By Asha Barbaschow
The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with the myGovID -- developed by the Australian Taxation Office -- and accrediting an equivalent identity service from Australia Post last year.
The myGovID and the Australia Post Digital ID are essentially just forms of digital identification that allow a user to access certain online services, such as the government’s online portal myGov.
There has been conversation around extending digital ID to allow the private sector and state government entities to develop their own platform. Eftpos previously flagged its interest and according to the minister in charge of digital transformation, Stuart Robert, PharmacyID is also interested.
“Now I’m building up, on behalf of the government, a federated model, a trusted digital identity framework,” he said on Wednesday.
“We’ll have another Act through the Parliament, this year, all going well, that allows other digital identities to be created, so DigiID from Australia Post, Eftpos is interested, so is Pharmacy for PharmacyID, that the idea of replicating 100 point check-in paper form, like you do now at a bank or a telco, but doing that digitally with absolute and utter assurance, and you can get a PharmacyID and you’ll be able to use that seamlessly for government.”
Appearing before Senate Estimates in November, DTA CDO Peter Alexander said his agency is moving forward with the plan to bring in legislation to allow private entities onboard.
“It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider. So individuals and businesses dealing with the Australian government and national services will be able to make a choice,” he said.
The Trusted Digital Identity Framework sets out the operating model for digital identity. It’s essentially a set of rules that federal government agencies can follow, but they can’t be applied to states and territories, or to the private sector.
This is where legislation will be used
Robert highlighted there have been a number of impediments to data sharing over the years, saying that while they have all meant well, they have prevented the use of data. “For example, I can’t use Medicare data to assist you with a simple inquiry. I can’t use disability data for a disability support payment to help you get on the NDIS,” he said.
The DTA is also looking to add a digital, biometrically anchored identity, which Alexander previously said would allow users to simply take a photograph of themselves for it to be matched to a passport.
“In time, that will be able to match the other biometrics that are held like driver’s licences, working with vulnerable children -- whatever biometric is held,” he said.
With concerns that law enforcement could have access to the data, particularly the biometric “anchoring” the service provides for, Robert said access would be denied in the coming Bill.
“We will bring a Bill to the Parliament that will allow the use of data about a citizen to be used only for service delivery and I’ll specifically deny the use for law enforcement or compliance,” he said. “That way if you tell us once you won’t have to fill in multiple forms, because we’ll have your data once.”
The minister said 2 million Australians have a myGovID.
But minister says access should be denied to law enforcement
By Alessandro Mascellino
The Digital Transformation Agency (DTA) is working on a new bill to extend its myGovID digital identity service use to the private sector, ZDNet reports.
The idea was first announced last November when DTA said it intended to provide identity verification alternatives to the myGovID developed by the Australian Taxation Office or the Australia Post Digital ID.
Now, Australia’s minister in charge of digital transformation, Stuart Robert, confirmed he is working on a trusted digital identity framework on behalf of the government.
“We’ll have another Act through the Parliament, this year, all going well, that allows other digital identities to be created,” he explained.
According to the minister, a number of private companies are already interested in the scheme, including DigiID from Australia Post, Eftpos, and PharmacyID.
In Australia, the operating model and rules for the operation of digital identity systems provided by the federal government are established by the Trusted Digital Identity Framework.
If passed, the new legislation will now extend the Trusted Digital Identity Framework to state and territory governments and the private sector.
However, privacy concerns have been slowing down the adoption of the legislation by preventing the sharing of data, including biometrics, for fear that law enforcement could have access to it.
“For example, I can’t use Medicare data to assist you with a simple inquiry,” Robert explained. “I can’t use disability data for a disability support payment to help you get on the NDIS.”
These issues will be tackled in the upcoming bill, by explicitly allowing the use of data only for service delivery.
“We will bring a Bill to the Parliament that will allow the use of data about a citizen to be used only for service delivery and I’ll specifically deny the use for law enforcement or compliance,” Robert said.
“That way if you tell us once you won’t have to fill in multiple forms, because we’ll have your data once.”
Mis-selling, fraud, 'out of control' identity theft and hacking are a growing threat to the nation's $1.7 trillion real estate sector, according to analysis by banking and technology specialists.
