Is an Online Police Check Actually Safe and Secure?
In Australia, the traditional way to get a Police Check was to fill out a paper form, visit a JP to photocopy and verify your 100 Points of ID, and then mail the documents out. It took almost 2 weeks to receive your Police Check provided you filled out the application form correctly. However, there are now online services that will deliver your Police Check within 2 days via email. But are these online services safe, and do they protect highly confidential information? I put it to the test!
My employee, after working there for over 6 months, decided they wanted a Police Check. My employee recommended National Crime Check, which is a service that I have heard advertise on the drive into work most mornings. Being a very cautious person about protecting my personal and online identity, I was very sceptical of providing high personal and confidential information to a third-party that is not an Australia Government Agency. Anyway, my employee needed one ASAP, and the 14 day wait to go through a Government Agency, such as the Police; and the time and effort involved, I decided to give National Crime Check ago.
I have to say, it was incredibly easy and quick to submit an application for a Police Check. I provided my name, current address, previous addresses, date of birth, and my credit card information to the make payment. To provide your 100 Points of ID was easy too. All you had to do was either hold your document (Passport, Driver’s License etc.) to your webcam; take a photo of it with your phone’s camera or scan and upload the document through your web browser. It’s then as simple to just sign a form with your mouse and you were all done. It probably took me no more than 15 minutes. Within 48 hours, I received a digital copy of my Police Check. There were problems with the image of my Driver’s License, so I was asked to resubmit it. The entire process was a very easy and quick, compared to what it used to be like.
However, I did come across a few security concerns during filling out my application, that I wasn’t too happy about discovering. After reaching out to National Crime Check’s Privacy Officer, I was somewhat put at ease.
Personal Information Accessible Just by visiting a URL
When I first started using National Crime Check, when you enter your basic information such as your name, email address and phone number, you receive an email and SMS containing a confirmation code. This is an 8-character alpha code. In most authentication situations, this is a random, one use only code with a time-limited expiry on it. However, with National Crime Check’s system, this is essentially your password, which when paired with your lodgement number that is also emailed to you; provides you access to all the specific areas of the site that you may need to access.
For example, you are emailed the following links, where ID is essentially your AccountID and CODE is essentially your password / confirmation code you where emailed. These documents contain very sensitive and contains personally identifiable information such as your name, address, drivers license number and more.
- To Download Your Invoice: https://www.nationalcrimecheck.com.au/consumer/invoice?id=123456&code=ABCDEFGH
- To Resume Your Lodgement: https://www.nationalcrimecheck.com.au/consumer/resume?id=123456&code=ABCDEFGH
- To View Your Police Check Result: https://www.nationalcrimecheck.com.au/consumer/result?id=123456&code=ABCDEFGH
You are also sent a lodgement PDF, which is only secured by the year and month for you applied for your Police Check, your AccountID and your last name.
- Lodgement Form: https://www.nationalcrimecheck.com.au/netverify/data/2016-07/lodge_pdf_123456_lastname.pdf
Luckily, your actual Police Check Result is only accessible for 3 months, the Resume link is only active if you’re still completing your Police Check Application Form, and your Invoice only accessible for 1 year as I was informed by NCC’s Privacy Officer. All links apparently automatically expire in one years’ time.
Now the actual concerning part was when you do a site search in Google, this actually returned the AccountID, Last Name and Confirmation Code of a user! Below is NCC’s response to this concern.
We want to assure you that we take matters of security and our user’s privacy very seriously, and have undertaken an internal investigation so that we are able to address the concerns you raised.
The URL you received in your email is a link to your police check lodgement application that contents of which is required to lodge a police check with NCC. So long as you do not make your individual URL publicly available, it is statistically highly improbable that someone would be able to guess and/or “manipulate” the NCC URL address in order to access your check/application. This is because each of NCC’s URLs that relate to a particular check are paired with a unique alpha code that must match the particular check. If the alpha code does not match the particular check, the link cannot be loaded. There are 208,827,064,576 different combinations a user would have to go through to guess your exact lodgement codes.
All URLs also automatically expire after one year, and links to the completed lodgement application are blocked after the police check has been completed.
We understand that you were able to access the applications of others by conducting a Google search for their URLs. Those instances are certainly anomalies and this was the first time that we have heard about this. After consulting our IT team, we understand that the anomalies you identified were due to those individuals copying and pasting online their URLs or otherwise making those URLs available publicly online. We understand that once those URLs are published online, search engines that index or scrape data would be able to collect such URLs such that they may appear on searches. Unfortunately, we cannot stop customers posting their URLs online, but as long as you do not post your URLs (with your check and/or alpha codes) – it would be statistically highly improbable that someone could manipulate the URL to reach your application.
We note the URLs that you accessed another customer’s application were lodged over three years ago. Since then we have further improved our security by introducing eight character alpha codes (previously five) and automatic expiry of URLs after one year, and blocking of URLs upon completion of police checks. That means it is even more statistically improbable that such instances would occur now.
