Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
National

Queensland changes licence verification process after Optus hack

Queenslanders now have to provide banks, telecommunications and utility companies a second number on their driver's licence to confirm their identity.

From this week people will have to provide both the card number and the licence number.

Displayed on the front and back of the licence, the card number changes every time a licence is issued or replaced.

Queensland Premier Annastacia Palaszczuk said the move meant Queenslanders would have "a two-factor verification system" following the Optus data breach.

The card number is also displayed on industry authority, marine licence indicator, adult proof of age and photo identification cards.

State Transport Department Deputy Director-General Andrew Mahon said most people "probably didn't know" the card number was on their ID.

"When you go into a telco or a bank or something like that and you need to verify your licence and your identification, they'll ask for both those numbers," he told ABC Radio Brisbane.

"Why they do that, is there is a system called the document verification system in the background that's run by the federal government, and all of those major institutions and banks verify your numbers in that system, and it says, 'yes that's a legitimate licence' or 'no, it's not.'"

A true two-factor system?

Mr Mahon said requiring companies to ask for the card number went "a long way to resolving" the issues caused by the Optus hack and similar data breaches.

"When the data was released with the Optus hack, for example, the Queensland licences that were released were only licence numbers," he said.

"So that means in the old system you would have been able to just verify that number.

"But from this week, if you verify that second number, it means that authentication will be verified and they will know that you're the right person with that licence."

But when Ms Palaszczuk posted about the changed requirements on social media, people raised concerns that it was not two-factor authentication because the numbers were present on the same card.

Mr Mahon said while it was the same ID source, it was two different numbers.

"That [card] number changes every time a card is replaced, so if there's ever a release of information in the future, it's much easier for us to replace people's licences by replacing the card and not having to replace the actual licence number itself," he said.

"We've worked really hard to replace lots of driver licences over the last month — well over 170,000 people have come through our doors.

"In the future we may not have to do that, because this may reduce the risk, and we can simply send people a new licence in the post and get a new card number and that will fix a large portion of the problem."

Mr Mahon said the state government had mandated that customers would be required to provide both the card and licence number.

There are similar systems in place across some other states and territories.

'Great idea': Security expert

Managing director of global technology firm Waterstons Australia Charlie Hales said the change was a good idea.

"I think it's a great idea because then if data is hacked in the future, you can get a replacement card and then it's null and void," she said.

"They'll still have a pain of getting the replacement card, but they won't have that ongoing worry that the data is out there."

But Ms Hales said banks and companies still needed to ensure the information they stored was protected.

"So it's making sure that data is encrypted, protected, has the right cyber security around it, making sure they've got their monitoring on the data in place, so if anything does happen they know exactly what has happened," she said.

Ms Hales said requiring companies to delete the licence and card numbers if they were only gathering the information to verify a customer's identity would add an extra layer of security.

"If for any reason a company needs to store it because they need to do multiple verifications or something like that, or pass it on to third parties and things, they just need to make sure they're only keeping it for as long as they need it and then getting rid of it," she said.

"Hopefully laws are going to change around that, to mandate people delete things instead of just guidance on it."

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.