So.... SSL for phone calls?

On Wed, Sep 28, 2022 at 10:32 AM Andrew Oakeley <[email protected]> wrote:
> Hi,
>
> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don’t disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file.
>
> This should also cut both ways. There needs to be some way consumers can easily identify that the provider calling them is actually who they say they are.
>
> I am sick of my bank and telco calling me and saying “Before we go any further can you please tell me your date of birth so we can confirm we are talking to the right person”…. Well, how about you confirm who you are before I disclose my DOB to someone who has randomly called me.
>
> Andrew
>
> *From:* AusNOG <[email protected]> *On Behalf Of *Jeremy Chequer
> *Sent:* Wednesday, 28 September 2022 7:45 AM
> *To:* James Murphy <[email protected]>
> *Cc:* AusNOG Mailing List <[email protected]>
> *Subject:* Re: [AusNOG] Optus Hack
>
> Hi
>
> There are specific rules for prepaid regarding ID validation and documents which must be checked (https://www.legislation.gov.au/Details/F2017L00399/Html/Text#_Toc478627158). As a Credit Provider, they are also required to validate you are who you say you are before providing credit services. Additionally, telcos also have specific provisions for customer protection requiring credit checks to be run before certain services are provided.
>
> Providers also need to keep enough information to verify you are who you say you are when you make contact though and are required to ensure they don’t disclose information about your account to someone else, which is why many providers keep things like your Date of Birth on file. The requirement to hold PII is required to a degree and is even outlined in the TCP Code with Clause 3.7 covering the storage and security of said information.
>
> Hopefully, this attack will result in some changes not just in our industry but across the board. Maybe something like validating Licences, Medicare, etc. against DVS (already commonly done) but then just keeping the Pass/Fail result and Check ID instead of keeping the full details on file could be a way to minimise the amount of data available in a breach like this, but I’m not sure if that would be enough to comply with some of the obligations.
>
> - Jeremy
>
> *From:* AusNOG <[email protected]> *On Behalf Of *James Murphy
> *Sent:* Tuesday, 27 September 2022 11:29 PM
> *To:* Serge Burjak <[email protected]>
> *Cc:* AusNOG Mailing List <[email protected]>
> *Subject:* Re: [AusNOG] Optus Hack
>
> Looking over the Privacy Act and oaic.gov.au, I still can't see any laws about a telco (or any business other than a credit reporting body) storing this level of information - specifically a driver's licence number or date of birth (passport number isn't mentioned).
>
> "identification information" is the term that includes a driver's licence number and date of birth.
>
> "Credit information" is the term that includes "identification information" about an individual (therefore includes driver's licence number and date of birth).
>
> There are only laws about how long a credit reporting body stores this information. A credit provider (ie Optus) doesn't need to store it, but does need to provide it to the credit reporting body - so they need to collect it and share it but they don't need to store it.
>
> For the data a telco does need to store - which looks to be added in the "Telecommunications (Interception and Access) Act 1979" - they all talk about "personal information" (which doesn't specifically include date of birth or driver's licence number, so you would be complying with that law if you didn't store those pieces of data - provided you can reasonably identify a person with the data you do store).
>
> From the Privacy Act:
>
> *personal information* means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
> (a) whether the information or opinion is true or not; and
> (b) whether the information or opinion is recorded in a material form or not.
> Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
>
> So the argument that they need to store this by law - to me (a software developer/techy who sometimes can spend hours reading shit like this trying to pick holes in it - so: not a lawyer) - doesn't seem valid.
>
> If this is required by law, I would love to understand how (ie which laws/acts cover it).
>
> On 27 Sep 2022, at 16:46, Serge Burjak <[email protected]> wrote:
>
> https://www.oaic.gov.au/privacy/the-privacy-act
>
> Covers it pretty well.
>
> On Tue, 27 Sept 2022 at 16:36, James Murphy <[email protected]> wrote:
>
> Does anyone know which laws cover the data they were keeping?
>
> Did a search for anything with "telecommunication" in the name (link), found 71 results and downloaded 73 PDF files (C2022C00170 Telecommunications Act 1997 had 3 files, all others had 1 file), and can't find anything that mentions keeping this level of data.
>
> The closest thing I found was in the following:
>
> C2022C00151 - Telecommunications (Interception and Access) Act 1979
> C2015A00039 - Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
> C2021A00078 - Telecommunications Legislation Amendment (International Production Orders) Act 2021
>
> which contained the following two sections that seem to cover identification information - there doesn't seem to be anything that says they need to collect or store to the level that Optus seems to have done.. Almost reads like you could store name and address (without DOB?) and that would be adequate enough (but I'm not a lawyer so who knows).. Am I looking in the wrong place/at the wrong laws?
>
> 13 Identification of a particular person
> For the purposes of this Schedule, a particular person may be identified:
> (a) by the person’s full name; or
> (b) by a name by which the person is commonly known; or
> (c) as the person to whom a particular individual transmission service is supplied; or
> (d) as the person to whom a particular individual message/call application service is provided; or
> (e) as the person who has a particular account with a prescribed communications provider; or
> (f) as the person who has a particular telephone number; or
> (g) as the person who has a particular email address; or
> (h) as the person who has a particular internet protocol address; or
> (i) as the person who has a device that has a particular unique identifier (for example, an electronic serial number or a Media Access Control address); or
> (j) by any other unique identifying factor that is applicable to the person.
>
> and
>
> 187AA Information to be kept
> (1) The following table sets out the kinds of information that a service provider must keep, or cause to be kept, under subsection 187A(1):
>
> Item 1
> Topic: The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service
> Description of information: The following:
> (a) any information that is one or both of the following:
> (i) any name or address information;
> (ii) any other information for identification purposes;
> relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;
> (b) any information relating to any contract, agreement or arrangement relating to the relevant service, or to any related account, service or device;
> (c) any information that is one or both of the following:
> (i) billing or payment information;
> (ii) contact information;
> relating to the relevant service, being information used by the service provider in relation to the relevant service;
> (d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;
> (e) the status of the relevant service, or any related account, service or device.
>
> On 27 Sep 2022, at 11:12, Nathan Brookfield <[email protected]> wrote:
>
> They’re legally obligated to retain it, but why it’s on the API and why it’s not encrypted.
>
> Looking at the data some fields are hashed and then repeated in the bloody clear :(
>
> On 27 Sep 2022, at 11:02, [email protected] wrote:
>
> My understanding was that the data included the 100 points of ID info. Why are they retaining this?
> Surely after confirming the 100 points there only needs to be a record "100 points provided"=true and not retain the actual details. This goes back to only keeping the private data you need.
>
> regards,
> Glenn
>
> On 2022-09-27 10:49, Damien Gardner Jnr wrote:
>
> Personally, I find putting Authentication on my API endpoints to be a FANTASTIC first step towards API security. And then not even using public IP addresses in test environments is a pretty good second step.. </onlyhalfsarcasticherewhydoesthiskeephappening>
>
> On Tue, 27 Sept 2022 at 10:46, Bevan Slattery <[email protected]> wrote:
>
> Hi everyone,
> Obviously a big week in telco and cybersecurity. As part of my work I am on the Australian Cyber Security Industry Advisory Committee as an industry representative.
> I am keen to look at opening up a dialogue with more and more telco, DC and Cloud CISOs on what they are doing around this issue and looking to take a proactive step towards best practice on customer data and system security.
> There will be some pretty serious consequences of this hack on the industry and importantly we need to make sure we are as best placed to help each other continually increase in security posture through best practice, but also working with each other as an industry.
> Are people keen on having an online/VC session sometime in the next few weeks where like-minded industry participants get together and discuss security, retention, encryption, threat detection etc.? If so, just ping me directly and if there is enough interest I will send out an invitation to the list for a call.
> Cheers
> [b]
> _______________________________________________
> AusNOG mailing list
> [email protected]
> https://lists.ausnog.net/mailman/listinfo/ausnog
>
> --
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> [email protected] - http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
> We ran to the sounds of thunder.
> We danced among the lightning bolts,
> and tore the world asunder
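The data-minimisation idea raised by Glenn and Jeremy above (keep the check outcome and a check reference, not the document itself), together with Nathan's observation about hashed fields sitting next to their plaintext copies, as an added example that is not from the thread, from Optus, or from any provider's code. The checking-service call, the record schema and the field names are assumptions made for illustration, not any real DVS or telco API; the person, date of birth and licence number are constructed sample inputs.

```python
"""Added example (not from the AusNOG thread): a data-minimised identity
verification record.

Flow: validate an ID document against a checking service (simulated here,
an assumption standing in for a DVS-style call), then keep only the
outcome, a check reference and a keyed tag of the document number.

Two points from the thread are shown concretely:
  * the stored record carries no raw document number or DOB, only an
    HMAC-SHA256 tag under a secret pepper held outside the database, so
    a later re-check can be matched without storing the value itself;
  * an unkeyed hash of a low-entropy field such as a date of birth is
    not protection: every plausible DOB can be enumerated and matched in
    well under a second, so "hashed" columns beside plaintext ones buy
    nothing even on their own.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample inputs (fictional person and document).
SAMPLE_NAME = "Jane Citizen"
SAMPLE_DOB = "1985-07-14"
SAMPLE_LICENCE = "123456789"

# Secret pepper: in production this lives in a KMS/HSM or secret store,
# never in the same database as the records it protects.
PEPPER = secrets.token_bytes(32)


@dataclass(frozen=True)
class VerificationRecord:
    """What the provider keeps after a check (hypothetical schema)."""
    check_id: str        # reference returned by the checking service
    document_type: str   # e.g. "drivers_licence"; the number is not stored
    passed: bool
    checked_at: str      # ISO-8601 UTC timestamp
    document_tag: str    # HMAC-SHA256 of the document number, hex


def simulated_dvs_check(name: str, dob: str, licence_no: str) -> Tuple[str, bool]:
    """Stand-in for a document verification service (assumption).

    Returns (check_id, passed). Here a document passes if the DOB parses and
    the licence number is nine digits; a real service would match the
    issuer's records instead.
    """
    check_id = "chk-" + secrets.token_hex(6)
    try:
        date.fromisoformat(dob)
    except ValueError:
        return check_id, False
    passed = bool(name.strip()) and licence_no.isdigit() and len(licence_no) == 9
    return check_id, passed


def document_tag(document_type: str, document_no: str, pepper: bytes) -> str:
    """Keyed tag for matching a document on a later re-check.

    The document type is bound into the message so a licence number and a
    passport number with the same digits do not produce the same tag.
    """
    msg = f"{document_type}:{document_no}".encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def verify_and_record(name: str, dob: str, licence_no: str,
                      pepper: bytes = PEPPER) -> VerificationRecord:
    """Run the check and return the only data worth keeping."""
    check_id, passed = simulated_dvs_check(name, dob, licence_no)
    return VerificationRecord(
        check_id=check_id,
        document_type="drivers_licence",
        passed=passed,
        checked_at=datetime.now(timezone.utc).isoformat(),
        document_tag=document_tag("drivers_licence", licence_no, pepper),
    )


def record_contains_raw_pii(rec: VerificationRecord, dob: str, licence_no: str) -> bool:
    """True if any stored field still carries the raw DOB or licence number."""
    fields = [rec.check_id, rec.document_type, rec.checked_at, rec.document_tag]
    return any(dob in f or licence_no in f for f in fields)


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of a field, the kind of "hashed" column the thread describes."""
    return hashlib.sha256(value.encode()).hexdigest()


def brute_force_dob_hash(target_hex: str, earliest: int = 1900,
                         latest: int = 2024) -> Optional[str]:
    """Recover a DOB from its unkeyed SHA-256: only ~45k candidates exist."""
    d = date(earliest, 1, 1)
    end = date(latest, 12, 31)
    while d <= end:
        if unkeyed_hash(d.isoformat()) == target_hex:
            return d.isoformat()
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    rec = verify_and_record(SAMPLE_NAME, SAMPLE_DOB, SAMPLE_LICENCE)
    print(rec)
    print("raw PII in record:", record_contains_raw_pii(rec, SAMPLE_DOB, SAMPLE_LICENCE))
    print("unkeyed DOB hash recovers:", brute_force_dob_hash(unkeyed_hash(SAMPLE_DOB)))
```

The keyed tag is what lets the provider answer "have we already verified this licence?" or re-run a check later without holding the number; if the pepper is kept out of the database, a dump of the records alone gives an attacker neither the licence numbers nor the dates of birth. The brute-force function is the counterexample to relying on an unkeyed hash for the same purpose.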
