Queensland smartcard rollout hampered by security limitations

Smartcard readers, incompatible security standards big obstacles to deployment

Australian state governments and even departments within the Queensland Government are unlikely to adopt the state transport department's new smartcard licensing technology, with a former consultant for the $110 million project citing incompatible security standards, delayed smartcard reader deployments and the fast pace of technology as reasons behind the slowed rollout.

The Queensland Department of Transport and Main Roads began developing the licence eight years ago to prevent forgery and counterfeiting of driver's, marine and taxi licences while also inhibiting opportunities for using a legitimate driver's licence for fraud.

Smartcards contain a chip with information about the user, along with a hologram, special inks, a watermark and shadowing to prevent counterfeiting.

The cost of individual licences was expected to rise from $73 for a five-year licence to $152 over five years. The new licence is expected to reduce fraud, which has in the past cost Queenslanders up to $977 million in 12 months.

The new cards were trialed with Department staff in August last year before rollout to a Toowoomba service centre. The rollout was continued in Spring Hill at the beginning of March.

However, Cryptsoft technical director, Tim Hudson, who consulted on the project for 18 months, said the department's decisions on the project had reduced its potential long-term benefits.

“They picked a new standard, developed their own security protocols and performed their own implementation of smartcard resident code – this has effectively reduced the ability for anyone other than the department to use the smartcard,” he said.

Hudson said the technology chosen for the smartcard did not support the ISO 18013 international driver license standard used within Australia, and failed to follow approaches established for passports or credit card payments.

As a result, while state law enforcement agencies were positive about the cards, none yet had the capability or handheld readers needed to use the smartcards.

“All the plans for handheld readers for use by the Queensland Police Service got cancelled back in 2009 and none of the other departments have been provided with anything,” he said.

“The few police officers I've talked to knew the smartcards were coming but hadn't actually seen one until I showed them my smartcards. As they have been out for eight months and only 0.2 per cent of the state has converted, that's not that surprising.”

The challenge for success for any smartcard deployment, Hudson said, was deployment of the readers themselves.

Hudson revealed the department had deliberately chosen not to use the near-field communications (NFC) standard currently being trialed for contactless mobile payments by financial services and rumoured to feature in upcoming generations of Apple's iPhone and other smartphones based on Google's Android operating system. While the standard was potentially a security hazard, the choice not to use it limited the Queensland smartcard's possible uses.

While other states around Australia have been watching the investment by the transport department over eight years, Cryptsoft has not been directly contacted by Australian license issuing authorities.

“Despite the non-binding memorandum of understanding in place since November 2009, I seriously doubt any other department will actually roll out anything compatible with the Queensland smartcard license,” he said.

“Only proven and mature technologies should be deployed for that sort of context unless the issuer is prepared for substantial cost increases, time delays, and an inherent additional security risk,” he said.

So far, 8337 cards have been issued in the state.

Hudson is scheduled to present at the upcoming security conference AusCERT 2011 in May.

IDG Communications is an official media partner for AusCERT 2011.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU
