Michael, I like your suggestion about hashed versions. It would have
certainly saved some hassle.
For the last year and a half I have been working as a tutor in
information security and at this point, would like to thank the nice
folk at Optus for allowing us to update some notes with a really good
example of what NOT to do. I get that we went through this period where
the terrorists would buy phones so we all had to be able to be tracked
to prove we weren't one. But that was during a time when the value was
in credit card information, not identity information. The public expects
a certain level of professionalism and care to be taken with personal
and sensitive information and especially with our identity information.
For them to make the mistakes they have, in this day and age is just....
wrong.
On 2022-09-27 12:39, Michael Kahl wrote:
Is there any legal obligation to store sensitive ID information in its
original form? Storing a hashed version only would be sufficient to
prove the details had been collected and verify any future ID
verification requirements without actually retaining the sensitive
data.
Separately, should the government provide an opt in two factor ID
verification service for critical services such as telco, utilities,
banking, etc? There are privacy concerns, however if implemented
correctly they wouldn't be collecting any further information than what
they legally have access to now.
On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield
<[email protected]> wrote:
They're legally obligated to retain it but why it's on the API and why
it's not encrypted.
Looking at the data, some fields are hashed and then repeated in the
bloody clear :(
On 27 Sep 2022, at 11:02, [email protected] wrote:
My understanding was that the data included the 100 points of ID info.
Why are they retaining this? Surely after confirming the 100 points
there only needs to be a record "100 points provided"=true and not
retain the actual details. This goes back to only keeping the private
data you need.
regards,
Glenn
On 2022-09-27 10:49, Damien Gardner Jnr wrote:
Personally, I find putting Authentication on my API endpoints to be a
FANTASTIC first step towards API security. And then not even using
public IP addresses in test environments is a pretty good second
step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]>
wrote:
Hi everyone,
Obviously a big week in telco and cybersecurity. As part of my work
I am on the Australian Cyber Security Industry Advisory Committee as
an industry representative.
I am keen to look at opening up a dialogue with more and more telco,
DC and Cloud CISOs on what they are doing around this issue and
looking to take a proactive step towards best practice on customer
data and system security.
There will be some pretty serious consequences of this hack on the
industry and importantly we need to make sure we are as best placed
to help each other continually increase in security posture through
best practice, but also working with each other as an industry.
Are people keen on having an online/VC session sometime in the next
few weeks where like-minded industry participants get together and
discuss security, retention, encryption, threat detection etc.? If
so, just ping me directly and if there is enough interest I will
send out an invitation to the list for a call.
Cheers
[b]
_______________________________________________
AusNOG mailing list
[email protected]
https://lists.ausnog.net/mailman/listinfo/ausnog
--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
[email protected] - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
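Michael Kahl's suggestion above (keep a hashed form of the ID details so a later verification can be checked without retaining the document numbers) is sound only if the hash cannot be reversed by enumeration, which a plain SHA-256 of an 8-digit licence number can be. The following is an added example, not code from anyone on this thread: it stores a per-record salt plus an HMAC tag computed under a secret key that is assumed to live outside the customer database (for instance in a KMS), and it contrasts that with the unkeyed variant to show why the key matters. The key, ID formats and the toy numeric search space are all constructed for illustration.

```python
"""Keyed-hash verification record for an identity-document number.

Added example, not from the mailing-list thread. Assumptions: the ID
number is a low-entropy string (e.g. an 8-digit licence number), a secret
key is held outside the customer database, and the record keeps only a
random salt and an HMAC-SHA256 tag, never the number itself.
"""
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional


class IdRecord(NamedTuple):
    salt: bytes  # per-record random value, stored with the tag
    tag: bytes   # HMAC-SHA256(key, salt || normalised ID number)


def normalise(id_number: str) -> bytes:
    """Strip spaces/hyphens and case so 'AB 123-456' and 'ab123456' match."""
    return "".join(ch for ch in id_number if ch.isalnum()).upper().encode()


def make_record(id_number: str, key: bytes) -> IdRecord:
    """Build the stored record at collection time; the number is discarded."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(key, salt + normalise(id_number), hashlib.sha256).digest()
    return IdRecord(salt, tag)


def verify(id_number: str, record: IdRecord, key: bytes) -> bool:
    """Re-present the number later and check it against the stored tag.
    compare_digest avoids leaking the match position via timing."""
    expected = hmac.new(key, record.salt + normalise(id_number),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, record.tag)


def unkeyed_hash(id_number: str) -> str:
    """The weak variant: plain SHA-256, no key, no salt."""
    return hashlib.sha256(normalise(id_number)).hexdigest()


def recover_unkeyed(digest: str, digits: int) -> Optional[str]:
    """Enumerate an all-numeric ID space to show why the unkeyed variant
    protects nothing: a leaked table of such digests is reversible offline
    by anyone. Constructed toy space of 10**digits values."""
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; in practice fetched from a KMS
    rec = make_record("AB 123-456", key)
    print("verify same number:", verify("ab123456", rec, key))     # True
    print("verify wrong number:", verify("AB123457", rec, key))    # False
    print("verify without key:", verify("AB123456", rec, b"x" * 32))  # False
    print("unkeyed recovered:", recover_unkeyed(unkeyed_hash("04217"), 5))
```

Two design points worth noting. The per-record salt stops an attacker who obtains the table (and the key) from spotting that two customers presented the same document, and stops a single precomputed table from covering every record. Keeping the key outside the database means a dump of the customer table alone, which is what the thread is discussing, yields tags that cannot be enumerated; if the key is later suspected compromised it can be rotated, but existing tags cannot be recomputed without the original number, so re-collection happens at the customer's next verification.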