Digital Tyranny Is One Step Closer!

Remember the parable of the frog that slowly gets cooked to death in a pot as the temperature rises? Well, the same is true for Australians, as civil liberties such as the use of cash are removed, even as the digital architecture for future control is put in place. You can see parallels elsewhere around the world, aligned with the agenda of several high-profile non-elected bodies like the World Economic Forum – of “you will own nothing and be happy” fame.

Australia’s Digital ID Bill 2023 was initially introduced to the Senate on November 30, 2023, and has since undergone a Senate inquiry and brief consultation period before this week being pushed through the Senate without debate. Despite assurances of voluntariness and promises to simplify citizens’ lives, the Labor government has faced backlash for the lack of scrutiny given to the bill.

And there is of course the wider story here, potentially linking digital ID with Central Bank Digital Currency and social scores, perhaps enabling the idea peddled by the World Economic Forum and other non-elected global entities that we the people can be better controlled in terms of what we can say, or even purchase. So if you value your privacy, liberty and the rule of law, the Digital ID Bill must be defeated; it is time to put pressure back on the House of Representatives when the amended bill comes back.

http://www.martinnorth.com/

Go to the Walk The World Universe at https://walktheworld.com.au/

The Future Of Cash – A Questionnaire

We look at the future of cash in the light of the emergence of a global digital currency, and the paper released for discussion by the Reserve Bank of New Zealand.

https://www.rbnz.govt.nz/notes-and-coins/future-of-cash

New Zealand viewers have until 31st August to make a submission.

Facebook Transcribed Users’ Audio Chats

Via Bloomberg.

Facebook Inc. has been paying hundreds of outside contractors to transcribe clips of audio from users of its services, according to people with knowledge of the work.

The work has rattled the contract employees, who are not told where the audio was recorded or how it was obtained — only to transcribe it, said the people, who requested anonymity for fear of losing their jobs. They’re hearing Facebook users’ conversations, sometimes with vulgar content, but do not know why Facebook needs them transcribed, the people said.

Facebook confirmed that it had been transcribing users’ audio and said it will no longer do so, following scrutiny into other companies. “Much like Apple and Google, we paused human review of audio more than a week ago,” the company said Tuesday. The company said the users who were affected chose the option in Facebook’s Messenger app to have their voice chats transcribed. The contractors were checking whether Facebook’s artificial intelligence correctly interpreted the messages, which were anonymized.

The social networking giant, which just completed a $5 billion settlement with the U.S. Federal Trade Commission after a probe of its privacy practices, has long denied that it collects audio from users to inform ads or help determine what people see in their news feeds. Chief Executive Officer Mark Zuckerberg denied the idea directly in Congressional testimony

Record losses expected as scammers target Australians

The ACCC says that Australians are set to lose a record amount to scams in 2019, with projections from losses reported to Scamwatch and other government agencies so far expected to exceed $532 million by the end of the year, surpassing half a billion dollars for the first time.

This year’s National Scams Awareness Week (12-16 August) theme is “too smart to be scammed?” and the ACCC, along with over 100 campaign partners from government and industry, is urging consumers to test their scams knowledge and refresh their scam protection and detection skills.

“Many people are confident they would never fall for a scam but often it’s this sense of confidence that scammers target,” ACCC Deputy Chair Delia Rickard said.

“People need to update their idea of what a scam is so that we are less vulnerable. Scammers are professional businesses dedicated to ripping us off. They have call centres with convincing scripts, staff training programs, and corporate performance indicators their ‘employees’ need to meet.”

Investment scams are one of the most sophisticated and convincing scams and continue to have the highest losses. Nearly half of all investment scams reported this year resulted in a financial loss.

These scams are prominent on social media, with ‘Facebook lottery’ scams, the ‘Loom’ pyramid scheme, and cryptocurrency scams particularly common.

Cryptocurrency investment scams have seen record losses, with reports to the ACCC alone of $14.76 million between January and July 2019. Many use social media platforms, fake celebrity endorsements or fake online trading platforms that are made to look legitimate.

Protection advice

“Our advice is to be wary of ads you see on the internet. Don’t be persuaded by celebrity endorsements or ‘not to be missed’ opportunities. You never know for certain who you’re dealing with or whether they’re credible,” Ms Rickard said.

“If you think you’re speaking to a friend on social media, call them, or find another way to contact them before acting on any advice that might result in you giving away your personal details or money.”

Scamwatch also suggests that people check ASIC’s list of companies you should not deal with. If the company that contacted you is on the list – do not deal with them, and even if they are not listed, continue researching and speak to a financial advisor before investing.

Be vigilant on social media, when shopping online and when answering the phone, and never give anyone who has contacted you out of the blue your personal details, banking details or remote access to your computer, no matter who they say they are. It’s best to assume scammers are everywhere, waiting for you to let your guard down.

“Remember, anyone could fall victim and no one is ‘too smart to be scammed’. Always ask yourself, ‘could this be a scam?’ and if you’re ever in doubt, decline the contact or hang up the phone – it’s often the safest option,” Ms Rickard said.

The ACCC has produced a series of videos with tips and tricks on how to spot a scam, and to test people’s awareness of scams. The full series is also available on YouTube.

Visit scamwatch.gov.au to report scams and learn how to protect yourself. You can also follow @scamwatch_gov on Twitter and subscribe to Scamwatch radar alerts.

NAB Warns Of 13,000 Customer Data Breach

NAB late on Friday 26 July 2019 began contacting approximately 13,000 customers to advise that some personal information provided when their account was set up had been uploaded, without authorisation, to the servers of two data service companies.

NAB’s security teams have contacted the companies, who advise that all information provided to them is deleted within two hours.

NAB Chief Data Officer, Glenda Crisp, said the compromised data included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver’s licence number.

“We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers. We take full responsibility,” she said.

“The issue was human error and in breach of NAB’s data security policies.”

Ms Crisp said it was not a cyber-security issue. No NAB log-in details or passwords have been compromised – and NAB’s systems remain secure.

“Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected.”

NAB is calling, emailing or writing to each impacted customer individually. A dedicated, specialist support team is in place, available to them 24/7.

If government identification documents need to be reissued, NAB will cover the cost.

NAB will also cover the cost of independent, enhanced fraud detection identification services for affected customers.

Importantly there is no evidence to indicate that any of the information has been copied or further disclosed.

NAB is advising impacted customers that they do not need to take any action with their account.

“We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts,” Ms Crisp said.

NAB has also notified and is working with industry regulators, including the Office of the Australian Information Commissioner.

Ms Crisp said: “We take full responsibility. We can assure you that we understand how this happened and we are making changes to ensure this does not happen again.”

Open banking officially launches

The open banking regime officially began yesterday with the four major banks offering data on a variety of products as part of the regime’s roll-out, via InvestorDaily.

The four major banks had a deadline of 1 July to make product data available on all credit and debit card, deposit and transaction accounts with more products to follow.

By February, first mortgage data will have to be available, with all products eventually available from the major banks by 2020. 1 July 2020 is the start date for all other banks to begin offering their credit and debit card product data, with an end date of 2021.

Customer data will be included in the regime by 1 February 2020, which will allow consumers to more fully control their data and enable greater transparency and competition throughout the industry.

Open banking has been sweeping across the world, with the most relatable example for Australia being the UK open banking regime.

The UK introduced theirs following an exposure of poor practice, not dissimilar to Australia. Where it differs though is that the UK regime applies to only nine banks, whereas Australia’s will apply to all ADIs.

The Australian regime only grants read-only access to data with reciprocal obligations and an eventual plan to open to other industries, such as utilities.

What it will eventually mean is that customers of a bank can request or give consent for their data to be shared with an accredited third party, such as a bank, financial services provider, utility provider or a telecommunications provider.

The regime will break down the barriers consumers have faced in finding the best banking products and eventually switching to that provider.

Commonwealth Bank’s general manager of digital banking, Kate Crous, told Investor Daily that the bank was supportive of the model that puts customers in control and had worked hard to ensure they were ready.

“We have worked hard with regulators and other industry participants to ensure the Consumer Data Right regime will be successful, particularly in building consumer trust and confidence around the use and exchange of their data.

“The first milestone is publishing product information via an application programming interface (API) from 1 July 2019. This will enable an easier comparison of banking products from financial institutions and allow the industry to test the APIs before sharing consumer data next year,” she said.

Ms Crous said developers are now able to access information on how to integrate with the CBA APIs.

Westpac’s chief data and strategy officer, Jamie Twiss, said keeping data safe was crucial and the pilot was an important step.

“Westpac is focusing on creating a trusted open banking regime that is secure, flexible and easy to use for all Australians. The pilot program will lay initial foundations to test the performance, reliability and security of the system before any personal consumer data is shared. It will also give software developers and fintechs a network of financial institutions’ data to build and improve financial services.”

Westpac will provide generic information on product data as of today, which will include interest rates, discounts, eligibility criteria, product features and descriptions plus fees and charges.

A NAB spokesperson told Investor Daily that their focus was on ensuring that, as an industry, open banking worked for the consumer. 

“This is a complex change to the industry and the timelines are challenging, but we firmly believe that speed shouldn’t compromise safety and customer experience; getting it right is paramount to consumer trust and confidence in the system,” NAB said. 

The spokesperson said NAB had actively started to develop processes since back in 2017 to be ready for open banking and would continue to work with Data 61 and ACCC. 

Fintech response

Deputy chief executive of neobank Volt, Luke Bunbury, said it will mean that the incumbent banks will need to innovate to compete with newer entrants.

“This means the incumbent banks will have to innovate to compete, as there will be a long line of fintechs and neobanks like Volt wanting to harness this data to offer customers a superior banking experience.

“Customers will be the masters of their data, and third parties will have to earn it by being innovative and trustworthy,” he said.

Part of this was changing the narrative by offering an improvement to lives and not just the sale of products, said Mr Bunbury.

“Volt and other innovative banks will be able to help Australians find and secure better deals on a range of banking and even non-banking services, like utilities and travel.

“By enabling data to be shareable across financial institutions, it will be also possible for customers to manage multiple bank accounts from one mobile app, regardless of whether the accounts are held with rival banks,” he said.

Chief executive of Verrency David Link said the regime was going to eventually drive greater innovation.

“While 1 July 2019 will not drastically change the way Australians bank – as only product, rather than customer, data will be available until 1 February 2020 – this is a huge step towards that much more transformative change,” Mr Link said.

Banks would have to start to offer a personalised consumer offering, said Mr Link, and those that are agile were going to thrive.

“The effective use of data and access to new value-added services will slowly become a major decision-driver for consumers when it comes to choosing or changing who ‘owns their relationship’.

“Banks which don’t take this extremely seriously are going to slowly struggle to remain competitive. On the other hand, those which take steps to become more agile – especially in their ability to deliver value around the consumer relationship – are going to thrive in the post-open banking landscape,” he said.

Australians particularly at risk of financial deception

Amid the ongoing discussion around who should bear the responsibility for assisting vulnerable customers, recent data has revealed further need for targeted care and education, as Australians are falling prey to bank fraud and other financial scams at an alarming rate, via Australian Broker.

According to the KPMG Global Banking Fraud Survey, 61% of banks worldwide have reported an increase in fraud – both in value and volume – over the past three years, with Australia being among the countries hit the hardest.

“We are seeing a disproportionately high volume of scam attempts on Australians – there were 177,000 scam reports here last year, costing almost half a billion dollars. This compared to around 85,000 scam reports in the US and UK, with far bigger populations,” said Natalie Faulkner, KPMG global fraud lead.

KPMG’s survey found customer awareness is key for detecting fraud and reducing losses, and the firm called for more to be done to educate consumers. While branch staff in banks are a major point of contact, brokers – who now help six in 10 home owners to secure a mortgage – are naturally on the front line of this work.

“Education should be multifaceted to reach different audiences. For example, many scam victims tend to be the elderly or socially isolated, so education should not just be through digital channels but also through television, traditional media and even face-to-face sessions with vulnerable customer groups,” said Faulkner.

The data also revealed that cyber-related fraud is the most significant challenge faced worldwide, a reflection of the growth in digital banking.

“This is set in the context of a changing global banking landscape, where branch networks are shrinking, volumes of digital payments are increasing and there is less customer face time,” explained Faulkner.  

Open banking – which will be implemented next week – was mentioned as an emerging challenge in fraud risk, as it will see banks allowing third parties to access their customer data.

However, Faulkner noted, “On a positive note, having more transparency across accounts will enable the banks to know their customer more holistically and trace funds in fraud detection.”

Westpac Confirms Abuse of New Payments Platform PayID

Westpac has confirmed that the bank “detected mis-use” of the New Payments Platform’s PayID feature and “took additional preventative actions which did not include a system shutdown.” Via Computerworld.

Fairfax Media yesterday revealed details of the incident, citing a confidential Westpac memo that said around 60,000 NPP PayID lookups were made from seven compromised Westpac Live accounts. Around 98,000 “successfully resolved to a short name and this was displayed to the fraudster,” the memo said, according to Fairfax.

“No customer bank account numbers were compromised as a result,” a spokesperson for the bank told Computerworld in a statement. “Westpac Group takes the protection of customer data and privacy extremely seriously.”

The NPP was launched in February 2018. The platform enables real-time transfers between banks as well as a number of other features, including data-enriched transactions. As of February this year, more than 75 financial institutions supported the system, with 52 million account holders able to make payments via the NPP, according to NPP Australia, which maintains the platform.

PayID is the platform’s addressing service. It allows payments to be directed using an alternative identifier, such as an email address, ABN or phone number, rather than using a BSB and account number.

“NPP Australia has firm regulations in place that require participating financial institutions to monitor, detect and shut down any attempts to harvest data from PayID,” an NPP Australia spokesperson said. “NPP Australia is working closely with Westpac on this matter.”

“No financial details or credentials are available from the PayID database, and therefore none of these details have been compromised,” the spokesperson said. “The only details obtained have been the account name which was designed to be returned to a legitimate enquiry.”

A PayID can’t be used to withdraw funds and “on its own cannot be used to create a false identity,” the spokesperson said.

“While this incident was unacceptable, the information obtained would be readily available in other public places,” the spokesperson said. “All participating financial institutions are on notice and may apply additional security controls if deemed necessary.”

“PayID was designed to provide more reassurance during the payments process; it enables a payer to see the name associated with a PayID to reduce the risk of a mistaken payment or scam,” the spokesperson said.
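The NPP rule quoted above requires participating institutions to monitor for and detect attempts to harvest data from PayID, and the incident itself was a small number of accounts making tens of thousands of lookups. The following is an added example, not Westpac’s or NPP Australia’s code, of the kind of rate-based detection a bank could run over its own lookup logs. It assumes a constructed log format of “ISO timestamp, source account, PayID, resolved/unresolved”, a 10-minute window and a threshold of 50 lookups per account per window; both numbers are assumptions, not values from the incident.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not part of the original article or of any bank's tooling.
# Assumed (constructed) log line format:
#   "<ISO-8601 timestamp> <source_account> <payid> <resolved|unresolved>"
WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 50                   # assumed lookups per window before an account is flagged


def parse_line(line: str):
    """Split one constructed log line into (timestamp, account, payid, resolved)."""
    ts, account, payid, result = line.split()
    return datetime.fromisoformat(ts), account, payid, result == "resolved"


def detect_harvesting(lines, window=WINDOW, threshold=THRESHOLD):
    """Flag source accounts whose lookup rate exceeds `threshold` within `window`.

    Returns {account: (time the threshold was first crossed, total lookups,
    lookups that resolved to a name)}. Accounts under the threshold are absent.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)               # per-account timestamps inside the window
    totals = defaultdict(lambda: [0, 0])      # per-account [lookups, resolved]
    first_alert = {}
    for ts, account, _payid, resolved in events:
        window_q = recent[account]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()                # drop lookups older than the window
        totals[account][0] += 1
        totals[account][1] += resolved
        if len(window_q) > threshold and account not in first_alert:
            first_alert[account] = ts         # record only the first crossing
    return {acct: (first_alert[acct], totals[acct][0], totals[acct][1])
            for acct in first_alert}


def build_sample_log():
    """Constructed sample: one ordinary customer and one account doing bulk lookups."""
    base = datetime(2019, 6, 3, 9, 0, 0)
    lines = []
    # ordinary customer: three lookups spread over an hour
    for i, minutes in enumerate((0, 25, 58)):
        ts = base + timedelta(minutes=minutes)
        lines.append(f"{ts.isoformat()} acct-1001 friend{i}@example.com resolved")
    # account used for harvesting: 120 distinct lookups in six minutes
    for i in range(120):
        ts = base + timedelta(seconds=3 * i)
        result = "resolved" if i % 4 != 0 else "unresolved"
        lines.append(f"{ts.isoformat()} acct-2002 payid-{i:04d}@example.com {result}")
    return lines


if __name__ == "__main__":
    for acct, (when, total, resolved) in detect_harvesting(build_sample_log()).items():
        print(f"{acct}: threshold crossed at {when.isoformat()}, "
              f"{total} lookups, {resolved} resolved to a name")
```

The first-crossing timestamp matters operationally: it is the point at which an automated control could suspend lookups for that account, well before the total reaches the volumes reported in the memo. In a real deployment the threshold would be tuned against the institution’s own baseline of per-customer lookup rates, and the unresolved ratio is a useful second signal, since ordinary payers rarely look up addresses that do not exist.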

Finance sector one of the most at risk of data breaches

The inaugural review of the Notifiable Data Breaches Scheme has revealed that the finance sector is one of the most at-risk sectors when it comes to data breaches, via InvestorDaily.

The Notifiable Data Breaches Scheme was set up over a year ago when it became a legal requirement for entities to carry out an assessment whenever they suspected that there had been a data breach. 

The report, which looks back over the scheme’s first 12 months, found that the finance sector had the second highest number of data breach notifications under the scheme.

In 12 months the NDB scheme recorded 964 notifications, of which 134 were made by the finance sector, with human error accounting for 41 per cent of those data breaches.

“The consistent presence of the health and finance sectors at the top of the rankings throughout the year likely reflects the scale of data holdings, volume of processing activities and/or sensitivity of the personal information held by those sectors, as well as those sectors’ higher preparedness to report data breaches,” said the report. 

The scheme is clearly working given that data breach notifications went from 127 under the voluntary scheme in 2018-19 to 722 as a result of the compulsory scheme. 

The report also acknowledged that the finance sector offers a great financial reward to cyber criminals, to which it attributed the rise in attacks in recent years.

“Accordingly, a high proportion of finance sector breaches—56 per cent—were attributed to malicious or criminal attacks,” it said. 

Despite this, contact information was the most common form of personal information disclosed through data breaches, with 86 per cent of notifications. 

Over half of all breaches (60 per cent) across the regulated entities were attributed to malicious or criminal attacks with phishing continuing to be the most common method. 

In a further 28 per cent of cyber incidents, credentials were obtained by unknown means, as the entities had not detected any phishing-based compromise.

Fortunately, 83 per cent of breaches affected fewer than 1,000 people with most attacks affecting just one person, but there were 19 attacks where an unknown number of people were affected. 

The Australian information and privacy commissioner Angelene Falk, who operates the scheme, said that many entities were actively engaged with the scheme to create better practices. 

“Many entities have taken a proactive approach in engaging with the OAIC, and we have been able to work constructively with those in their response. 

“As the year has progressed, some maturation has been evident in entities assessing the likely consequences of a data breach and in their subsequent notification processes,” she said. 

Moving forward Ms Falk said that she expected entities to take proactive steps to prevent breaches. 

For the finance industry, steps are already being taken with the introduction of APRA’s prudential standard on information security which will help ensure the finance sector’s resilience to information security incidents. 

“I encourage entities regulated by the Privacy Act to review the report and use the learnings to enhance their prevention and response strategies for the benefit of all Australians,” said Ms Falk.

Receiving a login code via SMS and email isn’t secure

When it comes to personal cybersecurity, you might think you’re doing alright. Maybe you’ve got multi-factor authentication set up on your phone so that you have to enter a code sent to you by SMS before you can log in to your email or bank account from a new device, via The Conversation.

What you might not realise is that new scams have made authentication using a code sent by SMS messages, emails or voice calls less secure than they used to be.

Multi-factor authentication is listed in the Australian Cyber Security Centre’s Essential Eight Maturity Model as a recommended security measure for businesses to reduce their risk of cyber attack.

Last month, in an updated list, authentication via SMS messages, emails or voice calls was downgraded, indicating they’re no longer considered optimal for security.

Here’s what you should do instead.

What is multi-factor authentication?

Whenever we log in to an app or device, we are usually asked for some form of identity check. This is often something we know (like a password), but it can also be something we have (like a security key or an access card) or something we are (like a fingerprint).

The last of these is often preferred because, while you can forget a password or a card, your biometric signature is always with you.

Multi-factor authentication is when more than one identity check is conducted via different channels. For instance, it’s common these days to enter your password, and an extra authentication code you need to enter is sent to your phone via SMS message, email or voice mail.

Lots of services, such as banks, already offer this feature. You’re sent a “one-time” code to your phone in order to confirm authority to enact a transaction.

This is good because:

  • it uses two separate channels
  • the code is randomly generated, so it can’t be guessed
  • the code has a limited lifetime
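The three properties just listed (a separate delivery channel, a code that cannot be guessed, and a limited lifetime) are only as good as the server-side checks behind them. The following is an added example, not code from the article or its author, showing what a service has to enforce: a code drawn from a cryptographic random source, an expiry, a guess budget, single use, and a constant-time comparison. It goes one step beyond the article by also implementing HOTP/TOTP (RFC 4226/6238), the authenticator-app scheme in which the second factor is computed from a shared secret on the device rather than delivered over SMS or email. The 300-second lifetime, the three-attempt budget and the user name “alice” are assumptions; the HOTP/TOTP key is the RFC test secret.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not part of the original article. The lifetime and guess
# budget below are assumptions; real services choose their own values.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


def issue_code(store: dict, user: str, now: float) -> str:
    """Generate an unguessable one-time code for `user` and record it with an expiry.

    `store` is a plain dict standing in for the server's pending-code table.
    The returned code is what would be delivered over the second channel.
    """
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    store[user] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(store: dict, user: str, candidate: str, now: float) -> bool:
    """Accept `candidate` only once, only before expiry, and within the attempt budget."""
    entry = store.get(user)
    if entry is None:
        return False
    if now > entry["expires"]:
        del store[user]            # expired codes are purged, never retried
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del store[user]            # too many guesses voids the code
        return False
    # constant-time comparison: do not leak how many leading digits matched
    if hmac.compare_digest(entry["code"], candidate):
        del store[user]            # consume it: the code is one-time
        return True
    return False


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30-second step and `window` steps either side for clock drift."""
    return any(
        hmac.compare_digest(totp(key, unix_time + drift * 30), candidate)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    pending = {}
    now = time.time()
    code = issue_code(pending, "alice", now)          # "alice" is a constructed user
    wrong = code[:-1] + str((int(code[-1]) + 1) % 10)  # guaranteed-wrong guess
    print("delivered code:", code)
    print("wrong guess accepted?", verify_code(pending, "alice", wrong, now))
    print("right code accepted?", verify_code(pending, "alice", code, now + 10))
    print("replay accepted?", verify_code(pending, "alice", code, now + 11))

    rfc_key = b"12345678901234567890"                  # RFC 6238 Appendix B test secret
    print("TOTP at t=59:", totp(rfc_key, 59, digits=8))  # RFC vector: 94287082
```

The two halves differ in where the secret lives. With a delivered code, the server holds the secret and the channel (SMS, email, voice) is what an attacker has to reach, which is exactly the weakness the article goes on to describe. With TOTP, the only secret is the key provisioned to the authenticator app at enrolment, so nothing sensitive crosses the phone network at login time.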

How could this go wrong?

Suppose a cybercriminal has stolen your phone, but you have it locked via fingerprint. If the criminal wants to compromise your bank account and attempts to log in, your bank sends an authentication code to your phone.

Depending on how your phone settings are configured, the code could pop up on your phone screen, even when it’s still locked. The criminal could then input the code and access your bank account. Note that “do not disturb” settings on your phone won’t help, as the message still appears, albeit quietly. In order to avoid this problem, you need to disable message previews entirely in your phone’s settings.

A more elaborate hack involves “SIM swapping”. If a criminal has some of your identity details, they might be able to convince your phone provider that they are you and request a new SIM attached to your phone number to be sent to them. That way, anytime an authentication code is sent from one of your accounts, it will go to the hacker instead of you.

This happened to a technology journalist in the US a couple of years ago, who described the experience:

At about 9pm on Tuesday, August 22 a hacker swapped his or her own SIM card with mine, presumably by calling T-Mobile. This, in turn, shut off network services to my phone and, moments later, allowed the hacker to change most of my Gmail passwords, my Facebook password, and text on my behalf. All of the two-factor notifications went, by default, to my phone number so I received none of them and in about two minutes I was locked out of my digital life.

Then there is the question of whether you want to provide your phone number to the service you are using. Facebook has come under fire in recent days for requiring users to provide their phone number to secure their accounts, but then allowing others to search for their profile via their phone number. They have also reportedly used phone numbers to target users with ads.

This is not to say that splitting identity checks is a bad thing; it’s just that sending part of an identity check via a less-secure channel promotes a false sense of security that could be worse than using no security at all.

Multi-factor authentication is important – as long as you do it via the right channels.

Which authentication combinations are best?

Let’s consider some combinations of multi-factor authentication that have varying degrees of ease of use and security.

An obvious first choice is something you know and something you have, say a password and a physical access card. A cybercriminal has to obtain both to impersonate you. Not impossible, but difficult.

Another combination is a password and a voiceprint. A voiceprint recognition system records you speaking a particular passphrase and then matches your voice when you need to authenticate your identity. This is attractive because you can’t leave your voice at home or in the car.

But could your voice be forged? With the aid of digital software, it might be possible to take an existing recording of your voice, unpack and re-sequence it to produce the required phrase. This is somewhat challenging, but not impossible.

A third combination is a card and a voiceprint. This choice removes the need to remember a password, which could be stolen, and as long as you keep the physical token (the card or key) safe, it is very hard for someone else to impersonate you.

There are no perfect solutions yet and using the most secure version of authentication depends on it being offered by the service you are using, such as your bank.

Cyber security is about managing risk, so which combination of multi-factor authentication suits your needs depends on the balance you accept between usability and security.

Author: Mike Johnstone, Security Researcher, Associate Professor in Resilient Systems, Edith Cowan University