Comment on Digital drivers licence anti-fraud technology only a 'cheap coding trick'
null_dot@lemmy.dbzer0.com 2 days ago
I think this article is a bit of a beat-up born of a misunderstanding of security and the design requirements of the app.
Only an idiot would think that the “hologram” from the app is intended to be a real hologram. Of course phones can’t do that. The “hologram” is simply an image in the background that moves when you move the phone. It prevents people from taking a screenshot of their license and sharing that photo with their friend. That’s it. It prevents the most basic of attacks, and does so very effectively. It does not prevent other more sophisticated attacks.
In low-risk situations looking at someone’s ID and confirming that it’s not just a screenshot of someone else’s might be satisfactory.
As they said in the article, if you want to be sure the ID is legit you can scan the QR code.
Zagorath@aussie.zone 2 days ago
Unfortunately, at least for NSW, that seems like it probably isn’t sufficient. In 2022, some serious flaws with NSW’s QR system were uncovered. They might have fixed it since then, it’s really not clear. But given how they reacted to the original report by denying there even was a problem and pretending the criticism was about privacy, my guess is they never fixed it.
I think that this article is kinda trying to allude to this issue, but it throws it in as some tangential points about how Queensland implements the ISO standard good security with its QR, and no other state does, separate from the main conversation about the visual inspection. I agree with you that the visual inspection is basically fine as it is, for lower-priority situations.
But reading between the lines, it sounds like they’re saying NSW still does the QR codes wrong, and that Victoria and possibly other states followed NSW’s bad lead, with only Queensland doing it right.
null_dot@lemmy.dbzer0.com 2 days ago
Yeah, the article doesn’t really examine how the app is using QR and what a more appropriate approach might be, it’s just complaining that the hologram doesn’t confirm authenticity - which it’s not intended to.