How the ATO is promoting identity theft

The Australian Taxation Office does a lot to promote data security. Their recent introduction of voice authentication for inbound callers, once it is working, will make contacting the office a far easier process. They still have a gaping hole in their protection of the Australian taxpayer, and it is in their outbound calls.

The ATO has created a perfect storm: their outbound calls carry no caller identification, and the person called is required to hand over several items of personal data before the ATO representative will proceed.

Is the ATO putting your personal information at risk with poor security practices?

The “workaround” the ATO suggests to people who want to protect their information is to ask for the caller’s extension number and call them back through the ATO’s published number, but very few ATO staff are prepared to provide that information.

No Caller ID

Caller identification is relatively easy to spoof on the modern phone network, so a displayed number can never be treated as proof of who is calling. It is still a useful signal: combined with other safe data practices it helps people screen calls and protect themselves from identity theft, whereas a call that arrives with no caller ID at all gives the recipient nothing to check.

Personal Information

Even if you are expecting a call from your bank, the ATO or anybody else, you should never supply personal information to establish your identity. They called you, so the onus is on them to prove who they are, not the other way around; the person answering has no way to verify the caller. The days of assuming people are honest and trustworthy are long gone, and the incidence of fraud conducted over the telephone network and the Internet is skyrocketing.

ATO calls start with “This is NAME from the ATO”, then perhaps a brief reason for calling. And then comes the part that puts every Australian’s data at risk:

“Before I proceed with the call — I need to verify you are the correct person. May I please have your Full Name, Date of Birth and any address that we would have on file for you?”

This requirement trains Australians to hand over exactly this data whenever a caller claims to be from the ATO. A fraudster need only copy the script.

A fraudulent caller could then go on to ask for other information, such as your Tax File Number, or other personal details that could be used to impersonate you later or sold on the data black market.

How to protect the ATO and the client?

Outbound-call fraud isn’t a new problem, and plenty of companies have good solutions. Several businesses give the called party a code and ask them to call back on the number published in the phone book or on the company’s website; entering the code routes the person straight back to the agent they need to speak with. The protection comes from the direction of the second call: the customer dials a number they obtained independently, so a fraudster who initiates a call gains nothing by handing out a code of their own.
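To make the callback-code flow concrete, here is a small Python model of it. This is an added example, not code from the original article, the ATO or any vendor; the class and method names (CallbackCodeService, issue, redeem), the six-digit code length, the fifteen-minute lifetime and the three-attempt limit are all assumptions chosen for illustration. The agent mints a code bound to their own extension while on the outbound call; the called party hangs up, dials the published number and keys the code into the IVR, which redeems it exactly once and routes the call back to that extension.

```python
"""Model of a one-time callback code for verifying an outbound caller.

Added example (assumed names and parameters), not the ATO's or any vendor's
code. The outbound agent reads the code to the called party and asks for
nothing else; the called party proves the agent is genuine by ringing back on
a number they already trust and entering the code.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingCallback:
    extension: str      # agent the IVR should route the return call to
    expires_at: float   # wall-clock time after which the code is dead


class CallbackCodeService:
    """Issues one-time callback codes and redeems them from the inbound IVR."""

    CODE_DIGITS = 6        # short enough to read out over the phone (assumption)
    TTL_SECONDS = 15 * 60  # the called party has 15 minutes to ring back (assumption)
    MAX_ATTEMPTS = 3       # wrong entries allowed per inbound IVR session (assumption)

    def __init__(self, clock=time.time):
        self._clock = clock                             # injectable for testing
        self._pending: dict[str, PendingCallback] = {}  # live code -> binding
        self._failures: dict[str, int] = {}             # inbound session -> bad entries

    def issue(self, extension: str) -> str:
        """Agent side: mint a code bound to the agent's own extension.

        Uses the secrets module, not random: the code is a short-lived bearer
        credential and must be unguessable within its lifetime.
        """
        self._purge_expired()
        while True:
            code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
            if code not in self._pending:   # avoid colliding with a live code
                break
        self._pending[code] = PendingCallback(extension, self._clock() + self.TTL_SECONDS)
        return code

    def redeem(self, session_id: str, entered: str) -> Optional[str]:
        """IVR side: the called party has dialled the published number and keyed
        in the code. Returns the extension to route to, or None to reject."""
        self._purge_expired()
        if self._failures.get(session_id, 0) >= self.MAX_ATTEMPTS:
            return None                                 # session locked; IVR hangs up
        entry = self._pending.pop(entered, None)        # pop: a code is redeemable once
        if entry is None:
            self._failures[session_id] = self._failures.get(session_id, 0) + 1
            return None
        return entry.extension

    def _purge_expired(self) -> None:
        """Drop codes past their TTL so the pool of guessable live codes stays small."""
        now = self._clock()
        for code in [c for c, p in self._pending.items() if p.expires_at <= now]:
            del self._pending[code]


def demo() -> dict:
    """Walk through the happy path and the three failure modes with a fake clock."""
    now = [1_700_000_000.0]
    svc = CallbackCodeService(clock=lambda: now[0])

    # 1. Agent on extension 4321 rings the taxpayer and reads out the code.
    code = svc.issue("4321")
    # 2. Taxpayer hangs up, dials the published number, enters the code: routed.
    routed = svc.redeem("inbound-call-A", code)
    # 3. The same code entered again (replay) is rejected: single use.
    replay = svc.redeem("inbound-call-B", code)
    # 4. An attacker dialling in and guessing codes is locked out after MAX_ATTEMPTS.
    guesses = [svc.redeem("inbound-call-C", f"{i:06d}") for i in range(5)]
    # 5. A code not rung back within the TTL is dead.
    late_code = svc.issue("4321")
    now[0] += CallbackCodeService.TTL_SECONDS + 1
    expired = svc.redeem("inbound-call-D", late_code)
    return {"routed": routed, "replay": replay, "guesses": guesses, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Note that the expiry and per-session attempt limit together are what make a six-digit code acceptable over a voice channel: the live pool is small and an inbound caller gets three tries, so brute-forcing the IVR is impractical, while the single-use pop means an overheard code cannot be replayed after the legitimate callback.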


American Express has another good solution: their agents introduce themselves precisely and then ask a series of “general account knowledge” questions that don’t expose any personal data in either direction.

“Do you have a bank account linked to your credit card?”
“Have you spoken to us in the last week?”
“How long ago was the last charge made to your card?”

None of those questions, alone or together, opens the door to identity theft, and the American Express agent can be confident they are speaking to the right person. The answers are worthless to an impersonator even if overheard, so both parties are protected and nobody exposes account or personal information in the process.

If the Australian Taxation Office takes personal information security so seriously, why are they still asking questions that put our data at risk?

I’d love to see a statement on the ATO’s website that clearly says: “Our staff will never call you and ask for personally identifiable information.” It wouldn’t eliminate phone and Internet fraud, but it would significantly reduce fraudsters’ ability to borrow the ATO’s own policies and procedures for identity theft.
