Hobson’s choice: corporate reputation, secrecy and identity theft

Corporations rarely fess up to data-breaches and identity theft. To do so might invite a public relations disaster, a run on their customer base. Do they have a choice, and will victims continue to receive secret settlements? This is an edited text of an address on identity theft prepared for the Legal Services Commission of South Australia’s annual conference on Friday.

When first thinking about this subject and any useful contribution I might make, I felt I was perhaps better suited, as a journalist, to addressing the next session on cyberbullying and trolls.

I’m an expert in being cyber-bullied, a veteran of being trolled. It used to happen more. In earlier days of the internet, people had little feel for the consequences of their actions. Now, they know they leave a digital footprint. They have learned the hard way, for instance, that Twitter and alcohol don’t mix.

On the subject of identity theft however, while I have little to contribute by way of behavioural biometrics or encryption technology, there is one dominant theme which emerges in the way companies handle data-breaches. And that is reputation and the spectre of media.

I have had many stories of data theft come cross the desk, yet only written a few of them up. And, like everybody in this room, have either been victim personally, or heard plenty of stories, about identity theft.

Most companies simply don’t want news of data breaches breaking. They are loath to report them. It is bad for business.

I will go into two cases shortly: one of a farmer in Western Australia whose personal documents were found by the side of the road in Victoria. The perpetrators got his money, even procured a gun licence with his stolen papers, but the bank blamed the customer for the theft of his own identity. He has finally got justice but only after coming to the media.

Farmer denies CBA claim that he stole his own identity

A second example is the story of a law student whose phone security appears to have been breached. The theives got her bank details, apparently from mobile phone plan provider, Amaysim, and helped themselves. I received a carefully-worded response to questions from the company itself.

The theft happened last year. Had it gone broadly public that Amaysim had suffered a data- breach, it might have disaster for the company.

It is preferable therefore for companies to just pay up and work out who foots the bill behind the scenes – rather than report identity theft or even concede a breach. Corporate reputation, indeed even survival sometimes, is on the line.

Controlling the media

Earlier this millennium, I had a clandestine meeting at which a document fell into my possession. On investigation, it appeared to be the scoop of a lifetime. It was an internal report dealing with data security and detailed quite clearly how the Commonwealth Bank’s online banking system, Netbank, had been routinely hacked.

There were myriad problems with the firewall. One uni student from Western Australia had been stealing customer money, crowing to the bank about it, then putting it back in. He teased them about how hopeless Netbank was and even asked the bank for a job.

The young reporter scurried off to the editor in chief of the newspaper, pumped up, document in hand. We had to run it by the bank before publishing however.

The next day, I found myself in in Wentworth Chambers, wall to wall lawyers, two QCs, junior barristers and solicitors everywhere, for both “parties”, News Corporation and the CBA. The story never ran.

A couple of years before, Citibank had gone public with the news that Russian hackers had stolen $10 million. Citbank’s share price fell by billions. Since then, large institutions have opted to keep their data-breaches to themselves.

Some observations then about identity theft. The data is rubbery. There is no register of ID thieves. If there were, they would be putting somebody else’s name on it.

The latest numbers I could find were Australian Federal Police estimates by the Attorney-General’s Department which claimed identity crime cost Australia upwards of $1.6 billion each year, with the majority (around $900 million) lost by individuals through credit card fraud, identity theft, and other scams.

Yet, this is a because the police are often not told about it. Banks and businesses often don’t report it. I talked with cyber-crime industry types for this conference; people who have a vested interest in making the numbers as big as possible. They say it is more than 700,000 instances in Australia per year.

What do we know?

1. Identity theft is huge.
2. It’s growing. Criminals are often a step ahead of authorities.
3. It is often not reported.
4. It is often the fault – if that is the right word – of the victim (lost cards, slack passwords, victims duped via bogus telephone calls or emails).
5. It has many forms:

• “Phishing” – you may provide personal information over the phone or internet to what appears to be a legitimate business, but is actually a scam,
• Hacking into your online accounts,
• Retrieving your personal information from social media, and illegally accessing information about you which is stored on a business database.

