NewsBite

Advertisement

This was published 8 months ago

The repo man presented Robert’s driver licence. But the picture was someone else

By Rachael Dexter

In late January, Victorian man Robert Cox got an unexpected knock at the door.

A man with a clipboard, sent by a Sydney-based lender Branded Financial Services, had come to find a grey luxury Audi SUV purchased for more than $111,000 in Robert’s name two weeks earlier.

Robert Cox has recently had his identity stolen, enabling thieves to buy a luxury vehicle in his name.

Robert Cox has recently had his identity stolen, enabling thieves to buy a luxury vehicle in his name.Credit: Penny Stephens

Cox knew nothing of the car – or the staggering loan taken out in his name. The man showed him a photo of a convincing-looking Victorian driver licence that was used during the loan process for the car.

It showed Cox’s correct name, address, date of birth and even the correct licence number in the top-right corner. But the photo on the card looked nothing like him. The young man in the licence photo had black hair and a thick black beard and moustache.

“I’ve thought, ‘Oh f---, this is weird’,” said Cox, a 41-year-old with light-brown hair. “I then showed him my real licence and said, nah man, this is the real me. I’ve been here forever.”

Loading

This bizarre interaction four weeks ago was the culmination of an increasingly common type of identity fraud following large-scale data breaches like Optus and Medibank hacks.

It also started Cox on his own path of investigation, which revealed an apparent loophole between state and federal systems where some Victorian licences are not being properly validated during loan applications.

Cox immediately notified police and took advice from Australia’s national identity and cyber support service, IDcare, which recommended imposing a ‘credit ban’ to freeze access to his credit file via one of three credit reporting agencies in Australia – Equifax, Illion or Experion.

Advertisement

In doing so, Cox accessed his credit report for the first time. It revealed a previously undetected history of activity by the fraudsters. “Turns out this started back in 2020,” he said.

Cox’s credit history – seen and verified by this masthead – revealed someone had attempted unsuccessfully to apply for a loan and a credit card in Robert’s name in 2020.

Nothing happened again until December last year, when two credit score check accounts were successfully opened with lenders WISR and Canstar to assess Cox’s credit rating. Then in January 2024, a fraudster attempted to take out loans with at least four different lenders for between $100,000 and $120,000.

They had success on January 15 when Branded Financial Services issued a loan of $111,651. The very same day, a 2023 model Audi RS Q3 was purchased with the fraudulent loan from Sydney-based car dealership The Auto Gallery from an online listing.

As of Friday, when police confirmed they were investigating Cox’s case, the whereabouts of the car remained unknown. Requests for comment from the dealership went unanswered.

Cox has no idea how fraudsters accessed all his personal details in the first place. But once they had them, they were able to make a convincing fake Victorian licence, which can be purchased online for around $300.

Screenshot of a car fraudulently bought in Robert Cox’s name.

Screenshot of a car fraudulently bought in Robert Cox’s name.Credit: carsales.com.au

Branded Financial Services chief executive Liesl Knox said that once her company detected the fraud – after the car had already been transported from the dealership – it began investigating, including sending the field officer to Cox’s home to confirm their suspicion that the ID was not real.

“We’ve been in contact with Mr Cox to support him through this stressful situation and ensure any impact on him is minimised,” she said in a statement.

“We will always absorb the cost of an incident such as that of Mr Cox’s identity thief and take steps to rectify the impact on the individual’s financial records which might otherwise prevent them from obtaining finance in the future.”

Loading

Knox said Branded Financial Services had an “industry-standard identity validation system” and that the company worked “with authorities and external partner organisations to detect fraud, as was the case here”.

She did not respond to questions about whether there were similar instances of fraud using Branded Financial Services or how much money the company had lost to such scams.

But Cox remains perplexed as to how the criminal was able to get as far as they did.

An email from Branded Financial Services to Cox confirmed that the person purporting to be Cox used the “licence” with a fake card number on the back, a forged rate notice with the insignia of Cox’s local council, his Australian business number and a fraudulent ING bank account in Cox’s name as evidence to secure the $112,000 loan.

