On November 10, 2017, Melbourne resident Niel Fulton applied for a new driver's licence. It never arrived. Two weeks later, someone used a form on the VicRoads website to change the registered address.
Fulton assumes his licence was stolen from the post, either in transit or from his letter box. The thief would then have had everything they'd have needed to submit the change-of-address form: the licence number, and the driver's name, address, and date of birth. Then, as per standard procedure, VicRoads would have posted them a sticker with the new address, to attach to the physical licence.
As Fulton told ZDNet, the thief is then free to use this licence as a verifiable form of ID, particularly with services that don't require a photo -- and that includes many if not most online accounts -- at least until the legitimate licence holder notices the change.
"What does this mean? Anyone in possession of a licence not their own is free to use it as a form of ID, paving the way for deeper identities to be built," Fulton said.
"What's more, once the actual owner of the licence notices the change, and changes the address back, there's nothing to stop the original problem happening again, as the unknown party still has enough details to change the address, thereby still leaving opportunity for fraud."
Fulton eventually contacted VicRoads on January 15, but they seemed unconcerned.
VicRoads can't track the user IP address or any other details of the illegitimate change beyond the date it was made, Fulton said he was told, and VicRoads won't issue a new licence number until they see tangible evidence of fraud having been committed.
"A new licence issued with the same number means the one held by unknown parties is still valid and usable for ... whatever," Fulton said.
VicRoads declined to confirm any of these specifics, but told ZDNet that the agency "takes the security of our customers' personal information very seriously".
"We process more than 24 million licensing and registration interactions each year and the number of licences replaced due to fraudulent activity each year is one in 1 million," said Paul Santamaria, the acting executive director of VicRoads' Registration and Licensing division.
"We encourage customers to set up a myVicRoads account as the most secure way to manage their interactions with VicRoads."
myVicRoads is a password-protected portal allowing customers to complete a range of transactions, including change of address. Once an account is created, the customer is sent a follow-up letter to confirm the accuracy of their details.
The agency currently has 315,000 registered myVicRoads account holders, and said it plans to decommission the change-of-address service from the website as more myVicRoads accounts are created.
However, there's no indication on the change-of-address form that a myVicRoads account would be more secure, only that it provides the option of short-term vehicle registration.
"We understand the issues associated with identity theft and we encourage customers to contact police if they believe they are the victim of identity theft ... Licence theft and fraudulent activity is [sic] dealt with as a Victoria Police matter."
Fulton did file a report with Victoria Police, but there was little they could do.
"I get the feeling they deal with it semi-regularly since the constable I spoke to said, paraphrasing, 'We really can't just rock up to the address and ask if they know anything because they'll just deny it', which I completely understand."
Victoria Police was unable to provide any statistics on licence theft. A spokesperson told ZDNet that "isn't a box to tick" in their crime reports.
Victoria's recently established Crime Statistics Agency (CSA), an independent body along the lines of the highly respected NSW Bureau of Crime Statistics and Research, was also unable to provide any numbers, as its statistics derive from Victoria Police reporting.
"We don't really have much coming up in the detailed offence codes that isolates fraud and deception offences relating to driver's licences, and if any cases have been recorded by Victoria Police, it is probably hiding in the more generic categories," said the CSA's chief statistician, Fiona Dowsley.
The morning after ZDNet contacted VicRoads, the agency called Fulton to apologise, reassure him that it is looking into the matter, and confirm that it is issuing him with a new licence number.
"They can't comment about the vulnerability specifically, but they are aware of it from the language they used," Fulton said. But he's still far from happy.
"What makes this worse for me is that I understand the difficulty that all parties have in this matter ... I'm exhausted, worried about my future, pissed off, and wondering how many other people are in the same situation here -- some of whom surely do not know."