Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

AusCert: Tax Office works to curb identity theft

Accountants and tax agents have hit the spotlight as the hot targets of identity thieves intent on harvesting personal data through social engineering tricks and malicious code because it is easier to steal an ID than create a false one.

ATO deputy commissioner Michael Monaghan said, "About 30 percent of all investigated cases by the ATO have identification as a major element and we see that about 74 percent of those are basically ID theft rather than creation. I believe the shift is because of the range of processes we have put in place to make it harder to create a false identity," Monaghan said yesterday at the AusCert 2006 conference on Queensland's Gold Coast.

The Australian Taxation Office (ATO) believes a mix of cross-agency data warehousing, alliances, and digital certificates for tax agents is mirroring the efforts of people seeking fraudulent identities; however, a balance still needs to be addressed for the ATO to "come out on top".

Monaghan said the federal government is conscious of this balance and is doing a lot of work into identity crime, but in terms of the ATO, developing strong relationships with organizations like the ACCC through the identity protection registry has created a great volume of suspect identities and has indicated it is now more useful to protect identities that appear to be stolen.

"In the ATO, a critical measure to the detection of fraud is the building of alliances within our organization. We have strong links to the IT area, particularly IT security, as well as computer forensic capability, and links with data warehouses for mining to track and agencies like AUSTRAC for the movement of large amounts of money or international transfers.

"Our relationship with AusCert has provided great value and identified some sophisticated identification crimes from trojans stealing tax agent data and we were able to intercept this before it was used against us."

Monaghan said the existing fraud detection system is, in some cases, becoming pre-emptive, adding that last year it saw one person deported within 12 hours after attempting to slip one past the ATO.

The ATO has released more than 300,000 digital certificates to tax agents in an attempt to create more stringent authentication procedures, but fraudsters are increasingly relying on social engineering tricks to circumvent them.

Monaghan said he has a grudging admiration for the effort the fraudsters are going to, stating there are often elaborate strategies in place to hide the trail of stolen identities that take a fair bit of time to unravel.

"Tax agents are a critical part of the system and we have found attempts being made, with some success, to steal details from accountants which are then used to take over their identity and other taxpayer's funds. An incident we saw was a trojan which appeared to steal tax data from a tax practitioner," Monaghan said.

"Often we see people putting a legitimate front on activities, using legitimate, unsuspecting accountants, and sophisticated phone answering systems. Like everyone, our concerns about online theft is where the information goes and then how it is used to defraud the ATO.

"We have done a lot of work around controls and improving the proof of identification framework and a huge amount of work around the tax file number database to make sure our information is as accurate as possible, such as if someone leaves the country without deactivating a tax file number. We also flag tax file numbers if we suspect they might be stolen or compromised because it is important to close the creation of identifications as a vehicle to commit fraud."

Education of call centre agents in social engineering tricks is also paying dividends.

Monaghan cited a recent example of a call centre operative who fielded a call from someone attempting to change an address and bank account details. The worker also heard voices in the background asking the same questions on other calls. A subsequent investigation found an operation "preparing fraud for the tax season".

Michael Crawford is at the conference as a guest of AusCert

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ACCC, AusCert, Australian Taxation Office, Office Works

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Best practices for a Data Warehouse on Oracle Database 11g
    Increasingly companies are recognizing the value of an enterprise data warehouse (EDW). A true EDW provides a single 360-degree view of the business and a powerful platform for a wide spectrum of business intelligence tasks ranging from predictive analysis to near real-time strategic and tactical decision support throughout the organization. Read on.
    Learn more »
  • The Big Six: The CIO Executive Council’s Frameworks for IT Value and Leadership
    This overview of six of the CIO Executive Council’s most important pieces of intellectual capital represents the thought leadership of literally hundreds of global CIOs spanning over half a decade. It is intended to convey the Council’s position on the current and future CIO role and the value that IT should be creating for the enterprise. We hope that it offers the IT community an intriguing and comprehensive roadmap for continued success.
    Learn more »
  • BPM Basics for Dummies
    This book helps you understand what BPM is really all about. We wrote it because BPM is so useful and so powerful — and because it is also very accessible. We wrote this book for you — the individual. You may be a business manager, or an Information Technology practitioner, or maybe an ambitious career individual who wants to know what BPM is all about and how to apply it.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments