Information security in action (or not) after theft

A few days ago someone broke into my car and pinched a bag with a bunch of my stuff in it (wallet, phone, iPod, books, journal, clothes etc). Bah. It’s a right pain, yet as I’m getting my affairs back in order I find a pleasant, technical distraction in seeing contrasting approaches to information security and prevention of identity theft and loss.

Scenario 1 - Commonwealth Bank of Australia

Having cancelled my stolen cards, I dig out my spare credit card and go to get out some money for the next few days. I keep a spare credit card tucked safely away for occasions such as this but sure enough I can’t remember the PIN so I go into the nearest branch…

  • Teller: Hi, what can I do for you?
  • Me: I had my wallet stolen yesterday. This is my spare credit card but I can’t remember the PIN.
  • Teller: OK, I’ll need to ask you a few questions about your account to verify your identity. Do you also have some other ID?

Tick for CBA - Verify an identity based on something a person knows AND something a person has (two factor authentication)

  • [I pull out my passport and the teller asks me some non-obvious questions about my account like my previous address, my current credit limit as well as some more standard questions]

Tick for CBA - don’t ask questions that thieves could easily answer based on information found in the articles they stole

  • Teller: Your PIN can be from 4 to 12 characters using letters or numbers. Please excuse me for a moment, I need a second staff member with me to authorise the reset of an unknown PIN.
  • [Teller talks with her colleague and they both swipe their identity cards before I reset my PIN]

Tick for CBA - Minimise the chance for internal fraud by requiring two people to authorise potentially lucrative operations

Outcome: I’m reassured that CBA cares about its internal security as well as my account security. CBA rises in my eyes.

Scenario 2 - Optus Communications

I use my phone lots and while it’s nice not to be able to receive work calls, there’s a weekend coming up with things to organise :-) I’ve borrowed a mobile handset while I decide what handset I’ll buy so all I need to do now is get a replacement SIM card from the Optus branch.

  • Shop attendant: Hi, what can I do for you?
  • Me: I had my phone stolen yesterday. I’d like to get a replacement SIM, please.
  • Shop attendant: Sure. Can I get the phone number, please?
  • [I tell her the phone number, she looks up my account from the phone number, presumably sees that the phone has been reported stolen and then makes a call to activate a new SIM. I wait while she's on the phone, half expecting to have to pull out my passport to do an ID check]
  • Shop attendant: OK, that’s all done. Here’s your new SIM. It’ll be active in about 20 minutes.
  • Me (a little concerned but not showing it): It’s that easy?
  • Shop attendant (with a naive smile as she thinks I’m paying her a compliment): Sure is.

No compliment for Optus - There was no ID check that I was the account owner. Zero. Zip. Nada.

Outcome: I now think that Optus doesn’t take account security seriously. I also now start thinking about swapping carriers.

Phone theft - double for nothing

If you don’t think such ID checks are necessary, take this situation:

  1. Thief steals wallet and phone.
  2. Thief looks at the phone right away, knowing that it’ll be locked in a matter of minutes or hours. Thief finds the number of the phone, either from a listing in the phone itself or from a business card in the wallet.
  3. Thief continues to use the phone for as long as practical.
  4. Owner calls carrier to have the phone locked. Thief’s call goes dead.
  5. Thief waits an hour after the phone is locked, goes to the carrier’s shop and gets a new SIM re-issued, needing only to know the number of the phone and the fact that it was stolen earlier in the day and locked about an hour ago.
  6. Shop attendant smiles naively as the thief leaves quickly and efficiently with a new SIM.
  7. Profit! at someone else’s expense (hmm).

I’ve written this scenario to show how easy it is to take advantage of lax security. I’m sure thieves are smart and creative so I really doubt this is anything new. In the meantime, I’m going to call Optus and CBA to tell them how important account security is and how this experience has affected their image in my eyes. Once they know that customers take real account security seriously (and not just marketing speak about security) perhaps they’ll take it seriously too.
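To make the contrast between the two branches concrete, here is an added example (written for this post; it is not CBA’s or Optus’s code, and the factor categories, question names, thresholds and staff IDs are all assumptions) of a small account-recovery policy check. It encodes the three points ticked above: a request needs something the customer knows and something they have, facts a thief can read off the stolen items don’t count as a knowledge factor, and lucrative operations need two distinct staff approvers. The SIM re-issue request built from only a phone number and “it was stolen” is rejected on all three counts.

```python
"""Added example: a minimal identity-verification policy for account recovery.

Illustrative code for this post, not the bank's or carrier's own system.
Factor categories, question names, operation names and staff IDs are assumed.
"""
from dataclasses import dataclass

# Factor categories. A claim counts once per category, so two knowledge
# items never add up to "two factors".
KNOWLEDGE = "knowledge"
POSSESSION = "possession"

# Facts a thief can learn from a stolen wallet/phone (or from the theft
# itself). These never count as a knowledge factor. Constructed list.
PUBLIC_OR_STOLEN = {"phone_number", "name", "address", "theft_reported"}

# Operations that can be turned into money need two people to approve.
DUAL_CONTROL = {"pin_reset", "sim_reissue"}


@dataclass
class Claim:
    category: str   # KNOWLEDGE or POSSESSION
    name: str       # what was presented or answered


@dataclass
class Request:
    operation: str
    claims: list
    approvers: tuple = ()   # staff IDs who swiped to authorise


def verify(req):
    """Return (allowed, reasons). Empty reasons means the request passes."""
    reasons = []
    # Only claims a thief could not trivially satisfy contribute a factor.
    cats = {c.category for c in req.claims if c.name not in PUBLIC_OR_STOLEN}
    if KNOWLEDGE not in cats:
        reasons.append("no private knowledge factor")
    if POSSESSION not in cats:
        reasons.append("no possession factor (e.g. government ID)")
    if req.operation in DUAL_CONTROL and len(set(req.approvers)) < 2:
        reasons.append("needs two distinct approvers")
    return (not reasons, reasons)


# Constructed requests mirroring the two scenarios in the post.
CBA_PIN_RESET = Request(
    operation="pin_reset",
    claims=[
        Claim(POSSESSION, "passport"),
        Claim(KNOWLEDGE, "previous_address"),
        Claim(KNOWLEDGE, "credit_limit"),
    ],
    approvers=("teller_1", "teller_2"),   # assumed staff IDs
)

OPTUS_SIM_REISSUE = Request(
    operation="sim_reissue",
    claims=[
        Claim(KNOWLEDGE, "phone_number"),
        Claim(KNOWLEDGE, "theft_reported"),
    ],
    approvers=("attendant_1",),            # assumed staff ID
)

if __name__ == "__main__":
    for label, req in (("CBA", CBA_PIN_RESET), ("Optus", OPTUS_SIM_REISSUE)):
        ok, why = verify(req)
        print(label, "ALLOW" if ok else "DENY", why)
```

The point of `PUBLIC_OR_STOLEN` is the thief scenario above: the phone number and the fact of the theft are exactly what the thief already holds, so a policy that counts them as verification has zero real factors, whatever the form looks like on paper.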

I sure hope companies take my account security seriously… especially Optus - they have a bit of work to undo!