ING could not explain how the fraudster was able to open a bank account in Cox’s name, but a spokeswoman said the bank’s staff: “... apply, and continuously review, stringent and legislated identity validation measures to ensure we’re doing all we can to help safeguard customers from identify fraud”.

The other lenders that allowed the criminal to access Cox’s credit file and hoover up more useful information – Wisr and Canstar – said they used both the licence number and card number provided by the fraudster in Cox’s case to validate them against details stored in the federal government’s Document Verification Service (DVS), which stores all Australian licence details.

Cox last week tested that theory and tried to open a new Wisr account for someone else using a correct licence number but an intentionally fake card number as the fraudster had done with his identity. “And lo and behold, I got in,” he said.

Asked how this was allowed, Wisr admitted: “In the case of some Victorian driver’s license holders, the Australian Government DVS system will return a driver’s licence as ‘verified’ to our credit bureau based on verification of the driver’s licence number only.”

Loading

Paul Warren-Tape, general manager of risk and compliance at IDVerse – which provides biometric identity verification to major lenders – said this was a known limitation to the DVS method of validation.

He said before the Optus breach in 2022, the DVS only stored licence numbers – not card numbers. Since that time, VicRoads has uploaded card numbers for customers caught up in the Optus and Latitude Finance hack, but not everyone else.

“[VicRoads] are still going through everyone else slowly as their licences expire,” Warren-Tape said. “So what that means is for all those remaining Victorian licence holders, that card number will be ignored for the purposes of validation against the DVS currently even if you supply it.

“This is a very common style of kind of fraud attack where someone’s got someone else’s real information and then processes a licence with someone else’s face on it.”

The DVS also does not check facial images. A forthcoming face verification service will.

The federal government says making Victorian driver licence numbers available to the DVS is a matter for VicRoads.

The federal government says making Victorian driver licence numbers available to the DVS is a matter for VicRoads.Credit: Penny Stephens

A spokeswoman for Victoria’s Transport Department said VicRoads was “in the process of ensuring all Victorian licence holders have their unique card numbers loaded into DVS”. But she did not say how many licence card numbers were yet to be uploaded, or how long that would take.

The federal Attorney-General’s Department, which oversees the DVS, confirmed that only some Victorian card numbers were in its system and being included in its validations for lenders.

A spokeswoman for the department said “a decision as to whether, and if so when, to make Victorian drivers licence card numbers available to the DVS is a matter for VicRoads and the Victorian government”.

Independent cybercrime investigator Simon Smith called for VicRoads to immediately transfer all Victorian card numbers to the DVS, as some people could be waiting up to 10 years – the normal length of a licence expiry – during which time they could be vulnerable to identity theft.

“They can’t have a half-half system where they only enter new people in as they renew – it’s crap,” he said. “It’s very inconsistent and irresponsible.” But Smith said lenders could not solely blame VicRoads or the DVS for what happened in Cox’s case.

“I know that it’s easy for everyone to point their finger in this situation... but the simple reality is it’s the responsibility of the lender to identify that the person that they’ve got is actually who they say they are,” he said.

Warren-Tape, from IDVerse, agreed and said lenders should use a range of additional tools to verify customer identities, including AI technology that can detect fake or tampered IDs, and require selfie videos of a person showing they match the ID they submitted.

Loading

“The DVS does have a place, but it’s not the be-all and end-all,” he said. “It isn’t going to stop an identity take-over, which has happened in Cox’s case.”

While Cox’s matter is under investigation, he holds concerns about what the criminal could still do with his identity, and worries about other potential victims who aren’t yet aware their identities are being used.

“We’re minutes away from the next data breach, and what my case shows is this wasn’t actually that sophisticated to carry out,” he said. “Identity theft is only happening because governments are allowing it to happen.”

Most Viewed in National

Loading

Original URL: https://www.theage.com.au/national/victoria/the-repo-man-presented-robert-s-driver-licence-but-the-picture-was-someone-else-20240221-p5f6qz.html