April 12, 2010

Verified, not scrutinised

Clapping eyes on customers to enable them to open new bank accounts
and the like is no longer necessary, but what are the risks?

BY STEPHEN WILSON

Recent investigations by Online Banking Review editor Charis Palmer have shown that electronic verification services employed by online banks in Australia are susceptible to stolen identity details. Passport details for Australian citizens (exposed through media reports of the Dubai assassination plot) were used to successfully open bank accounts, within a window of opportunity before the compromised travel documents were cancelled.

This experience exposes limitations in the state-of-the-art in electronic verification (EV) of identity.

EV services have blossomed in recent years, driven by several factors. One is the heightened need to check identity under AML regulations. Another is the desire of online-only banks to be able to originate new accounts without ever having to sight their customers.

The primary means for verifying identity electronically is to match an applicant’s details against publicly accessible sources like the electoral roll, Australia Post mailing address lists, and DFAT’s My Passport database. Some services go further and try to engage the applicant in applying for third-party services like Medicare Online, the side effect of which is to confirm (or not) their claimed identity data. This is a clever trick, for ostensibly it means that the EV service is not collecting information without the applicant’s consent. On the other hand, it may be bending the Secondary Use and Disclosure policies of Medicare, DFAT and other agencies enlisted in the EV cause.

Seizing the opportunity
When it was found that stolen passport details could be passed as legitimate by EV services, it was proffered that there is naturally a window of opportunity for abuse before primary identity documents are cancelled. But then the fundamental question for EV must be: what are these services other than elaborate ‘black lists’?

In the recent stolen passport case, nobody (including the victims) could know when the identities were stolen, and therefore how long the window was open. But more generally, as some of the larger data breaches have shown, the lag between organised crime gangs installing malware in a database and detection of the intrusion can be weeks or months. And in the meantime, stolen ID data is traded and exploited at breathtaking speed. When digital identity data can be stolen so easily, without the victim ever being aware of it, what sorts of assurance can EV systems provide?

The EV promise probably boils down to this: “As far as we can tell, the identity document numbers as presented are not currently shown as cancelled”.

Identity EV services may also be operating at the margins of privacy law. Crucially, it is not clear that the traditional privacy policies of government agencies anticipate the re-use of personal information they hold for identity verification. These policies may need to be reviewed, and individuals informed if the agencies plan now to disclose information to EV services with implied consent.

Consenting adults
One of the EV services I’ve tried has the applicant open a Medicare Online account; if that succeeds, then the date of birth is passed back from Medicare. By way of a privacy disclosure statement, applicants are offered a copy of Medicare’s privacy and security page, but that page doesn’t actually contemplate the disclosure of data for identity verification. While disclosure to other organisations is generally allowed with the ‘permission’ of the applicant, consent is only implied in the way they click through the workflow. One would think that, given the risks and sensitivities, express consent would be sought.

One may also speculate about the metadata collected as a by-product of application processes. For example, all attempted and incomplete verifications are probably logged, for internal risk management and forensic purposes. That’s fair enough. There is room in the Privacy Act for metadata to be collected, since it may be necessary for the conduct of the business. However, the law also generally requires that individuals be notified when personal information about them is collected indirectly. So there is an argument that in the case of failed verifications, reasonable efforts should be made to contact the subjects involved, especially in case they are the victims of impersonation.

The current crop of EV systems seems to me to be locked into the spiralling cybercrime arms race. While it relies on identity data being replayed by unseen applicants, all EV can do is strive to remain one step ahead of the bad guys, by having more up-to-date or richer stocks of personal information against which to match people, and hoping that organised crime doesn’t catch up. But by investing more and more value in personal information stores, all we’re doing is increasing the incentive for ID thieves.

There is no end in sight if we continue down this path, unless we take extra steps to improve the inherent reliability of digital identities themselves. It’s ironic, isn’t it? With all the more onus on banks to “know their customer” under AML regulations, electronic verification means that they might know reams of data, but not the customer after all.

Stephen Wilson, founder of the Lockstep Group, is an analyst, consultant and innovator in digital identity. Lockstep Technologies works on smart solutions to ID theft.

Written by: Charis

Filed Under: Guest columnists, Stephen Wilson
