Sunday, 27 March 2011

So you think your personal and financial information is safe?


With governments at state and federal level still intent on gathering as much personal, medical and financial information concerning Australian citizens for the fledgling national data base and to facilitate inter-agency data sharing agreements, it was interesting to note yet another security breach.

The Sydney Morning Herald, 21 March 2011:

Hundreds of thousands of cryptographic tokens used by Australians who bank online, the Defence Force and other large corporations are vulnerable to a potential hack attack after a supplier revealed secret data it held had been stolen.
Customers of RSA, a security division of the data storage giant EMC, were on Friday told that the company had been the victim of "an extremely sophisticated cyber attack".
Federal government customers of RSA's affected SecurID service include the Department of Defence, Department of the Prime Minister and Cabinet, Australian Electoral Commission, Family Court of Australia, Department of Parliamentary Services, Department of Veterans' Affairs, Geoscience Australia, AusAid, Department of the Treasury and Crimtrac, according to closed tender documents listed on the AusTender website.

Open letter to RSA customers excerpt:

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

RSA Online Fraud Centre report February 2011:

The Trojan arms race continues in 2011. It appears that the more security features put in place to protect the online channel, the farther Trojan developers will go in their attempts to infiltrate the systems, compromise security, and better hide their activities within infected computers.

Some background on Australia's attempt to create a national database:

1 comment:

Dave Bath said...

Having written commercial software since late 1970s, and actually involved in projects expanding EFTPOS expansion in the late 1980s, I do not have internet-enabled banking - explicitly rejecting it every time I get a new card.

I'd actually expected it to be unprotected directly from individual institutions handling financial transactions.