iTnews

Stealing the Census

By Darren Pauli
Aug 10 2011 3:52PM

What is your identity worth?

Over the next month an army of 29,000 workers will swarm across Australia to collect the 2011 Census. But how do you know the person knocking on your door is a collector and not an identity thief?

According to the Australian Bureau of Statistics, you can tell by the yellow satchel slung over their shoulder and their ID badge.

But that's about it.

The agency in charge of collecting, safeguarding and processing the Census also said that to date, no attempt has been detected to steal the sensitive documents.

However, on Friday, one thief posed as a collector and demanded cash and jewelry from a 57-year-old woman in Clayton, Victoria before he fled.

The bureau has not noticed phishing or phone scams relating to the Census, either.

It took only days for scammers to exploit the Federal Government's Carbon Tax announced in June.

Yet with the rise of identity theft, the opportunity to steal part of the largest repository of verified Australian identities was an attractive one.

By some reports, verified identity information would fetch a higher price than credit card details. Last year, a lone hacker from Eastern Europe sold access to 1000 Facebook profiles, each linked to more than 10 accounts for about $50.

A glut of stolen credit card details reportedly drove selling prices to their lowest, at about $4.

The cost of identity theft is hard to pin down, but it was estimated at around $3 billion a year for Australia.

Social engineering expert Chris 'L0gan' Hadnagy said the Census was a perfect opportunity for identity theft.

"Imagine this - I have your name, address and other identifying info. I call your bank, a charity or some other organisation looking for your financial information," Hadnagy said.

"Maybe it will only work on two out of every 10 [attempts], but that is 20 out of 100, or 200 from 1000. The numbers grow and it can become devastating."

Collectors are employed by the bureau and bound by the Census and Statistics Act, which imposes heavy penalties including a $13,000 fine and two years' imprisonment should personal information linked to Census documents be stolen.

"They are bound by confidentiality and fidelity, even after they finish working for us," said Census Field director Dave Nauenburg.

"We have great trust in and from the Australian public."

However, public trust and a high profile event create opportunities for exploitation.

"It is an unfortunate aspect of this world that whenever something like this is going on, the chance of social engineering attack goes on the rise," Hadnagy said.

The bureau hoped to make collectors a thing of the past, replaced by its online Census.

"We expect to have about 30 percent of Census collected by the eCensus," Nauenburg said. "It is our preferred method of collection."

About 10 percent of the population answered the Census online when the eCensus was launched in 2006.

A unique token was generated for every person in Australia to be used to validate eCensus lodgements. The number string could only be used once, and the name and address of the respondent were then locked. An SMS is sent to collectors to notify them of houses that had lodged forms online.

The information was sent to the bureau over a 128-bit SSL encrypted channel. If SSL was disabled, the system would deactivate.

But it did not contain functionality to check whether a user's machine was compromised.

Nauenburg said the bureau security staff were "on alert and constantly monitoring for suspicious activity".
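The single-use token and encrypted-channel rules described above can be sketched as follows. This is an added illustration, not the bureau's code: the class, the token format, the household identifiers and the `over_tls` flag are all assumptions made for the example.

```python
import hashlib
import secrets
import threading


class LodgementRegistry:
    """Single-use lodgement tokens. Only token digests are stored."""

    def __init__(self):
        self._lock = threading.Lock()
        self._unused = {}   # sha256(token) -> household id (hypothetical key)
        self._locked = {}   # household id -> (name, address), fixed at lodgement

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, household_id):
        token = secrets.token_hex(8)  # constructed format: 16 hex characters
        with self._lock:
            self._unused[self._digest(token)] = household_id
        return token

    def lodge(self, token, name, address, over_tls):
        if not over_tls:  # refuse before touching the token, so it stays valid
            return "rejected: unencrypted channel"
        with self._lock:  # pop under the lock: two racing requests cannot both win
            household = self._unused.pop(self._digest(token), None)
            if household is None:
                return "rejected: unknown or already used token"
            self._locked[household] = (name, address)
        return "accepted"

    def lodged_households(self):
        """Households a collector notification could list as already lodged."""
        with self._lock:
            return sorted(self._locked)

    def locked_details(self, household_id):
        with self._lock:
            return self._locked.get(household_id)


if __name__ == "__main__":
    reg = LodgementRegistry()
    t = reg.issue("household-0001")  # constructed sample identifier
    print(reg.lodge(t, "A. Resident", "1 Example St", over_tls=False))
    print(reg.lodge(t, "A. Resident", "1 Example St", over_tls=True))
    print(reg.lodge(t, "Someone Else", "9 Other Rd", over_tls=True))
```

As the article goes on to note, a check like this says nothing about whether the respondent's own machine is compromised.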

Each paper Census form will be collected over the next month and driven down to a 3500 square metre Melbourne warehouse to be stored in some 2500 pallets.

The facility is under constant guard, Nauenburg said. Data is then de-identified and processed by some 750 staff. 

The first trove of public statistics will be released in June next year.

Only those who opt to have Census data stored in the National Archives will have their responses linked to their name and address after 99 years.


Copyright © SC Magazine, Australia
