Call it coincidence, but I was in the midst of a domestic internet security overhaul when news of the Optus hack broke. As we know, what the press is calling the biggest hack in Australian history left the private information of up to 10 million Optus customers open to potential abuse. Optus customers are clamouring to have their drivers’ licences and passports re-issued and there is talk of class actions.
Like most of us whose lives are largely lived online, we are, or should be, aware of the threat posed by scammers. Any day of the week you will hear of pensioners who lost their life savings, falling for some elaborate call centre scam. The sophisticated level of social engineering being employed by scammers is such that even savvy older people are falling victim to seemingly plausible communications via mobile phone, social media apps and email.
Just as we all lock doors and windows and turn on security systems before going on holidays, we should all be thinking about security for our electronic communications. My IT adviser swears by password managers – that is, subscribing to a company that will encrypt all of your online logins and passwords. You manage things at your end with a master password. But wait, I ask, isn’t this putting all of your eggs in one basket? If someone nabs your master password you’re screwed, right?
The best protection against electronic fraud is to use a two-step authentication system. This may be as simple as: login, password (now enter the four-digit code we just sent to your mobile phone).
Last time I went to do some internet banking, I was informed that my security token would soon expire. This is a small gadget (most people call them dongles) which display six constantly changing numbers). The process is: logon, password (dongle code).
In theory it is unhackable, as the security codes are constantly changing. I decided to order another ‘dongle’, only to be told that the bank preferred me to use their secure phone app. Send me a dongle, I replied, via secure email. After jumping through a few security hoops, I ordered a new physical dongle. The bank employee I dealt with (online) said the bank would waive the $20 fee as I had been a valued customer for many years (Melbourne Cup, here I come).
As a result of increasing data breaches and scams, we can expect government organisations and others to tighten security. After thoroughly checking it out first, I found that the Australian Securities and Investment Commission (ASIC) now requires all company directors to apply for a ‘digital security ID number’.
The recommended method for applying for a director identification number is by using the MyGovID phone app. The app requires you to scan identification documents into a mobile phone app. They also want your date of birth, physical address, email address and mobile phone number. Then you have to scan any unique identifying marks (moles, birthmarks, tattoos) – no wait, I made that bit up.
It’s quite an exercise.
But what if some enterprising Black Hat (master hacker) breaks into MyGovId? In theory this will create a lot of work for people whose professions involves producing ID documents. Just as we are seeing now with the Optus hack, everyone who uses MyGovID would need to replace their ID documents,
This new requirement by ASIC (which only applies to company directors), will, as they say, “help prevent the use of false or fraudulent director identities”. Directors who were appointed prior to November 2021 have until November 30, 2022 to apply. ASIC adds, “it is a criminal offence if you do not apply on time”.
If you think about it, multiple government and non-government organisations hold all manner of confidential information on us. At the very least, many of them already have our date of birth, passport and driver’s licence numbers, credit card details, direct debit for bank accounts and so on. When was the last time you booked online for a concert? Credit card?
In August, I was required to fill in an online hospital admission form when signing up for elective surgery. They wanted to know everything about me – even my BMI. I had to ask Sister Dee to explain that one. It’s a number arrived at by squaring your weight with your height. Anaesthetists need to know.
“They’ve got my height and weight,” I said to the admitting nurse. “He can work it out.” (Ed: It’s 23.6)
Then they wanted a copy of my power of attorney. I didn’t have a copy so had to ask our lawyer to send me one, post haste. Now that’s online too.
But methinks I doth protest too much – I did after all wake up.
It’s a good thing I decided to sign up for the now-obligatory company director security number. In the process, I discovered my passport will expire next year. Since we have plans to go to New Zealand, Canada and maybe Japan, I’d best get on my bike and order a new one. I suppose how long it takes depends on the Optus backlog, eh?
In the meantime, everyone who reads this column on a regular basis should know about the Scamwatch website. The Australian Competition and Consumer Commission (ACCC) keeps a running tally of internet scams, pesky robot phone calls and phishing scams (someone pretending to be your internet service provider, bank, tax office – whatever). Currently Scamwatch is alerting Australians that fraudsters will seek to exploit the Optus data breach. Last month the ACCC warned people who use WhatsApp to watch out for the ‘Hello Mum’ scam. Briefly, someone who apparently knows you have a son or daughter overseas will start a text conversation.
“Hi Mum, it’s me. I lost my phone and got locked out of my bank. Can you help?”
The correct answer should be something like – “If you are my daughter, what was the name of our cat when you were 12 and what was her favourite food?”
It’s no laughing matter. On August 3 Scamwatch reported that consumers lost $20 million to imposter bond investment scams. These scams impersonate real financial companies or banks and claim to offer government/Treasury bonds or fixed term deposits. People often fall victim after searching online for investment opportunities. Watch out for fake third-party comparison sites and too-good-to-be-true returns.
I have had a few interactions with our internet service provider over the years about phishing emails. They would often arrive in my inbox on iiNet letterhead (the sender’s email address is always dodgy). The gist is usually, “There is a problem with your invoice (which I just paid). Please click on this link and update your credit card details.” My arse!
The last time I complained, I forwarded the fake email to iiNet as requested. iiNet (second largest ISP in Australia), must have had some success since, as these rogue messages appear to have stopped. Their customers are not the only target. There are myriad instances of bogus emails purporting to be from banks, finance companies, telcos, e-commerce companies etc. The best response is block/blacklist/delete and keep doing it until they move on. And always report it to the company being impersonated. Oh, and always log out of Facebook and Messenger. But you knew that.