Following our investigation, we are satisfied that the instances you have identified are due to the relevant customers disclosing their URLs or otherwise making them public. We are also very comfortable that with our increased security measures since those instances, and customers that keep their URL private and secure, those instances would not occur.
So yes, it is “more secure” and “statistically highly improbably” to manipulate URL, but it is still somewhat insecure in terms of the way of access. Why not use an alphanumeric code using upper and lower case letters; increase it from 8 to 20 characters; or use a hashing algorithm? That would make it even more secure! Also, maybe think about putting in place brute force protection to limit the use of guessing and incorrect attempts combinations.
Another suggestion National Crime Check could implement is to say that this link is confidential, and to not share the link or confirmation code with any third party, or post the code online. Only one email said “This email is private and confidential”, and that was the email containing my Lodgement Form.
Upon talking to National Crime Check about the situation, they informed me that they will investigate the implementation of numbers, however, the do not wish to implement case sensitivity as it will affect usability. Where do you draw the line between security and usability?
Your Documents and Confidential Information Is Sent and Saved Overseas
There are 4 Services that I have discovered that National Crime Check users, with one only being Australian.
- Location: Singapore
- Provider: Linode
After conducting an IP Address Lookup for National Crime Check, I found that their web server was hosted by Linode, and located in Singapore. I am unsure why they chose an Overseas service provider as there are plenty of good Web Hosting Providers in Australia.
The response I received from National Crime Check was:
According to our IT team, our Linode server is based in Singapore. We feel that the Singapore data security and privacy policies are in line (or in some instances more thorough) that the Australian ones.
- Location: Various
- Provider: Mandrill, now MailChimp
Mandrill is a transaction-based email delivery service, which is owned by popular email marketing service MailChimp. Mandrill/MailChimp however, does save the content of each email that is delivered for 30 days (or say they say). As links are not encrypted, we are relying on the security of a third party product to ensure they are not compromised, because those emails contain links to highly personal and confidential information.
We may view, copy, and internally distribute content from your Emails and account to create algorithms and programs (“Tools”) that help us spot problem accounts. We use these Tools to find Members who violate these Terms or laws. For example, We study data internally to make our Email Genome Project smarter and create better experiences for senders and subscribers.
ID Checking Service
- Provider: Jumio
To allow Police Checks to be conducted in a relatively short time frame, National Crime Check has partnered with Jumio to provide it’s NCC’s InstantID ID verification system. Jumio’s Netverify provides real-time online ID verification and more. I am not 100% sure how the system technically works, or how their data is stored with NCC platform, however, another concerning thing is the fact that Jumio filed for bankruptcy in March 2016 according to TechCrunch. Assets would be sold to Eduardo Saverin, who was a co-founder of Facebook.
According to National Crime Check:
Jumio filed for bankruptcy due to the need to restructure the company. This has now been completed and Jumio was purchased by a private equity firm. There was zero disruption to services, and they continue to operate business as usual.
- Location: Australia
- Provide: Anittel
Upon looking where their office emails are hosted, it is good to see that they are using an Australia IT Firm.
How Trustworthy are you?
This article is not here to marginalise National Crime Check against it’s competitors. Fit2Work, which is backed by Australia Post doesn’t even enforce the use of a SSL Certificate when filling out your application form. I can’t comment in detail on other Online Police Check services as I have not used them.
The main point I want to make is about online privacy and to spread awareness with how you use website services. I also want people to think of these questions when providing a website with personal information:
- Who can access your data?
- Where is your data stored?
- How long is that data accessible for?
- Where do you drawn the line between security and usability?
Everyone has concerns about the data we provide Facebook and who can access it, yet we all use it because the benefits outweigh the privacy concerns. The same goes for a Police Check. A 48 hour wait for a Police Check using a third party compared a 2 week wait using an Office Government Agency. What option will you choose if you need to land that job you’ve always wanted?
I believe National Crime Check has addressed the majority of my concerns, and I will probably recommend them as they provide an incredible easy-to-use service at a competitive price. However, it’s always up for you to decide what service you use.
We may disclose personal information to overseas recipients for the purposes of using or liaising with verification sources as well as monitoring our emails sent and received. This information may include you or your applicant’s name, address, date of birth, contact details, drivers licence details, passport details, or such other information we notify to you. As at the date of this policy the recipients will be located in the United States of America although the countries in which these recipients are located may change over time.
One final note by the Privacy Officer at National Crime Check:
Again, thank you for raising these concerns with us.
Concerned because they dont want JP signed documentation and for some reason they want it in colour – it could be copied without the JP info on it
I have tried to forward ID now twice to them and they are still saying it is not sufficient. They did not tell me that I had sufficient ID the first time – i had to ask them what was going on – this makes me think they are not a legitimate company because the service is poor
I noticed too they dont put their physical address on their invoice.
I would like to pull out and find another company to do my check instead but now they have a lot of my ID – tempted to contact the fraud squad to see if they are above board
The good thing is i have an extra password on my bank account and my accounts are not attached.
Your article is excellent – what would you do in my situation????