A mix of antiquated and inadequate digital processing, regulatory gaps, sophisticated hackers, fraud and absence of manual systems are creating unprecedented levels of risk to borrowers and lenders, they claim.
"It is so easy to steal identity that it has got out of control," said Geoff Stockton, managing director of The PRM Group, which provides systems and support for verifying ID.
Alex Tilley, a senior security researcher at SecureWorks, a listed digital security specialist, said email hacking between home buyers and estate agents, which is a big problem in the US, is taking grip in Australia.
Mr Tilley said local "mules" – who commit the original theft – are transferring the money out of Australia to southeast Asia where it is moved on to other unknown locales to avoid detection.
The scam typically targets the email accounts of estate agents, which are used to send emails with instructions for home buyers to deposit their money into the wrong bank account. Emails can include contracts of sale and trust account details for payment of the deposit to a selling agent.
Mr Tilley said an increase in detected offences suggests criminals are increasingly confident about the strategy, and are increasing attempts and extending varying strategies to other types of transactions.
"There is a massive amount of money being stolen often because money is being transferred without a telephone call to verify the account and confirm transfer instructions," he said.
Cyber criminals are selling forged Commonwealth Bank of Australia and Westpac Group credit card, bank and investment statements for between $6 and $24 with the promise of delivery anywhere in the world within 24 hours, according to advertisements on the dark web, which has been compared to an eBay for criminals.
Accountants, solicitors and real estate agents are also exempted from tough anti-money laundering and counter-terrorism laws, which creates a valuable loophole for laundering money, Mr Davies said.
Investment bank UBS is also warning that "factually inaccurate mortgages" are a "very significant" risk facing the banking system that could expose lenders to credit risk and possible legal actions for mortgage mis-selling.
Fraudulent mortgage applications are the first item on the agenda for the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry that starts next week.
A Federal Court case recently found that relying solely on payslips to verify source of income may not be sufficient because they are "easily falsified".
The case involved car loans but is considered to be equally applicable to mortgage applications where a mortgagor's income is verified against two or three payslips.
"We believe this could potentially leave the banks at risk of being found to have also not sufficiently verified customer income in the mortgage application process," according to UBS analysis.
The PRM Group have always been on the leading edge of Verification of Identity (VoI) technology. They were the first company in Australia to provide an online police check service over ten years ago. Managing Director, Geoff Stockton is sought after as a consultant to superannuation funds and government departments who are dealing with increasing attacks. He says, ‘We are aware Russian hackers are targeting Australian superannuation funds and we are working with superannuation companies to provide them with a way of securing documents and properly identifying superfund owners.’
Stockton, a former police officer, has seen people go to extraordinary lengths to obtain a ‘clear’ police check to gain employment or apply for a government grant. ‘We now use the Department of Home Affairs Document Verification Service (DVS) in our application process to ensure an applicant has legitimate government-issued documents, but it does not stop other people stealing genuine documents and then stealing another person’s identity. It is all too easy for a person to sit behind a computer and open an Australian bank account using a copy of another person’s driving license, passport or other personal documents.’
Innovative UK-based technology company Byzgen may have an innovative solution to reducing identity fraud. Byzgen designs and builds private blockchain-based systems for the Defence and Security sectors. Their core blockchain system has been developed in partnership with the Swiss Technical Institute, EPFL, based in Lausanne, Switzerland. EPFL are world leaders in de-centralised and distributed systems research and development.
Byzgen was recently contracted to provide a bespoke private blockchain system to improve the UK Government’s Ministry of Defence security screening services. The result is a fully distributed and tamper-proof data management system that exceeds all current and planned personnel data-management legislative standards and requirements.
Byzgen’s CEO, Marcus Ralphs, is meeting with The PRM Group later this month to finalise an international partnership with exciting potential for improving identity verification in Australia. Ralphs, a former member of the British Armed Forces, says, ‘This is a great opportunity to work closely with The PRM Group to deliver cutting-edge, proven technology services to benefit both government and corporate Australia, and of course to the PharmacyID network.’
