It's an important ID, so why isn't the Medicare card chipped?

Australia's Medicare data leak certainly won't be the last such, so why are so many expressions of digital identity so badly protected? To answer this question, The Register spoke to Lockstep Technology's Stephen Wilson about yesterday's discovery that numbers are being traded on Tor sites. It's a question he's been studying …

  1. TReko
    Facepalm

    Card is gateway fraud

    The info on the card is useful to criminals because it contains all the identity points necessary to port someone's mobile phone number from most Australian telcos.

    Once this is done, the typical SMS code verification used by most Australian banks is compromised.

    Compromise the victim's computer or mobile with malware, and you have all you need to empty their bank accounts.

    1. Lockstep Technologies

      Re: Card is gateway fraud

      You describe the status quo where the information on the card can be replayed by ID thieves without anyone knowing. My proposal is different and uses Chip-and-PIN principles to safeguard the presentation of personal data. The idea is to digitally sign data in the chip card before it is presented, so that the receiver can tell freshly presented data from replayed stolen data. This is how Chip-and-PIN cards prove the provenance of cardholder details between card and merchant terminal. We should do the same thing with all critical personal data. Governments could provide citizens with identity-protecting infrastructure, by 'chipping' Medicare cards, driver licenses and other identifiers, and also opening up these devices as Personal Data Stores to hold other personal details. The form factor can be plastic card or smart phone.

      Note carefully the proposal is not a new identity system let alone a national ID, but to use technology to preserve and safeguard the various IDs and relationships we have today.
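
An added illustration of the signed presentation described in the comment above; it is not code from the commenter or from any card scheme. It assumes Ed25519 as the signature algorithm, a receiver that already trusts the card's public key (in practice an issuer would certify it), and hypothetical names and a constructed card number throughout.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Presentation is everything the receiver sees, and everything a thief can copy.
type Presentation struct{ Data, Nonce, Sig []byte }

// message binds the receiver's nonce (fixed 16 bytes) to the presented data.
func message(nonce, data []byte) []byte {
	return append(append([]byte{}, nonce...), data...)
}

// NewNonce is the receiver's fresh random challenge for one session.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Present runs inside the chip: priv never leaves it, only the signature does.
func Present(priv ed25519.PrivateKey, data, nonce []byte) Presentation {
	return Presentation{data, nonce, ed25519.Sign(priv, message(nonce, data))}
}

// Verify accepts only a signature over the data and this session's own nonce.
func Verify(pub ed25519.PublicKey, sessionNonce []byte, p Presentation) bool {
	return len(sessionNonce) == 16 && bytes.Equal(p.Nonce, sessionNonce) &&
		ed25519.Verify(pub, message(p.Nonce, p.Data), p.Sig)
}

// Demo: fresh presentation, its replay in a later session, and a relabelled replay.
func Demo() (fresh, replayed, relabelled bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	data := []byte("CONSTRUCTED-CARD-NUMBER-0001") // constructed sample value
	n1, n2 := NewNonce(), NewNonce()
	captured := Present(priv, data, n1) // what a leak or eavesdropper would hold
	fresh, replayed = Verify(pub, n1, captured), Verify(pub, n2, captured)
	captured.Nonce = n2
	return fresh, replayed, Verify(pub, n2, captured)
}

func main() { fmt.Println(Demo()) }
```

The captured presentation verifies only in the session whose nonce it was signed for; in any later session the same bytes are rejected, which is the property a bare card number lacks.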

  2. david 12 Silver badge

    2 factor authentication

    For the most part, the Medicare system already has 2 factor authentication: you need to have the number for the rebate, and you need to be physically present for the examination. Adding a third factor (chip and pin) addresses a small number of situations. Chip and Pin is NOT, for example, used when you present a credit card to authenticate your identity.

    1. frank ly

      Re: 2 factor authentication

      I've never been asked to present my credit card to authenticate my identity. When does this happen? Do they ask you to match the signature or something?

      1. Pompous Git Silver badge

        Re: 2 factor authentication

        "I've never been asked to present my credit card to authenticate my identity. When does this happen? Do they ask you to match the signature or something?"
        When applying for the Old Age pension I was required to present my CC, but AFAICT the signature wasn't checked.

        1. david 12 Silver badge

          Re: 2 factor authentication

          Signature is not really part of your ID. It's your agreement that you will pay charges made to your credit card. Retailers used to, of course, check that you actually agree to pay when you bought something using a credit card: this requirement has been relaxed by CC companies.

          Your agreement to pay CC bills is not the same as using your CC as points to authenticate your identity when opening a bank account, getting a passport, drivers licence etc.

  3. Denarius
    Unhappy

    good article

    Author nailed issue with new cards. Too many stuffups and an endemic distrust of all government systems now. Branflakes and the outsourceries are very effective at enhancing distrust by those who are not techno-utopians.
