Concerns raised over how Aussie telcos' staff handle customer data
- 03 April, 2018 10:45
Telstra and Optus have been called out over how their stores' staff have been handling personal customer information.
Local cyber security specialist Troy Hunt claimed in a blog post on 28 March that customer data is being carelessly handled in both telcos' stores.
Hunt detailed his own experience as a Telstra customer after visiting his local store to upgrade phone plans.
On 1 March, Hunt posted on Twitter a photo of a Telstra store terminal screen that showed details such as the account holder's name, ACN, network password, mobile number and other information.
Hunt questioned the telco at the time, as he had been left alone facing the screen displaying this information for some time, in an area where other people were constantly walking past.
He wrote: "Is it normal for @Telstra to display customer passwords on publicly facing terminals in their stores? (You know, the same password people give their bank.) This is the user-selected password used for identity verification with store customers wandering past it".
According to Hunt, Telstra's response at the time was: "I want to make sure that this is fully investigated, it's definitely concerning".
The list of concerns is short but worrying, according to Hunt: the password is shown in full plain text, so anyone who can see the screen can read it, and staff do not lock the system when they walk away from a terminal, leaving it open to anyone who wants to access it, he noted.
Hunt said he is still waiting, 27 days later, on an update about his complaint to the telco.
A Telstra spokesperson told ARN: "Protecting the security of our customers’ data is a top priority. In this instance, our team member did not follow proper procedure and this information should not have been left on the screen. We apologise and we have reminded everyone in the store of their responsibilities."
The telco also explained that the password is only one step in the verification process and the account cannot be accessed with the password alone.
"We strongly recommend our customers select a unique, strong password. We understand the importance of security and we are exploring options for system, process and store design improvements," the spokesperson said.
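The cleartext display Hunt photographed is only possible if the verification password is stored in a recoverable form. As an added illustration (not code from the article or from either telco), the following Python shows a store-terminal flow in which the password exists only as a salted PBKDF2 hash, so a terminal can verify what a customer says but has nothing to show; the account record and field names are constructed assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this illustration.
PBKDF2_ITERATIONS = 200_000


def enrol_password(password: str) -> dict:
    """Store a random salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from what the customer says and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def terminal_view(account: dict) -> dict:
    """Fields a store terminal may render: the credential record is excluded entirely."""
    return {key: value for key, value in account.items() if key != "password"}


# Constructed sample account; the values are placeholders, not real customer data.
ACCOUNT = {
    "account_name": "Example Pty Ltd",
    "acn": "000 000 000",
    "mobile": "04XX XXX XXX",
    "password": enrol_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print(terminal_view(ACCOUNT))  # no password material appears on screen
    print(verify_password(ACCOUNT["password"], "correct horse battery staple"))  # True
```

Even with the hash on file, the terminal cannot recover or display the password; verification only confirms or rejects what the customer states in person.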
On 27 March, meanwhile, Hunt noticed that Geoffrey Huntley, a software developer and consultant at Telstra subsidiary Readify, had found that Optus terminals used an unsecured network.
This claim is based on Huntley's visit to one Optus store, of which he wrote on Twitter: "Dropped into @Optus to do some billing enquiries on a mobile phone service @ericlaw. I'm like yo my credit cards and financial information you're entering into this internet system isn't even fully encrypted".
The photo showed a page containing a contract, which Chrome labelled "not secure", prompting Huntley's concerns.
On 27 April 2017, Chrome started marking HTTP pages as “not secure” if they have password or credit card fields. Six months later, this was expanded to also apply when users enter data on an HTTP page, and on all HTTP pages visited in incognito mode. Starting in July, Chrome will mark all HTTP sites as “not secure”.
The issue became more notable when Huntley received a request from Optus to take the photo down, as the telco considered it to be intellectual property. It did not address the security issue, however.
The next step Optus took was to block Huntley from following and viewing Optus' tweets.
"The alarming thing about the way our local telco stores are physically designed is that they result in way too much leakage of sensitive personal information. Not just yours and mine either, that also includes the operators' credentials," Hunt wrote.
When contacted by ARN, an Optus spokesperson said: "Optus takes the privacy and security of our information and customer data seriously."
Optus then explained that personal and financial details, such as credit card information, are not stored on the platform photographed.
"This is an internal platform, and there are a number of safeguards that must be met internally for information to be accessed on this platform," the Optus spokesperson said.
Hunt wrote that his concerns are with the security of Australians' telco accounts, since phone numbers are often used in identity verification processes.
He suggests that, "store layouts need changing to protect customer privacy, customer password storage is obviously insufficient, operator practices need to evolve and let's face it, SMS is a very weak means of identity verification, largely because of deficiencies on the telcos' side".