The PRM Group has an established pharmacy network of who are trained to verify identity using the PharmacyID portal. ‘Pharmacies are trusted by the community to provide this service’, says Stockton. ‘Pharmacy staff are able to see the applicant in a face-to-face interview and ensure they are the person who is the rightful owner of the identity documents being used. It’s similar to going through Immigration at the Airport and having the Immigration officer check to see if the passport photo matches the person holding the passport. The simplicity of the PharmacyID digital system is that it’s fully auditable, from the start of the application to the end of the verification of identity process.’
It is ordinary Australians under threat of identity theft that will benefit the most from bringing Byzgen’s blockchain technology into the PharmacyID network. ‘We believe blockchain is the next step to enhancing our already exceptional solution. We can already take an ICAO or Biometric photograph, and obtain a copy of a person’s fingerprints digitally, in seconds. Adding a blockchain will deliver tamper proof and cyber resilient assured data governance that places the individual back in control of who actually has access to their data for as long as they see fit,’ says Stockton.
The PRM Group’s Head of Technical Sales, Neil Davies, is an ex-British Armed Services officer and sees many synergies between the two companies. Davies says, ‘Together we are talking with government and corporations. We honestly believe it raises the bar of identity verification significantly above what is currently in place across Australia.’
NEURAL networks can now mimic someone’s voice, and all they need for the feat is less than a minute’s worth of their speech.
Researchers at China’s search engine giant Baidu say the technology could create digital duplicate voices for people who have lost the ability to talk. It could also be used to personalise digital assistants, video game characters or automatic speech translation services.
“A mum could easily configure an audio-book reader with her own voice to read bedtime stories for her kids,” says Sercan Arik at Baidu Research, who led the work.
Voice cloning technology has improved rapidly in recent years. Adobe’s VoCo, released in 2016, could mimic someone’s voice using 20 minutes of audio. Last year, Canadian start-up Lyrebird launched a service letting anyone create a digital copy of their voice based on 1 minute of audio.
Baidu’s research builds on its text-to-speech synthesis system Deep Voice, which was trained on more than 800 hours of audio from 2400 speakers. It builds a model of human speech, learning what sounds go with what text, and also picks up the idiosyncrasies of each speaker it was trained on.
Now the software is able to synthesise a copy of a voice solely based on hearing snatches of the original. The best version needed 100 snippets, each no more than 5 seconds long, the Baidu team says. But one trained on just 10 snippets performed well enough to dupe a voice recognition system more than 95 per cent of the time, and human evaluators gave it 3.16 out of 4 for mimicry (arxiv.org/abs/1802.06006).
“Digital assistants and banks’ telephone services could be vulnerable to synthesised voices”
The team also tried a secondary method that trained a separate model on just the voice to be mimicked. This was less accurate, but Arik says it is also more efficient so could potentially run on a smartphone.
The output is still not totally indistinguishable from the human voice, says Arik, “but it does show a very fundamental breakthrough in that direction”.
Even the best synthesised voices contain telltale digital signals that are easily detected by advanced voice profiling algorithms, says Rita Singh, a voice forensic science expert at Carnegie Mellon University in Pennsylvania.
However, most voice authentication systems – used to secure everything from banking services to smartphones – can be fooled because they rely instead on picking up broad statistical features, she says.
In 2014, Nitesh Saxena, a security researcher at the University of Alabama at Birmingham, showed that a freely available voice morphing tool could trick voice authentication systems 80 to 90 per cent of the time. Unpublished research shows that leading digital assistants and even a major bank’s telephone service remain vulnerable, he says.
But while biometric systems can be improved, our own ability to detect fakes can’t. This raises the spectre of voice synthesis systems aping someone’s voice to commit fraud or sparking fake news by doctoring a politician’s speech.
“Humans will, over time, become even more vulnerable to such attacks,” says Saxena.
Combining that with approaches like the DeepFake algorithm recently used to transplant celebrities’ faces into porn videos could supercharge the problem, Singh says.
“Now the default status is that if there’s any video that sounds too bad or too good to be true, it’s probably a fake,” she adds.
This article appeared in print under the headline “AI hears snippets of you, then clones your voice”
A loophole for laundering vast amounts of cash into the nation's property market has been exposed by the Commonwealth Bank of Australia's money laundering scandal, according to security experts.
Stolen identities and illicit bank accounts used in the CBA scam to transfer money out of Australia are also the hallmarks of a sophisticated global network used to launder huge amounts into residential and commercial real estate, they claim.
