I hacked a friend's Telstra mobile account with their permission late one night this week, using just one trivial piece of information.
Once in, I was able to see who they called, from where (down to the suburb), at what time and date and the duration of calls. I was also able to see their home address, account number and chosen plan. I was essentially able to see their phone's metadata, although not who called them.
Up until Wednesday morning Telstra, like many other companies, protected its customers' data using just one key piece of information: a subscriber's date of birth. Arguably it was three pieces of information – their name, number and date of birth – but as I already knew the person's name and mobile number, all I needed to access their account was their date of birth, which was on Facebook.
Armed with this information I signed up as my friend to Telstra's online portal and was in. They were notified via text message and email that a new account had been created in their name but as it arrived while they were asleep it was too late for them to do anything about it.
In all my years of reporting on IT security, this was a doozy of a flaw to find. For a journalist who uses a mobile phone to contact numerous sources, this was alarming. It should also be alarming to Telstra subscribers, as it is believed private investigators use similar techniques to gain access to telephone records when checking if wives or husbands are cheating.
How exactly is someone's date of birth a secret? It's not. Take for example the Telstra chief executive, David Thodey. His birth date is May 14, 1954 according to his Wikipedia page and numerous news profiles.
Combine that with Mr Thodey's mobile or landline number and one would have been able to get in. It's much harder to know the mobile number of David Thodey, of course – unless you know him personally – but there are many who do.
Dates of birth are not secret. Heavens, my parents outed my birthdate in my hometown newspaper when I was born and this is now accessible for a small fee through online newspaper archives.
The dates of birth of company directors are also divulged in publicly accessible ASIC records for a small fee.
And then there are birthdays, when your milestones are inevitably shared with friends and colleagues.
Given this, you'd think organisations would stop using dates of birth as a way of proving identity.
Two years ago I raised this issue with Telstra publicly on its Facebook page. Back then its response concerned me.
You should ensure 'that your details aren't made quite so public', a Telstra representative said.
'It is a digital era, which of course makes information a lot easier to retrieve, however there are ways certain things can be kept sacred.'
It said its procedure was 'the same for almost every company'.
It is right there. But that doesn't make the practice a good one.
Telstra took the opportunity to make changes to its identity verification procedures, following Fairfax Media's enquiries. Fairfax waited for the security to be upgraded before publishing this story.
The company said it planned to implement the changes later this year but has now brought them forward. It will now ask for account numbers, in addition to name, phone number and date of birth. Telstra's contact centres are also adding further security questions for transactions that carry a higher risk, such as change of account ownership or mobile number porting.
I accessed my friend's account to test the flaw after a reader contacted me complaining their account had been accessed in a similar way. Had I done this without permission I would have committed a computer crime punishable by up to two years' jail. But hackers flout the law all the time.
In 2012 Mr Thodey said 'customer privacy is not negotiable' and that the company had 'to do better' for its customers. I'm glad Telstra decided to listen to that sage advice this week.
I still worry about other companies which are yet to figure out a way to verify the identity of customers other than using dates of birth.
The same should be said about the ease with which mobile numbers can be ported to new SIM cards on a variety of telcos in Australia. At present, a mobile phone number or account number and date of birth is all that is needed in most cases to move a mobile number from one telco provider to another.
The Communications Alliance, which represents Telstra, Optus and Vodafone, has previously argued that adding more security to this process would slow it down for the more than 170,000 Australians porting their services each month.
And although industry participants trialled adding security questions in 2011, they removed the added protection for reasons of competition and database performance.
Ben Grubb is a Desk Editor/Locum Homepage Editor for The Sydney Morning Herald.