Oh for heaven’s sake!  Can we all agree that the Optus event doesn’t really matter? 

I mean, it really does matter, of course!  But still, it kinda feels like deja view all over again [1] and I can’t help but think I should relax! It’s not my first time!

Once upon a time... [2]

Five years or so ago, a young friend of a friend of ours wanted to buy a car with some hard-earned savings and some finance to make up the balance. The process was no big deal; just fill out and sign these forms and then email them in, along with copies of your last pay slip, your current rental agreement and the front and back of your driver’s license (in colour please!).  And that’s what she did.

The finance application was successful and our friend was so happy!  Soon the car would be hers!  Just a small hiccup: Within two hours a message popped into her in-box telling her that the deposit payment details had changed and she’d need to use this brand new bank account!  Luckily, just before the money was excitedly paid into the ‘car dealer’s’ account, she mentioned the ‘car dealer’s’ speedy but unexpected response and we were able to warn her to check the change of payment details. Sure enough, the change request was fraudulent and her money was saved!  It would seem that the attacker’s game was lost, but was it, really?  Sure they didn’t get the bucks, but what about all that PII that was emailed in good faith by a youngster who was just trying to get a car? 

It’s hard to put a value on that PII for a youngster with a lifetime of credit checks to come, but that info (and all the other records that were probably hoovered up from the car dealer’s system) is certain to be valuable and considered a win by the attacker.

[Image: “No one has ever worried about that before!”]

And then

And then there’s the tale of my long-suffering wife and me, as we decided to escape the clutches of the Big 4 and refinance our home loan. It all happened just 18 months ago or so, when the person in charge of refinancing visited the salubrious offices of DotSec to have us complete the final loan-transfer forms.  And unsurprisingly, as we completed the forms, the person (who was really nice and knew heaps about loans, BTW) said, “And now all I need is a copy of both of your drivers’ licenses, back and front, in colour please”.  “No, no, no”, I said, “That’s not a good idea because one day your system will be breached and <cut to your happy place while a grumpy old man rattles on about insecure PII> and so I’d prefer not to”.  

And with that, I disappeared into the copy room (my desk, actually; DotSec’s offices are not that salubrious!) and scanned the licenses and then proceeded to use the Gimp [3] to create a big fat “COPY” stencil over the top of the scans, carefully obscuring the last three digits of our license numbers and the year of our DOB, before printing out the final masterpiece and handing it over.  “Why have you done that?” the loans person said, to which I replied, “Because one day you’ll be the victim of a data breach and <cut to your happy place while a grumpy old man rattles on about insecure PII> so this is a better idea. You can still certify that you’ve seen the original; you just don’t need to have the original copied on your laptop, in your email, on your backups, in the file system of the lender and <cut to your happy place while a grumpy old man rattles on about insecure PII>, you see?”  There was some silence while the loans person deliberated and then finally said, “Well, no one has ever worried about that before!”.

And then, just last month, the wife and I decided to extend a car loan (yes, I know it sounds like we have a lot of loans but we’re OK, really :-)). And yes, you guessed it:  Forms, signatures, “And now all I need is a colour copy of both of your drivers’ licenses, back and front. You can just photograph it on your phone and message it to me if that’s easier”.  Oh the pain, as my teeth chewed through my tongue, was indescribable!  “I’d rather not”, I spluttered through the blood, “because <cut to your happy place while a grumpy old man rattles on about insecure PII> so here, have these (Gimp-altered images) instead”.  To which the car-lease person replied, “Hmm… No one has ever worried about that before!”.

Is there a light at the end of the tunnel?

So while Deputy Prime Minister Richard Marles calls the Optus breach a “wake-up call for corporate Australia”, I’m concerned that we (in general) are not waking up; we are still sleep-walking and ignoring the reality: This is nothing new and without major changes, it will happen again. 

I was not always so cynical and for one fleeting moment just yesterday I thought there was light at the end of the tunnel:  You see, we were consolidating our life insurance (no seriously, we’re OK!) and the insurance company provides a user portal that allows us to do this quickly and easily.  Although I’d already logged in, the insurer portal wanted further proof of my ID before going ahead with the consolidation and so I needed to type my driver’s license number into a form field.  But that was all… No photos on my phone, no Gimp, no uploads; I just entered the number, pressed “Submit” and bang!  Verified!  I felt happy since presumably this insurer was on their game and had verified my details with the federal government’s Document Verification Service (DVS).  They were not storing my sensitive PII at all!  

But then I was sad (happiness can be so fleeting you know) because I remembered that across the whole country (don’t even think about off-shore call centres if you want to sleep tonight!) phone companies, finance companies, loan companies, job-search companies, real-estate agents, employers, pubs, nightclubs and restaurants have been needlessly, thoughtlessly and stupidly collecting copies of drivers’ licenses and passports (in colour, please) for years!  That license number [4] that I typed into the insurance portal has not a shred of value as any kind of unique identifier; it could have been typed in by anyone who has or stole one of the copies I’ve made over the years… Heck, I may as well distribute printouts of the damn thing at central bloody station!  

[Image: “The light at the end of the tunnel”]

And so I’m spent!  While it’s lovely to see governments promising to provide free driver’s license replacements, such a move won’t really help in the long term if organisations continue the lazy habit of threatening to withhold services (like employment, super, financial, entertainment and investment services) if PII is not handed over first, with no promise or agreement regarding how the PII will be protected [5]. Nor will new licenses help if the reporting laws continue to have the teeth of a jellyfish, and if the new licenses are again frequently-copied and widely-shared while the license number continues to be treated as some pseudo-magical, unique and private identifier. 

And so in closing I wonder:  Why did the Optus breach cause the perceived value of an individual’s PII to escalate so quickly?  I guess it’s got to do with the volume of information that has been lost, but from the perspective of an individual whose info is stolen, it doesn’t really matter if 1 or 10 million other people also lost their info as well. Ah well, whatever the case, I hope that the change in perception will be long-lived and will result in meaningful improvements; that would indeed be a good thing.  

PS: My wife and I got through it; we’re still insured and we still live in our house and drive our car 🙂

PPS: I’m exhausted now… I need to get some Gimp images together so I can go to the pub and have a beer!!

[1] Kath and Kim… couldn’t find the clip but you get the idea 🙂   https://www.youtube.com/watch?v=2aqr7Ykxc4Y

[2] No, not Star Wars again!  This time, it’s the Tale of the Crack Fox!  https://www.youtube.com/watch?v=dCuUnTJgD9M

[3] The Gimp is the GNU Image Manipulation Program.  You really need to use it ‘cause it’s free and brilliant!    https://www.gimp.org/

[4] Of course, there’s no question that the actual, physical license itself still has value as a secure identifier, especially if an authorised official is reading the card chip details on a secure terminal, probably in some kind of secure (or at least managed) physical environment.  But the more widely the number and photo on that license are copied and stored indefinitely, the less value those attributes (as far as being unique identifiers) will have.  

[5] Yes, we all know about the APPs and about the rules associated with data collection, purpose and retention. I’ll write another post on the APPs some day but in summary, blah!  I have personally assisted in breach containment and response assignments where years’ worth of PII has washed out to sea, and have been told very clearly by the corporate lawyers something along the lines of, “We have no evidence that this is ‘likely to result in serious harm to one or more individuals’ and so we do not consider this to be a Notifiable Data Breach.  And you’ve signed an NDA so…”.