The CBA action is also revealing regulators' deep reliance on banks for intelligence on transfers of large amounts of money between accounts, which can result in cash transactions going unnoticed, they claim.
George Brandis, federal attorney-general, is expected to make an "imminent" announcement about boosting powers and resources of Austrac, the government agency that combats money laundering, according to a department spokesman.
But it is expected to fall short of extending existing laws to cover real estate agents.
"I believe the case for reform is compelling," said Malcolm Shackell, a forensic crime specialist and partner with global consultancy PwC. "Australia is under pressure from international agencies to broaden the scope of its regulations to cover industries outside of financial services, including real estate agents, jewellers, accountants and, potentially, conveyancing lawyers."
The government has to balance tighter controls with rising costs for business, he added.
Malcolm Gunning, president of the Real Estate Institute of Australia, also supports tougher financial scrutiny of buyers but wants it done in conjunction with the Australian Taxation Office and Austrac when property deals are settled.
Proposals to check at the point of sale, such as an auction, would be impractical and difficult to police, he said.
Under existing law, real estate agents and other businesses involved in buying and selling real estate do not need to identify where the money comes from or who is paying.
The law does not require real estate agents, lawyers, accountants or any other person involved in the deal to identify the beneficial owner of the deal. A beneficial owner enjoys the benefits of ownership though title is in another name, such as a company.
The Black Economy Taskforce is warning identity fraud is "systemically undermining" the nation's financial system and is expected to call for a new approach in its pending final report.
The scale of the problem has been highlighted by an alleged perpetrator of the CBA scam using 11 false identities to transfer tens of millions of dollars out of Australia, according to court documents.
Security specialists claim large amounts of money can be transferred into fraudulent bank accounts created with stolen identities purchased on the 'DarkWeb', which is like an eBay for criminals.
"Lenders have abrogated their responsibility to know and identify their client," said Geoff Stockton, chief executive of PRM Group, a risk management specialist. "People are taking advantage of being able to open an account, borrow and transfer cash from behind a computer."
Real estate agents report unprecedented numbers of overseas buyers of residential and commercial property in Melbourne and Sydney paying cash, typically transferring payments from a local account.
Asians were last year the biggest investors in Australia, spending about $47 billion largely on residential and commercial property, according to the Foreign Investment Review Board.
An estimated 70 per cent of Chinese buyers pay in cash, according to Transparency International, an international non-government organisation targeting corruption.
Cyber criminals are selling forged Commonwealth Bank of Australia and Westpac Group credit card, bank and investment statements for between $6 and $24 with the promise of delivery anywhere in the world within 24 hours.
The documents, obtained on the dark web, are a passport into the nation's financial services and banking system, including its lucrative $2 trillion of superannuation assets, the world's fourth largest pool of managed funds.
Stolen identities are used to set up bank accounts for personal loans, mortgages, credit cards, drawing-down a victim's superannuation funds or earning points towards a driving licence, police checks, renting an apartment or identification cards for working in the nation's aviation or maritime industries.
Buyers can get identical replicas of super, bank or credit card statements for editing with the buyer's assumed name, address, statement summary, including deposits and withdrawals. Payments can be made over the web using untraceable 'bitcoin'.
There is also a thriving forged personal identity market – using anything from stolen driver's licences to passports – which the buyer can then use to create a new identity.
"This is absolutely on the increase," said Geoff Stockton, a retired senior Victorian police officer and risk management specialist.
Mr Stockton claims the convenience of anonymously setting up bank and other financial service accounts on the web has made it easier for local and overseas fraudsters to supply services.
He has set up Personnel Risk Management Group and Pharmacy ID to advise private companies and public service on verification of identity.
The dark web is an infamous source of state-of-the-art illegal weapons and illicit drugs, and a means of transferring money to unlawful organisations, including outlawed terrorist groups.
Other big four bank financial documents are also obtainable using the same dark web, which is a network of websites that cannot be found by traditional search engines.
The Australian Financial Review located documents on the notorious AlphaBay Market, which has since been closed by US authorities.
But within days replacement sites were offering the same range of illegal services.
Documents obtained by the Financial Review include forged Commonwealth Bank of Australia statements for about $6 with a guaranteed delivery within one day.