One of the major solutions to cybercrime is education. This is an organic process. Everybody is becoming more savvy with the internet. Companies and customers are using increasingly effective passwords and authentication systems. Consumers are ever wary for phone and email scams.

There will never be enough vigilance though. Even Equifax, a US company which is an expert in data-breaches, and which took over Australia’s Veda Advantage, itself suffered a massive breach in the US. It transpired the password on its system was admin/admin.

One of the major problems is corporate secrecy and failure to report. Identity thieves are rarely prosecuted. In the world of the criminal therefore, this crime, if by no means perfect, is an attractive proposition in terms of risk and reward.

Its practitioners range wildly in sophistication; from the dodgy novice who somehow gets somebody’s driving licence and credit card and manages to buy some liquor at the bottle shop, to highly skilled hackers taking the round-ups from a bank.

Another story is that of law student Jasmine Chilcott and Amaysim – mentioned previously – who set up a CBA savings account several years ago in which she saved money, without withdrawals.

She woke up one Sunday morning to find her SIM card out of service. She then tried to contact her provider Amaysim via their online tech support, who told her to do restarts, change sim to other devices.

Eventually, after the 11th online tech chat she was told she would have to get a new SIM card and set it up. She did that.

The following day she tried to use her online banking and found it did not work. She then called CBA who told her they had locked her account due to suspicious activity.

They said they had tried to contact her, asked her if she had dropped out of service. She said yes. They said “did you make any cardless cash collections?” and she said no.

They then asked if she owned an Android phone and had downloaded the app the previous day. She said no. They said there were suspicious charges. The fraud department then got involved. They asked for a telco report.

Amaysim refused to provide this report and only provided the time the when Jasmine had dropped out of service (and a new SIM on the Android Phone had been activated).

Now it gets interesting. For the year previously, Amaysim was being paid for on one of Jasmine’s fathers’ – Dr John Freeman – credit cards. ANZ noticed unusual activity on this card and blocked it. Amaysim were then given details of his new card. Last night the ANZ noticed further unusual activity and blocked the new card.

Dr Freeman contacted ANZ who told him “A provider had had their database compromised”. There are only two possibilities where this new card and the old one were on record are Amaysim and Uber, however some of the details required to effect the changes seen are only known to Amaysim.

The details required to effect the SIM duplication/change at Amaysim included her birthday (which is not correctly recorded by Amaysim). That is, in order for the duplicate SIM to have been made the thief would have  have known the faked birthdate. So, the is no concrete evidence but all signs point to a hacked Amaysim database.

A few points:

If you hack a phone company you can hack two-factor authentication as the confirmation codes can be redirected to the new device.

If you are a bank like CBA which does not use challenge questions, but instead sends text messages to confirm ID then if item one happens you can get access to all client accounts.

The unanswered question is how a linkage from Amaysim to Jasmine’s CBA account was made. Dr Freeman thinks his daughter’s other CBA account may have been linked as the payment method.

Being a mostly online company, Amaysim is susceptible to a cyberattack. While unlikely, a breach of data security could have massive implication on its customers and therefore the company itself.

Solutions

As, unlike in the old days when bank robbers went to jail even when using fake guns, cyber-criminals are rarely prosecuted, identity theft will only grow.

Better password security, both by companies and their customers, is a no-brainer, particularly as so many victims are themselves to blame for inadvertently giving their personal details to thieves. Don’t use your birthday, or the same password for all functions!

At a corporate level, it seems the culture of failing to report crime is totally entrenched and demonstrably tolerated by authorities. But for corporations, disruption is vulnerability. It was the BankWest takeover, perhaps disaffected employees, which set the scene for what happened to WA farmer Barry Lakeman.

There will also always be rogue employees. It is hard to police for this, particularly when such large financial rewards are available in cyber-crime.

So, this is not going away and perhaps only intolerable laws which are invasive of privacy could eradicate the problem.