Australia’s TEx digital verification system could be a ‘golden ticket’ for fraud, says industry
Australia’s plan to introduce a new digital verification system called Trust Exchange (TEx) continues to attract criticism from identity industry leaders and cybersecurity experts.
The AU$11.4 million (US$7.7 million) digital credentials scheme, which should allow Australians to store and share their identities through any digital wallet, has already been called a potential “honeypot” for cybercriminals. More complaints are now pouring in, including from academics, digital rights advocates and biometric identification companies such as IDVerse.
While the government’s TEx framework is a step in the right direction, it needs to be tightened – especially when it comes to validating identity documents, says Paul Warren-Tape, IDVerse’s general manager for Global Risk and Compliance.
“Right now, the system is far too vulnerable to document fraud—something IDVerse encounters all too often. The current checks are simply not enough; they need to be bulletproof,” he writes in a recent blog post.
IDVerse says the biggest issue for TEx is the initial registration process for digital identity. If fraudsters slip through the cracks during this phase, they will be handed a “golden ticket to commit fraud anywhere that accepts the new digital ID.”
The industry already has better practices to offer such as the FIDO Alliance’s Document Authenticity (DocAuth) Certification Program for Remote Identity Verification, Warren-Tape adds.
Australian Government Services Minister Bill Shorten announced the TEx last week, promising that the scheme would give more control to users over sharing data and sensitive information. The government would verify customer details for businesses and organizations through a smartphone app. Credentials will be stored in the myGov wallet, alongside personal data such as date of birth, address, citizenship, visa status, qualifications and other information held by the government.
Built alongside Australia’s national digital ID project, TEx is currently at the proof-of-concept stage and expected to be finalized by the end of 2024, followed by a pilot phase in early 2025. IDVerse, however, notes that the project’s details are murky at best while digital identification technology is facing rising threats such as deepfakes.
“Australians are essentially being asked to be the guinea pigs in an untested digital experiment. That should raise some eyebrows, especially given myGov’s less-than-stellar track record,” says Warren-Tape.
The myGov wallet, which allows Australians to access government services such as taxation, health, or social security, was hit by a scandal last year after it was discovered fraudsters used the platform to steal at least AU$557 million (US$373 million) in two years.
Minister Shorten said that TEx will work with the user’s preferred digital wallet, including one provided by myGov. The system will be optional and decentralized, and the government has promised additional protections that go “beyond existing privacy laws” to protect personal information.
But concerns over data privacy and security and trust in the system have been echoing throughout the industry. The most common complaint is that the TEx may turn into a honeypot, especially considering Australia’s history of data breaches.
While it’s “laudable” that the government is seeking to create a decentralized system with more user control over personal data, details on where and how this data is stored are still scarce, according to Toby Murray, University of Melbourne’s associate professor of cybersecurity.
“Rolling out a system that is the first of its kind is, of course, much more challenging than buying well-proven technology that’s already been shown to work and deploying it,” he told tech news outlet Information Age.
Other digital ID companies are pushing to introduce models similar to those in the UK and the EU, including allowing government-certified private companies and digital wallet providers to offer certain digital ID services, the outlet notes.
The market already has solutions such as TEx, says Ryan Bessemer, CEO of ID verification company ShareRing. Through the Digital ID Bill, passed by parliament in May, the government has decided to create a market for accredited digital ID providers. TEx, however, appeared to be a centralized government service, he says.
Others, such as Electronic Frontiers Australia (EFA), are raising concerns over government surveillance. Tech Council of Australia CEO Damian Kassabgi noted that the government has assured the industry group that officials would not be able to track where a digital ID had been used.
How will TEx work?
According to the Australian government, the TEx system will help businesses like telcos or banks verify identities while signing new contracts and creating new accounts. TEx will also be used in age verification, apartment rental and job applications, writes TechRepublic.
TEx will be able to verify the information by passing a digital token to a business instead of private information such as a driving license, assuring the business that the details are correct without it needing to view them.
The system will take the burden of verifying identities from businesses, streamlining the sale of products or services. Businesses will no longer have the risk of storing personally identifiable information (PII) as the government will hold identification data and the exchange of data will be limited to what is required. Any information verified by the system, however, will still need to be collected, stored, and managed.