Hi Giles,
Don't even need to ask yourself "what if" as it already happened back in
the early days. Though the issue was XSS and so nowhere near as serious
as Optus' screw up but still inexcusable in this or the previous decade.
When the person who found this attempted to responsibly disclose it to
the government, he hit a giant brick wall.
Here's the blog article
https://nikcub.me/posts/multiple-vulnerabilities-in-mygov-australian-government
and subsequent press coverage
https://www.smh.com.au/technology/revealed-serious-flaws-in-mygov-site-exposed-millions-of-australians-private-information-20140514-zrczw.html
The sad part is that as poorly as Optus has handled user info, I've seen
worse and frankly I'm amazed that one company I had the displeasure of
working with a number of years ago hasn't suffered something similar.
They kept even more PII than Optus (if you can believe that!) and did an
appalling job of securing it for the 100s of thousands of unfortunate
souls in their DB.
I don't know what the answer is though. If you want to see a mature
digital ID system, look at Sweden where they have something called
"BankID" which is a similar concept except administered by the banks and
only available to residents with a personnummer (similar to a tax file
number). It's a system that is great for those who are born into it or
have gained access via long term residency, but if you're on the
outside, it makes everything extremely cumbersome as basically every
company asks for it.
On 27/09/2022 11:48 am, Giles Pollock wrote:
Had the same thought, and it's good in principle, until you get that
obnoxious little thought creeping into your head "yeah... but what if
MyGov got hacked too?"
I suspect we'll end up with something akin to that down the track, as
the information already exists across multiple government databases by
law anyway. Might get interesting for non citizens though?
(It probably will wind up all the sovcit types too who will start
throwing around their favourite catchphrases - NWO, world government,
UN control, etc)
On Tue, Sep 27, 2022 at 1:40 PM jay binks <[email protected]> wrote:
mmm I was just bouncing something like this around in my head.
In a perfect world, you could utilise MYGov infrastructure...
Carriers could get a UUID that represents a "Know your customer"
Data validation that occurred between carriers and "MyGov", where
the customer was MFA prompted (with the MyGov ID service) to say
"Confirm you want to identify yourself to XXXX".
Then the carrier would only be required to retain that UUID for
the MFA Verified auth transaction.
(and be explicitly instructed NOT to retain PII other than an
email address to send invoices)
Anyways... back to the real world.
On Tue, 27 Sept 2022 at 13:06, Nick Adams <[email protected]> wrote:
See the "Australia Card"[1] for why the Federal government
probably couldn't provide central identification/auth
services. It is politically very challenging...despite the
obvious benefits it would provide.
[1] https://en.wikipedia.org/wiki/Australia_Card
--
Regards,
Nick Adams
On Tue, 27 Sep 2022, at 12:39 PM, Michael Kahl wrote:
Is there any legal obligation to store sensitive ID
information in its original form? Storing a hashed version
only would be sufficient to prove the details had been
collected and verify any future ID verification requirements
without actually retaining the sensitive data.
Separately, should the government provide an opt in two
factor ID verification service for critical services such as
telco, utilities, banking, etc? There are privacy concerns,
however if implemented correctly they wouldn't be collecting
any further information than what they legally have access to
now.
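As an added illustration of the hashed-ID idea in the message above (not code from the thread or from any carrier), the sketch below stores a keyed commitment to a document number instead of the number itself. The key, document type, licence number and timestamp are all constructed placeholders; the point it adds is that a plain hash of a short document number is not enough, because the number space is small, so the hash must be keyed with a secret held outside the customer database.

```python
"""Retain proof that an ID document was checked, not the document.

Added example for the AusNOG thread above; all values are constructed.
Plain SHA-256 of an 8-digit licence number offers little protection,
because there are only 10**8 candidates. An HMAC with a secret key kept
in a KMS/HSM, away from the customer records, gives a commitment that is
useless without the key and can still be re-verified later.
"""
import hashlib
import hmac
import math
import re
import uuid

# Hypothetical placeholder key; production keys live in a KMS/HSM and
# are never stored alongside the records they protect.
DEMO_KEY = bytes.fromhex("00" * 32)


def normalise(doc_type: str, number: str) -> bytes:
    """Canonical form so a later re-check matches the original commitment."""
    cleaned = re.sub(r"[\s-]", "", number).upper()
    return f"{doc_type.upper()}:{cleaned}".encode()


def commit(doc_type: str, number: str, key: bytes = DEMO_KEY) -> str:
    """Keyed commitment that is safe to store in place of the number."""
    return hmac.new(key, normalise(doc_type, number), hashlib.sha256).hexdigest()


def verify(stored: str, doc_type: str, number: str, key: bytes = DEMO_KEY) -> bool:
    """Re-verify a document later without any stored plaintext."""
    return hmac.compare_digest(stored, commit(doc_type, number, key))


def unkeyed_search_bits(digits: int) -> float:
    """Work (in bits) to enumerate an unkeyed hash of an N-digit number."""
    return math.log2(10 ** digits)


def retention_record(doc_type: str, number: str, verified_at: str,
                     key: bytes = DEMO_KEY) -> dict:
    """The minimal record a carrier keeps: "ID checked", when, and a commitment."""
    return {
        "verification_id": str(uuid.uuid4()),  # hypothetical transaction id
        "doc_type": doc_type.upper(),
        "commitment": commit(doc_type, number, key),
        "verified_at": verified_at,
    }
```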
On Tue, Sep 27, 2022 at 11:12 AM Nathan Brookfield
<[email protected]> wrote:
They're legally obligated to retain it, but why is it on the API, and
why isn't it encrypted?
Looking at the data some fields are hashed and then
repeated in the bloody clear :(
On 27 Sep 2022, at 11:02, [email protected] wrote:
My understanding was that the data included the 100
points of ID info. Why are they retaining this? Surely
after confirming the 100 points there only needs to be a
record "100 points provided"=true and not retain the
actual details. This goes back to only keeping the
private data you need.
regards,
Glenn
On 2022-09-27 10:49, Damien Gardner Jnr wrote:
> Personally, I find putting Authentication on my API endpoints to be a
> FANTASTIC first step towards API security. And then not even using
> public IP addresses in test environments is a pretty good second
> step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]>
> wrote:
>> Hi everyone,
>> Obviously a big week in telco and cybersecurity. As part of my work
>> I am on the Australian Cyber Security Industry Advisory Committee as
>> an industry representative.
>> I am keen to look at opening up a dialogue with more and more telco,
>> DC and Cloud CISOs on what they are doing around this issue and
>> looking to take a proactive step towards best practice on customer
>> data and system security.
>> There will be some pretty serious consequences of this hack on the
>> industry and importantly we need to make sure we are as best placed
>> to help each other continually increase in security posture through
>> best practice, but also working with each other as an industry.
>> Are people keen on having an online/VC session sometime in the next
>> few weeks where like-minded industry participants get together and
>> discuss security, retention, encryption, threat detection etc.? If
>> so, just ping me directly and if there is enough interest I will
>> send out an invitation to the list for a call.
>> Cheers
>> [b]
>> _______________________________________________
>> AusNOG mailing list
>> [email protected]
>> https://lists.ausnog.net/mailman/listinfo/ausnog
> --
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> [email protected] - http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
--
Sincerely
Jay