Almost daily, I receive a call from someone who has had their identity compromised, from Jade, who lost $500k to a sophisticated hacker, to Matt, who had his credit compromised by someone stealing his driver's licence. What is truly horrifying is that identity crime is more common than robbery, motor vehicle theft, household break-in or assault, and the impacts on those who have experienced it are horrific.
The Story of Jade, who was scammed of $500,000 before Security in Depth assisted in recovering her funds.
Case Studies
Case study 1: Apple account compromised
An individual purchased an iPhone and had not used their Apple account for some time, so when contacted by scammers via email and told their account would be locked in 24 hours unless account information was updated, they believed the request was genuine. The individual confirmed their full name, address, email, date of birth and driver licence details. An hour later they received a notification from Apple that their Apple ID was being used on iMessage and FaceTime on a new phone. As their new phone had not yet been connected, they became worried. They contacted financial institutions and others to change passwords. They went to the police but were not issued a police report because nothing (except credentials) had been stolen. They also contacted Apple to report the compromise and were told scammers were targeting people with Hotmail accounts like the victim.
Case study 2: Multi‑party breaches
Under the Notifiable Data Breach scheme, only one entity is required to notify the OAIC in a scenario where multiple organisations were involved in a single breach. However, as an example, between April and June 2018 the OAIC received more than 50 notifications from an entity and its clients in relation to one incident. It was reported that individual consumers also received multiple notifications relating to the data breach, creating the potential for confusion. This incident highlighted the challenges involved in multi‑party breaches, in which there is a breach of data held by multiple entities, as is often the case in supplier arrangements. The incidence of multi‑party breaches is expected to increase in the coming years, given continued trends towards outsourcing and the use of cloud service providers.
Case study 3: Investment scams that mine identity credentials
A client received an unsolicited email advertising an online trading platform (owned by a company registered in the British Virgin Islands, run out of Estonia). They clicked on a link to the registration page and filled out contact details. The client was contacted immediately and convinced to pay a deposit of €250 ($430) by credit card. This is similar to other investment scam behaviour observed, convincing victims to transfer small amounts, which then escalate over time as more trust is built and more exclusive benefits or opportunities are offered by scammers. The client changed their mind the next day but was told that because of anti-money laundering laws they would have to provide a copy of their driver licence, credit card and utility bill to close the account.
The client refused but was later contacted by another cryptocurrency firm and tricked into handing over credit card details. The client’s bank informed them that their money had gone to Eastern European accounts. Another client received continual emails from an online investment company featuring prominent Australians endorsing a Bitcoin trading platform. The client contacted the company (also based in the British Virgin Islands) and was convinced to invest an initial deposit of $400. They were immediately contacted by the trading manager via telephone and given a trading platform login and password. The client was unable to log in using the provided information and allowed the trading manager remote access to their computer.
The client became nervous after this and requested to close the account. The client was instructed to send copies of their driver licence and a recent utility bill with their address as part of Know Your Customer requirements. The client was informed by their bank that the platform was a scam. Many clients report being lured to these scams by persistent and credible looking messages featuring prominent Australians or celebrities. The initial investment is around $400. Many individuals are being asked to install trading platforms on their computer, leading to further compromise. Losses in the tens of thousands to hundreds of thousands of dollars are common.
Further compromise occurs when clients attempt to withdraw money and are asked to provide copies of identity documents including driver licences, passports, utility bills and credit card details as part of Know Your Customer or money laundering regulations. Misuse from these events includes the fraudulent establishment of transaction accounts, credit card accounts, personal loans and mobile phone accounts.
Watch as our CEO, Michael Connory, receives a suspicious text, and see what happens after he clicks: a perfect investment scam.
Case study 4: Australian Defence Force employee’s identity misused for used car sale fraud
In 2017–18, the Department of Defence was notified of six instances of a scam where a Defence Force member’s identity was stolen and used on multiple online used car sales trading platforms. In one instance the scam was successful and the victim made a payment amounting to $3,000. The complainant reported the incident to the local police, their bank and Scamwatch. In 2018–19, the Department of Defence received two additional reports about the same used car sales scam, using the same stolen identity.
It appears that the perpetrator continues to repost advertisements on online trading platforms using the stolen identity. There is a possibility this Defence Force member’s identity will continue to be misused in the future.
Case study 5: Investigation into compromised myGov accounts
DHS’s Identity Theft and Scams Helpdesk received a referral about multiple compromised myGov accounts. These were quickly profiled by intelligence and analytics teams against the department’s data holdings, leading to the identification of 277 data breaches. An analysis of Centrelink records identified 21 victims of unauthorised payment destination updates. Tactical intelligence officers identified the alleged perpetrator and produced an intelligence product for fraud investigators within three hours of the initial referral.
A search warrant was subsequently executed, leading to the seizure of a laptop and smartphone with identity information related to more than one million individuals allegedly acquired from the Null.to web forum. The alleged perpetrator was interviewed by police officers and admitted to the alleged offending. The admission included information about a number of open source sites on which account holders can access compromised usernames and passwords. One of those sites was the aforementioned forum.
