Identity is authenticated for each interaction
Customer or third party identities are authenticated for each interaction.
NB: Authentication is the process undertaken to confirm that the person we are engaging with owns the record they are trying to access.
In particular, it involves testing the credentials supplied by the person making the claim against what is already held on record for that identity.
The three categories of authentication factor are:
- Something you know (e.g. a password)
- Something you have (e.g. an ID badge or cryptographic key)
- Something you are (e.g. a fingerprint or other biometric data)
Some examples of this type of countermeasure include:
- All customers or providers must pass an identity authentication check prior to servicing.
- Staff must enter their log-on ID and password to access systems.
- Customers or providers must pass two-factor authentication (factors from two different categories, e.g. a password plus a one-time code from a device) to access their online account.
- Customers must enter a unique PIN to access the mobile app.
- Customers are verified by voice or facial biometrics.
Purpose of this countermeasure
Someone can provide false or misleading information or stolen evidence of identity to support a request or claim.
Providing false or misleading information or forged documents to commit fraud are offences under the Criminal Code Act 1995.
Whole-of-Government policies require us to have a high level of confidence in the identity of a customer when providing government services and payments.
Providing services to someone without authenticating their identity can lead to fraudsters impersonating customers or third parties to receive fraudulent payments or gain access to information.
This type of control is supported by:
- Legislation or Policy
- Procedural instructions or guidance
- Help and support
- Staff are trained to apply correct processes and decisions
- A specific form, process or system must be used
- Evidence must be provided to confirm identity
- Mandatory information is required to complete the request or claim
- Prompts and alerts
- Internal escalation procedures
- Sensitive information controls
- Information is verified
- Data matching
- Duplicates are prevented, identified and corrected
- Data loss protections
- Staff are trained and supported to identify and report fraud and corruption
- Quality assurance checks
- Internal or external audits or reviews
- Automatic notification of high-risk activities and transactions
How do I know if my countermeasures are effective?
You can apply the following methods to measure the effectiveness of these types of countermeasures:
- Review authentication controls and policies to see if they conform to national guidelines and frameworks.
- Review the information threshold for authenticating an identity: how much of the information requested is publicly available (e.g. could be found on social media or in a data breach) and therefore usable by an impersonator?
- Confirm the existence of reference and guidance material.
- Confirm processes are consistently applied both within channels and across channels.
- Review a sample of completed transactions to confirm correct processes were undertaken.
- Ask staff about the authentication processes to ensure they have a consistent and correct understanding.
- Undertake vulnerability testing or a process walk-through to confirm that processes cannot be circumvented.
- Identify how the requirement to authenticate identity is communicated to staff.
- Review identified cases of fraud involving the use of a false or stolen identity.