Counter fraud techniques
Guidance on additional steps that can be added to identification processes to increase their integrity and reduce fraud.
Help us create the best guidance possible
If you would like anything added to or clarified in this guidance, email the Identification Management team at firstname.lastname@example.org.
There is no ‘one-size-fits-all’ when it comes to identification processes. The reasons for this include:
- Not every Entity will have the same evidence for verifying information or binding to it. A set of uniform identification requirements may unnecessarily restrict the ability to complete processes.
- Each Relying Party has different contexts and objectives that need to be considered when designing appropriate identification processes.
- Identification-related risk could be at a variety of levels. Applying uniform identification processes to all situations could potentially mean over-engineering where there is lower risk or under-engineering where there is higher risk.
Counter fraud techniques are a way to apply additional steps to increase the integrity of a system especially where there are difficulties meeting the desirable level of assurance in identification processes.
Find definitions for key terms used in this guidance — Identification terminology.
This guidance will evolve and expand over time to meet the needs of users and is part of the wider Identification Management Standards.
Topics covered in this guidance
- Managing coercion and collusion
- Entities with limited evidence
- Weak evidence quality
- De-duplication of Entity information
- Counter fraud techniques for Binding
- Authentication analytics
- Dealing with discrepancies
- Reducing internal fraud
Managing coercion and collusion
Coercion refers to instances where an Entity is forcefully persuaded to do something they do not want to do. This could be enrolling for something they do not need, or giving up the Authenticator associated with an existing account.
Coercion is not the same as an Authenticator Holder being manipulated into disclosing or giving up their Authenticator without their knowledge. Use of biometric factors is unlikely to prevent coercion.
The less often interactions are carried out in person, the harder it is to detect when coercion is occurring.
During enrolment, including the establishment of an Authenticator, the best defence against coercion is to carry out all or part of the process in person. Where this is not possible in a physical environment, it can be possible for an experienced staff member to detect the signs of coercion within a live video interaction or even over the phone.
Where coercion is a likely risk for authentication, it could be appropriate to enable the rightful Entity to enter a predefined knowledge factor that appears to be correct but activates processes within the system to limit the impact of the transaction and alert the system to the fraud.
Examples of limiting impact
Examples can include:
- reducing the transactions available
- making transactions appear to have been carried out but holding them in the system for investigation
- signalling that secondary authorisation is required.
Consideration of the potential harm that could come to the Entity is needed prior to implementing these methods.
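As an added illustration of the duress knowledge factor described above (example code, not part of this guidance), the sketch below stores a normal PIN and a separately chosen duress PIN; presenting the duress PIN opens a session that looks successful to the Entity but has a reduced transaction limit, holds transactions for investigation and raises a silent alert. PIN values, limits and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class SessionMode(Enum):
    NORMAL = "normal"    # the ordinary knowledge factor was presented
    LIMITED = "limited"  # the duress factor was presented: reduce impact, alert silently
    DENIED = "denied"    # neither factor matched


def derive(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the stored values are not the raw PINs (assumed parameters).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class AccountAuthenticator:
    """Stores a normal PIN and a separately chosen duress PIN for one account."""
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes
    normal_limit: int = 5000  # constructed per-transaction limit for a normal session
    duress_limit: int = 200   # reduced limit while coercion is suspected

    @classmethod
    def enrol(cls, normal_pin: str, duress_pin: str) -> "AccountAuthenticator":
        if normal_pin == duress_pin:
            raise ValueError("the duress PIN must differ from the normal PIN")
        salt = os.urandom(16)
        return cls(salt, derive(normal_pin, salt), derive(duress_pin, salt))

    def classify(self, presented: str) -> SessionMode:
        candidate = derive(presented, self.salt)
        # Always compare against both stored values so that timing does not
        # reveal which one (if any) matched.
        is_normal = hmac.compare_digest(candidate, self.normal_hash)
        is_duress = hmac.compare_digest(candidate, self.duress_hash)
        if is_normal:
            return SessionMode.NORMAL
        if is_duress:
            return SessionMode.LIMITED
        return SessionMode.DENIED


@dataclass
class Session:
    mode: SessionMode
    limit: int
    alerts: list = field(default_factory=list)             # seen by the fraud team only
    held_transactions: list = field(default_factory=list)  # shown as completed, held in the system

    def request_transaction(self, amount: int) -> str:
        """Returns the outcome shown to the Entity."""
        if self.mode is SessionMode.DENIED:
            return "denied"
        if amount > self.limit:
            return "limit exceeded"
        if self.mode is SessionMode.LIMITED:
            # Appears to have been carried out, but is parked for investigation.
            self.held_transactions.append(amount)
        return "completed"


def open_session(auth: AccountAuthenticator, presented_pin: str) -> Session:
    mode = auth.classify(presented_pin)
    limit = {SessionMode.NORMAL: auth.normal_limit,
             SessionMode.LIMITED: auth.duress_limit,
             SessionMode.DENIED: 0}[mode]
    session = Session(mode=mode, limit=limit)
    if mode is SessionMode.LIMITED:
        # The alert goes to the system, never to the screen a coercer can see.
        session.alerts.append("possible coercion: duress factor presented")
    return session
```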
Collusion refers to 2 or more people working together to undermine a process or system. It is one of the hardest types of fraud to detect and prevent.
During enrolment segregation of duties can make collusion more difficult by increasing the number of parties needing to collude to successfully complete a process. This also provides an opportunity for the actions of the first party to be checked for accuracy before being finalised.
When it comes to authentication, there is nothing about knowledge or possession factors that prevents them from being willingly shared by the Authenticator Holder. However, well implemented biometric factors can ensure that the Holder is a willing participant. This could aid with investigation and prosecution of the fraud.
Entities with limited evidence
Having insufficient evidence has the potential to weaken identification processes. Where an Entity claims to not be able to produce evidence when they should reasonably be able to, additional scrutiny will be warranted. Some additional guidance is provided for the following groups that are known to have less access to evidence.
Establishing evidence for the identification of children can be challenging, as they have not always accumulated the documented or digital footprints of life. Children, particularly babies, do not usually possess the elements needed for binding, such as established shared secrets and stable photographic images, because of their developing memory and changeable appearance as they grow.
Commonly there will be applicable legislation that provides for an Agent to act on behalf of a child. Organisations can use the following approaches when identifying a child:
- Ensure any agent (for example, a parent or caregiver) is identified to the same level as is intended for the child, then collect evidence of the link between the child and their agent.
- Use a range of evidence to indicate the child’s use of any information as their own by looking at their wider interaction in the community — for example, evidence of the child’s engagement with the health and education sectors, or social service, religious, and cultural institutions.
- Use a declaration by a Trusted Referee.
Due to the nature of their departure from their home country, some refugees can have insufficient evidence for identification processes. Before being allowed to pass beyond the border-controlled environment a refugee will undergo extensive checking by Immigration New Zealand (INZ). Much like the Department of Internal Affairs carries out the anchor identification process for children born in New Zealand, INZ does the same for refugees being accepted into New Zealand and will issue a New Zealand Certificate of Identity.
Organisations can use the following approaches when identifying a refugee:
- Ensure any agent is identified to the same level as is intended for the refugee, then collect evidence of the link between the refugee and their agent.
- Use a range of evidence to indicate the refugee’s use of any information as their own by looking at their wider interaction in the community — for example, evidence of their engagement with the health and education sectors, or social service, religious, and cultural institutions.
- Use a declaration by a Trusted Referee.
Non-human Entity refers to any Entity that is not a human being, such as an organisation, dog, tree, building or device.
Non-human Entities can pose difficulties to identification processes due to:
- having less recorded information relating to them
- some being less distinguishable — for example, there is less to distinguish between several identical devices than several trees or human beings
- knowledge and biometric authentication factors used for binding and authentication processes being less likely to be available.
Non-human Entities also rely heavily on Agents to act on their behalf.
Organisations can use the following approaches when identifying a non-human Entity:
- Ensure any agent is identified to the same level as is intended for the non-human Entity, then collect evidence of the link between the non-human Entity and their agent.
- Use a declaration by a Trusted Referee which in this case could include an authorised agent.
Weak evidence quality
There will be times when the quality of evidence, especially for information assurance, is less than desirable. In the first instance an investigation into the reasons for this is needed, as this could be an indicator of attempted fraud. There are 2 main approaches when evidence is weak.
The first, commonly used when the evidence is a physical document credential, is to seek to verify the information with the issuer of the document, in a subsequent data-matching process. The benefit of this is that it can also provide confirmation of the status of the credential, which can also indicate whether the information is to be relied upon. See Using document as evidence.
Permission from the Entity or through legislation will need to be obtained before data-matching can occur. In some cases, this verification can result in an increase in the level of information assurance. However, this action does not impact the level of binding assurance.
The second approach is to gather additional evidence to support claims. See also use of information over time. It can never be assumed that multiple pieces of evidence from the same or lower levels of assurance will add up to a higher level of assurance. The gathering of additional evidence is only to reduce the likelihood of fraud. To that end, when asking for additional evidence, consideration needs to be given to the additional effort on both the Entity and the Relying Party in relation to the benefit to be gained.
De-duplication of Entity information
There is a minimum requirement set in IA2.01 in the Information Assurance Standard that a Relying Party needs to ensure that they collect enough distinctive information to uniquely distinguish 1 set of Entity information from another in a context.
For some contexts, the risk can indicate that it’s also desirable to minimise the incidence of an Entity inadvertently or deliberately enrolling more than 1 set of Entity information. This can occur as information about an Entity changes over time. Entities who are not regularly interacting with an organisation can be re-enrolled with new Entity information rather than connected to their previously collected Entity information, due to changes in the attributes that are part of that information.
Methods to reduce multiple sets of Entity Information relating to the same Entity include:
- Collection of attributes that are unlikely, or less likely, to change over time, taking care that there is a valid purpose for keeping these attributes.
- Where it’s allowable to collect a unique identifier from another context, checking that this does not appear in multiple records — for example, tax file number, bank account, registration or membership numbers.
If a duplication of Entity Information is discovered, the organisation will need to refer the case for further investigation and, if necessary, amend its records. It’s important to be aware that duplication of Entity Information will not necessarily be the result of a fraudulent application. For example, it may occur through legitimate matching Entity Information or administrative error.
De-duplication of Entity Information is not the same as de-duplication of enrolled Entities. There are very few instances where it’s also necessary to ensure that an Entity has only enrolled once. This is referred to as “1 only and only 1”, where an Entity can only enrol once and can have only 1 set of Entity Information.
An automated check of a biometric characteristic of a newly enrolled Entity against the same biometric characteristic for all existing enrolled Entities can also be used to ensure that an Entity has not enrolled more than once.
Counter fraud techniques for Binding
Entity is not deceased
The steps to bind an Entity to the Entity Information they are claiming determine that the Entity is alive. However, this does not always prevent an Entity from using information that’s not their own, such as a deceased person’s.
An organisation could verify against the New Zealand Death Register (administered by Department of Internal Affairs) that no death record matches the information being claimed by an Entity. Checking the New Zealand Death Register reduces the possibility of an Entity using the information of a deceased person.
Organisations need to be aware that only deaths that occur within New Zealand are recorded on the New Zealand Death Register. Entities who have died outside New Zealand or who have been recorded under different information will not necessarily be identified through that check.
A check against the New Zealand Death Register does not eliminate the possibility that an Entity is using the information of a New Zealand citizen who has died in another country, as their own.
Verification against the New Zealand Death Register requires legislative authority.
A Trusted Referee is a person who makes a statement to confirm that, to their knowledge, certain attributes (for example, biographic details or biometric information such as a photograph) belong to an Entity. They will most commonly be used in meeting the control BA3.02 in the Binding Assurance Standard. Use of Trusted Referees can be a cost-effective way to provide assurance that an Entity is bound to Entity Information.
The 2 key elements that should exist for a Trusted Referee process to be effective are that they:
- have the personal knowledge required to make the statement
- are trusted by the organisation according to the organisation’s own criteria.
Criteria for trusted referees
Organisations will need to determine who qualifies as a Trusted Referee for a particular service. The Trusted Referee needs to be able to identify themselves to the equivalent level being requested of the Entity.
- Adult — The Trusted Referee needs to be 18 years or older.
- Relationship exclusions — The Trusted Referee and Entity will not be immediate family, spouses, partners or live at the same address.
- Relationship quality — All Trusted Referees need to have interacted with the Entity face-to-face on multiple occasions within the last 3 months. If a single Trusted Referee is used, they need to have known the Entity for more than 12 months. Otherwise, multiple Trusted Referees are to be used if the timeframe is shorter. For example, 3 Referees to be used if they have all known the Entity for less than 3 months.
- Independent auditability — regardless of the contact information provided by the Trusted Referee in the process, the Relying Party needs to be able to contact them (by phone) independently to verify that they made the statement. It’s suggested that the Trusted Referee either be a previously enrolled Entity within the Relying Party’s context or belong to a trusted independent group that is publicly accessible, for example Justices of the Peace, medical professionals, education professionals or law enforcement.
The primary attribute being bound will be the Entity’s name. However, there may be a disconnect between the name a Trusted Referee knows the Entity by and the name the Relying Party wishes to bind. Relying Parties will have to take this into account where they focus on official rather than legal names. Processes that check that there is a sole claimant of a particular information set could offset this risk.
Organisations will need to ensure that the availability of Trusted Referees is wide enough that Entities can reasonably be expected to find 1 or more that meet the criteria without compromising the process.
The practice of using Trusted Referees does not necessarily need to be enshrined in legislation. However, consultation with legal advisors is desirable when considering implementing a Trusted Referee process, to ensure that it is legitimate under the legislation that the organisation operates within and enforceable where possible.
Where an organisation cannot justify contacting each Trusted Referee, it will, at a minimum, contact a percentage of Trusted Referees to confirm their statement, as an audit that the statement was truthful and that the process was carried out correctly. Organisations will also need to contact the Trusted Referee if any other discrepancy in the Entity’s application is detected, or based on other risk indicators. Any Trusted Referee who made a statement relating to an allegedly fraudulent Entity will also need to be investigated.
Use of information over an extended period of time
A possible indication of fraud is a lack of history of the Entity’s use of information, as their own, over time. While Trusted Referees can contribute to evidence of use of information over time, it may be for a limited set of attributes.
Where indicated by the level of risk or the type of evidence produced, it can be appropriate to gather additional evidence that an Entity has used certain attributes over an extended period. It can also be helpful to look across different contexts for that evidence such as social, professional, financial and health.
Care needs to be taken not to assume more from the evidence than it is able to provide. For example, utility bills and bank statements can provide a link between a name and an address over an extended period. However, they provide little to link the Entity to this information.
Authentication analytics
There are several analytical processes that can be applied during or after an authentication process that look to detect anomalies in the behaviour of an Entity despite their successful authentication. These analytical processes are often also called passive authentication and can form part of a zero-trust approach.
The outcome of any analytical assessment can be used to trigger investigation or apply limits to activity carried out within the system.
Analysis of location, often used in conjunction with time-based analysis, looks at various elements of location to determine whether an Entity has been incorrectly authenticated.
Location analysis that can be used to augment authentication processes:
- Flagging requests to access physical files not held at the Entity’s location.
- Matching online access to expected locations — for example using network connection, IP addresses or geolocation.
- Checking when different locations for access are used sequentially to determine if it’s physically possible to travel between those locations in the time between access attempts.
Analysis of the timing and duration of access can also be used to determine whether an Entity has been incorrectly authenticated.
Time analysis that can be used to augment authentication processes:
- Assessing if the Entity is attempting to authenticate outside any previously measured routine or agreed access windows.
- Assessing if the Entity has remained in the system for a longer or shorter time than any previously measured routine or agreed access windows.
- Ongoing assessment of biometric measurements relating to time such as keying speed.
- Assessing the speed of authentication responses which could indicate an automated Entity where a human is expected or vice versa.
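The location and time checks listed above, as an added example that is not part of this guidance: the code runs three of them (sequential access from locations too far apart to travel between in the time available, logins outside an agreed access window, and sessions longer than the expected routine) over a small constructed set of authentication events. The speed, window and duration thresholds, and the sample events, are assumptions for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Thresholds are assumptions chosen for this example, not values from the guidance.
MAX_PLAUSIBLE_SPEED_KMH = 900.0             # about airline cruising speed
ACCESS_WINDOW = (time(7, 0), time(19, 0))   # agreed access window, local time
MAX_SESSION = timedelta(hours=10)           # longest expected time in the system
SAME_PLACE_KM = 50.0                        # below this, treat as the same location


@dataclass
class AuthEvent:
    entity: str
    login: datetime
    logout: datetime
    lat: float   # geolocation resolved at login time
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(prev: AuthEvent, cur: AuthEvent) -> bool:
    """Could the Entity physically have moved from prev to cur in the time available?"""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if distance < SAME_PLACE_KM:
        return False
    elapsed_h = (cur.login - prev.logout).total_seconds() / 3600
    if elapsed_h <= 0:   # overlapping sessions from two distant places
        return True
    return distance / elapsed_h > MAX_PLAUSIBLE_SPEED_KMH


def outside_window(ev: AuthEvent) -> bool:
    start, end = ACCESS_WINDOW
    return not (start <= ev.login.time() < end)


def overlong_session(ev: AuthEvent) -> bool:
    return ev.logout - ev.login > MAX_SESSION


def analyse(events):
    """Returns (entity, login ISO timestamp, reason) for every anomaly found."""
    findings = []
    by_entity = {}
    for ev in events:
        by_entity.setdefault(ev.entity, []).append(ev)
    for entity, evs in by_entity.items():
        prev = None
        for ev in sorted(evs, key=lambda e: e.login):
            when = ev.login.isoformat()
            if outside_window(ev):
                findings.append((entity, when, "outside_window"))
            if overlong_session(ev):
                findings.append((entity, when, "overlong_session"))
            if prev is not None and impossible_travel(prev, ev):
                findings.append((entity, when, "impossible_travel"))
            prev = ev
    return findings


# Constructed sample events (coordinates are approximate city centres).
SAMPLE_EVENTS = [
    AuthEvent("E1", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 9, 30), -41.29, 174.78),     # Wellington
    AuthEvent("E1", datetime(2024, 3, 4, 11, 0), datetime(2024, 3, 4, 11, 15), 51.51, -0.13),     # London, 90 min later
    AuthEvent("E2", datetime(2024, 3, 4, 8, 0), datetime(2024, 3, 4, 8, 45), -36.85, 174.76),     # Auckland
    AuthEvent("E2", datetime(2024, 3, 4, 11, 0), datetime(2024, 3, 4, 11, 20), -41.29, 174.78),   # Wellington, plausible
    AuthEvent("E2", datetime(2024, 3, 4, 22, 30), datetime(2024, 3, 5, 10, 45), -41.29, 174.78),  # late night, 12 h 15 min
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

Each finding is a trigger for investigation or for limiting activity in the session, as the guidance describes; it is not itself a decision that the Entity is fraudulent.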
Other methods of assessing behaviours that could indicate an incorrectly authenticated Entity continue to evolve. The following is a list of some known approaches:
- Examining the device characteristics of the Entity
- Activity analysis
- Device/Browser information.
If appropriate, organisations may use risk profiling as a tool to reduce identification risk in addition to the process requirements specified in the Identification Management Standards.
Risk profiling involves using information collected by the organisation or from other sources (for example, other organisations, overseas counterparts and other intelligence sources) about previous cases where misuse or abuse of information, or other crimes, were detected. This knowledge is then used to highlight characteristics of cases that are more likely to involve fraud.
A risk profile highlights aspects about an Entity that may indicate an increased risk of their perpetrating an identity crime. If an Entity application or the service they are enrolling for fits within a risk profile, an organisation can undertake additional processes to further verify the Entity’s information.
These additional processes could include requiring the customer to attend an investigative interview. The type of additional processes an organisation chooses to undertake will need to be established as part of the overall identification process design.
Risk profiles need to be updated to ensure their ongoing currency. It is particularly important to update risk profiles to include details of relevant incident and/or intelligence information that contribute to the refinement of organisation risk profiles. Accountability mechanisms within organisations will be required to ensure updating happens in a timely manner.
Any risk profiling tool considered for adoption by an organisation will need to be assessed from a human rights perspective. It is recommended that legal advice be sought before adopting a risk profiling tool, particularly regarding any human rights issues that may arise from use of a particular profiling tool.
Dealing with discrepancies
General actions to take
If a discrepancy is detected in the information or evidence provided by an Entity or Trusted Referee, the following actions are recommended:
- Seek an explanation from the applicant for the service, unless it’s clearly apparent that it’s a fraudulent matter, in which case the matter will be forwarded directly to investigations staff.
- If the applicant’s explanation is not satisfactory, then the application needs to be investigated further.
- Discrepancies between documents/records regarding critical information need to be resolved before continuing with the enrolment — especially where a credential is to be issued on which others will rely.
- If discrepancies are identified in documentary evidence, organisations can refer applicants back to the issuing authority to seek amendment and/or replacement.
- It’s helpful if organisations consult with their internal teams who deal with investigating discrepancies about what information from evidence is useful to retain for investigative purposes — for example, date of issue and serial number.
- Unless it’s unlawful to do so, organisations are to withhold the documents that are suspected to be fraudulent, from the Entity that has presented them, until the discrepancy has been resolved.
Loss of evidence or notes about the evidence used could significantly jeopardise any action an organisation may wish to take against a fraudulent applicant.
Investigative interviewing processes
Investigative interviewing can offer a higher degree of confidence where the assurance level has not been able to be met.
An investigative interview involves the interviewer collecting information about an Entity before the interview and preparing questions that the person claiming that information could reasonably be expected to answer correctly.
Because of the cost to the organisation and the Entity, and the level of staff training involved, investigative interviews are best used only where all alternative identification processes have not achieved the required level of assurance for the risk being posed.
Handling individual exceptions
Organisations need to have exception-handling protocols in place to deal with cases where Entities are unable to meet identification process requirements. The nature of these protocols will be determined by the organisation in relation to the services, risk and Entities to be enrolled.
Where possible, exception processes will be as functionally equivalent as possible to the standard identification processes, taking into account the objectives to be achieved.
If a level of information assurance of 3 (LoIA 3) is needed, the organisation can attempt to meet the objectives for LoIA 3 by requiring alternative evidence from the Entity. For example, if an Entity is unable to provide the prescribed documentation to meet LoIA 3 due to accidental destruction of all documentation, the organisation could get the Entity’s consent to contact the issuing organisation to verify the information.
Reducing internal fraud
Internal controls are an organisation’s first line of defence in safeguarding assets and preventing and detecting errors and fraud. Poor internal controls can jeopardise the effectiveness of any identification process.
Organisations can analyse their identification processes to determine the points at which internal controls need to be implemented to prevent process failure. Internal control activities are any policies, procedures, techniques, and mechanisms that minimise the risk that identification processes will not meet their objectives. They include a diverse range of activities, such as:
- employment recruitment process controls
- controls over information processing
- physical control over vulnerable assets
- segregation of duties
- access restrictions to, and accountability for, resources and records.
There are a range and variety of control activities that can be adopted, and they will vary between different implementations. Control activities need to be flexible enough to allow them to be tailored to fit particular contexts.
Factors to consider when determining which control activities to adopt can include:
- specific threats faced by the organisation and the services offered
- differences in organisational objectives
- size and complexity of the organisation
- operational environment
- sensitivity and value of information
- requirements for system reliability, availability, and performance.
Segregation of duties
Key duties and responsibilities can be divided or segregated among different staff members to reduce the risks of error and internal fraud. This includes separating the responsibilities for each of the following:
- authorising services
- processing and recording services
- reviewing the services
- handling any related assets.
No one individual should control all key aspects of a service’s delivery. This is especially important when issuing any record that may potentially be used as evidence for subsequent services.