Remember the parable of the frog who slowly gets cooked to death in a pot as the temperature rises – well, the same is true for Australians, as civil liberties, such as the use of cash, are removed even as the digital architecture for future control is put in place. You can see parallels elsewhere around the world, aligned with the agenda of several high-profile non-elected bodies like the World Economic Forum – of “you will own nothing and be happy” fame.
Australia’s Digital ID Bill 2023 was initially introduced to the Senate on November 30, 2023, and has since undergone a Senate inquiry and brief consultation period before this week being pushed through the Senate without debate. Despite assurances of voluntariness and promises to simplify citizens’ lives, the Labor government has faced backlash for the lack of scrutiny given to the bill.
And there is, of course, the wider story here, potentially linking digital ID with Central Bank Digital Currency and Social Scores, perhaps enabling the idea peddled by the World Economic Forum and other non-elected global entities that we the people can be better controlled in terms of what we can say, or even purchase. So if you value your privacy, liberty and the rule of law, the Digital ID Bill must be defeated; it is time to put pressure back on the House of Representatives when the amended bill comes back.
We look at the future of cash in the light of the emergence of a global digital currency, and the paper released for discussion by the Reserve Bank of New Zealand.
Facebook Inc. has been paying hundreds of outside contractors to
transcribe clips of audio from users of its services, according to
people with knowledge of the work.
The
work has rattled the contract employees, who are not told where the
audio was recorded or how it was obtained — only to transcribe it, said
the people, who requested anonymity for fear of losing their jobs.
They’re hearing Facebook users’ conversations, sometimes with vulgar
content, but do not know why Facebook needs them transcribed, the people
said.
Facebook confirmed that it had been transcribing users’ audio and said it will no longer do so, following scrutiny into other companies. “Much like Apple and Google, we paused human review of audio more than a week ago,” the company said Tuesday. The company said the users who were affected chose the option in Facebook’s Messenger app to have their voice chats transcribed. The contractors were checking whether Facebook’s artificial intelligence correctly interpreted the messages, which were anonymized.
The social networking giant, which just completed a $5 billion settlement
with the U.S. Federal Trade Commission after a probe of its privacy
practices, has long denied that it collects audio from users to inform
ads or help determine what people see in their news feeds. Chief
Executive Officer Mark Zuckerberg denied the idea directly in
Congressional testimony.
The ACCC says that Australians are set to lose a record amount to scams in 2019, with projections from losses reported to Scamwatch and other government agencies so far expected to exceed $532 million by the end of the year, surpassing half a billion dollars for the first time.
This year’s National Scams Awareness Week
(12-16 August) theme is “too smart to be scammed?” and the ACCC, along
with over 100 campaign partners from government and industry, is urging
consumers to test their scams knowledge and refresh their scam
protection and detection skills.
“Many people are confident they would never fall for a scam but often
it’s this sense of confidence that scammers target,” ACCC Deputy Chair
Delia Rickard said.
“People need to update their idea of what a scam is so that we are
less vulnerable. Scammers are professional businesses dedicated to
ripping us off. They have call centres with convincing scripts, staff
training programs, and corporate performance indicators their
‘employees’ need to meet.”
Investment scams are one of the most sophisticated and convincing
scams and continue to have the highest losses. Nearly half of all
investment scams reported this year resulted in a financial loss.
These scams are prominent on social media, with ‘Facebook lottery’
scams, the ‘Loom’ pyramid scheme, and cryptocurrency scams particularly
common.
Cryptocurrency investment scams have seen record losses, with reports
to the ACCC alone of $14.76 million between January and July 2019. Many
use social media platforms, fake celebrity endorsements or fake online
trading platforms that are made to look legitimate.
Protection advice
“Our advice is to be wary of ads you see on the internet. Don’t be
persuaded by celebrity endorsements or ‘not to be missed’ opportunities.
You never know for certain who you’re dealing with or whether they’re
credible,” Ms Rickard said.
“If you think you’re speaking to a friend on social media, call them,
or find another way to contact them before acting on any advice that
might result in you giving away your personal details or money.”
Scamwatch also suggests that people check ASIC’s list of companies you should not deal with.
If the company that contacted you is on the list – do not deal with
them, and even if they are not listed, continue researching and speak to
a financial advisor before investing.
Be vigilant on social media, when shopping online and when answering
the phone, and never give anyone who has contacted you out of the blue
your personal details, banking details or remote access to your
computer, no matter who they say they are. It’s best to assume scammers
are everywhere, waiting for you to let your guard down.
“Remember, anyone could fall victim and no one is ‘too smart to be
scammed’. Always ask yourself, ‘could this be a scam?’ and if you’re
ever in doubt, decline the contact or hang up the phone – it’s often the
safest option,” Ms Rickard said.
The ACCC has produced a series of videos with tips and tricks on how to spot a scam, and to test people’s awareness of scams. The full series is also available on YouTube.
Late on Friday 26 July 2019, NAB began contacting approximately 13,000 customers to advise that some personal information provided when their account was set up was uploaded, without authorisation, to the servers of two data service companies.
NAB’s security teams have
contacted the companies, who advise that all information provided to them is
deleted within two hours.
NAB Chief Data Officer,
Glenda Crisp, said the compromised data included customer name, date of birth,
contact details and in some cases, a government-issued identification number,
such as a driver’s licence number.
“We take the privacy and the
protection of customer information extremely seriously and I sincerely
apologise to affected customers. We take full responsibility,” she said.
“The issue was human error
and in breach of NAB’s data security policies.”
Ms Crisp said it was not a
cyber-security issue. No NAB log-in details or passwords have been compromised
– and NAB’s systems remain secure.
“Our number one priority is
to support our customers. We are moving quickly to proactively contact every
person affected.”
NAB is calling, emailing or
writing to each impacted customer individually. A dedicated, specialist support
team is in place, available to them 24/7.
If government identification
documents need to be reissued, NAB will cover the cost.
NAB will also cover the cost
of independent, enhanced fraud detection identification services for affected
customers.
Importantly there is no
evidence to indicate that any of the information has been copied or further
disclosed.
NAB is advising impacted
customers that they do not need to take any action with their account.
“We have reviewed these
customers’ accounts, over and above our rigorous normal checks, and have not
identified any unusual activity. We will continue to monitor 24/7 to
protect our customers’ accounts,” Ms Crisp said.
NAB has also notified and is
working with industry regulators, including the Office of the Australian
Information Commissioner.
Ms Crisp said: “We take full
responsibility. We can assure you that we understand how this happened and we
are making changes to ensure this does not happen again.”
The open banking regime officially began yesterday with the four major banks offering data on a variety of products as part of the regime’s roll-out, via InvestorDaily.
The
four major banks had a deadline of 1 July to make product data
available on all credit and debit card, deposit and transaction accounts
with more products to follow.
By February, first mortgage data
will have to be available, with eventually all products being available
for the major banks by 2020. 1 July 2020 is the start date for all other
banks to begin offering their credit and debit card product data with
an end date of 2021.
Customer data will be included in the regime
by 1 February 2020, which will allow consumers to more fully control
their data and enable greater transparency and competition throughout
the industry.
Open banking has been sweeping across the world, with the most relatable example for Australia being the UK open banking regime.
The
UK introduced theirs following an exposure of poor practice, not
dissimilar to Australia. Where it differs though is that the UK regime
applies to only nine banks, whereas Australia’s will apply to all ADIs.
The
Australian regime only grants read-only access to data with reciprocal
obligations and an eventual plan to open to other industries, such as
utilities.
What it will eventually mean is that customers of a
bank can request or give consent for their data to be shared with an
accredited third party, such as a bank, financial services provider,
utility provider or a telecommunications provider.
The regime will
break down the barriers consumers have faced in finding the best
banking products and eventually switching to that provider.
Commonwealth
Bank’s general manager of digital banking, Kate Crous, told Investor
Daily that the bank was supportive of the model that puts customers in
control and had worked hard to ensure they were ready.
“We have
worked hard with regulators and other industry participants to ensure
the Consumer Data Right regime will be successful, particularly in
building consumer trust and confidence around the use and exchange of
their data.
“The first milestone is publishing product information
via an application programming interface (API) from 1 July 2019. This
will enable an easier comparison of banking products from financial
institutions and allow the industry to test the APIs before sharing
consumer data next year,” she said.
Ms Crous said developers are now able to access information on how to integrate with the CBA APIs.
Westpac’s chief data and strategy officer, Jamie Twiss, said keeping data safe was crucial and the pilot was an important step.
“Westpac
is focusing on creating a trusted open banking regime that is secure,
flexible and easy to use for all Australians. The pilot program will lay
initial foundations to test the performance, reliability and security
of the system before any personal consumer data is shared. It will also
give software developers and fintechs a network of financial
institution’s data to build and improve financial services.”
Westpac
will provide generic information on product data as of today, which
will include interest rates, discounts, eligibility criteria, product
features and descriptions plus fees and charges.
A NAB
spokesperson told Investor Daily that their focus was on ensuring that,
as an industry, open banking worked for the consumer.
“This is a
complex change to the industry and the timelines are challenging, but we
firmly believe that speed shouldn’t compromise safety and customer
experience; getting it right is paramount to consumer trust and
confidence in the system,” NAB said.
The spokesperson
said NAB had been actively developing processes since 2017 to
be ready for open banking and would continue to work with Data 61 and
ACCC.
Fintech response
Deputy chief
executive of neobank Volt, Luke Bunbury, said it will mean that the
incumbent banks will need to innovate to compete with newer entrants.
“This
means the incumbent banks will have to innovate to compete, as there
will be a long line of fintechs and neobanks like Volt wanting to
harness this data to offer customers a superior banking experience.
“Customers
will be the masters of their data, and third parties will have to earn
it by being innovative and trustworthy,” he said.
Part of this was changing the narrative by offering an improvement to lives and not just the sale of products, said Mr Bunbury.
“Volt
and other innovative banks will be able to help Australians find and
secure better deals on a range of banking and even non-banking services,
like utilities and travel.
“By enabling data to be shareable
across financial institutions, it will be also possible for customers to
manage multiple bank accounts from one mobile app, regardless of
whether the accounts are held with rival banks,” he said.
Chief executive of Verrency David Link said the regime was going to eventually drive greater innovation.
“While
1 July 2019 will not drastically change the way Australians bank – as
only product, rather than customer, data will be available until 1
February 2020 – this is a huge step towards that much more
transformative change,” Mr Link said.
Banks would have to start to
offer a personalised consumer offering, said Mr Link, and those that
are agile were going to thrive.
“The effective use of data and
access to new value-added services will slowly become a major
decision-driver for consumers when it comes to choosing or changing who
‘owns their relationship’.
“Banks which don’t take this extremely
seriously are going to slowly struggle to remain competitive. On the
other hand, those which take steps to become more agile – especially in
their ability to deliver value around the consumer relationship – are
going to thrive in the post-open banking landscape,” he said.
Amid the ongoing discussion around who should bear the responsibility for assisting vulnerable customers, recent data has revealed further need for targeted care and education, as Australians are falling prey to bank fraud and other financial scams at an alarming rate, via Australian Broker.
According to the KPMG Global Banking Fraud Survey, 61% of banks
worldwide have reported an increase in fraud – both in value and volume –
over the past three years, with Australia being among the countries hit
the hardest.
“We are seeing a disproportionately high volume of scam attempts on
Australians – there were 177,000 scam reports here last year, costing
almost half a billion dollars. This compared to around 85,000 scam
reports in the US and UK, with far bigger populations,” said Natalie
Faulkner, KPMG global fraud lead.
KPMG’s survey found customer awareness is key for detecting fraud and
reducing losses, and the firm called for more to be done to
educate consumers. While branch staff in banks are a major point of
contact, brokers – who now help six in 10 home owners to secure a mortgage – are naturally on the front line of this work.
“Education should be multifaceted to reach different audiences. For
example, many scam victims tend to be the elderly or socially isolated,
so education should not just be through digital channels but also
through television, traditional media and even face-to-face sessions
with vulnerable customer groups,” said Faulkner.
The data also revealed that cyber-related fraud is the most
significant challenge faced worldwide, a reflection of the growth in
digital banking.
“This is set in the context of a changing global banking landscape,
where branch networks are shrinking, volumes of digital payments are
increasing and there is less customer face time,” explained Faulkner.
Open banking –
which will be implemented next week – was mentioned as an emerging
challenge in fraud risk, as it will see banks allowing third parties to
access their customer data.
However, Faulkner noted, “On a positive note, having more
transparency across accounts will enable the banks to know their
customer more holistically and trace funds in fraud detection.”
Westpac has confirmed that the bank “detected mis-use” of the New Payments Platform’s PayID feature and “took additional preventative actions which did not include a system shutdown.” Via Computerworld.
Fairfax Media yesterday revealed details of the incident,
citing a confidential Westpac memo that said around 60,000 NPP PayID
lookups were made from seven compromised Westpac Live accounts. Around
98,000 “successfully resolved to a short name and this was displayed to
the fraudster,” the memo said, according to Fairfax.
“No customer bank account numbers were compromised as a result,” a spokesperson for the bank told Computerworld in a statement. “Westpac Group takes the protection of customer data and privacy extremely seriously.”
The NPP was launched in February 2018.
The platform enables real-time transfers between banks as well as a
number of other features including data-enriched transactions. As of
February this year, more than 75 financial institutions supported
the system, with 52 million account holders able to make payments via the
NPP, according to NPP Australia, which maintains the platform.
PayID
is the platform’s addressing service. It allows payments to be directed
using an alternative identifier, such as an email address, ABN or phone
number, rather than using a BSB and account number.
“NPP Australia has firm regulations in place that require
participating financial institutions to monitor, detect and shut
down any attempts to harvest data from PayID,” an NPP Australia
spokesperson said. “NPP Australia is working closely with Westpac on
this matter.”
“No financial details or credentials are available
from the PayID database, and therefore none of these details have been
compromised,” the spokesperson said. “The only details obtained have
been the account name which was designed to be returned to a legitimate
enquiry.”
A PayID can’t be used to withdraw funds and “on its own cannot be used to create a false identity,” the spokesperson said.
“While
this incident was unacceptable, the information obtained would be
readily available in other public places,” the spokesperson said. “All
participating financial institutions are on notice and may apply
additional security controls if deemed necessary.”
“PayID was designed to provide more reassurance during the
payments process; it enables a payer to see the name associated with a
PayID to reduce the risk of a mistaken payment or scam,” the
spokesperson said.
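The monitoring obligation described above can be illustrated with a small detection routine, added here as an example and not taken from Westpac, NPP Australia or the original article. It flags an account that looks up many distinct PayIDs in a short window while almost none of those lookups lead to a payment; the log format, account names, thresholds and sample events are all assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All three thresholds are assumptions for this example, not NPP rules.
WINDOW = timedelta(minutes=10)   # sliding window per source account
MAX_DISTINCT = 20                # ceiling on distinct PayIDs looked up per window
MIN_PAID_RATIO = 0.10            # floor on share of lookups followed by a payment


def detect_harvesting(events, window=WINDOW, max_distinct=MAX_DISTINCT,
                      min_paid_ratio=MIN_PAID_RATIO):
    """Return {account: alert} for accounts whose lookups look like harvesting.

    events: iterable of (timestamp, account, payid, paid), where `paid` says
    whether a payment to that PayID followed the lookup (hypothetical log
    format, assumed to be available when the log is reviewed).
    """
    recent = defaultdict(deque)   # account -> lookups still inside the window
    alerts = {}
    for ts, account, payid, paid in sorted(events, key=lambda e: e[0]):
        q = recent[account]
        q.append((ts, payid, paid))
        # Drop lookups that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if account in alerts:
            continue              # keep only the first alert per account
        distinct = len({p for _, p, _ in q})
        paid_ratio = sum(1 for _, _, was_paid in q if was_paid) / len(q)
        # High volume alone is not enough: a payroll run is high volume too.
        if distinct > max_distinct and paid_ratio < min_paid_ratio:
            alerts[account] = {"first_alert": ts,
                               "distinct_payids": distinct,
                               "paid_ratio": round(paid_ratio, 2)}
    return alerts


def sample_events():
    """Constructed log: an ordinary customer, a bulk payer, a harvesting account."""
    t0 = datetime(2019, 1, 1, 9, 0, 0)
    events = []
    # ACC-A: three lookups over forty minutes, each followed by a payment.
    for i in range(3):
        events.append((t0 + timedelta(minutes=20 * i), "ACC-A",
                       f"+6140000000{i}", True))
    # ACC-B: payroll-style run, 30 lookups in five minutes, all paid.
    for i in range(30):
        events.append((t0 + timedelta(seconds=10 * i), "ACC-B",
                       f"staff{i}@example.com", True))
    # ACC-C: 50 distinct lookups in under five minutes, none followed by a payment.
    for i in range(50):
        events.append((t0 + timedelta(seconds=5 * i), "ACC-C",
                       f"+61400001{i:03d}", False))
    return events


if __name__ == "__main__":
    for account, alert in detect_harvesting(sample_events()).items():
        print(account, alert)
```

Pairing lookup volume with the payment ratio keeps the bulk payer (ACC-B) from being flagged, while the account that resolves names without ever paying trips the alert on its 21st distinct lookup.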
The inaugural review of the Notifiable Data Breaches Scheme has revealed that the finance sector is one of the most at-risk sectors when it comes to data breaches, via InvestorDaily.
The
Notifiable Data Breaches Scheme was set up over a year ago when it
became a legal requirement for entities to carry out an assessment
whenever they suspected that there had been a data breach.
The
report, which looks back over the scheme’s last 12 months, found that the
finance sector had the second highest number of data breach
notifications under the scheme.
In 12 months the NDB reported 964
notifications of which 134 were made by the finance sector with human
error accounting for 41 per cent of the data breaches.
“The
consistent presence of the health and finance sectors at the top of the
rankings throughout the year likely reflects the scale of data holdings,
volume of processing activities and/or sensitivity of the personal
information held by those sectors, as well as those sectors’ higher
preparedness to report data breaches,” said the report.
The
scheme is clearly working given that data breach notifications went
from 127 under the voluntary scheme in 2018-19 to 722 as a result of the
compulsory scheme.
The report also acknowledged that the finance
sector offered a great financial reward for cyber criminals, which it
linked to the rise in attacks in recent years.
“Accordingly, a
high proportion of finance sector breaches—56 per cent—were attributed
to malicious or criminal attacks,” it said.
Despite this, contact
information was the most common form of personal information disclosed
through data breaches, with 86 per cent of notifications.
Over
half of all breaches (60 per cent) across the regulated entities were
attributed to malicious or criminal attacks with phishing continuing to
be the most common method.
In a further 28 per cent of cyber
incidents, credentials were obtained by unknown means, as the
entities had not detected any phishing-based compromise.
Fortunately,
83 per cent of breaches affected fewer than 1,000 people with most
attacks affecting just one person, but there were 19 attacks where an
unknown number of people were affected.
The Australian
information and privacy commissioner Angelene Falk, who operates the
scheme, said that many entities were actively engaged with the scheme to
create better practices.
“Many entities have taken a proactive
approach in engaging with the OAIC, and we have been able to work
constructively with those in their response.
“As the year has
progressed, some maturation has been evident in entities assessing the
likely consequences of a data breach and in their subsequent
notification processes,” she said.
Moving forward, Ms Falk said that she expected entities to take proactive steps to prevent breaches.
For
the finance industry, steps are already being taken with the
introduction of APRA’s prudential standard on information security which
will help ensure the finance sector’s resilience to information
security incidents.
“I encourage entities regulated by the Privacy Act
to review the report and use the learnings to enhance their prevention
and response strategies for the benefit of all Australians,” said Ms
Falk.
When it comes to personal cybersecurity, you might think you’re doing alright. Maybe you’ve got multi-factor authentication set up on your phone so that you have to enter a code sent to you by SMS before you can log in to your email or bank account from a new device, via The Conversation.
What you might not realise is that new scams have made authentication
using a code sent by SMS messages, emails or voice calls less secure
than it used to be.
Multi-factor authentication is listed in the Australian Cyber Security Centre’s Essential Eight Maturity Model as a recommended security measure for businesses to reduce their risk of cyber attack.
Last month, in an updated list, authentication via SMS messages,
emails or voice calls was downgraded, indicating they’re no longer
considered optimal for security.
Here’s what you should do instead.
What is multi-factor authentication?
Whenever we log in to an app or device, we are usually asked for some
form of identity check. This is often something we know (like a
password), but it can also be something we have (like a security key or
an access card) or something we are (like a fingerprint).
The last of these is often preferred because, while you can forget a
password or a card, your biometric signature is always with you.
Multi-factor authentication is when more than one identity check is
conducted via different channels. For instance, it’s common these days
to enter your password, and an extra authentication code you need to
enter is sent to your phone via SMS message, email or voice mail.
Lots of services, such as banks, already offer this feature. You’re
sent a “one-time” code to your phone in order to confirm authority to
enact a transaction.
This is good because:
it uses two separate channels
the code is randomly generated, so it can’t be guessed
the code has a limited lifetime
How could this go wrong?
Suppose a cybercriminal has stolen your phone, but you have it locked
via fingerprint. If the criminal wants to compromise your bank account
and attempts to log in, your bank sends an authentication code to your
phone.
Depending on how your phone settings are configured, the code could
pop up on your phone screen, even when it’s still locked. The criminal
could then input the code and access your bank account. Note that “do
not disturb” settings on your phone won’t help as the message still
appears, albeit quietly. In order to avoid this problem, you need to
disable message previews entirely in your phone’s settings.
A more elaborate hack involves “SIM swapping”. If a criminal has some
of your identity details, they might be able to convince your phone
provider that they are you and request a new SIM attached to your phone
number to be sent to them. That way, anytime an authentication code is
sent from one of your accounts, it will go to the hacker instead of you.
This happened to a technology journalist in the US a couple of years ago, who described the experience:
At about 9pm on Tuesday, August 22 a hacker swapped his or her own
SIM card with mine, presumably by calling T-Mobile. This, in turn, shut
off network services to my phone and, moments later, allowed the hacker
to change most of my Gmail passwords, my Facebook password, and text on
my behalf. All of the two-factor notifications went, by default, to my
phone number so I received none of them and in about two minutes I was
locked out of my digital life.
Then there is the question of whether you want to provide your phone number to the service you are using. Facebook has come under fire
in recent days for requiring users to provide their phone number to
secure their accounts, but then allowing others to search for their
profile via their phone number. They have also reportedly used phone numbers to target users with ads.
This is not to say that splitting identity checks is a bad thing,
it’s just that sending part of an identity check via a less-secure
channel promotes a false sense of security that could be worse than
using no security at all.
Multi-factor authentication is important – as long as you do it via the right channels.
Which authentication combinations are best?
Let’s consider some combinations of multi-factor authentication that have varying degrees of ease of use and security.
An obvious first choice is something you know and something you have,
say a password and a physical access card. A cybercriminal has to
obtain both to impersonate you. Not impossible, but difficult.
Another combination is a password and a voiceprint.
A voiceprint recognition system records you speaking a particular
passphrase and then matches your voice when you need to authenticate
your identity. This is attractive because you can’t leave your voice at
home or in the car.
But could your voice be forged? With the aid of digital software, it
might be possible to take an existing recording of your voice, unpack
and re-sequence it to produce the required phrase. This is somewhat
challenging, but not impossible.
A third combination is a card and a voiceprint. This choice removes
the need to remember a password, which could be stolen, and as long as
you keep the physical token (the card or key) safe, it is very hard for
someone else to impersonate you.
There are no perfect solutions yet and using the most secure version
of authentication depends on it being offered by the service you are
using, such as your bank.
Cyber security is about managing risk, so which combination of multi-factor authentication suits your needs depends on the balance you accept between usability and security.
Author: Mike Johnstone, Security Researcher, Associate Professor in Resilient Systems, Edith Cowan University