Australia Tax Office Works to Curb ID Theft

Accountants and tax agents have hit the spotlight as the hot targets of identity thieves intent on harvesting personal data through social engineering tricks and malicious code because it is easier to steal an ID than create a false one.

Australia Tax Office (ATO) Deputy Commissioner Michael Monaghan said, “About 30 percent of all investigated cases by the ATO have identification as a major element, and we see that about 74 percent of those are basically ID theft rather than creation. I believe the shift is because of the range of processes we have put in place to make it harder to create a false identity,” Monaghan said yesterday at the AusCert 2006 conference on Queensland’s Gold Coast.

The ATO believes a mix of cross-agency data warehousing, alliances and digital certificates for tax agents is mirroring the efforts of people seeking fraudulent identities; however, a balance still needs to be addressed for the ATO to “come out on top.”

Monaghan said the federal government is conscious of this balance and is doing a lot of work with identity crime, but in terms of the ATO, developing strong relationships with organizations like the Australian Competition and Consumer Commission through the identity protection registry has created a great volume of suspect identities and has indicated it is now more useful to protect identities that appear to be stolen.

“In the ATO, a critical measure to the detection of fraud is the building of alliances within our organization,” Monaghan said. “We have strong links to the IT area, particularly IT security, as well as computer forensic capability, and links with data warehouses for mining to track and agencies like Australian Transaction Reports and Analysis Centre for the movement of large amounts of money or international transfers.”

“Our relationship with AusCert has provided great value, and identified some sophisticated identification crimes from trojans stealing tax agent data,” he said. “We were able to intercept this before it was used against us.”

Monaghan said the existing fraud-detection system is, in some cases, becoming pre-emptive, adding that last year it saw one person deported within 12 hours after attempting to slip one past the ATO.

The ATO has released more than 300,000 digital certificates to tax agents in an attempt to create more stringent authentication procedures, but fraudsters are increasingly relying on social engineering tricks to circumvent them.

Monaghan said he has a grudging admiration for the effort the fraudsters are going to, stating there are often elaborate strategies in place to hide the trail of stolen identities that take a fair bit of time to unravel.

“Tax agents are a critical part of the system, and we have found attempts being made, with some success, to steal details from accountants which are then used to take over their identity and other taxpayers’ funds. An incident we saw was a trojan which appeared to steal tax data from a tax practitioner,” Monaghan said.

“Often we see people putting a legitimate front on activities, using legitimate, unsuspecting accountants, and sophisticated phone-answering systems. Like everyone, our concerns about online theft are where the information goes and then how it is used to defraud the ATO.

“We have done a lot of work around controls and improving the proof-of-identification framework and a huge amount of work around the tax file number database to make sure our information is as accurate as possible, such as if someone leaves the country without deactivating a tax file number. We also flag tax file numbers if we suspect they might be stolen or compromised because it is important to close the creation of identifications as a vehicle to commit fraud.”

Education of call center agents in social engineering tricks is also paying dividends.

Monaghan cited a recent example of a call center operative who fielded a call from someone attempting to change an address and bank account details. The worker heard other voices in the background asking the same questions on other calls. A subsequent investigation found an operation “preparing fraud for the tax season.”

Keep checking in at our Security Feed page, or subscribe via RSS, for updated news coverage.

By Michael Crawford, Computerworld Today (Australia)