Cyber security specialists say most of Australia’s digital driver’s licences don’t meet international security standards, putting people at increased risk of fraud and identity theft.

Victoria is about to become the fourth Australian state or territory to launch the new digital ID, with millions of fully licensed drivers and motorcyclists able to access their licences via myVicRoads and Service Victoria apps starting next month.

Director at cyber security company Dvuln, Jamieson O’Reilly, said digital licences were “great in theory” but their development in Australia had left the IDs vulnerable to fraud and hacks.

“It should reduce things like fraud, misuse, and identity theft – but that relies on a secure implementation, which as we’ve seen, hasn’t been happening,” Mr O’Reilly said.

Jamieson O’Reilly finds flaws in IT systems for organisations through lawful hacking. (Supplied: Jamieson O’Reilly)

Off to a messy start

In 2017, South Australia became the first state to launch digital licences, and in 2021 hackers accessed more than 2,600 mySA GOV accounts after obtaining passwords in a cyber attack on a separate, unrelated website.

New South Wales residents gained access to digital licences in 2019, and IT experts, including at Dvuln, used “brute force” on the app and modified details in minutes.

The Queensland state government urged people to delay downloading its digital licence app when the technology crashed on the day it launched in November last year.

“The messier it is, the less standardisation there is, there’s much more room for error,” Mr O’Reilly said.

He wants governments to ensure digital licences are built to ISO 18013-5 specifications, which include guidelines for how digital licences are used, how information is shared, and how data is stored.

Digital ID verification company IDVerse chief executive John Myers said standardisation was necessary for people to use their IDs across states and internationally.

John Myers says keeping people and their identities safe is the most important thing. (Supplied: John Myers)

“But we need to make that common standard extremely powerful,” Mr Myers said.

“There’s a massive increase in fraud with the digital licences primarily because they’re quite easy to modify, both to produce a fake and to modify the original source.

“With some of the breaches we’ve had it underscores a really urgent need for the government and issuing authorities to really enhance security measures.”

Queensland’s digital licence is the only ISO-compliant app in Australia, though the standard was published in 2021 after South Australia and New South Wales had already launched their versions.

The ABC understands Victoria’s soon-to-be-launched digital licence has not been built to meet the ISO standard.

The statewide rollout comes after a trial in Ballarat saw more than 15,000 people access their digital licence since July last year.

The state government called the trial “successful” despite a rough start involving email invitations with incorrect surnames being sent to 57,000 Ballarat residents, prompting security concerns.

VicRoads issued a formal apology at the time and said the mailing system error did not breach any personal data.

An email sent out to Ballarat residents was addressed with incorrect surnames. (Supplied: Benjamin Sinclair)

When asked about the Ballarat digital licence trial and what safety features have been built into Victoria’s digital licence app, a state government spokesperson said it had “undergone a range of stringent security and penetration tests”.

“[It] will continue to undergo monitoring after the product has been released to all Victorian full licence holders,” the spokesperson said.

Potential for increased security

Mr O’Reilly said if done correctly, digital licences could be “far more secure” than physical IDs because they could potentially be updated instantly to circumvent data breaches, similar to locking a bank card.


“With the last couple of major data breaches with Optus and Medibank, there were lines going all the way down the street to Service New South Wales,” he said.

“Because people were wanting to change their driver’s licence numbers but there wasn’t any infrastructure to handle such a large scale … it can take weeks.”

He said users could also limit which information on the licence was shared on a case-by-case basis.

But Mr O’Reilly said the standards “can only do so much” and a “very high level” of secure development practices and general data literacy were still necessary.

“Digital driver’s licences don’t exist in a vacuum — there can be attacks on other integrated systems,” Mr O’Reilly said.

“Hackers can gain access by calling citizens and tricking them into giving access.

“You’re only as strong as your weakest link.”
