Aussie Telcos are Failing at Some Fundamental Security Basics

Recently, I've witnessed a couple of incidents which have caused me to question some pretty fundamental security basics with our local Aussie telcos, specifically Telstra and Optus. It began with a visit to the local Telstra store earlier this month to upgrade a couple of phone plans which resulted in me sitting alone by this screen whilst the Telstra staffer disappeared into the back room for a few minutes:

This screen faces out into the retail store with people constantly wandering past it only a couple of metres away, well within the distance required to observe the contents of it. I've obfuscated parts of the screen above because no way, no how would I want to show this information publicly, especially my wife's password. She was pretty shocked when I showed her this as it was precisely the same verbal password as she used to authenticate to her bank. (Sidenote: she's an avid 1Password user and has been since 2011; this password dated back a couple of decades to when, like most people still do today, she had reused it extensively.)

I did raise this directly with Telstra, to which they replied "I want to make sure that this is fully investigated, it's definitely concerning". Yet clearly this is standard practice: the terminals the operators use are specifically designed to face into the public areas of the store, and the interfaces they use are obviously designed to show the password (and, equally obviously, the passwords are not stored as secure cryptographic hashes). That was 27 days ago and to date, there's been no follow-up from Telstra despite being told they'll "update me soon".

Then, just yesterday I saw this one from fellow Aussie techie Geoff Huntley:

As of today, Chrome will show a "Not secure" warning when an unencrypted page requests passwords or credit cards (which appears to be the case here) or when entering text into a form field. In the next few months, it will show all pages requested over an unencrypted connection as "Not secure". The risk this poses is that any intermediary able to intercept the traffic has the ability to read and modify the data (and yes, that applies to internal company networks as well).

Now, when a company is called on the presence of a glaringly obvious security omission, the correct response is to say "thank you for your feedback, we'll escalate this internally". The incorrect response is this one:

Rather than acknowledge the problem, Optus elected to send Geoff a DM asking him to remove the photo (and another similarly benign one of a terminal facing the public) because somehow, that URL in the address bar (which is merely an internal host name) constitutes their intellectual property. It's almost as though they don't want it being shown publicly...

If that was the end of it you probably wouldn't be reading this now, but rather than acknowledging that perhaps there's a problem that needs fixing, Optus stuck their fingers in their proverbial ears and started singing:

Alarmingly, this is not unprecedented and I've been blocked before myself for reporting a security incident. But it's totally unacceptable behaviour on behalf of any organisation, let alone one of our largest telcos.

The alarming thing about the way our local telco stores are physically designed is that they result in way too much leakage of sensitive personal information. Not just yours and mine either, that also includes the operators' credentials:

Just how much can you do with those credentials? Assuming you have access to an unattended terminal as I did earlier on (albeit one that was already unlocked), the mind boggles. These are not super-sophisticated security concepts either, they're fundamental basics that most organisations drill into their people: protect what's on your screen, don't allow other people to observe your password, always lock an unattended terminal.

Here's the bigger issue that concerns me in both the Telstra and Optus cases: the security of our telecommunication accounts is increasingly paramount these days. Our phone numbers are used for all sorts of identity verification processes with other services; weaknesses in telco security translate directly through to compromises of email, bank and social accounts; there are some absolute horror stories out there. Want to login to your myGov account using 2FA? They'll send you an SMS and yes, that's in addition to entering your credentials but the whole point of 2FA is that it should be resilient to credential theft!

These are not simple fixes: store layouts need changing to protect customer privacy, customer password storage is obviously insufficient, operator practices need to evolve and let's face it, SMS is a very weak means of identity verification, largely because of deficiencies on the telcos' side. But they're important issues in an era of increasing dependency on mobile and one would hope that at the very least, Telstra and Optus would seek to improve the situation rather than simply ignoring or blocking complaints from disgruntled customers.


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals