Recently, I've witnessed a couple of incidents which have caused me to question some pretty fundamental security basics with our local Aussie telcos, specifically Telstra and Optus. It began with a visit to the local Telstra store earlier this month to upgrade a couple of phone plans which resulted in me sitting alone by this screen whilst the Telstra staffer disappeared into the back room for a few minutes:
Is it normal for @Telstra to display customer passwords on publicly facing terminals in their stores? (You know, the same password people give their bank.) This is the user-selected password used for identity verification with store customers wandering past it. pic.twitter.com/KiaGNKhaig
— Troy Hunt (@troyhunt) March 1, 2018
This screen faces out into the retail store with people constantly wandering past it only a couple of metres away, well within the distance required to observe the contents of it. I've obfuscated parts of the screen above because no way, no how would I want to show this information publicly, especially my wife's password. She was pretty shocked when I showed her this as it was precisely the same verbal password she used to authenticate to her bank. (Sidenote: she's an avid 1Password user and has been since 2011; this password dated back a couple of decades to when, like most people still do today, she had reused it extensively.)
I did raise this directly with Telstra, to which they replied "I want to make sure that this is fully investigated, it's definitely concerning". Yet clearly this is standard practice: the terminals the operators use are specifically designed to face into the public areas of the store and the interfaces they use are obviously designed to show the password (and, equally obviously, the passwords are not stored as secure cryptographic hashes, otherwise they could not be displayed at all). That was 27 days ago and to date there's been no follow-up from Telstra despite being told they'll "update me soon".
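The alternative to displaying a verbal password is a verify-only back end: the operator types what the customer says and the system answers yes or no, with only a salted hash ever stored. The example below is added here to show that design; it is not Telstra's code, and the class, method names and PBKDF2 cost are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationRecord:
    """What the back end keeps: salt, digest and cost only, never the passphrase."""
    salt: bytes
    digest: bytes
    iterations: int


def _derive(passphrase: str, salt: bytes, iterations: int) -> bytes:
    # Normalise case and whitespace so a spoken passphrase typed by the operator
    # still matches; the normalised passphrase itself is never written anywhere.
    normalised = " ".join(passphrase.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode("utf-8"), salt, iterations)


class VerbalPasswordStore:
    """Hypothetical store-verification back end (constructed example, not real code)."""

    def __init__(self, iterations: int = 600_000) -> None:
        # Assumed PBKDF2-HMAC-SHA256 cost; tune to the server's hardware.
        self._iterations = iterations
        self._records: dict[str, VerificationRecord] = {}

    def enrol(self, customer_id: str, passphrase: str) -> None:
        salt = os.urandom(16)  # per-customer random salt
        digest = _derive(passphrase, salt, self._iterations)
        self._records[customer_id] = VerificationRecord(salt, digest, self._iterations)

    def verify(self, customer_id: str, spoken: str) -> bool:
        """Operator types what the customer said; only True/False leaves this API."""
        record = self._records.get(customer_id)
        if record is None:
            # Do a derivation anyway so an unknown account is not faster to probe.
            _derive(spoken, b"\x00" * 16, self._iterations)
            return False
        candidate = _derive(spoken, record.salt, record.iterations)
        return hmac.compare_digest(candidate, record.digest)  # constant-time compare

    def stored_bytes(self, customer_id: str) -> bytes:
        """Raw record bytes, so a reviewer can confirm no plaintext is present."""
        record = self._records[customer_id]
        return record.salt + record.digest
```

Because the screen only ever receives a boolean, a terminal facing the shop floor can at worst leak whether a check passed, not the secret itself.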
Then, just yesterday I saw this one from fellow Aussie techie Geoff Huntley:
Dropped into @Optus to do some billing enquiries on a mobile phone service @ericlaw. I'm like yo my credit cards and financial information you're entering into this internet system isn't even fully encrypted. pic.twitter.com/NphRX2dnCv
— Geoffrey Huntley (@GeoffreyHuntley) March 27, 2018
As of today, Chrome will show a "Not secure" warning when an unencrypted page requests passwords or credit cards (which appears to be the case here) or when entering text into a form field. In the next few months, it will show all pages requested over an unencrypted connection as "Not secure". The risk this poses is that any intermediary able to intercept the traffic has the ability to read and modify the data (and yes, that applies to internal company networks as well).
Now, when a company is called on the presence of a glaringly obvious security omission, the correct response is to say "thank you for your feedback, we'll escalate this internally". The incorrect response is this one:
Geoff, this is an internal system not available to the public. We're making this request because this photo was taken without consent and is Optus' intellectual property, you are unable to photograph inside an Optus establishment without permission - Phil
— Optus (@Optus) March 27, 2018
Rather than acknowledge the problem, Optus elected to send Geoff a DM asking him to remove the photo (and another similarly benign one of a terminal facing the public) because somehow, that URL in the address bar (which is merely an internal host name) constitutes their intellectual property. It's almost as though they don't want it being shown publicly...
If that was the end of it you probably wouldn't be reading this now, but rather than acknowledging that perhaps there's a problem that needs fixing, Optus stuck their fingers in their proverbial ears and started singing:
And blocked... pic.twitter.com/aRwm8L0iEc
— Geoffrey Huntley (@GeoffreyHuntley) March 27, 2018
Alarmingly, this is not unprecedented and I've been blocked before myself for reporting a security incident. But it's totally unacceptable behaviour on behalf of any organisation, let alone one of our largest telcos.
The alarming thing about the way our local telco stores are physically designed is that they result in way too much leakage of sensitive personal information. Not just yours and mine either, that also includes the operators' credentials:
The operator had to log into multiple systems and after a few password authentication failure attempts in each one of these systems due to typos by the operator I was able to ascertain exactly what their username and password is. No video recording or photos needed.
— Geoffrey Huntley (@GeoffreyHuntley) March 27, 2018
Just how much can you do with those credentials? Assuming you have access to an unattended terminal as I did earlier on (albeit one that was already unlocked), the mind boggles. These are not super-sophisticated security concepts either, they're fundamental basics that most organisations drill into their people: protect what's on your screen, don't allow other people to observe your password, always lock an unattended terminal.
Here's the bigger issue that concerns me in both the Telstra and Optus cases: the security of our telecommunication accounts is increasingly paramount these days. Our phone numbers are used for all sorts of identity verification processes with other services; weaknesses in telco security translate directly through to compromises of email, bank and social accounts; there are some absolute horror stories out there. Want to log in to your myGov account using 2FA? They'll send you an SMS and yes, that's in addition to entering your credentials, but the whole point of 2FA is that it should be resilient to credential theft!
These are not simple fixes: store layouts need changing to protect customer privacy, customer password storage is obviously insufficient, operator practices need to evolve and let's face it, SMS is a very weak means of identity verification, largely because of deficiencies on the telcos' side. But they're important issues in an era of increasing dependency on mobile and one would hope that at the very least, Telstra and Optus would seek to improve the situation rather than simply ignoring or blocking complaints from disgruntled customers.