Medicare data leaks, but who was breached? Medicare numbers in Australia became a lot less useful as a proof-of-identity, with the Australian Federal Police investigating how an unknown number of records ended up for sale on a Tor site. The report first surfaced via The Guardian's Australian site, with journalist Paul Farrell reporting he purchased his own record for …
We've all seen or heard of exploits captured via poorly secured systems containing backups or SQL injection via havij, but I find it interesting that they claim to be able to extract on demand. Normally, they would just be monetising something that they already grabbed, but this is claimed to be a permanent back door. That is both interesting and frightening because they can't just spend 3 months sending out new cards to everyone.
Two points:
1. Hon. Tudge, a bit more time securing your systems and a bit less time taking pot shots at "activist judges" and releasing Centrelink records of citizens who dare speak out to the media, eh?
2. Hon. McCormack, remember that whole #censusfail thing and how you were brushing off the concerns about your census retention changes and cross dataset matching? You were more or less accusing anyone who disagreed with you as tinfoil hat wearers. This breach was inevitable. Unfortunately, so is the census data. Don't worry though, we can all just move house, change our family living arrangements, employment, etc if that ever happens.
Of the many issues that arise, I'm most surprised at the idea that someone would accept a Medicare card as proof of ID. That's almost asking to be defrauded.
For non-Aussies, a Medicare card is like a 40 year old credit card - no hologram, signature, chip or other anti-fraud measures. I just imagine credit card fraudsters have been literally dusting of the machines they used to make fake cards back in the day and trying a new trick.
@Phil Kingston
a Medicare card is like a 40 year old credit card - no hologram, signature, chip or other anti-fraud measures
Well then, strangely enough, it counts for exactly the same number of points in an identity check as a credit card - 25.
When doing some activity that requires positive proof of identification - opening a bank account, getting a drivers license, and so on - a '100 point identity check' is required. Various types of documents are given a point-weighting, and the combined point value of the various documents must equal or exceed 100 points.
Some examples:
70 Points
Only one of the following may be claimed:
Birth certificate
Birth card issued by a Registry of Births, Deaths and Marriages
Citizenship certificate
Current passport
40 Points (must contain a photograph and a name)
Driver licence issued by an Australian State or Territory
Licence or permit issued under a law of the Commonwealth, a State or Territory government - (e.g. a boat licence)
25 Points
Credit card
Foreign driver licence
Medicare card (signature not required on Medicare card)
FWIW, there's no more security with the "Medicare Card" that the USofA issues. It is really just your SSN with the letter A or B suffixed. And everyone knows that SSNs are a dime a million.
I'm just wondering who the stupid blokes who actually purchased some 60+ of these are. I can't imagine any real (read non-gov't) person handing over any real money and expecting to get something real in return. And how would you complain? Is there a warrantee period.
No, I bet that all of the purchases have been done by the perps themselves (you know QA testing) or the authorities poking around.
Not following your line of argument. The US equivalently named card is easy to guess if you have the SSN, which is a apparently cheap. Therefore people must be crazy for paying 30 bucks for it? They aren't buying a US card, so the fact that you can get a US version cheaply is irrelevant. From your subject line you seem to know this.
When you apply for a loan or a passport or a birth certificate, phone contract, lease, etc, they request that you provide a copy of some quantity of documents from list 1, some quantity from list 2 and so on. A Medicare card goes a long way towards passing that test.
"When you apply for a loan or a passport or a birth certificate, phone contract, lease, etc, they request that you provide a copy of some quantity of documents from list 1, some quantity from list 2 and so on. A Medicare card goes a long way towards passing that test."When I applied for the Old Age Pension last year, my Medicare card was not accepted. I needed a State photo ID card as my Australian passport was deemed insufficient. The only additional ID I needed to obtain the required State ID card was my Medicare card. Go figure... Oh, my birth certificate was worthless for ID purposes also.
>I'm just wondering who the stupid blokes who actually purchased some 60+ of these are.<
Drug abusers getting repeat prescriptions on false ID, but mostly drug abusers getting medicare rebates (money from the government) on a false ID.
For these purposes, the medicare card is (??was ??) the accepted and required form of ID.
"Drug abusers getting repeat prescriptions on false ID..."But then the prescription needs to be filled at a pharmacy. Dunno about other places, but I've been at my pharmacist on a number of occasions when known drug users have come in and been refused service. The pharmacist also telephones other pharmacists nearby to warn them that Mr or Ms X is on their way.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
