Banks accept Dubai assassins' stolen IDs

 

Special report: Passport credentials still valid for identity fraud.

The stolen identities allegedly used in the assassination of Hamas official Mahmoud al-Mabhouh are still valid documents for the purposes of conducting business online in Australia, an iTnews special investigation revealed.

Our investigation has revealed that the Federal Department of Foreign Affairs (DFAT) has either failed to cancel the stolen passport credentials of the three Australian citizens used in the attack, or has failed to update the My Passport database used by some Australian financial institutions to verify the identity of new customers.

The investigation also showed that Australia's mass media had amplified the impact on those affected by the identity theft by publishing their credentials in full online. Of those media outlets publishing images of the victims' passports, only the ABC and the Seven television network obscured sensitive information such as passport number and dates of birth.

The test

Today, we used the details of two victims to open transaction accounts online with Australian financial institutions.

The financial institutions offering these banking and trading accounts used an online verification system from identification company Edentiti. This company used information from public databases, including the telephone directory and Passport Office, to confirm the identity of individuals, without the need for them to physically present proof of identity documents.

Edentiti's service is used by financial institutions and betting agencies. It checks the validity of the date of birth and other details on the passport, by accessing the My Passport feature on the department's website.

But although the department's site has the extra step of asking for a mother's maiden name and guarantor's name (presumably, the person who signed the passport photo and application), some implementations of Edentiti used by financial institutions simply check that the passport is valid and details are correct based on date of birth, full name and place of birth.

The application processes required the input of addresses, information easily obtained through simple online searches.

Edentiti founder and chief technical officer Kevin Cox admitted in some cases a passport number, name (at birth) and address would be enough information to pass the verification test, but argued in most cases more information is required.

"The thing about authentication is one source and one source only is not good enough," he said.

Cox said if the passports were cancelled [by DFAT] then they could not have been used to open the accounts.

He said the scenario presented by iTnews highlighted where governments needed to protect the citizens' identities.

"What we want to see in the long run is that whenever your identity is used somewhere, you are informed about it. If these people suddenly got a note saying 'Welcome to the United Arab Emirates' they would have known."

With the increase in online identification, Cox said it was inevitable that identity theft would become easier to perpetrate than identity fraud, which required the creation of a new identity.

"In this way, they've had to steal someone's identity rather than create a fictitious identity," he said.

iTnews is waiting for comment from the Department of Foreign Affairs and Trade.

Elton Cane contributed to this story.


Comments: 13
Stephen Wilson (Lockstep)
Feb 26, 2010 9:35 PM
Sending customers a message every time their ID is exercised isn't really going to solve anything (and would create huge extra costs and counter-productive alert fatigue). What's the medium to be: SMS? Does anyone want their phone to go ping after every ATM, POS and Internet banking transaction? Anyway, it's not reliable enough: there is no delivery guarantee in the SMS standard.

We need to face up to the core ID security weaknesses (chiefly the replayability of digital IDs and of alphanumeric identity data), and stop papering over the cracks. We wouldn't need to alert people every time their ID is exercised if it was harder for thieves to take over those identities.
cscoxk
Feb 27, 2010 3:08 PM
Stephen I agree that we should make it harder for id theft to occur. That can best happen if we make it easier for each of us to get electronic access to the information held about us.

However, no matter how difficult we make it, someone somewhere will find a way to steal someone's identity if the payoff is big enough. The best protection against this happening is the same with most crime - you make it almost certain that it will be detected when it happens and the perpetrator leaves a trail so that they can be found and prosecuted.

The first step is for any organisation that holds information about a person to be required to "tell" the person that the information has been accessed. We can be smart about how we "tell". In the case of the passport a computer program (perhaps on their phone) under the control of a person getting information about their activities can easily detect suspicious accesses and notify the person. Of course it would be an opt-in system and you would only do it if you wanted it done.

However, we can be thankful that passport details are rarely published on the front pages of newspapers. I find it incredibly irresponsible for the newspapers to publish such detailed copies and I hope they will be prosecuted for their invasion of privacy and making it easier for people to attempt to steal these victims' identity.
Ace
Feb 28, 2010 2:22 AM
As is always the case, security is set to the lowest socially acceptable level. That is, a level that balances an average person's privacy, the usability of the security mechanisms provided, and the cost of the security implementation.

As time goes by, security mechanisms get better and cheaper, but on at least one end of most transactions, is a human. And there lies the limitation. No matter how fantastic a security scheme is, it has to be usable by an average human bean. This is why usage of bio-security has been so much on the rise. It is the only way to increase security at the weakest link.

If you had to provide a 5 finger scan, eye scan and one-time password for each secure transaction (immigration/bank/access etc), it would be quite difficult for the average crook to steal your identity.

Of course, then you have even more personal data about yourself being stored somewhere - hopefully securely, and not on the front page of a newspaper!
gschenkel
Feb 28, 2010 10:21 AM
Of course it would help if
- the government didn't release passport details to the media
- the media didn't publish complete passport details
- the government invalidated passports it finds were compromised

Hard to maintain ID security if the government/ media ignore privacy laws and common sense.
Stephen Wilson (Lockstep)
Feb 28, 2010 11:52 AM
I do agree that the media ought not to have published passport pages. Yet we cannot have a security system that *depends* on passport details being kept secret. It is axiomatic for security professionals that security by secrecy or by obscurity is no security at all.

The current crop of EV systems are seemingly locked into the cybercrime arms race. No end is yet in sight. EV tries to stay one step ahead of the baddies by having slightly more up-to-date or slightly richer stocks of personal information against which to verify identity.