CBA is the nation's biggest mortgage and credit card provider.
An editable template for a Colonial First State bank statement can be purchased for $24, also payable in US dollars and delivered worldwide within a day. A template is a facsimile blank statement that can be completed by the buyer.
Colonial First State is a fund management group and superannuation specialist with more than $113 billion under management. It is also a major player in the nation's superannuation sector.
Risk management consultants are working with major superannuation funds to combat the growing risk of asset theft by using stolen identities.
Lenders are struggling to keep up with changing technologies and the need to balance improving customer online experience with fraud prevention, according to security experts.
But many transactions are being verified by Victorian-era 'justice of the peace' and other identification stamps for manually processing applications that can be bought by anyone on the internet for $16 with no questions asked.
There is no suggestion companies offering the stamps are aware of their unlawful use.
Westpac and CBA said they have specialist cyber security teams and are using sophisticated technologies to combat the threat.
"Westpac has no tolerance for fraud and has various procedures in place to validate paper-based documentation," a spokesman said.
"We have an extensive cybersecurity team that monitor external sites and we invest heavily in technology to protect our customers' data, drive growth and enhance the customer experience."
A CBA spokesman said cyber-criminals use a variety of methods to obtain and use sensitive information.
"This information is being sold on the dark net on a regular basis, and in many instances is not up to date or just incorrect," the spokesman said.
"We have invested in world-class cyber-security capabilities, which include intelligence teams and monitoring solutions that detect for any suspicious activity online that might risk our customers' data," he said.
"We also work closely with law enforcement to prevent these activities."
The Financial Review recently disclosed that foreign real estate buyers pay about $200 each for forged Bank of China income and spending statements, employment records and income testimonials.
One 25-page loan application, which had been submitted to a lender, had been approved by the Foreign Investment Review Board.
Equifax, the global fraud and identity theft specialist, estimates identity theft is increasing by 80 per cent a year, the fastest growing source of fraud for financial institutions.
A former police officer who plans to compete against Australia Post for major government contracts on identity checks has warned that Australia’s verification system is outdated, raising the risk of identity theft.
Geoff Stockton, who clocked up more than 22 years’ experience with the Victorian Police Force, has designed a new digital system to partner with pharmacies to provide a personal identification service.
“Australia’s current system of verifying a person’s identity is largely a paper-based system which has more holes than Swiss cheese and is open to serious problems such as identity theft, fraud and misrepresentation,” he said.
Mr Stockton’s company, the PRM Group — the largest online provider of police checks in Australia — launched PharmacyID about one year ago. It has signed up more than 1500 pharmacists, with plans to take that beyond 2000 by year’s end.
Brian Woodham, director of national sales at PRM and PharmacyID, said Australia Post had a monopoly on identity checks but had never offered a full digital service.
“No one is doing this service to the scale we are talking about with digital technologies,” he said.
“We are here to be competition for Australia Post. We have been in discussions with the government about various aspects of our business and the direction the government is preparing to go with this sort of stuff.
“There is a big passport application tender coming out at the end of this year, beginning of next year, and we are going to compete with Australia Post.”
Mr Stockton added that the Pharmacy Guild had previously approached him to see if it could win back the tender for passports, which pharmacies used to process.
“They are the most trusted organisation in Australia,” he said. “If we went head to head with Australia Post on things like passports, we know where people would rather go.”
Mr Woodham said Australia Post offered a “good enough” service but he said he believed that PharmacyID had the perfect vehicle to move into the 21st and 22nd centuries.
Mr Stockton said the ability for people to create a digital identity was now unparalleled because of the power of applications such as Photoshop, which allowed people to easily create or alter digital images.
He said many people had had their identities stolen, with significant impacts on their lives and that of their families.
The PharmacyID head said that through the service he had created, he had a chance to make a dent in identity theft through the electronic ID service.
The system he created sees PharmacyID pay the pharmacist about the cost of a script.
Mr Stockton said the service had started with online police checks. A person would apply online for a police check and then print out a receipt with a bar code and take that to the pharmacy to be scanned.
“The original documents don’t need to leave the person’s hand and the pharmacist is now getting paid for something they never traditionally got paid for.”