Photo: Messages were sent to my mobile tipping me off about the fraudulent delivery. (ABC News: Rebecca Trigger)
“Ping” went my phone, late one night. A message from my phone company saying my order was on its way.
That’s weird, I thought. I didn’t recall ordering anything.
It was the first sign I’d lost control of my identity — and as it turns out I’m probably never getting it back.
Do you know where your driver’s licence is right now? It’s probably tucked away in your wallet or purse, safe from criminals.
But if you’ve ever hired a car, booked a flight or hotel online, registered for a government service or just left your mailbox unlocked, your details could already be in the wrong hands.
And in Australia, driver’s licences can be used to apply for tens of thousands of dollars in bank loans and telephone accounts, access government benefits, or even apply for more identity documents like passports — all in your name.
The scam starts with an Apple Watch
A regular online shopper, I thought the late night text was strange but I didn’t panic.
The following morning I rang my telco, who told me an Apple Watch with attached expensive data plan was on its way.
When the order was placed, it was assigned to my pre-existing account because some details married up with what they already had in the system.
I headed into a store to be identified and they managed to cancel the $1,000 order.
Just in time, it was returned to the warehouse and out of the clutches of thieves.
“Phew,” I thought. “That’s all sorted”.
Tracking down the scam house
But as a journalist, who likes to know why and how things happen, it was hard to let the fraud lie.
How had these people got enough of my details to trick my phone company into believing they were me?
My telco gave me a copy of the contract taken out in my name and — jackpot — it had the intended delivery address on it.
Records showed the house where the watch was heading was owned by the State Housing Commission, purchased in 2003.
When I arrived I found a nondescript brick house with a tin roof near Perth’s entertainment district of Northbridge. A chat to street residents let me know it was some kind of halfway house.
A bloke out the front on the veranda having a coffee and rolling a cigarette told me it was a place for people who have nowhere else to go — criminals just released from jail, hoping to get back on the straight and narrow.
He said three people were currently staying in the house, but lodgers came and went.
“Yeah, always, in and out all the time,” he said.
Another resident told me he did send back a package, addressed to a woman, that arrived at the house a while back.
He thought it was strange as it is a men-only residence.
So the scammer could have been someone who used to live there. Or someone who was living there, but has since moved on.
‘They’ll go for everything’
Someone from my phone company’s fraud department contacted me a few weeks after it happened.
They had looked into my case and determined I was a genuine victim. The Apple Watch contract was cancelled.
The helpful fraud investigator told me my driver’s licence number, name and date of birth were used by the scammer to place the order.
But when the phone company emailed the contract out to the person who placed the order, they gave the criminal my mobile phone number — another piece of my valuable personal data gifted to them.
The contract also contained my home address, which was disturbing. This person, or these people, now know where I live.
The investigator gave me some good advice — the criminals won’t stop.
“They’ll go for everything,” she said.
She told me to check my credit history to see what else they had tried.
Minding my own ‘Buisness’
Pulling a copy of my credit report revealed another account in my name with another phone company.
The address of the ex-prisoners’ halfway house had been added to my credit file, as had a former employer: Masters Buisness (sic) Support.
I was a little offended that people now would think I worked for a firm which misspelled its own name.
I tried calling the second phone company but they would not give me any details of the account — ironically because I couldn’t prove that I was Rebecca Trigger.
I had to submit a statutory declaration, copies of my police report and copies of my identity documents to prove I was the real me. Pretty surreal.
How did this happen, and can it happen to you?
I suspect, though I’m not certain, someone obtained my driver’s licence number by stealing a renewal notice from my letterbox.
The WA Department of Transport told me a reminder notice was posted out in late May. The fraud happened in early June.
Your licence renewal notice contains your driver’s licence number, date of birth and address.
But this whole saga also made me review where I had used my driver’s licence to prove my identity.
Some online flight and hotel booking systems, especially overseas, require you to provide an identity document such as a driver’s licence.
They are also used to hire cars, something I did regularly on a recent work transfer in Sydney.
And if the constant reports of data-breaches at major companies is anything to go by, this digital information is often far from secure.
How can I fix this?
Trying to claw back my identity has so far taken about 20 hours of my life, multiple trips to government departments and lengthy phone calls that all have to happen during business hours, when I’m at work.
Luckily, after writing this piece, I can tell my editor it’s all work-related. But it’s a hell of an inconvenience.
And it leaves you feeling vulnerable, something that for me is unlikely to change soon.
I’m going to remain exposed for the rest of my life, because in WA you are not allowed to change your driver’s licence number even if it ends up in the hands of criminals.
According to not-for-profit trans-Tasman national identity and cyber support service IDcare, the most common way criminals get your identity details is by stealing from your mailbox or your home.
IDcare recommends making sure your mailbox is locked and, where possible, arranging for alternative ways of receiving credentials and statements.
They also recommend:
- Get someone to collect your mail if you’re going away
- Make a note of when your important documents are likely to be delivered
- Check your credit report once a year (it’s free)
You also can and should get a ban on your credit file, which stops anyone from applying for bank loans, phone accounts and other types of credit in your name.
Although to do this you have to contact the three main credit information firms in Australia separately.
They also ask you to send in digital copies of 100 points of ID, which having just experienced identity fraud you might not want floating through the system in an easily transferrable format.
Victims who do not want to send the credit reporting firms their Medicare card, for example, are left unable to enact a credit ban.
The dark side of easy finance approval
The problem with the way the system is set up is it puts the onus on us, the consumer, to take some pretty extraordinary steps to stay ahead of the criminals.
The ease of applying for phone plans and loans online using just a licence number and date of birth likely helps telcos and financial institutions gain a lot of customers.
But as I found out, it leaves us consumers vulnerable to exploitation.
If your identity is stolen:
- File a report at the Australian Cyber Security Centre
- Contact the three major Australian credit reporting agencies Equifax, Illion and Experian, and obtain a free copy of your credit file
- Place a ban on your credit file with those agencies — this can stop criminals accessing credit in your name
- Advise your bank and review your security arrangements
- Update your online banking, email and other passwords — use unique passwords for each account
- Set up multi-factor authentication — where possible don’t just use SMS, use something like an authenticator app
- This is to limit the damage done by SIM swaps and phone porting
- Monitor your phone closely — if it suddenly stops working it may have been ported.
- Contact IDcare — they have trained counsellors who can support you
The Telecommunications Ombudsman has identified mobile phone number theft as a major problem and recommended providers strengthen identify verification procedures.
Banks and the credit reporting agencies could also make improvements so that lines of credit can’t be opened with a single identity document, or just the details from this document.
As more of our lives go online, identity crime is not going away and the statistics show it.
In 2007 3.1 per cent of Australians had experienced identity fraud of some kind, but by 2014–15 it had jumped to 6.4 per cent.
New stats are due out soon and I won’t be surprised if there’s another rise.
It might be time to invest in that padlock for your mailbox. Mine is already in place.