The systemic concern I have is that EV has yet to provide any fundamental resistance to ID *theft*. Worse, it is likely to be adding to the extraneous third party stockpiles of personal information waiting to be raided.
cscoxk
Feb 28, 2010 6:30 PM
Stephen,

You are right, security that depends on secrecy alone will not guarantee anything and we are in a continual and never ending battle against people who wish to profit from our trust and good will. Electronic Verification is a big step in the right direction and will continue to improve. Your worry over more and more information being stored that is adding to stock piles of personal information is unfounded. Systems such as Edentiti do NOT store personal information such as id numbers, or passport details such as shown in the newspaper. Because we have computers to assist us we can do quite clever things. The end result, with properly designed systems, is that the more we identify ourselves electronically the less information about us will be stored.

We will see the day when you will be able to open a bank account without revealing who you are. Banks do not want to know you. They want to know that you are trustworthy and will not break the rules. The only time you may need to reveal who you are will be when you break the rules and even then it may not be necessary unless there is an unresolvable dispute. Such things are when you stop paying your bills or break a contract.

We need people and particularly governments to embrace electronic verification because the more it is used so the more secure, more private, and less open to abuse. However, initiatives like the student id number and the health id number are against this trend and although the motivation for their introduction is worthy they will - in fact - make it more likely for identity fraud to occur because they will create more unnecessary storage of identification information about a person.

The objective of good electronic id systems is not to replicate existing data but to allow the individual access to existing data about themselves and through that access prove their identity. Ideally there will only be one copy of personal information about you that you control and that you allow others to access. That is the objective of Electronic Verification. If there was no paper passport but only an electronic one then the current problem would not have arisen. That is the objective to which we are moving. There are great advantages in terms of privacy and cost so we can expect to see a lot of progress in electronic verification over the next few years.
Stephen Wilson (Lockstep)
Feb 28, 2010 7:13 PM
Thanks Kevin.

I find this fascinating. Could you elaborate please on a couple of things?

If the student ID and health ID initiatives are against the proper trend, how should we identify students and patients instead?

Also, I haven't got my head around an electronic-only passport. Are you suggesting some way to pass through customs in future with no document at all? There must be a physical artefact of some sort. How would an electronic-only passport be harder to replicate or take over than a physical one?

Digger11
Mar 1, 2010 7:57 AM
This is a pure political storm in a tea cup that Rudd is trying to use to distract us from the Garrett Insulation Debate.
The media is acting like this is a personal attack on all Australian citizens - maybe it is just someone with a deluxe photocopier ???

If I was going to perform an assassination and needed to copy a passport - I would choose say a New Zealand one.
Does this mean I am out to get New Zealand - of course not, I just would choose a passport from a country where I would be relatively unnoticed at the airport.

But don't worry - we are all safe - apparently Ruddy is looking into it !!!!
gschenkel
Mar 1, 2010 8:36 AM
Stephen - we can only operate within the government ID framework. This is the same for electronic verification or otherwise. Lost or stolen IDs have always been a risk if left unreported.
Stephen Wilson (Lockstep)
Mar 1, 2010 9:18 AM

While the threat of unreported lost & stolen IDs has always been with us, the likelihood, consequences and rolled-up risks are hugely worse in the new environment. Clearly, people can have their ID information stolen without being aware of it. And stolen ID data is traded and exploited at breathtaking speed. So we can no longer rely on self-reporting of lost IDs, and black-lists, to deal with ID fraud.

Banks and government really need to work together in this space if the govt ID framework is limited.
bengrubb
Mar 1, 2010 9:35 PM
Just saw this on Media Watch :) Nice work Charis.
cscoxk
Mar 1, 2010 9:42 PM
Stephen,

It is fascinating. It is too long a description to put up here but I can send you a draft of a submission I am currently working on for the Health ID Number Senate Enquiry. It should go up on their website next week. Send me a message to cscoxk at gmail dot com to get a preview.

In the future you will establish your own electronic identifier (a data store) which you control and which you can "enable" when you want to be identified (or are required to be identified). There will be links between the physical you and your electronic identifier. Once this is established you can decide how and when you want to be identified. A very common one will be identification by presence so when you walk up to a passport check your electronic identification will let the passport people know you are coming and you will walk through. This will be common for sporting events, concerts, etc. However, it will not be mandatory and if you do not want to use it then you can use other methods.

The technology is available today - and all without an id number in sight.
ITrant
Mar 2, 2010 1:29 AM
First class journalism. The integrity of the passport system is exposed. You or I would hang for the violation of the passport system. Governments and security services see it merely as a means to cover their tracks and of no more value than a photocopied document.

The old passports should have been cancelled and new passports issued AS A MATTER OF URGENCY, not least of which to restore public confidence in the integrity of the system. These people have been left hanging, subject to further fraud and identity theft.

Secondly, the discussion of universal identity - which should be resisted at all costs. No matter how inconvenient and inefficient that seems, security is better served by maintaining multiple means of identification, so that identity cannot be hacked at a single point.

The other point is that the convenience must cut both ways. Bureaucracy certainly benefits, but the citizen who gives up their identity should also benefit. We should be able to watch Big Brother in equal measure. Mandatory reporting of EVERY use of one's identity will allow the citizen to monitor its use and the integrity of the system.

Naturally, political parties/police/national security will demand exemption from such reporting, but this passport incident is PROOF POSITIVE why they should not. Once they know they are being watched, they will become more circumspect in their intrusions on civil rights.

And a curiosity - if you get to see a documentary 'Another 911' you'll see 9 of the 14 alleged hijackers alive and well, some having never even visited the United States. You will hear similar stories to those of the Australians whose identities were stolen. Until this week, you might have been able to dismiss these stories as being preposterous and question the integrity of the documentary makers.