Experts doubt DIAC bio-database can stop ID fraud

Fingerprint sharing a small step for IT security.

Australia, New Zealand, Canada and the UK have started sharing the fingerprints of unknown criminals in the hope of cracking down on ID theft.

Senator Chris Evans, the Minister for Immigration and Citizenship, said in a statement that the agreement would "greatly improve" Australia's ability to detect identity fraud.

"The Australian Government's ability to detect and immigration and identity fraud will be greatly improved as a result of new biometric data-sharing arrangements with partner agencies in Canada and the United Kingdom," the Senator said.

However, security experts believe the system is unlikely to reduce ID theft.

Nick Ellsmore, chief technical officer of security consultancy Stratsec, and representative of the Australian Information Security Association (AISA), told ITnews he doubts this kind of information sharing will reduce instances of ID theft.

"Is this going to materially impact on identity theft? I doubt it."

IBRS security analyst James Turner suggested the system could be exploited by criminals and questioned how it would deal with false positives. 

"If I was a criminal interested in getting my fingerprints removed from the system, previously I might have had to find someone to bribe within the country," he said. "Now I've potentially got more people in other countries I can target. However, I suspect that much like the TSA's [The United States Transportation Security Administration] no-fly-list, it may prove tricky to get even legitimate fingerprints out of this system. Time will tell."

Stratsec's Ellsmore, who was presenting at the Security 2009 conference in Sydney today, said that user awareness of the problem is a start but in order to have a real impact, users need to change their behaviour accordingly.

"People need to have security awareness, which has been a mantra in the industry for some time. But is that enough? If you ask people if ID theft is a problem, most people would say, 'yes, it is,' but does that necessarily translate into their actions in how they give out their personal information, what they put on their Facebook profile, or whether they shred their credit card statements?"

Another factor increasing the problems of reducing ID theft is the popularity of social networking, said Ellsmore.

"The people most comfortable with giving out huge volumes of personal information are younger generations because they have grown up on it.

[Combating ID theft] is something that is getting harder rather than easier.

"As long as people see a return on providing their personal information, they will. Until they start experiencing a cost from providing that information they will [continue] to do it."