The Optus, Medibank and MedLab data breaches have caused some re-thinking.
But not all of the thinking is clear enough.
It’s being touted that there’s a simple solution to driver licence data being compromised.
That solution is said to be the addition of a card-number.
So, instead of just the licence-number and expiry-date being used to authenticate a claim that a person is entitled to use that identity document, the card-number would also be required.
This was implemented recently in NSW, and it has now been announced for immediate implementation in Victoria, with about 1m of that State’s 5m licences to be urgently re-issued.
But will that achieve the aim?
Credit-cards have had a 3- or 4-digit ‘card verification code’ or ‘card security code’ on the back (variously called a CVV, CVC or CSC) since about 2000. Its function is identical to that of a card-number on a driver’s licence (on the front of the card in NSW and on the back in Victoria).
The MedLab attack gained access to credit-card details – including in some cases the CVV.
So the CVV was no protection against fraud, because it was accessed as part of the same attack.
If the next hacker gets the driver’s licence card-number, along with licence-number and expiry-date, the card-number provides no protection at all.
Organisations have to understand that the critical issue is:
The retention of authentication-data in databases creates an unmanageable vulnerability
For vulnerability to attacks to be reduced, security-sensitive data must either:
- not be stored at all – an application of the vital principle of data minimisation; or
- be retained only for the few seconds to a minute needed for the authentication process to be completed. Then that data must be expunged, to prevent access by future hackers.
Media Contacts for Australian Privacy Foundation board members:
David Vaile | 0414 731 249 | David.Vaile@privacy.org.au |
Roger Clarke | 02 6288 6916 | Roger.Clarke@privacy.org.au |