expect it to be nirvana, and nor is it a cess pool. Unfortunately the Internet is a reflection of broader society.
JENNY BROCKIE: Adem, what happened to you?
ADEM TOUNJEL: I was basically about to head to the airport to go overseas and the night before I logged into any Yahoo email account and I couldn't log in and I thought perhaps there was a problem with the Yahoo system. So I went to check my eBay account and I couldn't get into that either or my PayPal account and one of my bank accounts. And what had happened, somebody had managed to farm my username and password somehow and log in and change all the secret questions on my eBay and Yahoo accounts and managed to post a number of false auctions on eBay under my name - a bunch of Sony laptops. The problem is, there was I was using the same password for a lot of things online..
JENNY BROCKIE: Once they were in into one they were into the lot.
ADEM TOUNJEL: The lot, and I mean, PayPal is linked directly to my credit card and they can do a lot of things using my credit card and I've got a $25,000 limit. Well, back then I did, and they could have access to that amount of money. But luckily eBay detected everything before I even knew what had happened. I called them directly in Australia and they were aware of it already and Yahoo picked it up as well.
JENNY BROCKIE: And you work in IT security, is that right?
ADEM TOUNJEL: Yes.
JENNY BROCKIE: OK, alright, so now we're getting a bit of a picture and what do you do now with personal information?
ADEM TOUNJEL: I'm paranoid. For example, I mean MySpace and Facebook accounts, I do have those, and I mean, I've cut mine right back. I don't even have a photo of myself on it at the moment and I check basically everyone who asks to be a friend on Facebook. If I don't know you or have I haven't spoken to you in a number of years I don't want to be your friend on Facebook.
JENNY BROCKIE: Well, thank you for coming on Insight, Adem. I'm really pleased you decided to join us. Cameron Murphy, what do you think about the amount of information that's required to join some of these sites or to log on to have an account?
CAMERON MURPHY,COUNCIL OF CIVIL LIBERTIES: I think clearly there's a problem there, whether it's offline - you're ringing a takeaway food company and having something delivered or joining the local video store, or online operations like eBay and other companies, one of the main problems is they're all asking for far too much information and they're storing it and that's, I think, part of problem in that if they're breached or when people have their own home computer breached the information can then be misused and abused and they're the sort of transactions. I accept that eBay may require personal information for some transactions, it may for people like sellers, but if you're buying something that might be $3 or $4, all that somebody really needs to know is that you've paid for it and where to post it.
JENNY BROCKIE: Alastair, is that a fair enough point? Does eBay open its customers up to ID theft just by asking too much information to get involved in the first place?
ALASTAIR MACGIBBON: We will ask for a date of birth, for example, which we don't show to other people but so that we can know that you're over 18, for example, because that's one of the conditions of registering with eBay. But it is important that you collect data, that you secure that data if you collect it and then you use it appropriately to fight, you know, criminality on the Internet.
JENNY BROCKIE: Tim Cullen, you look after e-security for the NAB, the National Australia Bank, and like other banks you encourage customers to use Internet banking. We heard earlier - we've heard a lot tonight about Trojan and phishing. How safe is Internet banking?
TIM CULLEN, NATIONAL AUSTRALIA BANK: At the NAB, Internet banking is easy, it's convenient and it's safe. We do millions of transactions each week and we would have a very extraordinary low number of incidents of fraud.
JENNY BROCKIE: How many?
TIM CULLEN: We would do a million - we would have less transactions probably less than five transactions per million in terms of the number of fraudulent events that we experience and in fact if our customers take some of the measures that we recommend to them around prevention, like having the latest antivirus software, not responding to bogus emails and using our SMS payment security solution, which provides a second level of authentication - if they've used our SMS payment security solution we've had no incidents of fraud.
JENNY BROCKIE: What checks are there before you issue credit?
TIM CULLEN: Within the industry, that's the standard 100-point check initially, but we do a range.
JENNY BROCKIE: And what's 100-point check? That's 100 points of ID.
TIM CULLEN: You would need 100 points of ID, so that could be a driver's licence and a number of other pieces of information. Outside of that, we invest heavily in trying to not only detect when someone is doing a fraudulent application, but looking for changes in behaviour, looking for people who are transacting in ways that they didn't transact before.
