Vodafone’s apparent information security breach, if it’s being described accurately, certainly suggests a botched approach. But corporate Australia’s blasé attitude to our personal identity information is as much to blame.
Fairfax’s Natalie O’Brien broke the story yesterday that anyone with a valid Vodafone dealer login could access every customer’s complete file — name, address, date of birth, driver’s licence number, credit card details, the PIN they use to operate their account and even the full history of their phone calls and text messages. It’s wrong to say this data was “publicly available on the internet”. You did need a valid login, after all. But the set-up seems deeply flawed, and valid logins are on the loose.
“Vodafone retailers have said each store has a user name and password for the system,” O’Brien wrote. “That access is shared by staff and every three months it is changed.” That, for a start, fails a fundamental principle of infosec auditing. With a single login shared by everyone within a store, it’s impossible to track who accessed which data or who leaked their login details to the bad guys. And if someone gets sacked, they could still be able to access the system for up to three months.
Being able to view a customer’s PIN is just plain wrong. Passwords — and a PIN is just a password — should never be stored in their plain, unencrypted form. Standard security practice is to store a one-way hashed version of the password (what is often loosely called the “encrypted” version). When someone needs to supply their password, the same one-way process is applied to what they typed and, if the result matches the stored version, access is granted. But you can’t turn the stored version back into the password itself without deploying spook-agency-grade computing resources.
Any system that can reveal the password or PIN itself is broken.
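As an added illustration (example code, not Vodafone’s system or anything from the article) of the storage approach just described: the PIN is run through a salted, deliberately slow one-way hash, only that hash is kept in the customer record, and a login attempt is checked by repeating the same process and comparing the results. The record layout and function names are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Deliberately slow derivation: a four-digit PIN has only 10,000 possible values,
# so every guess made against a leaked record must be made expensive.
ITERATIONS = 200_000


def hash_pin(pin: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing, salted PBKDF2 record; the PIN cannot be read back from it."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per customer
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pin(pin: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def create_customer_record(name: str, pin: str) -> dict:
    """Hypothetical customer record: keeps the PIN hash only, never the PIN itself."""
    return {"name": name, "pin_hash": hash_pin(pin)}


if __name__ == "__main__":
    # Constructed sample customer; nobody reading the stored record can see the PIN.
    record = create_customer_record("Constructed Customer", "4821")
    print(record)
    print(verify_pin("4821", record["pin_hash"]))  # True
    print(verify_pin("0000", record["pin_hash"]))  # False
```

Because the keyspace of a short PIN is so small, the slow derivation and server-side limits on failed attempts carry as much weight as the hashing itself; a fast plain hash of a four-digit PIN would be little better than storing it in the clear.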
Any system that exposes customer credit card information to a shared login is also broken. The Payment Card Industry Data Security Standard (PCI DSS) requires that access to cardholder data be restricted on a “business need-to-know” basis, that a unique ID be assigned to every person with computer access, and that all access to network resources and cardholder data be tracked and monitored.
All this, if true, is sufficient reason to slap Vodafone, and slap them very hard indeed.
But another part of the problem is the insistence — not just by Vodafone, but by so many companies — on compiling databases of personal information that simply aren’t required to fulfill the business need.
The idea that companies need to photocopy or scan a driver’s licence before issuing a mobile phone SIM card, for example, is “absolute rot” and “outrageous”, according to Paul Ducklin, head of technology for the Asia-Pacific region for global information security firm Sophos.
“I try to make a point that if people wish me to identify myself, for example checking into a hotel or dealing with a shop, and so I need photo ID, then I will hold up my driving licence for them to look at so that they can satisfy themselves that I’m who I say I am. They can write down my name if they wish,” Ducklin told the Patch Monday podcast. “Frequently they then just reach out and expect to take that licence and do something with it, and my response is always, ‘I’m sorry, you can look but you can’t touch’.”
The system only needs to record the fact that valid ID was sighted, not the ID itself.
Similarly, at least one ticket agency asks for and stores each customer’s date of birth. Why? Some performances have age restrictions, either because of their content or because they’re taking place on licensed premises. But this misses the point on two grounds.
One, you don’t need to record the date of birth, just the fact that the customer is of the right age. And two, as Ducklin points out, the age test is being conducted at the wrong point in the process. “It doesn’t matter what you say when you’re doing the booking, whether you’re over 18 or not determines whether you’re allowed to actually go in through the gates of the concert,” he said.
Vodafone is currently saying that they’re only aware of a single breach. One interesting question is whether that will turn out to be the case once their internal investigations are done. Another, in the absence of US-style laws requiring companies to disclose data breaches, is whether we’ll ever know.