MY SAY: The security gap in our driver licence
A REVIEW of the identity theft statistics for the Queensland community over the past 12 months reveals overwhelmingly the identity credential of choice for identity thieves is the driver licence.
Despite this, few licence issuers admit the credential they issue is a form of evidence of identity.
It's a shame identity thieves don't agree with them. Driver licences, and in particular, driver licence numbers are targeted by identity thieves at twice the rate as the next most targeted credential: banking details. What's ironic about this situation, and quite harmful for the victim, is that the licence details are the target, not the physical card.
Of the 2124 Queenslanders who engaged our national identity theft support service, IDCARE, looking for help following the compromise of their licence details last year, 83% experienced the further misuse of their details by criminals within three days of the initial compromise.
First point to make is that not all Queenslanders who experienced the compromise of their licence engaged IDCARE. Second point to make is that the criminals in all occasions used the licence number, and not the physical document, to convince credit providers to provide credit, goods or services. Third point is that not one of these Queenslanders was issued a new licence number as a means to prevent the crime from occurring in the first place. Final point is that the only advice provided by the licence issuer about destroying your own licence was to "cut diagonally and ensure you destroy the chip" - nothing about destroying the licence number or personal details.
Should there be rules against businesses taking copies of customers' driver's licences?
This poll ended on 22 February 2016.
Yes. If a licence number is all it takes to steal my identity I don't want copies floating around.
No. It's not reasonable, often businesses need a copy of proof of identity.
They should be allowed to make a copy but made to black out the licence number.
This is not a scientific poll. The results reflect only the opinions of those who chose to participate.
Victims of identity theft involving a licence must obtain a police report number then a separate request must be made to the licence issuer for a new licence and licence number. On average these Queenslanders had to each engage with eight separate organisations in response to the one compromise. Unfortunately that's what it takes to properly mitigate future misuse, let alone try and prevent the immediate one that our licence issuers are waiting for before they take action. Surely we're smart enough now to be able to prevent things from happening when you know your clients are at risk.
What I can say is that all of these Queenslanders did not manage to get their licence number changed before further misuse occurred (despite their efforts). Changing the licence number would have made life a lot more difficult for our identity thieves. I'm often asked what can make the biggest dint in our identity crime epidemic. I'd have to start with our licence as by far it is the document number of choice for criminals, and by far it's the most broken prevention and response environment. This is not a Queensland only issue. It's an issue Australia wide.
Next month IDCARE will report on its findings on a feasibility study to create a national register of compromised credentials. The concept is simple: Have a mechanism where community members can register and report once their details that have been put at risk from identity theft or cyber crime or the like, so that when organisations go to respond to requests for credit or products or services, they can see whether someone's details are at risk and maybe ask a few more questions of the would be identity thief. There's a lot of water to flow under that bridge yet, but at least we're not waiting for the horse to bolt before we bother closing the gate.
Dr David Lacey is a Senior Research Fellow at the University of the Sunshine Coast and Director of IDCARE, Australia and New Zealand's national identity support service.