Digital drivers licence anti-fraud technology described as 'cheap coding trick'
By ABC News
State governments are spruiking a "very cheap coding trick" as a high-tech anti-fraud measure for digital drivers licences, cybersecurity experts say.
New South Wales, Queensland, South Australia and Victoria have developed separate digital drivers licences.
An "on-app hologram" featured on the NSW and Victoria licences has been spruiked as an anti-forgery measure.
Cybersecurity professionals say the feature is not a true hologram (which requires significantly more advanced technology than phones can carry), let alone a secure way to validate a person's identity.
They have called for the hologram feature to be removed and for governments to implement best-practice standards for digital identity documents.
Vanessa Teague, an associate adjunct professor at the Australian National University and CEO of Thinking Cybersecurity, said the hologram was "complete nonsense" and advice to the contrary was wrong.
"It's a scam. There's no polite way of putting it," Dr Teague said.
"It's not a security feature. Someone has conned someone who has purchasing power with public money and not enough technical understanding to see that it's completely invalid."
Validating a digital drivers licence
The guidelines from Service Victoria and VicRoads instruct people checking the validity of a digital drivers licence to view the hologram.
The Service NSW website lists six visual elements for those checking licences, one of which is to ensure the "waratah hologram" moves.
Both governments instruct people checking licences to go beyond a visual check if they need "further verification", which is VicRoads' advice, or "extra reassurance" according to Service NSW.
Software developer Michael Uren called that "appalling messaging" that opened up easy pathways to forgery, which could allow underage people to buy alcohol or cigarettes, or enter licensed premises.
Earlier this month, a Mornington bar announced it would no longer accept digital IDs "due to way too many" fakes being presented.
Mr Uren said he was also concerned fake licences could be used for more nefarious purposes like sharing fraudulent identification details at car accidents, signing rental agreements or collecting items from post offices.
He said while the "pulsing Queensland government crest" featured on its digital drivers licence was not marketed as a hologram, it should not be considered a security feature.
States respond
The Queensland government website said visual checks should only be used for "low-risk verification", but did not define what that constituted.
The Queensland digital drivers licence does meet international standards, but experts say allowing visual checks undermines that effort.
The international standard, ISO 18013-5, outlines best practices about how digital licences are used, how information is shared and how data is stored.
"The app has gone through a range of security and penetration tests throughout its development and has passed these tests with flying colours," a spokesperson for Queensland's Department of Transport and Main Roads said.
A Victorian government spokesperson said anyone verifying the legitimacy of a digital drivers licence should always scan the QR code.
A spokesperson for Service NSW said the app has "multiple security features to prevent fraud" and the NSW government was running a pilot program of a verifiable photo credential to be built to international standards.
Easy to forge
Mr Uren said a key element of what makes physical drivers licences so difficult to replicate was the huge cost that would come with doing so convincingly.
"There's a whole bunch of little physical things they put on those which are very expensive for anybody to come up with a printing process to do, to the point where it's infeasible for somebody to do it," Mr Uren said.
He said the "on-app hologram" featured on digital driver licences in Victoria and NSW was cheap and easy to replicate using generative AI.
"It costs nothing to do this on five lines of code. It's not a security feature in any way, for that reason, because it costs nothing to make one," Mr Uren said.
He said scanning the QR codes on digital licences was the only way to verify their validity and called on the state government to remove the feature from app-based drivers licences, or at the very least, change the verification instructions.
"All it does is give people a false sense of security that when they wobble the screen around, that's somehow showing it's a legitimate drivers licence when it just isn't the case," Mr Uren said.
Calls to adopt international standards
Dr Teague agreed the current advice was wrong and visual checks were not secure.
"It definitely speaks to a total failure to run a good process for specifying, designing and building a secure app," she said.
"To me, it even raises the additional concern of whether the QR code scanning has been validly implemented.
"It's very, very unclear whether there's really any genuine expertise in even getting the basic cryptographic design elements right and there's no public scrutiny."
Dr Teague said implementing an international standard was the only way to ensure digital identification documents remained secure.
"There's really no excuse for Australia not to be adopting one of those transparent standards," Dr Teague said.
She said it was a far more secure approach than what was occurring in Australia.
"We have at least four or five different things going on, each one of which has just been made up by people who apparently believe in holograms," she said.
"In Australia, we insist on hiring some people who don't know what they're doing to make up their own thing instead of just adopting the secure standard from overseas.
"We did this with the COVID app. There was a perfectly good international standard that was reasonably secure; instead, we just made up our own rubbish that didn't work."
Written by Olivia Sanders, ABC News.