JENNY BROCKIE: Is it costing you a lot of money paying back things like Aaron's debt?
TIM CULLEN: The incidence of fraud is extraordinarily low for us. We have..
JENNY BROCKIE: How much does it cost you a year?
TIM CULLEN: I'm not at liberty to say that. We have a steadfast guarantee, though, for our customers, called NAB Defence, and this is our security promise that they can interact with us through a range of different ways and if they are innocent, innocent of any fraud event then we will fully reimburse them.
JENNY BROCKIE: But don't we have a right to know how much money in involved in all of this? I mean, we trust the banks to put our money with the banks.
RODERIC GRAHAM: If it's so low why aren't they saying the figure and how are they recouping money? Are they putting fees up? Are we paying for it when they say they're paying for it because bank fees are going up all the time?
JENNY BROCKIE: Let's not start a discussion about bank fees, I don't think that's fair to Tim. But Tim, it's an interesting point. I mean, don't we have the right to know the extent of this problem with the banks in terms of the dollars involved, because our money's there?
TIM CULLEN: I don't believe so. We are continuing to invest to reduce the incidence of fraud. It's part of, I guess, the trade-off between providing customers with the convenience and that customer experience that they're looking for versus the risk.
JENNY BROCKIE: I just wonder, Tim, I'm interested, though, in this reporting issue, when a customer comes to you with a problem, you know, with a sense that their identity's been stolen, do you automatically then report that to the authorities?
TIM CULLEN: We report it in a number of ways. It depends on the particular case, but all fraud, certainly online fraud offences we would report into the Australian High Tech Crime Centre and then depending on the local incidents, if it was an application fraud we would definitely get the local police involved.
JENNY BROCKIE: But it's not mandatory? There's not a mandatory requirement that every one gets reported?
TIM CULLEN: I don't believe it's mandatory, but we do report to the Federal Police every online fraud incident.
JENNY BROCKIE: Brian, do you get enough of this stuff reported to the police so you can investigate it?
BRIAN HAY: There's research that indicates as little as 1% to 4% of fraud gets reported. There's no doubt that the majority of online fraud does not get reported to police and quite frankly we don't need to have that reported to police. What we need to do is engage industry in partnership, which we've done successfully on many occasions, such as with eBay.
JENNY BROCKIE: Chris Gatford, how well do you think large organisations in general are dealing with identity theft?
CHRIS GATFORD: I suppose I can talk more about case in point about how they protect the data in the first place. Unfortunately in my experience most organisations that do have millions of records about Australian citizens on the whole do a poor job of protecting that data.
JENNY BROCKIE: Why do you say that?
CHRIS GATFORD: Well, because and part of my role I go in there.
JENNY BROCKIE: You're a professional hacker, yes?
CHRIS GATFORD: And I gain access to that data.
JENNY BROCKIE: And you gain access to it easily in most cases?
CHRIS GATFORD: Typically quite easy, normally within a couple of days.
JENNY BROCKIE: And how easy is it to protect it properly from someone like you?
CHRIS GATFORD: It's not that difficult. It just comes down to sound policies and procedures inside their organisation and making sure that they follow them to protect that data.
JENNY BROCKIE: And so would you say that in general large organisations are behind the eight ball on this stuff? Are there notable exceptions?
CHRIS GATFORD: I can't talk specifics, but I would say 90% of organisations that I've walked into have had significant issues and those are probably in the top 200 companies in Australia.
JENNY BROCKIE: That leaves us with something to think about, and coming up we're going to look at how easy it is to clear your name and credit rating once you've been hit with identity theft and we'll look at what else we could be doing to protect ourselves. How safe are your personal details online and what happens once your identity has been stolen? Roderic Graham, we heard earlier how a man charged with murder stole your identity. How easy was it for you to get it back?
RODERIC GRAHAM: I don't think I've really got it back yet, to tell you the truth. Still today I have debts that he racked up, debt collecting agencies knocking on the door, saying, "We want money." It's a good thing I know the police and they're helping me out. I just give their phone number, but
JENNY BROCKIE: How long ago did it happen?
RODERIC GRAHAM: 4.5, 5 years ago.
