Create and use unique and random identifiers to avoid misuse, such as: unique and random account numbers, claim references or asset numbers.
Why this countermeasure matters
Unique and random identifiers may help:
- prevent fraudsters from guessing identifiers due to them being sequential
- indicate if a document or identifier is forged.
How you might apply this countermeasure
Some ways to implement this countermeasure include:
- using randomly generated numbers to avoid fraudsters guessing identifiers
- having codes or sequences in numbers to link the identifier to the person’s identity, such as their birthdate or date of initial application
- using check-sums – if the number doesn’t pass the check-sum then it may be fraudulent.
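The random-number and check-sum measures above can be combined in one issuing routine. The sketch below is an added example, not part of the original guidance. It assumes an 11-digit random part and the Luhn algorithm as the check-sum (the page names neither), and all function names are hypothetical.

```python
import secrets

ID_DIGITS = 11  # assumed length of the random part; not specified by the page


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; double every second digit starting with the rightmost.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def new_identifier(issued: set[str]) -> str:
    """Issue a non-sequential identifier: CSPRNG digits plus one check digit."""
    while True:
        payload = "".join(str(secrets.randbelow(10)) for _ in range(ID_DIGITS))
        candidate = payload + luhn_check_digit(payload)
        if candidate not in issued:  # enforce uniqueness against issued identifiers
            issued.add(candidate)
            return candidate


def passes_checksum(identifier: str) -> bool:
    """First-line screen: reject malformed or mistyped identifiers."""
    if len(identifier) != ID_DIGITS + 1:
        return False
    if not (identifier.isascii() and identifier.isdigit()):
        return False
    return luhn_check_digit(identifier[:-1]) == identifier[-1]


def is_valid(identifier: str, issued: set[str]) -> bool:
    """Genuine only if it passes the check-sum AND was actually issued."""
    return passes_checksum(identifier) and identifier in issued
```

The check-sum algorithm is public, so a number that passes it is only a candidate; the lookup against issued identifiers in `is_valid` is what confirms it is genuine.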
How to check if your countermeasures are effective
Here are some ways to measure the effectiveness of this type of countermeasure:
- check how identifiers are issued
- conduct a quantitative or trend analysis of misuse of identifiers
- review a sample of identifiers to confirm sequencing is random
- confirm identifiers are stored securely in accordance with the Protective Security Policy Framework
- review identified cases of fraud involving false or stolen identifiers
- check identifiers can be matched back to verified identity documents.
Develop clear instructions and guidance for activities and processes, such as instructions for collecting the right information to verify eligibility or entitlements, procedures to help staff apply consistent and correct processes and guidance to help staff make correct and ethical decisions.
Legislation and policy can help prevent, detect and respond to fraud, such as by outlining clear rules, regulations and criteria, allowing entities to collect, use and disclose information and allowing entities to enforce penalties and recover fraud losses.
Confirm the identity or attribute of the individual. Evidence of identity should be collected and verified using policies, rules, processes and systems to make sure only known, authorised identities can gain access to information stored in networks and systems. This control is supported by the National Identity Proofing Guidelines and the Trusted Digital Identity Framework.
Authenticate customer or third-party identities during each interaction to confirm the person owns the identity record they are trying to access.