How to protect yourself from inevitable Optus-style hacks

Data breaches like the one affecting Optus customers prove that there’s no guaranteed way to keep your data safe. You can be as vigilant as you like, but you still have to give over your details to prove who you are and one day that data may end up in the hands of crooks.

But whether you’ve been affected by the latest breach or not, there are still things you should know to keep yourself, your accounts and your credit as safe as you can.

Whether you’re an Optus customer or not, there are things you can do to protect yourself from identity theft. Credit: Cole Bennetts

Why do telcos keep this much data about their customers?

Australian law requires that telcos retain certain information for at least two years after collection, and this includes details used for identification purposes. That means that if you provide a piece of data for the purposes of proving your identity to a telco, it will be retained for two years or potentially longer. This does not include passwords, PINs or answers to secret questions, but it does include addresses, passport numbers and driver’s licence details.

What happens if this data ends up in the hands of criminals?

While a single piece of identity data on its own may not be much use to criminals, a matching set of various data can be exploited for identity theft, SIM jacking or breaking into online accounts. A criminal with access to your name, date of birth and several identifying documents, for example, could apply for credit in your name and spend up big while the bill goes to you.

With your phone number and a collection of other data they could get a copy of your SIM card, so that when they break into your bank account the verification SMS goes to their phone instead of yours. Data can also be used to craft convincing phishing attacks, where you (or others) are tricked into handing over more data via email or text.

How did this breach happen, and what’s an API?

The details are still unclear, and Optus said it is limited in what information it can give since the breach is under police investigation. Home affairs minister Clare O’Neil has suggested Optus failed in its duty to protect the data, while the telco claims it was victim to a sophisticated attack that would have been difficult to defend against.

You may have heard the term API being used in relation to Optus’ breach. It stands for application programming interface, but you can think of it as a way for websites or programs to talk to each other and exchange data. So in this case, an API could have been designed to provide customer data to internal Optus systems.

Reports have suggested that the person who stole the Optus data merely exploited a poorly designed Optus API that handed over the details, a claim which Optus CEO Kelly Bayer Rosmarin has rejected.

How do I know if my data’s been caught up in this breach?

As of Monday morning, Optus said it had sent out emails or text messages to all customers and former customers whose ID document numbers — such as passport or driver’s license numbers — were compromised. It then moved on to customers whose other details, such as email addresses, were compromised. So if you haven’t heard from Optus, it’s likely the telco doesn’t believe you’ve been affected.

What should I do if I get an email from Optus?

As ever, criminals are looking to take advantage of any widespread panic or concern, so you should be vigilant and make sure any communication claiming to come from Optus actually is from Optus. Check that the “from” address ends in optus.com.au, and remember that there should be no links or requests for information in any Optus emails.
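The “from” address check above is easy to get subtly wrong: a plain “ends in optus.com.au” test would also accept a lookalike such as notoptus.com.au, and the domain has to be read from the address itself rather than from the display name. The following is an added Python example (not from the article or from Optus) that performs the check properly; the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# The domain the article says legitimate Optus emails come from.
TRUSTED_DOMAIN = "optus.com.au"


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From: header.

    Only the address part is used, so a display name such as
    '"noreply@optus.com.au" <x@attacker.example>' is not mistaken
    for the sending domain.
    """
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_from_trusted_domain(from_header: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if the address domain is `trusted` or a subdomain of it.

    Requiring the dot boundary is what rejects 'notoptus.com.au', which
    ends with the string 'optus.com.au' but is a different domain.
    Passing this check does not prove the mail is genuine (From: headers
    can be forged); failing it is a strong sign that it is not.
    """
    domain = sender_domain(from_header)
    return domain == trusted or domain.endswith("." + trusted)


# Constructed sample From: headers (not real Optus mail) showing the
# shapes a recipient might see.
SAMPLES = [
    "Optus <noreply@optus.com.au>",                # exact trusted domain
    "Optus Support <alerts@mail.optus.com.au>",    # subdomain, accepted
    "Optus <security@notoptus.com.au>",            # lookalike, rejected
    "Optus <help@optus.com.au.attacker.example>",  # trusted name as prefix
    '"noreply@optus.com.au" <x@attacker.example>', # domain only in display name
    "optus.com.au",                                # no address at all
]


def classify(headers):
    """Map each header to whether it passes the domain check."""
    return {h: is_from_trusted_domain(h) for h in headers}


if __name__ == "__main__":
    for header, ok in classify(SAMPLES).items():
        print(f"{'OK ' if ok else 'BAD'}  {header}")
```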

The email will let you know what kind of data is affected. Importantly, it will indicate whether ID document numbers such as passports were affected, but it will not explicitly say which documents. Obviously, there’s nothing you can do to remedy your name, date of birth, or residential address being distributed, and it can be very difficult to proactively change your driver’s licence or passport number before fraudulent activity occurs.

So the best course of action may be to secure your accounts and identity as best you can, and keep an eye on your credit.

How do I secure my accounts?

Optus says no passwords were compromised in the breach, but if you use the same password across multiple sites that may not matter. Criminals could, for example, match their set of data from the Optus breach with a password from a previous breach, and have enough to do a lot of damage. Best practice is to use a password manager like Bitwarden, LastPass or 1Password, which generates a strong password automatically for each of your accounts.

Any service that has payment information saved, like bank apps, Amazon or eBay, will be prime targets. Change your passwords, and while you’re there check to see what happens if you try to log in without knowing the password. If all it does is send you an email, make sure that email account is also locked down and investigate whether the account offers more secure protection.

Many accounts allow two factor authentication, so if you log on from a new device you have to prove your identity with a code. Doing this by SMS is somewhat secure, but as explained above is vulnerable to SIM jacking, so using an app like Authy or Google Authenticator is better. Just be sure to keep any provided backup codes in a safe place so you don’t get locked out in the event you forget your password and lose your phone.

As for your phone account, your telco should allow you to add extra security with a password you have to give verbally, although Optus’ phone lines are reportedly quite busy at the moment. Criminals with enough personal information can also potentially bluff their way around these requirements.

What about my credit?

Credit reporting companies like Equifax, Experian and Illion can put a freeze on your credit, if you’re worried about criminals taking out money in your name. But this will, of course, make it difficult to take out credit yourself, and it’s only temporary so won’t stop attacks far down the track.

For Optus customers whose identity documents were accessed, Optus has promised to provide a 12 month subscription to Equifax’s paid credit alert service, which will notify you of any credit checks that may be suspicious. It’s currently unclear how to redeem this service.

Is there anything else I can do?

It’s easy to feel powerless in situations like this, given that proving your identity is necessary and data breaches are all but inevitable. However, while there may be little you can do to keep crims away from your data, you can always tighten up your digital hygiene to make it tough for that data to be used against you. This applies equally to Optus customers and everyone else.

Check all your email addresses against HaveIBeenPwned, a website that will tell you if they’ve been included in any known data breaches. It can be a good reminder that data about you may have been circling the internet for decades now and is being collected by criminals. Regularly change your passwords to email accounts, social media and any service that has vital or financial information about you. Or better yet use a password manager, and two factor authentication.

Always be vigilant with emails, text messages or calls asking you for any information. Don’t click any links. If you think the contact is legitimate, find the appropriate phone number or website address and contact them there.