JENNY BROCKIE: And you're still getting...
RODERIC GRAHAM: Still copping it. I mean, one thing that really, really bugs me is that every single transaction that he did, there wasn't enough ID to even open the account on one occasion and people are taking short cuts, people who need commissions, meeting deadlines, criteria, all sort of things and they're just prepared, "Yep, that will do, yep, we'll dodgy it up." I mean, myself I've gone and got finance before and they've said, "How much, oh we'll jack that up a little bit," and I'm like, "Well, it really is easy." I think a lot of the Australian people know what I'm talking about.
JENNY BROCKIE: Yeah, I'm sure we do. We did a show on it just last week, actually. I'm interested, though, to know how much of an affect that's had on you and your family, this ongoing, 4-year struggle?
RODERIC GRAHAM: Huge. The banks did, and finance companies, absolutely nothing. It was up to me to go see them and I was guilty until I proved myself innocent. I lost a job over it for needing the time off. The actual money it cost me, it cost me thousands of dollars driving around, time off work, all that sort of stuff.
JENNY BROCKIE: So you really had to be the one to regain your identity? You didn't feel like you were helped by organisations?
RODERIC GRAHAM: No-one really wanted to help at all.
JENNY BROCKIE: Aaron, what about you?
AARON KIRBY: I totally agree with Roderic in the sense that it's very much a case of being guilty until you prove yourself innocent. When I came back from my trip I had to spend two months - I was unemployed, I was waiting for university to start - I had to spend two months solely getting in front of people with my passport, saying, "I couldn't have done this, I was overseas." It was very difficult to get them to realise in a lot of cases that it can't have been my debt.
JENNY BROCKIE: Did you have to see everybody? Did you have to go through every single
AARON KIRBY: Absolutely. No help, there is no government department that can help you with this, the police weren't much help. I never heard back from them once I gave my report. I mean, it wasn't difficult because I did have indisputable proof it wasn't me because I was out of the country so I didn't have the same trouble that Roderic did.
JENNY BROCKIE: How long did it take?
AARON KIRBY: It took a couple of months of just work.
JENNY BROCKIE: Brian.
BRIAN HAY: One of the things - this has emerged as a real issue in the last number of years and one of the things we identified quite quickly from a law enforcement perspective, I mean, Law Enforcement Australia formed the Australasian Identity Crime Working Party, which has sought to nationalise standards and get consistency across all jurisdictions and territories, including New Zealand. And in the absence of specific identity crime legislation, what happens is you have a victim who was not legally a victim, because who lost the money? It was the financial institutions or the merchants. So in the terms of a victim of crime, I'm sorry, Aaron, you never were one.
AARON KIRBY: No, I agree.
BRIAN HAY: But South Australia was the first and we've introduced specific identity crime legislation in Queensland to give the Roderics and the Aarons of the world a voice and through ..
JENNY BROCKIE: But it's still a long way from being perfect, yeah?
BRIAN HAY: Look, we're always working. There's no such thing as utopia. As soon as we change and catch up, something else changes and I think law enforcement today tries to be part of game or ahead of the game rather than just be reactive.
JENNY BROCKIE: Gerard, you're a lawyer. Did you have any more luck in your case as a lawyer getting your identity back?
GERARD BRODY: Well, I'm a consumer lawyer at that. Not much different to Aaron's. It took much a couple of months at least with numerous phone calls. I originally found mine through the credit record, so I contacted Veda Advantage, the credit reporting agency, and they told me to go to the credit provider. I go to the credit provider and they said, "You need to provide some evidence for this, go to the police." I went to this police office and they said, "Well, you don't have any evidence, we're not giving you a criminal report or any sort of report," so they wouldn't help me at all. So I think for consumers you're bounced around between these different people and there's no easy way into the system to get your problem sorted out.
JENNY BROCKIE: Chris, you're have Veda, you have the records of 14.5 million Australians so people who find themselves victims like Gerard there contact you to clear their credit record. Why does it take so long from for this process to happen?
CHRIS GRATION: Well, because we hold credit records on 14.5 million Australians and if you're a Romanian who wants to get access to people's identities we'd be a first port of call. So we need to be very confident that the claims being made to us are correct, and one of the problems we've got - this is not like any other crime.
