Malicious Activity Prevention System (MAPS) - FAQ

Owned by Sharmeen Hussain
Last updated: Oct 04, 2022 by lisa.jackson
3 min read

This FAQ has been updated as a result of GBG monitoring the impact of the MAPS lockout. Please review the customer impact section for more details.

What is Malicious Activity Prevention System (MAPS)?

Home Affairs have introduced a Malicious Activity Prevention System (MAPS) that will monitor for repeat verification attempts against the same document by a single User Originating Agency Code (OAC). MAPS is an added security measure aimed at improving the detection of fraudulent activity.

When does it take effect?

MAPS has been turned on by DVS at 08:00 on 1 June 2022 (AEST). 

How does it work?

MAPS will use the documents unique number to monitor for repeated verification attempts against the document number from the same User Originating Agency Code (OAC).

If the number of verification attempts within 30 minutes reaches a set threshold, the OAC will be locked out of further identity matches on that specific document for 20 minutes. See below for threshold information.

What are the DVS threshold limits?

Document Type

Lockout Threshold

Driver Licence 

4

Passport 

4

Medicare Card 

8

Visa 

5

Citizenship Certificate 

5

Centrelink Concession Card 

4

ImmiCard 

4

Registration by Descent

5

Birth Certificate 

5

Marriage Certificate 

10

Change of Name Certificate 

8

Death Certificate 

4

ASIC/MSIC 

5

Commonwealth Electoral Roll

10

How is DVS MAPS different from greenID lockout?

The greenID lockout threshold rules apply to a registration in greenID and will take affect when a user has reached the configured lockout limit.

Standard greenID lockout threshold rules are: a user can attempt 1 data source 3 times or 5 data sources overall. There is no time limit associated with standard greenID lockouts.

The table below describes the differences between the DVS MAPS lockout and the greenID lockout.

 

greenID Lockout

DVS MAPS Lockout

 

greenID Lockout

DVS MAPS Lockout

Application

Multiple attempts in a greenID registration.

Multiple attempts by a particular identification document from an OAC (or a DVS User).

The timeframe for the attempts to trigger a lock out is 30 minutes from the last recorded attempt, this is a rolling window.

Conditions

Lockout applies to failed data source attempts.

MAPS applies to document identification attempts whether they are failed or successful.

Time period of lockout

Once a user is locked out, an administrator must unlock the verification.

DVS will prevent further identity matches for a 20 minute period.

The lock out only applies to that particular document and does not prevent other identification documents being attempted.

End user impact

greenID will display appropriate messaging or hand off - depending on customer implementation and part of the workflow.

DVS will send an ‘N' response to greenID which translates to 'no match’.

Thresholds

Standard threshold:

  • 3 attempts - 1 data source

  • 5 attempts - overall

Customers may have custom configurations for this setting.

See above for thresholds.

Customer Impact

For the majority of greenID customers there is no impact because the greenID standard lockout rules will stop a suspicious verification from proceeding before it can hit the DVS MAPS lockout threshold.

However, we have seen that some API customers have implemented greenID in such a way that bypasses the standard greenID lockout rules.  The good news for these customers is that DVS MAPS is likely stopping suspicious verifications which were previously going undetected.

Has my greenID account been impacted?

GBG will be contacting all customers who have been impacted by the MAPS lockout by 29 July 2022.  If you haven’t heard from us by then you have not been impacted.

What happens if my account has been impacted?

If your implementation of greenID is resulting in transactions bypassing the greenID lockout rules, then once the DVS MAPS threshold is reached the expected result will always be no match.  Ideally customers will want to stop making additional DVS calls after hitting the MAPS threshold. 

However, GBG understands that technical integration changes can take a lot of time and resource to make.  So, GBG has lobbied the Department of Home Affairs to not charge for DVS requests that result in a no match after the hitting the MAPS lockout.  Home Affairs have agreed to this.

Credits for any transactions that hit the MAPS lockout will be processed a month in arrears (e.g. June transactions will be credited in the July invoice).

GBG is also developing a new feature to pass back an ‘expanded response’ from the DVS to provide a reason why a transaction resulted in a no match – this will include DVS MAPS as a reason.  In the future this could be used to guide better user experience. We look forward to announcing more details about this feature soon. 

Summary

DVS MAPS is an initiative by the DHA to reduce fraud.  In most cases customers are already protected by the standard greenID lockout rules.  However, there are a few customers who are hitting the MAPS lockout rules.

After lobbying by GBG, Home Affairs has agreed not to charge for transactions blocked by MAPS.  If you’ve been impacted GBG will notify you and process credits one month in arrears.

Further Information

If you require further information please contact your Account Manager or our Customer Support team at customer.support@gbgplc.com