Catch me if you can

By Christine Gill

Identity-related fraud is big business. It is also an increasingly complex challenge for those whose job it is to spot the fraudster. Christine Gill investigates.

$5.88 billion. That's how much the Australian Institute of Criminology (AIC) estimates fraud costs Australia every year - nearly a third of the total annual cost of crime. In dollar terms, small business in Australia loses more every year to fraud than it does to employee theft, burglary, armed robbery and vandalism combined.

Identity-related fraud is a major part of the problem. Over a third of all serious crimes in Australia involve identity-related fraud. And with no shortage of information, particularly on the Web, about how to fake an identity (a recent search on the Google search engine - 'How do I fake ID?' - yielded 541,000 pages), for those whose job it is to authenticate the identity of individuals, identity-related fraud is fast becoming one of their greatest challenges.

Who are you?

At a recent series of AIC conferences, AIC director Dr. Adam Graycar asked the audience to consider the following questions:

- how should government agencies identify people when they issue official documents such as birth certificates and passports? Should people be interviewed before being given these documents or should they be asked to provide some biometric evidence, such as a fingerprint?

- should government and business share information on public and private sector databases in order to find counterfeit or altered documents used to verify identity? and should the police maintain a database of identities they believe to have been created for dishonest purposes?

- would a nationally-issued identity document solve the problem of identity-related fraud, or would this be just another document that could be counterfeited or abused by fraudsters?

- how do we prevent identity crime while protecting individual privacy and confidentiality?

To highlight the problem of identity-related fraud, Graycar cites one shocking example from the United States. In the aftermath of September 11, within days of the appearance of lists of those presumed missing in the rubble of the World Trade Center, hundreds of millions of dollars of goods and services were illegally obtained by people who had adopted the identities of the victims.

Such was the outpouring of public sympathy immediately following the September 11 attacks that people intent on fraud were simply able to walk into government offices, into shops and banks, claiming that their identity documents had been lost in the rubble of the World Trade Center and - on production of the flimsiest identification - were able to obtain identity documentation, such as replacement driver's licenses, which could in turn be used to procure further identification. From there, it was only a short step to illegally obtaining goods and services; for example, to opening lines of credit large enough for the fraudster to drive away an expensive new car.

In Australia, Image & Data Manager [18/12/2000] reported the case of a man whose Queensland farm was fraudulently sold by his family, after they forged the original mortgage documents. More recently, the Land and Property Information agency (LPI) posted warnings on its Web site relating to six incidents involving counterfeit certificates. These frauds were first uncovered by the LPI in late 2002 and are currently under investigation by the fraud squad. "Ultimately it gets down to buyer beware," says Brett Warfield, a senior manager at KPMG Forensic. "Professionals who rely on documentary evidence and signatures should seriously think about doing additional independent checks."

Teaching an old dog new tricks

In the tearoom at the AIC there is a cartoon of a dog sitting at a computer keyboard. He says to another dog nearby: "You know, on the Internet, nobody knows you're a dog." If identity-related fraud is an old scam, modern technology is helping to change the way the game works.

Reported cases of identity-related fraud have increased over the last 15 years, in line with the boom in modern technology. The advent of increasingly affordable computers, scanners, imaging equipment, colour printers and desktop publishing has made it easy for anyone who wants to become a fraudster to do so. But more than anything, it is the Internet that has become the fraudster's single most potent weapon.

What is more, the Internet is not only a means of perpetrating fraud, it also makes the criminals much harder to catch - and even harder to prosecute. "There is no international law that governs the Internet across different jurisdictions," says Warfield. "There are different laws in different countries, with different servers."

But if modern technology is part of the fraudster's armory, it is also playing an ever more important role in the fight against fraud.

Concerns about terrorism have prompted governments to increase efforts to detect identity-related fraud. Biometrics, such as iris and face recognition technologies, are being developed for use in high risk areas like customs, defense and airport security. In 2002, Australian customs conducted a series of face recognition trials. Other security tools available include online identification and authentication, location-based security systems, knowledge-based security systems, neural networks, data analysis and profiling. As AIC's Dr. Graycar explains: "There's a race in progress by both the good guys and the bad guys to use technology to determine who's who and who is you."

Internal control policies

Technology is only part of the solution - fraud prevention is also about risk management. Following the collapse of HIH, Enron and Arthur Andersen, education, corporate governance and the establishment of effective internal security policies are all equally important tools in combating fraud.

In a global survey of large organisations conducted by Ernst & Young, Fraud - The Unmanaged Risk, more than two-thirds of companies around the world reported being the victims of corporate fraud. Of those, 85 per cent of crimes were committed by employees, and of that group over half of the fraudsters were senior managers. Of managers committing the largest frauds, 85 per cent had been in their jobs for less than a year.

"Simply having a policy is not enough. Enron had policies. Internal policies need to be championed by management and appropriately communicated throughout the organisation," says Wayne Gilbert, Director, Fraud Risk Services (Sydney) at Ernst & Young.

Gilbert says there are definite employee warning signs, particularly among management, that indicate high-risk employees. These include managers who exert excessive control over their working environment; people who do not take holidays; gamblers and other addicts, and employees who undergo dramatic changes in lifestyle, such as purchasing expensive cars and clothes. "Education and training in fraud detection and prevention is crucial. Management should understand what fraud is, how to spot high-risk employees and high-risk areas within the organisation."

The AIC's Dr. Graycar points out: "Company policies should include specific codes of conduct for online behaviour of employees, such as security of user authentication systems (e.g. passwords), access to and use of the computers for private purposes, personal use of email, downloading software, and the use of copyright material.

"Principles also need to be established to ensure that those who report illegal conduct are not disadvantaged by their conduct".

Management must play its part

Part of the fraud problem comes down to senior management. People who run companies do not need to be IT savvy, but they do need to know enough about their business to be fully aware of the risks that exist. "This is particularly the case with respect to information technologies," says Graycar.

Responsibility for securing systems often lies exclusively with the IT department. However, the fraud experts warn against this practice because although CIOs and IT managers have ultimate responsibility for managing IT systems, misuse of those systems cuts across the entire organisation. To tighten security where it is needed, IT departments must rely on appropriate feedback from other departments within the organisation.

In his investigative role at KPMG Forensic, Brett Warfield has encountered seriously flawed IT decisions made by senior management due to a lack of understanding of the systems in place in the organisation. "Tens of millions have been lost through poor design and implementation simply because management haven't worked it right through. Managers should ask, 'how is the new technology going to relate to existing systems and what weaknesses are going to occur because these systems overlap?'"

KPMG Forensic has also found increasing problems investigating companies that have moved away from hard copy systems to an online environment. "Management demand faster solutions to streamline business processes, but what management fails to realise is the ability to process information quicker reduces the chances of fraud being picked up," says Warfield. "In an online environment, we often find there are no transactional listings to identify who had authorised anything because some companies turn off their electronic audit trails."

The growing trend for management to downsize departments has also played a part in allowing fraud to go unchecked. Management will often only look at savings in terms of the number of people on board. But what they do not look at is what effective controls are in place - "what is the business losing by not having those extra one or two people doing that role?" Warfield warns.

No one pretends that identity-related fraud is going to go away overnight, but the AIC lists four recommended fraud prevention strategies: improved corporate governance, dedicated fraud control policies, more rigorous procedures to monitor personnel, and more effective monitoring of computer usage. Implement those strategies and who knows? - You may not be able to tell if that's a dog on the Internet, but you just might be able to make it a lot harder for him to make an easy meal out of you.