JENNY BROCKIE: How many corrections a year to people's credit records are there?
CHRIS GRATION: The incidents of identity fraud is pretty low. We give out about 250,000 credit reports a year. The number of corrections for a serious matter like this is about 1,000, but that, that just means
JENNY BROCKIE: But any one of those 1,000 people could be like going through what Roderic's going through, yeah?
CHRIS GRATION: That's right.
JENNY BROCKIE: You wanted to make a point, Gerard.
GERARD BRODY: Well, I think the extra assistance from Veda Advantage is a great one, but for a consumer it takes you time. In my experience, in my situation, I didn't have any evidence that I didn't rack up these debts, like Aaron did. There was nothing that I could point to, to prove these weren't my debts. It was my word. So it took me a long time to prove that word and for the person that got the credit to begin with it took seconds. They made an application online so it took a long time.
JENNY BROCKIE: Yeah, there's something wrong - there's something wrong with that balance, yeah.
CHRIS GRATION: Jenny, I think it says what we've got here, this is a systemic problem. We've got online economy growing and the online economy connecting the entire world to stores of money in banks and other credit providers, and so it's created a very powerful incentive for people to get at that. Now, our systems just haven't caught up. You know, 20 years ago there were armed hold-up squads because there were crooks holding up banks. Now, they're sitting in Romania and doing it online, and we need systems, you know, portable digital identities that are secured across the economy that can help us protect those stores of value.
JENNY BROCKIE: Stephen Brown, Dun and Bradstreet has millions of credit details too from people. How many do you correct every year?
STEPHEN BROWN, DUN AND BRADSTREET: Look, we're similar to the Veda experience that Chris has talked through. It's actually a very small number of people that actually have these problems and challenges with identity theft.
JENNY BROCKIE: But how long does it take for them to get their credit rating changed?
STEPHEN BROWN: Again, it can really vary. We've got some examples where it be remedied very quickly where the evidence is very clear that in fact the person has been the victim of identity theft. Other cases are much more complicated, and there probably needs to be a much greater awareness amongst consumers to protect their identity. I do think there's a level of responsibility that we need to recognise there.
JENNY BROCKIE: And do you two share records over this sort of stuff?
CHRIS GRATION: No, we don't, but what we both do is we allow consumers to monitor their own credit file. If you can't protect yourself, the best way you can do is monitor what's happening on your credit file.
JENNY BROCKIE: But it still means they've got to go to both of you.
CHRIS GRATION: That's right.
JENNY BROCKIE: If somebody has a problem with their credit rating they have to go to both of you.
CHRIS GRATION: If somebody comes to us and they've had a problem then we will deal with that problem for that consumer and we will talk directly to Dun and Bradstreet.
JENNY BROCKIE: Gary Gill, do you think it's too hard for people to clear their names?
GARY GILL: In my experience it does take a long time, anywhere from a couple of months to a couple of years and the issue is how quickly you discover that you've been a victim. That can take a lot of time. You take a young person who's on Facebook or whatever it could be a couple of years before they realise they've been a victim.
JENNY BROCKIE: Graham.
GRAHAM INGRAM: I'd just like to add, we're talking here about restitution. There's only so many points of identity that you can have, date and place of birth, mum's maiden name. Once they're gone, you know, it doesn't mean it stops. There's so much beyond the credit card and the bank that we're talking about. And I think the fact that you can't restitute an identity, really, and I think the discussion about that we are not equipped as a society to deal with the online and offline components of this problem is probably a pretty fair assessment and I think in some respect, you know, there's discussions about whether or not how close we're getting to a national security issue, for example, border control where people can get passports, visas, all these sorts in your name. So I think this is a national issue and I think the sooner the Government, for example, I'll point to them because some of these issues when they're beyond the individual institution, where they're beyond the actual people involved, we need something to bring it together and possibly plot the way forward.
JENNY BROCKIE: Well, Alana, there is this push for uniform laws. What is that
going to do, do you think, having had a look at them?
