Data Breaches 2022 onward (including Optus)

Optus seems to be far from on top of their game.

Commonwealth Bank is on the ball …


… not entirely sure which ball, but they are on it.

The ‘see more’ links to their site about ‘Cyber security, scams & fraud’.

The bank's statement might be true in the literal (superficial) sense, but …

Who would have known if it was not questioned? What exposed customers don’t know shouldn’t hurt them?

Some are pointing at government legislation to retain data as The Real Problem but there are literally thousands of major companies world-wide that have not been hacked (yet). Maybe they have a clue about security that was lacking at Optus? Pointing at any one or any thing beyond Optus seems disingenuous.

1 Like

An interesting side effect could make using online or call center functions problematic going forward.
Many organizations have some form of official identifying document ID in their profile on you.
It is not just banks and Telcos that have the ‘100 point’ identification rule.

So you ring up a call center for some service. To verify that you are actually you, they may ask for a drivers license number after the usual customer ID, name, address, etc.

Knowing that lots of license numbers and associated user details have been exposed to the nefarious hacker world, can the call center use this as verification? What else could be used?

And if you were to get a new drivers license with new number, there would be a mismatch and the verification would fail. Better make sure the old license is retained for its previous number.

But, that license is no longer valid.

1 Like

Prompted by the Optus revelations, I tried to find out what data Telstra holds about me. I was unsuccessful.
Customers should have a right to know what information is held about them.

4 Likes

Some advice from CHOICE on what to do if you’ve been caught up in the Optus data breach:

3 Likes

That “some” would include me. To be clear … forced to retain data makes this hack worse (e.g. affects former customers who would otherwise be in the clear) but forced to collect data is The Real Problem.

Who believes that Optus would collect your passport number and/or your drivers licence number and/or your medicare number if not forced to do so by the government? You can’t “misplace” what you don’t collect. Ditto banks.

That we know of … and ignoring the many major companies that have been hacked.

The 100 points of ID is typically only at sign up. To ID you on the phone is usually a less onerous test. For example, when talking to the ATO they might ask me how much tax I paid in my most recent annual assessment.

Many places do ask for birth date - that is hugely problematic. Was problematic before. Is even more problematic now.

Indeed. All the compromised numbers must be deprecated for any kind of security check. It proves nothing for identification purposes when millions of these numbers are floating around in cyberspace.

When I ring my bank(s), they ask for a telephone password that I have previously provided them. By definition it is unique to that bank (so even if the bank is compromised, or indeed I am compromised, it won’t compromise any other organisations). By definition I can (easily) change it if it is compromised or just for the purposes of periodic change.

Everything that birth date or any of the above government document numbers are not!

Important recent clarifying comment from NSW Police (may or may not apply in any other state):

Your driver’s licence number will not change – however, the Driver Licence Card Number will change.

I think what that means is that in order to use a licence number to satisfy an initial identification check, you need to supply both numbers, but the organisation in question (in this case Optus) must not store the card number (only the licence number).

So even in the face of data hacks, you really need to be in possession of the card in order to use it for initial identification check purposes. (That doesn’t rule out criminal activity e.g. someone might have raided your letter box, but it does at least put a barrier in front of a random online hack.)

I don’t know whether use of the card number is a (recent) change. Credit cards made that change (i.e. a conceptually similar but not identical change) years ago.

Yours is a perspective I partly agree with but as someone once responsible for security of a significant site, when it is fairly obvious one has critically sensitive information and only goes through the motions or less, it is on them not the requirement. We thus disagree.

1 Like

Optus is offering a free 12 months subscription to Equifax Protect for its customers who were affected by the data breach.
Step 1 - You need to set up a new Equifax account using a different email address if you already have an account. Go right through the identity validation process.
Step 2 - Contact Optus customer service via their app and messaging service after your new Equifax account validation is completed. You need to be very patient, but I eventually got my unique code. (I had trouble registering because I had my old Equifax account open on the task bar, so ensure you close any other Equifax accounts before you try to use your code)
Step 3 - Request a ban on new credit check applications through the Equifax portal - Good Luck

2 Likes

This is the authoritative Optus page for eligibility.

1 Like

I’m now receiving e-mails from several finance and banking companies about the safety measures I could take. However, they all seem to assume “Mobile” activity, and advise using their Android or Apple app. I’ve no doubt this is well intended. But, what about using a PC/Desktop?

Is a Desktop inherently safer or less safe than Mobile? Whatever that answer, why aren’t they telling customers? Particularly if Desktops are safer, then why not simply say, reduce mobile use for xxx type transactions, instead use your desktop, etc.

I think this is bigger than just the Choice community sharing tips and advice. Choice experts need to be involved.

Optus now seems to be saying for NSW: They will credit your account automatically for the NSW government fee of $29 if it is appropriate for you to replace your licence.

If the licence number and card number on your driver licence has been exposed, we strongly recommend you apply for a new card. For all other customers impacted, including those that have only had their driver licence number exposed, a replacement card is not required.

Optus will be in touch with customers that have had both their licence number and card number exposed in the coming days with detailed instructions on how to replace your card. We will also apply a credit of $29 automatically to cover the cost of a new card to the Optus accounts of those customers that we have recommended update their driver licence.

If you don’t hear from us, it means that your driver licence doesn’t need to be changed. You can refer to Service NSW for more information.

Source: Cyberattack Support | Optus

Also Optus saying: they can’t tell customers at this stage what specific government document numbers have been leaked and they can’t tell you when they will be able to tell you.

I understand very well that they are all operating under difficult circumstances but at this stage they are leaving customers out to dry … just go ahead and replace your documents “in case” (and potentially wear the cost yourself) or delay until Optus is ready and take the risk that in the meantime your identity is used to “do things”.

A cynic might suggest that it would be faster for me to get onto the dark web in order to find out what information Optus has on me.

The only upside would seem to be that after I have replaced my DL, I don’t tell Optus (or any other telco) the new card number and so if any telco gets hacked, the information is hopefully useless to the hacker.

Well I agree that the lessons for Optus are obvious and I hope they learn them. It just feels like the government is positioning itself to learn no lessons because they are “blameless”.

I forget which member originally posted it, but he stated he was in some meetings trying to harmonise regulations nationally. The observation was it was very difficult when 7 groups went into the meeting, each already having it perfect, and no independent chair. They left the meetings with the same positioning. Nothing of value happened except enshrining how perfect each had it already.

No more so than EPA regulations, etc, etc, etc that are incumbent on businesses to learn how to work with. The alternative is a wild west. In Canberra and maybe the states most things take about 5 years from concept to delivery and if anything changes in the interim the 5 years starts again. Even when government realises it got it wrong and needs adjusting or a rethink it becomes a choice of delivering something or nothing while our ‘loyal opposition’ go into full attack mode for the duration.

Some insights into why Queensland and Victoria are the hardest hit regarding drivers licence number leakage: Optus breach: NSW drivers’ licences won’t be affected as much as those in Victoria, Queensland (probably paywalled)

Only 16,000 Optus customers in NSW will need a replacement driver’s licence […] thanks to a move to tighten document verification standards only weeks before the catastrophic cyberattack.

(I really really hope Optus is certain about the exact date that someone stuffed up and exposed all the customer records to the internet.)

information provided by Optus suggests around 700,000 Victorian drivers and 500,000 Queensland drivers will have to obtain a new driver’s licence number

NSW joined Western Australia, the ACT, South Australia, Tasmania and the Northern Territory in adopting new rules required to pass a national Document Verification Service (DVS) check on September 1.

Again, I think what we are saying here is that most states use both licence number and licence card number for verification, but Queensland and Victoria are not ready to implement that yet. Queensland will be ready in 2023.

This makes it similar to 2FA, with the licence number being the password (something you know) and the licence card number being the second factor (something you have, the physical card).

The whole thing is a farce anyway because every time I go to a club where I am not a member, I hand over my drivers licence number and my drivers licence card number.

At the very least this must raise serious questions about the use of the medicare number for identification. As I understand it, when a medicare card expires, it is reissued with the last digit incremented by one, which is hardly cryptographic standard of subtlety - and there doesn’t appear to be a card number at all. The security features are also way way short of a drivers licence.

If an entity also collects the medicare card expiry date then a stolen card number is going to be useful for identity theft for perhaps 6 to 10 years, maybe more.

When I bought the house where I live, all I needed to do that was drivers licence and medicare card (and they accepted a scan, thereby invalidating most of the physical security features of the drivers licence). I don’t know whether it has tightened up in the last few years but the Optus data breach has the potential to mean that someone could sell your house without your knowing it (which has happened from time to time).

Options available to the Federal government

  • ban the use of the medicare number for “identification” purposes or, more robustly,
  • make it an offence to ask someone for his or her medicare card number for any purpose other than in relation to legitimate provision of health services

and/or

  • kick off a project to strengthen the medicare card

One needs to produce the originals or certified copies.
E.g. NSW.
Verification of identity - Registrar General's Guidelines

Original or certified copies of documents produced must be current, except for an expired Australian Passport which has not been cancelled and was current within the preceding 2 years. Any doubts see Supervisor / Team Leader.

2 Likes

What has been exposed?

Ms Rosmarin said that of the 9.8 million customers whose details were exposed only 2.1 million had identity documents – such as passport numbers, licence numbers and Medicare details – taken by hackers.

Of those, about 1.2 million have had “at least one number from a current and valid form of identification” taken, while 900,000 have had expired information compromised.

A further 7.7 million customers have had personal data stolen, including email addresses, birthdays, names and phone numbers.

No mention of billing or service address details being part of the loss in the last point? Although these details are also requested when calling up Telcos for support.

2 Likes

The New Daily article could be one explanation of how real customer data came to be leaked out onto the Internet, or more likely a copy of that data.

My experience in supporting certain testing systems is that a copy of real data is needed for functional testing, regression testing, and particularly load and stress testing.

Since real data is being used, the test environment must be isolated from not only the external networks, but open internal networks. Access is only available through a special internal network and through that remote access via encrypted VPN using full multi-factor authentication.

Will Optus come out one day and tell us how the breach happened, or will it remain a secret known only to those who manage the IT systems?

2 Likes

Good to know. Looks like you butchered that link though so here’s the actual link: Verification of identity - Registrar General's Guidelines

According to that link, those rules came into force in October 2021, which is recent enough to be consistent with my experiences of great laxness in the past (i.e. greater than 1 year ago).

Edit: One problem with this though is the Medicare Card. It has such limited security features (i.e. anti-counterfeit features) that I suspect a criminal with your Medicare Card number could fairly easily produce an “original” Medicare Card.

2 Likes

Yes. Or to put the same thing the other way … it is almost impossible to have realistic but fake data that is on the scale and complexity of the real data … and without good data it is difficult to be confident that the testing has been comprehensive.

Not unless the law forces them to. I don’t know exactly what all the pros and cons of that would be but I always feel that everyone else would benefit if companies had to air their dirty laundry in full. That is, mandatory breach notification could cover more than just notifying people whose data had leaked out but also giving a full public account of what happened.

I always try to learn something from incidents like this for both my personal IT infrastructure and the IT infrastructure at work.

1 Like
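The two posts above raise the tension between needing production-scale data for testing and not wanting a copy of real identity documents sitting in a test environment. As an added example (not from the thread or from Optus), the following Python shows a keyed pseudonymisation pass that replaces direct identifiers with deterministic HMAC tokens before data is copied for testing: joins still line up and numeric fields keep their length and format, but the test copy no longer contains real licence, passport or Medicare numbers. The field list, key and sample records are constructed for the example.

```python
import hmac
import hashlib
from typing import Any

# Key held only by the masking job, never by the test environment (constructed for this example).
MASKING_KEY = b"constructed-example-key-rotate-in-practice"

# Fields treated as direct identifiers that must not reach a test copy (assumption for this example).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "dob", "licence_no", "passport_no", "medicare_no"}


def pseudonymise(value: str, field: str, key: bytes = MASKING_KEY) -> str:
    """Deterministic keyed token: the same input always yields the same token, so
    references across tables still match, but the original cannot be derived without the key."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    if value.isdigit():
        # Keep numeric identifiers numeric and the same length so format checks in tests still pass.
        return str(int(digest, 16) % (10 ** len(value))).zfill(len(value))
    return digest[: max(len(value), 8)]


def mask_record(record: dict[str, Any]) -> dict[str, Any]:
    """Replace identifier fields; leave non-identifying fields (plan, state, ids) untouched."""
    return {k: (pseudonymise(str(v), k) if k in DIRECT_IDENTIFIERS and v is not None else v)
            for k, v in record.items()}


def mask_dataset(tables: dict[str, list[dict]]) -> dict[str, list[dict]]:
    return {name: [mask_record(r) for r in rows] for name, rows in tables.items()}


def leaked_identifiers(original: dict[str, list[dict]], masked: dict[str, list[dict]]) -> set[str]:
    """Post-masking check: return any original identifier value that survives in the masked copy."""
    originals = {str(r[f]) for rows in original.values() for r in rows for f in DIRECT_IDENTIFIERS if r.get(f)}
    survivors = {str(v) for rows in masked.values() for r in rows for v in r.values()}
    return originals & survivors


# Constructed sample data: a customer table and a support-notes table that references the licence number.
SAMPLE_TABLES = {
    "customers": [
        {"customer_id": 1001, "name": "Jane Example", "dob": "1985-03-09",
         "licence_no": "12345678", "medicare_no": "2345678901", "state": "NSW", "plan": "Mobile 50"},
    ],
    "support_notes": [
        {"note_id": 7, "customer_id": 1001, "licence_no": "12345678", "text": "Replacement card requested"},
    ],
}

if __name__ == "__main__":
    masked = mask_dataset(SAMPLE_TABLES)
    print(masked, "leaked:", leaked_identifiers(SAMPLE_TABLES, masked))
```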