Identity Verification: ID Points Leaving You Vulnerable?

Niek Dekker

Since news broke of the Optus breach last month, many Australians have become acutely aware of the risks they face when their identity documents fall into the wrong hands. If there is a silver lining to the Optus breach, then this is it. For the first time, identity theft is a genuine, tangible concern for millions of people. They now understand how identity verification can quickly morph into identity theft.

Many Australians will now think twice before readily handing over personal information, such as their driver’s licence, Australian passport or Medicare card. The simple act of handing over 100 points of ID to anyone requesting it could set the scene for years of attempted fraud, destroyed credit ratings and financial anxiety.

Yet one fact remains: many organisations need to collect identity documents because they have a valid need to verify the identities of the people and third-party entities with whom they need to interact.

Perhaps the time has come for a new approach?

Is it time to shift away from relying on identity documents? Could there be a better way to carry out the identity verification process on an individual, or an entity, that does not rely on taking photos of documents and emailing them to strangers?

In this blog, we explore the question of identity verification in the context of Accounts Payable. In coming years, AP teams could lead the way in forging a new approach to identity verification.

What Does 100-Points of ID Mean?

Anytime we open a bank account, take out a loan, or pretty much undertake any type of financial transaction, we are asked to provide 100 points of ID.

It’s worth considering why this is the case.

The notion of 100 points of ID stems from the Financial Transactions Reports Act (1988), and the subsequent Financial Transactions Reports Regulations (1990).

The purpose of the 1988 Act, and the subsequent 1990 Regulations, was to combat financial crimes, such as fraud, whether by individuals or other entities, in Australia. Below we will consider whether our current approach is still fit for purpose, considering the fact that fraud has inexorably shifted to online environments.

The 100-point system allocates a specific number of points to different types of identity documents. Identity is verified by adding up the point value of each identity document until it surpasses 100.
Identity documents are divided into Primary and Secondary categories. Different types of documents within the Secondary category have different point values.

Primary Identity Documents: 70 Points

  • Birth certificate
  • Birth card issued by a registry of births, deaths and marriages
  • Citizenship certificate
  • Current Australian passport
  • Expired passport which has not been cancelled and was current within the preceding two years
  • Other documents of identity, having the same characteristics as a passport including diplomatic documents and some documents issued to refugees

Secondary Identity Documents: 40 Points

  • Document issued by authorised deposit-taking institutions (ADIs), banks, building societies, credit unions or registered corporations. The signatory must be a known customer of at least twelve months standing
  • Written reference from one of the following institutions, verifying the name of the signatory and signed by both referee and signatory. The signatory must have been known to the referee for at least twelve months
      1. Another financial body certifying that the signatory is a known customer
      2. Another customer who has been verified as a signatory by the cash dealer
      3. An acceptable referee (refer to AUSTRAC Guideline No. 3 and Information Circular No. 3)
  • Any of the following, which must contain a photograph and a name. Additional documents from this category are awarded 25 points
      1. Driver’s licence issued by an Australian state or territory
      2. Licence or permit issued under a law of the Commonwealth, a state or territory government (e.g. a boat licence)
      3. Identification card issued to a public employee
      4. Identification card issued by the Commonwealth, a state or territory government as evidence of the person’s entitlement to a financial benefit
      5. An identification card issued to a student at a tertiary education institution

Secondary Identity Documents: 35 Points

  • Name and address of signatory verified from any of the following:
      1. A document held by the cash dealer giving security over the signatory’s property
      2. A mortgage or other instrument of security held by another financial body
  • Must have name and address on:
      1. A document held by a cash dealer giving security over your property
      2. A mortgage or other instrument of security held by a financial body
      3. Local government (council) land tax or rates notice
      4. Document from your current employer or previous employer within the last two years
      5. Land Titles office record
      6. Document from the Credit Reference Association of Australia

Secondary Identity Documents: 25 Points

  • Must have name and signature on:
      1. Marriage certificate (for maiden name only)
      2. Credit card
      3. Foreign driver’s licence
      4. Medicare card (signature not required)
      5. Membership to a registered club
      6. NRMA membership
      7. EFTPOS card
  • Must have name and address on:
      1. Electoral roll compiled by the Australian Electoral Commission and available for public scrutiny
      2. Records of a public utility – phone, water, gas or electricity bill
      3. Record of a financial institution
      4. A record held under a law other than a law relating to land titles
      5. Lease/rent agreement
      6. Rent receipt from a licensed real estate agent
  • Must have name and date of birth on:
      1. Record of a primary, secondary or tertiary educational institution attended by the applicant within the last ten years
      2. Record of professional or trade association of which the applicant is a member

As you can see from this list, if the Optus hackers obtained your passport (70 points), driver’s licence (40 points) and Medicare card (25 points), they would have a total of 135 points of ID – more than enough to engage in comprehensive identity theft!

Is the Current 100-Points System Fit-For-Purpose?

The 100-point system outlined above was developed at a time when financial crime, such as fraud, was primarily analogue.

However, we now live in a digital age.

Fraud has shifted to the online world. Cybercrime now represents a far greater threat to people and organisations. In an age of global cybercrime syndicates, it is time to seriously question whether 100 points of ID is up to the task of satisfying document verification requirements.

After all, if all our identity documents are being digitally collected and stored by a myriad of different organisations, each with varying levels of encryption and security, it stands to reason that the risk of a malicious actor gaining access to them is significantly higher. Once a criminal is armed with 100 points of a victim’s ID, the path is clear for them to engage in serious cyber fraud using that person’s identity.

The time has come for a new approach to identity verification.

The Challenge for Accounts Payable

When it comes to identity verification, Accounts Payable (AP) teams are particularly at risk.

In our digital economy, many AP teams are tasked with processing hundreds, if not thousands, of invoices each year. Yet, AP staff face the very difficult challenge of knowing to whom they are sending money. This is because cybercriminals regularly target AP teams by engaging in invoice manipulation scams.

They hack into email systems, identify supplier invoices, and manipulate the BSB and Account Number information in the invoices. Unsuspecting AP staff end up sending payments to bank accounts controlled by cyber fraudsters.

Even if AP staff had the resources to obtain 100 points of ID from everyone they needed to pay, how would they be able to trust that the documents were authentic? How could they be certain that the digital ID documents weren’t stolen or fabricated by the cyber fraudsters?

In theory, AP staff could request each supplier provide them with a document issued by an ADI, such as a bank, stating that the supplier is a known customer of at least twelve months standing. The letter could confirm their BSB and Account Number. Such a letter would be worth 40 points of ID. Once the AP team receives such a document, they could proceed with processing the invoice.

However, not only would this be highly inefficient, it wouldn’t offer any real protection. Cyber criminals could easily steal or fabricate such documents, leaving the AP team exposed to theft.

Multi-Factor Verification: A Superior Approach to Identity Verification

Eftsure is committed to empowering Australian organisations.

Our approach is to equip AP teams with the information they need to determine with certainty the true identity of the entities they are paying.

We don’t do this using antiquated approaches such as 100 points of ID, which was developed for a pre-digital age. We do this using our unique approach called Multi-Factor Verification.

How does Multi-Factor Verification work?

Put simply, we aggregate bank account data from thousands of Australian organisations. In fact, data from over 90% of active Australian corporate entities are aggregated into our proprietary database.

When data from multiple independent sources aligns, it provides a very strong level of assurance that the data is accurate.

In other words, when your AP team is paying a supplier, they crossmatch the supplier’s bank account details against our database. In real time, your AP staff will see whether other organisations have been successfully paying the same supplier using the same banking details without encountering any problems. If so, you can rest assured that you are sending funds to a legitimate bank account.
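The cross-match described above can be sketched as a payment control. This is an added example, not Eftsure's code or data model: the record layout, the supplier and payer identifiers, the bank details and the three-payer threshold are all constructed assumptions.

```python
import re
from collections import Counter

MIN_INDEPENDENT_PAYERS = 3  # assumed threshold, not a figure from the article

# Constructed sample data: vendor master plus (supplier, payer, BSB, account) sightings
VENDOR_MASTER = {"SUP-001": ("123-456", "1234 5678")}
OBSERVATIONS = [
    ("SUP-001", "payer-a", "123456", "12345678"),
    ("SUP-001", "payer-b", "123-456", "12345678"),
    ("SUP-001", "payer-c", "123 456", "12345678"),
    ("SUP-001", "payer-c", "123 456", "12345678"),  # same payer again: counted once
    ("SUP-001", "payer-d", "654-321", "99887766"),  # lone, uncorroborated sighting
]


def normalise(bsb, account):
    """Reduce BSB and account to digits so '123-456' and '123 456' compare equal."""
    bsb_digits = re.sub(r"\D", "", bsb)
    acct_digits = re.sub(r"\D", "", account)
    if len(bsb_digits) != 6 or not acct_digits:
        raise ValueError("malformed BSB or account number")
    return bsb_digits, acct_digits


def crossmatch(supplier_id, invoice_bsb, invoice_account, vendor_master, observations):
    """Return (verdict, reasons) for the bank details printed on an invoice."""
    try:
        details = normalise(invoice_bsb, invoice_account)
    except ValueError as exc:
        return "HOLD", [str(exc)]

    reasons = []
    on_file = vendor_master.get(supplier_id)
    if on_file is None:
        reasons.append("supplier not in vendor master")
    elif normalise(*on_file) != details:
        reasons.append("bank details differ from vendor master")

    # Distinct payers per account: one payer repeating a payment adds no assurance
    sightings = {(p, normalise(b, a)) for s, p, b, a in observations if s == supplier_id}
    corroborating = Counter(d for _, d in sightings)[details]
    if corroborating < MIN_INDEPENDENT_PAYERS:
        reasons.append(f"only {corroborating} independent payer(s) use these details")

    return ("HOLD" if reasons else "PAY"), reasons
```

A changed BSB or account number on an otherwise familiar invoice returns `HOLD` with both reasons, which is the signal to confirm the change with the supplier through a channel other than the email that carried the invoice.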

The Eftsure Approach

Our approach is the way of the future for identity verification. It is not reliant on a single source of truth. Instead, it embraces a distributed approach that pulls together data from many different, independent sources.

When all the information aligns, we can have confidence that the information is accurate.

Multi-Factor Verification makes it almost impossible for cyber criminals to fraudulently assume the identity of another person or entity because identity verification no longer depends on a passport, driver’s licence or Medicare card.

Identity verification is achieved by bringing together many thousands of sources of information, which cybercriminals are powerless to steal.

To learn more about Eftsure and how we can safeguard your AP team at a time when identity theft and cyber fraud are rampant, download our Multi-Factor Verification Guide.