ALANA MAURUSHAT: Well, I'm not a police enforcement agency, but the problem that I see is that it fills in the gap where yes, it makes it a crime to deal, possess or to have any kind of equipment that will be used to appropriate personal information. But the bigger issue is we're framing the actual question wrong to begin with in the first place. We're focusing on identity thieves instead of focussing on prevention of insecure architecture, and that is the real problem.
JENNY BROCKIE: Cameron.
CAMERON MURPHY: I think there's also a larger problem there where it in a sense shifts the burden away from the businesses and organisations that collect the data in the first place where if there were specific identity theft and fraud offences a lot of the businesses may choose to think, "Well, we don't really have to take it that seriously or deal with a problem because the law will deal with it and the police will go and prosecute the people who commit the crime at the other end of the process." I think we already have a problem where businesses don't do enough and don't take data seriously and having these offences in place, I think, may increase that problem where they think it's the police's problem, not ours.
JENNY BROCKIE: Graham, what do you think? Having looked at this, what do you think we should be doing? How do we balance our love of being online with protecting our identity?
GRAHAM INGRAM: Two things, I think. First of all is I would like to know better what we're dealing with. For example, we have no understanding of the penetration of this issue into society, how many PCs are compromised, how long they've been compromised, why they've been compromised.
JENNY BROCKIE: But how are you going to find that out?
GRAHAM INGRAM: Hard work and we need to do that. The second thing, though, is I was recently overseas and I believe the Belgium experience has solved a lot of these problems, but in a way that will cause havoc in Australia.
JENNY BROCKIE: What's the Belgian experience, quickly?
GRAHAM INGRAM: What they have is an ID card and the ID card is a chip-enabled card and here we have a European country that's privacy driven have instituted a very robust card solution
JENNY BROCKIE: Single piece of identity - oh boy, we're opening up, there's a whole new discussion and Cameron I can see your face as that's being suggested.
CAMERON MURPHY: The problem with any of those solutions whether it's more sophisticated documentation or it's an ID card is that it's just keeping up with the Joneses. However good we are at producing something it's only a matter of time before criminals can hack into it, manipulate it and produce their own.
JENNY BROCKIE: So what do we do, Cameron?
CAMERON MURPHY: We need to deal seriously with victims of identity theft and fraud so they've got a mechanism where they can go to court or somewhere, they can ensure they go to one place, get their identity corrected or have a document they can produce to every bank, credit company and so on to make sure that they from then on have their identity secure.
JENNY BROCKIE: So that's really after the horse has bolted. It's treating people well once it's all happened.
CAMERON MURPHY: That's right, and I think the second part is to treat people properly before it happens by ensuring we hold businesses particularly and government to a much higher standard and we also reduce the amount of information that they keep about people. A lot of the transactions can be performed without requiring the sort of information that businesses regularly ask.
JENNY BROCKIE: Chris, the checklist of what not to do from a professional hacker's experience?
CHRIS GATFORD: OK, what not to do. Don't put anything online that you're not prepared to stick on the front letter box of your house. I would also say practice safe computing, educate yourself and your family members and try to ensure that you look after your PC.
JENNY BROCKIE: Anyone here who's online a lot thinking twice about the amount of information they might put out there? Zoh, what about after all this?
ZOH MCENALLY: I honestly think that a lot of the situations discussed today, not yours obviously, but a lot of them have a real life component that seems to have been the real thing that tipped it over. Like for me it seems like - especially from a social networking perspective - like it's all being demonised a little bit. I'm not sorry, I'm not terrified as a result of
JENNY BROCKIE: I don't want you to be terrified, Zoh, I really don't. Aaron, what do you think? Is it making you think twice, just quickly?
AARON KIRBY: No.
JENNY BROCKIE: No?
AARON KIRBY: No.
JENNY BROCKIE: No. Shaun.
SHAUN HERON: I have so much information on my profile, but it's harder for me to apply to rent a washing machine than it was to get my car loan, so a lot can be said for what the banks and what the big organisations are doing. If I can't get a washing machine because I can't produce three addresses that I've lived at, where I can get a car loan with one phone call.
JENNY BROCKIE: That's a very interesting point and I'm sure that's something we'll talk a lot more about. We are going to have to wrap up. Thank you all for joining Insight tonight, it's been very interesting.
