Medibank, Optus hacks: QLD Premier Annastacia Palaszczuk two-factor authentication driver’s licences

Is it any wonder Australia keeps getting hacked? Annastacia Palaszczuk hammered over new ‘two factor authentication’ driver’s licence plan after Optus and Medibank catastrophes

  • A two-factor verification system was introduced for Queensland driver licences 
  • Premier Annastacia Palaszczuk announced the cybersecurity measure Thursday
  • Thousands of Australians have been replacing licences after Optus data breach 
  • Many people pointed out the safety measure wasn’t proper two-factor security 

Australians have ruthlessly mocked Annastacia Palaszczuk after she proudly unveiled a new cybersecurity feature for driver’s licenses following the Optus and Medibank hacks. 

The Premier tweeted on Thursday that Queensland driver’s licenses would have a ‘two-factor verification system effective from today’.

‘You will now need to provide the unique card number found on your driver’s licence, along with your licence number, for identification purposes for banks, telcos and utility providers,’ she said.

The feature is in response to 10 million Optus customers having their personal information compromised in the biggest cyber hack in the nation’s history, exposing one in three Australians to potential financial fraud.

This week a similar breach was reported by private health insurer Medibank. The scandals have forced thousands of Australians to replace their driver’s licenses.

The new security measure for Queensland driver’s licences will be in effect from Thursday

The Queensland premier announced the new cybersecurity measure on Twitter

But users quickly pointed out the very loose form of 'two factor verification'

The new secondary numbers on Queensland cards mean that if there is another breach, a new card can be issued without needing to get a new licence number.

While the effort might cut down on bureaucratic red tape, it’s not true two-factor authentication, as many Twitter users quickly pointed out.

Proper two-factor verification uses a different identification method – such as a unique code sent via text or an app – and not two different numbers on the same card.

Best practice would be a one-off digital key, such as a PIN or QR code, that only works once and is impossible to replicate or steal.

Also, not all hacks resemble the Optus and Medibank breaches with their very public ransom demands. Some breaches are covert and customers remain unaware they need to change cards.

With telcos, banks, and utility companies holding both numbers, there’s nothing stopping hackers using stolen licences for fraud.

Other states and territories will likely follow Ms Palaszczuk’s lead

Twitter users were quick to criticise the security measure as falling short

‘Providing two different numbers from the same ID card does not qualify as a two-factor verification system,’ one person said.

‘The two numbers should not be together for security reasons, putting them on the same card fails the purpose of 2FA,’ another wrote.

‘Incredible the Queensland government/premier needed a lesson in two-factor authentication from Twitter,’ a third posted.

‘The other factor is also usually provided over a separate comms link. Who gives her this rubbish advice?’ a fourth added.

Some said the advice provided to government could have been better

Private health insurer Medibank was the victim of a cyberattack and the hacking group has made demands

Medibank hackers who stole sensitive personal data and medical information demanded $US1 for each of Medibank’s 9.7 million customers and threatened to release the info on the dark web if the amount wasn’t paid.

The insurer refused and the clandestine group, believed to be Russian, released the first batch of customer data on Wednesday morning.

This included names, birthdates, addresses, email addresses, phone numbers, health claims information, Medicare numbers for Medibank’s ahm customers and passport numbers for international student clients.

Operation Guardian, set up by the AFP after the Optus hack, is being expanded to include the Medibank breach.

TIPS FOR OPTUS AND MEDIBANK CUSTOMERS

* Be alert for any phone, email or postal phishing scams.

* Verify any communications you receive to make sure they are real.

* Don’t open text messages from unknown or suspicious numbers.

* Change passwords regularly, ensure they are classed as ‘strong’, don’t re-use old passwords, and activate two-factor authentication where possible.

* Immediately report any contact from someone claiming to have your data to ReportCyber, and report any scams to Scamwatch.

* Remember Medibank would never actually contact customers asking for sensitive information, including passwords.