Case study 6: Stolen Australian passports and human trafficking
DFAT received reports in 2019 indicating people smugglers operating in the Middle East would charge up to €8,500 (A$14,100) for a genuine Australian passport and airline tickets to allow a person to undertake imposter travel to Europe. There is no information available on the specific components of this cost.
Case study 7: Identity theft and online fraud
A 26-year-old woman was looking for a room to rent and responded to an advertisement on a popular Australian website. The person who posted the advertisement informed her that they were currently overseas on holiday but would return to Australia in a week. In order to secure the room, she was told to provide her full name and date of birth, together with copies of her identity documents.
The woman sent copies of her passport, birth certificate, driver licence and employment history.
The advertiser then requested three months of rent in advance before they would provide a copy of the lease. At this point, the woman suspected that she might be the victim of a scam. A subsequent investigation discovered that the scammer had used the woman’s stolen personal information to apply for a credit card in her name and purchased over $10,000 worth of airline tickets, electronics and luxury items.
Case study 8: Obtaining a new driver licence number
In January 2019, an individual received two debit cards in the mail that had not been applied for.
The individual immediately spoke with the banks concerned—banks they had never previously interacted with. One bank said they could not share details about the case because of privacy concerns. The other said that someone had used the client’s driver licence and Medicare card details to apply for the debit card and that the account appeared to have been used by criminals based offshore for money laundering (in the victim’s name).
The Department of Human Services arranged for additional security measures on their Medicare account, including a new Medicare card. The individual reported the matter to their local police, who simply referred them to ReportCyber. Knowing their licence was being misused, and residing in one of two states that allow for driver licence numbers to be changed, the individual asked their bank for a letter to indicate that their licence had been misused to open an account.
This is a requirement of the driver licence issuer, without which victims of identity theft cannot change a driver licence number. The bank initially refused. Individuals advocated on behalf of the client to convince the bank to write an email explaining that the licence had been used to apply for an account and that this account was believed to be fraudulent.
As part of their advocacy, the bank was advised that by assisting it was reducing the risk across industry and government service providers that the criminals would continue to misuse the licence. Next, the victim asked the local police station for a police report number and a letter, again indicating that the licence had allegedly been misused to create a fraudulent account. The police initially refused, instead referring the client back to ReportCyber.
A Government case manager then accompanied the client to the same police station, where the same advice was given. When the police were informed that the licence issuer required the letter to change a licence number, they still refused to cooperate. This process took around 35 non-consecutive hours, time off work, the completion of around 10 different forms, and contact with Commonwealth agencies, state government agencies, banks, telecommunications companies and credit reporting bureaus. Like many victims of identity crime, this individual never knew how their credentials had been compromised.
Case study 9: Credit card skimming
The NSW Police Force established a strike force to investigate a syndicate believed to be involved in credit card skimming, credit card cloning and the subsequent unlawful use of the cloned credit cards and credit card data to purchase goods or gift cards from major retailers and to withdraw funds from ATMs across Sydney. The investigation revealed the syndicate had used compromised EFTPOS devices, including a new brand of EFTPOS device that had not previously been detected in New South Wales. The syndicate stole gift cards from various retailers and encoded the details of the credit cards onto these gift cards.
The syndicate would also encode the details of certain credit cards onto expired credit cards in the name of syndicate members. That way, if stopped by police or questioned by retailers, they could show their legitimate driver licence in support of the card that had been used. Syndicate members would report up to six cards lost to their respective banks each year, in order to have sufficient cards to encode with specific credit card data.
Highlights
Unfortunately, no individual can completely protect themselves from the sophisticated tactics identity thieves use to get their hands on sensitive personal and financial information. That’s why information that helps raise awareness about identity theft is important because being a victim of identity theft can be financially and emotionally devastating.
Here are some steps you should consider taking to help in your fight to protect your identity:
Don’t over share
Tech-savvy thieves can quickly gather what you share on social networks (your home or email address; children’s names; birth date and so on) to use for scams, phishing, and account theft.
Fight ‘phishing’ – don’t take the bait
Never give out personal information over the phone, through the mail, or over the Internet unless you have initiated the contact.
Check your credit report
Report problems immediately. You should review your credit report at least once per year. Consider signing up for ongoing monitoring of your credit file for potentially fraudulent activity. Take steps to detect identity theft early, which helps minimise its impact.
Use strong passwords online
You’re giving identity thieves a gift by using an easy password, because it opens the doors to your personal information. Make passwords more complicated by combining letters and numbers, mixing in special characters, and changing them regularly.
Don’t trust public Wi-Fi
Be aware that your mobile device is vulnerable to viruses and hackers. Only download applications from trusted sources at home on a secure network.
Review your transactions
Check your credit card bills carefully for any unauthorised charges or withdrawals and report them immediately. Call if bills don’t arrive on time. It may mean that someone has changed contact information to hide fraudulent charges.
Safeguard personal information in your home
Take this step if you are having service work done there, employ outside help, or have a roommate.
Protect your mail
Bring in your mail daily. Forward or re-route your mail if you move, change your mailing address or are planning to be away.
Shred all documents
Shred documents you are discarding, including pre-approved credit applications received in your name, insurance forms, bank cheques and statements, and other financial information. An identity thief can easily pick through your garbage or recycling.
Copyright © 2023 Security in Depth - All Rights Reserved.