
How we’re cleaning up SMS for scam safety

By Andrew Penn September 15, 2020

For years, Australians have been losing millions to scammers and have already lost almost $100 million so far this year. The numbers keep going up and all indications point to 2020 being the worst year on record in terms of financial loss. As Australia’s largest telco we’re acutely aware of the serious threats faced by our customers from scammers and cyber criminals. We block more than a million malicious spam calls on our network each month and a growing number of SMS messages. With a new pilot program announced today, we’re about to do even more to keep our customers safe.

We have been working closely with the Australian Cyber Security Centre (ACSC) and Services Australia to keep scammers out of the SMS channel by introducing a new security measure to block malicious text messages from reaching Telstra customers.

A new pilot program to make SMS safer

In simpler terms, when a text message is sent over our network, using information called “metadata”, we can identify and reject illegitimate phishing text messages impersonating a specified SenderID before they reach Telstra customers.

Working with the ACSC and Services Australia, we have created an approved list of official sources associated with particular SenderIDs, like myGov or Centrelink. It means any message with a SenderID that doesn’t originate from an approved source will be stopped from making it through to Telstra customers.
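The decision described above can be sketched as follows. This is an added illustration, not Telstra's implementation: the source labels, the `Sms` fields and the choice to reject a protected SenderID that arrives with no origin metadata are assumptions, and the sample messages are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed allow-list: protected SenderID -> approved originating sources.
# The source labels are hypothetical stand-ins for the origin metadata a
# carrier sees; the page does not say which fields are used.
APPROVED_SOURCES = {
    "mygov": {"gov-gateway-a"},
    "centrelink": {"gov-gateway-a", "gov-gateway-b"},
}


@dataclass(frozen=True)
class Sms:
    sender_id: str  # the name shown to the recipient
    source: str     # where the message entered the network (assumed field)
    body: str


def normalise(sender_id: str) -> str:
    """Compare SenderIDs case-insensitively and ignore surrounding spaces."""
    return sender_id.strip().casefold()


def decide(msg: Sms) -> tuple:
    """Return (action, reason) for one message."""
    approved = APPROVED_SOURCES.get(normalise(msg.sender_id))
    if approved is None:
        # Only listed SenderIDs are protected; everything else is untouched.
        return ("deliver", "SenderID is not on the protected list")
    if not msg.source:
        # Assumption: fail closed when the origin cannot be established.
        return ("reject", "protected SenderID with no origin metadata")
    if msg.source in approved:
        return ("deliver", "protected SenderID from an approved source")
    return ("reject", "protected SenderID from an unapproved source")


def triage(messages) -> Counter:
    """Count actions across a batch of messages."""
    return Counter(decide(m)[0] for m in messages)


# Constructed sample traffic.
SAMPLE = [
    Sms("myGov", "gov-gateway-a", "(constructed body)"),
    Sms("myGov", "bulk-route-x", "(constructed body)"),
    Sms(" MYGOV ", "bulk-route-x", "(constructed body)"),
    Sms("Centrelink", "", "(constructed body)"),
    Sms("PizzaShop", "bulk-route-x", "(constructed body)"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(repr(m.sender_id), m.source or "-", *decide(m))
    print(dict(triage(SAMPLE)))
```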

We are currently rolling out Phase One of a much larger project that we hope to scale up in the coming months to protect more organisations and their customers from scammers.

This work also aligns with Australia’s 2020 Cyber Security Strategy and the recommendations from the Industry Advisory Panel, which we look forward to helping implement in conjunction with the Government, business, and the community.

Spotting SMS scams

While the methods and techniques of cybercriminals constantly change, cyber risk in reality is just like any other risk. Behind the complexity, cyber-crime is just crime, cyber espionage is just espionage and hacktivism is just activism all by another name.

The challenge is the increasing sophistication and the scale; the ACSC believes that one in three adults has been a victim of cybercrime. The unfortunate fact is anybody who owns a mobile phone, anyone who sends or receives text messages, is now at risk, and that risk has never been higher.

Those who rely on assistance from Australian Government agencies are at particular risk as scammers often impersonate official bodies and agencies to increase their chances of appearing legitimate.

Take this example of a fraudulent text message designed to trick the receiver into thinking it’s a legitimate message from myGov.

The goal is to convince you to click on a malicious link or attachment that the scammers can use to try to steal your money, your personal data, or both.

The point is we are all at risk – anybody with a connected device is a potential target and scammers think nothing about using almost every brand in Australia – including ours – to try and pull the wool over a customer’s eyes.

Helping to keep the internet cleaner

At a time when scammers are taking increasing advantage of Australians experiencing difficulties and hardship due to COVID-19, it’s important that we have their backs.

This new pilot is part of our Cleaner Pipes initiative which includes a range of existing work designed to help keep our users safe from malicious activity online. In May we dramatically scaled up our Domain Name System (DNS) filtering to ensure that we’re proactively blocking and filtering out the millions of malware communications that attempt to cross our infrastructure.

Connected technologies increasingly sit at the very heart of the lives of most Australians. But as we move more rapidly to a digital economy, we need to be more and more cognisant of the growing cyber risks and those who seek to do us harm online.

For more information on staying safe from SMS malware, check out our best practice guide. You can read more cyber security tips on our Telstra Exchange Cyber Security Hub.


Innovation and technology are the foundation of Australia’s new normal

By Kim Krogh Andersen August 24, 2020

There’s no doubt technology has helped Australians address the changes that COVID-19 has brought on. From working, learning, socialising, shopping, eating, being informed and entertained, technology has been the foundation as we attempt to continue with our lives as much as possible. COVID-19 has swiftly forced the uptake of digitisation and changed our behaviour forever.

As a nation, we have collectively invested time and resources into learning how technology can help improve our lives in 2020, and we expect it to continue to play a vital role in the years to come.

Looking forward, COVID-19 will change the way we live and work forever. Just like other times of significant change and disruption, we need to learn the lessons, adapt to a new norm, and come out of it stronger. We cannot miss this chance to ensure the pandemic becomes a catalyst for innovation and growth for a better future.

In the home this year, we relied heavily on a stable and fast internet connection to support our working-and-learning from home environments during the day, while depending on it for seamless video streaming and gaming in the evenings. Furthermore, Australians have increasingly realised the benefits of shopping for goods and services online. Even when COVID-19 passes, we expect our newly-formed habits to remain, having a better appreciation of a fast, strong, and reliable internet and Wi-Fi connection.

Outside of the home, innovation was also being developed and deployed to keep us safe when we leave the front door.

The Government encouraged Australians to download and use the COVIDSafe app in order to provide an easier way to automate contact tracing to reduce further infections.

Telstra’s Track and Monitor asset-tracking platform was used by a healthcare industry customer as they swiftly deployed COVID-19 triage clinics across the east coast of Australia. This helped ensure that no expensive, in-demand equipment was misplaced, especially during a time of constant change.

We also saw the fragility of, and our dependency on, delivery and supply chain systems, which exposed the lack of end-to-end visibility. As an example, we are working with major suppliers to accelerate the development of Telstra’s Connected Supply Chain product and are also negotiating with transport companies to help increase supply chain visibility with domestic deliveries.

Quick, transparent and interactive communication was also very important. Victoria’s Department of Health & Human Services needed technology to help ensure compliance to the mandatory 14-day self-isolation period for close contacts of COVID-19 and chose Whispir’s mass communication platform to perform this function with great success.

It is more imperative than ever to ensure the country does not encounter a second wave of nation-wide infections and the respective lockdown as a result. If it were to happen, the OECD has said the Australian economy could decline by 6.3 per cent this year, which would take it back to where it was in 2016.

The technology pioneered to help manage the pandemic will continue to help us live in the ‘new normal’.

Travellers passing through Canberra Airport may notice new Temperature Screening solutions at the security check-in. This allows the airport to increase its protection against COVID-19 and includes thermal cameras to detect travellers with high temperatures. The key goal is to help reassure passengers transiting through public spaces like airports. We may see more of this type of technology installed at other public spaces like train stations, shopping centres, and maybe even at some workplaces where thousands of people pass through daily.

Traditional offices will also evolve as a result of COVID-19. Employees will demand to be allowed to continue working from home after the forced experiment pressured companies to change their flexible-working mindset and accelerate the required digitisation. This also meant the need to evolve the cyber security, technology processes, and communication and collaboration tools to enable successful remote working. The pandemic has pushed CIOs and IT departments (no matter what size) to finally modernise various procedures and systems.

Telstra’s Smart Building product already measures people’s movement through infrared sensor data to deliver insights on desk usage, meeting room usage and general occupancy levels. The product is now being expanded to measure social distancing and hygiene compliance, and will be highly relevant to all industries, especially retail, transport, health, and commercial offices.

Elsewhere, video analytics will be deployed to assist critical industries with real-time thermal scanning to ensure the ongoing safety of staff and the public. AI will help deliver insights such as people flow and count, movement analysis, alerts, and more.

There is also set to be a widespread acceleration of automation (as robots can’t contract COVID-19) which has several drivers. One of the interesting opportunities I’ve seen is robots that can clean, disinfect, help detect fever symptoms, and monitor mask and social distancing compliance.

In the home, we’ll see faster internet enabling more advanced entertainment and educational technologies. I expect further innovation in television, gaming, smart home, and communication devices will be front and centre in consumer electronics R&D in the next 12-24 months.

I have no doubt these examples of technology and innovation will be scaled even further.

COVID-19 has reinforced how critical technology is for our daily lives, specifically dependable and fast connectivity. The swift need for network reliability and resiliency when we first moved to working from home, was an early indication of how vital connectivity will be in the future.

The world is slowly exploring ultra-reliable low latency use cases like autonomous driving, remote surgery, robotics, smart cities and smart homes. 5G, Edge Computing, IoT and AI are critical technologies for us to enable these advanced scenarios, but we can’t forget security, privacy, customer experience, and operational excellence are equally as important when we embark on this journey. Because it’s people that will give purpose to technology.

COVID-19 has meant new cultural and workforce transformation for the better. We strongly believe technology plays a central role in these shifting and accelerating trends and will be the foundation in what the new normal looks like for Australians – in the home, at the office, and anywhere in between.


Invisible security at your fingertips

By Darren Pauli August 21, 2020

Consumer cyber security has become much more user friendly and effective in recent years with technical complexity hidden behind seamless usability and easy-to-use apps. Yet a whole suite of largely invisible cyber security defences too numerous to list are available, often for free, by applying software updates.

This week we’ve covered some of the most important defences as part of Scams Awareness Week; password managers and the adoption of passphrases instead of jumbled codes; free and easy multifactor authentication; updated advice on spotting phishing attacks, and locking down your sensitive data.

Scams Awareness Week: five ways in five days to free and easy cyber security

Set your devices to automatically update. Search online for ‘end of life’ and your device make and model to see if it is still supported and secure.

An update is available

Many modern apps and devices are set by default to automatically update. Updating can apply new features, improve stability, increase security, and close dangerous flaws.

Security researchers continually find and report vulnerabilities in hardware and software. No product is immune. Good vendors will produce fixes, or patches, for these flaws and distribute them in software updates.

Many consumer products from phones to routers and gadgets will receive updates for a period of time before the manufacturer deems them end-of-life, stops fixing security flaws, and recommends customers buy a new product.

Routers

Your router, if it is relatively new and produced by a major vendor, is likely set to automatically check, download, and install updates on a regular basis.

To check if it is, load your router’s administration page. Connect your computer via an ethernet cable to your router, likely through the socket at the back labelled WAN, and type in the router’s IP address into a web browser window.

The IP address is likely underneath your router and should look like a sequence of numbers and full stops in a sequence like 192.168.1.1. The username and password required to access the admin page (not your Wi-Fi network) may also be on the underside. If not, search online for ‘default login’ followed by the make and model of your router.

Once inside, feel free to navigate around without saving any changes. You should find your software update status under general settings or admin.

Set your updates to automatic if possible and click a button to manually check for updates if it is available.

Look for a date of the last update – this might be next to or contained inside the update (firmware) file name such as tplink_abcxyz_20.03.2020.

Your router might be end of life if that date is more than a year old. You can verify by searching the internet for ‘end of life’ and the make and model of your router.

End of life routers should be replaced to ensure security. You may wish to consider replacing the router operating system instead with supported open source firmware like OpenWrt. These systems, while popular, generally have a highly technical interface and their application is a complex process that if done incorrectly could render your router inoperable.

Mobile

Modern mobile phone operating systems such as Android and iOS, along with their apps, are set by default to automatically update.

You can check by going to settings and searching for updates. Open your app store and apply any updates and check any boxes to activate automatic updates.

Apple supports its line of iPhones for much longer than other manufacturers but most provide updates for their phones for two years or more. Some updates may occasionally be issued beyond that for highly critical security issues.

Computer

Microsoft now only supplies updates for Windows 8 and Windows 10 in its regular consumer operating systems, although it too occasionally issues updates for older platforms to fix the most pressing rare security issues.

Windows 10 contains a suite of built-in security controls that make computers significantly harder to hack than older Windows versions. It also offers well-performing built-in antivirus eliminating the general security requirement to purchase third party antivirus.

Apple will as of November no longer support macOS 10.13 High Sierra and instead cater to newer versions including macOS 10.15 Catalina which sports Activation Lock that helps prevent unauthorised use and erasure of disks in devices that have the Apple T2 security chip.

Explore

Additional security settings can often be found by looking around your settings. You may find options such as backups that help in the event of data loss or ransomware, a type of malware, and others that increase your security at the expense of some convenience. Try them out; you may find the new barriers worth the additional peace of mind.

Microsoft Office has similar security settings. Most malware utilises document macros as an initial step in attacks. These can be turned off if not needed to significantly increase security.

Consumers may also consider using a suite of tools called HardenTools, produced by Claudio Guarnieri, a highly-respected cyber security expert with Amnesty International. This Windows suite turns off many legitimate default features that cybercriminals commonly abuse to launch attacks. The process is reversible with the click of a button.

Organisations meanwhile can consider the deployment of Application Guard for Office, which protects macro use. It is in preview mode and available to customers who apply for access from Microsoft.

Scams Awareness Week runs from August 17 – 21. Make sure to check out our Cyber Security Hub for the latest info on staying safe from threats. Also see the ACCC’s ScamWatch podcast series on identity theft by the team at the ABC’s The Chaser.


Secure your sensitive data for free

By Darren Pauli August 20, 2020

Open your email account and search for ‘driver licence’. Then search for ‘passport’, ‘Medicare’, and ‘payslip’. Now think about your email account password; do you use the same password for other accounts? When did you last change it? The sensitive personal information contained in your inbox is at risk if your password is used across other accounts.

That risk is higher still if you are like the 90 percent of Google users who in 2018 did not make use of a simple additional security check, known as multi-factor authentication, to protect their accounts.

Here’s how to take small steps for big security gains.


Start by making your email password unique, then switch on multi-factor authentication. After that, delete your attachments.

Lock shop

Your email password needs to be unique, so change it if you have reused the same one anywhere else.

The best way to do this is through a password manager. These can help you change all your passwords to long and unique combinations that you can set and forget. All you need to remember is your one master password which is the key to your password vault.

Another option is to use phrases for your passwords (also known as a passphrase). A sentence that means something to you, not taken from a book or movie, is a great choice. You’ll remember it since it is a phrase, rather than a random combination of letters and symbols, and it’ll be harder for an attacker to guess or crack. You still can’t reuse passphrases across accounts, though, so a password manager would again come in handy here.

Next, deadbolt your email account with multi-factor authentication. It is supported by most major email providers and can usually be found under your account settings within the security or privacy tab.

This security control, which requires an extra code usually when you first log in, is simple and makes hacking your email account extremely difficult. It also means an attacker will not be able to access your account if they steal your password.

Purge

Find and delete any attachments that contain your driver licence, passport, and other highly sensitive personal information you would most like to keep out of hackers’ hands.

Most email services allow you to check a box to return search results with attachments, or you may be able to search the phrase ‘hasattachment:yes’ along with any keywords like ‘driver licence’.

Your account is unlikely to be compromised when protected with both a unique password and multi-factor authentication, but there are phishing attacks that can steal both.

By deleting searchable records of your personal information in your email, you’re minimising the potential damage should it be breached.

Protect

You, like me, may choose to store a copy of your personal information (like your driver licence, passport, and Medicare info) in one easy to access location. You can do this whilst also ensuring it is secure.

I store mine within Google Drive inside of an encrypted archive file – most commonly known as a zip file – using an entirely unique password. I use the 7zip extension with powerful AES encryption, both of which are set as default options within the free open source 7zip software.

This control means hackers who breach my Google account will be unable to find a copy of my sensitive documents within my thousands of emails. They will also be unable to open the archive containing my personal information because the password is different from any they have stolen.

If you need more regular digital access to things like your driver licence, try an app.

Tap of an app

I have not carried a wallet since 2017. My phone is my wallet, allowing me to pay and provide proof of identity.

So making fast and easy access to my driver licence is essential. I store a second copy of my driver licence and Medicare card, two items I often need in a pinch, in the Sync.com cloud service.

This is a secure so-called ‘zero knowledge’ service which is protected with multi-factor authentication. This combination makes compromising my data very difficult, yet access convenient through an app on both Android and iOS.

Many identity providers are starting to offer identity services digitally. Apps like Australia Post’s Digital ID, Services Australia’s Express Plus Medicare mobile app, or if you’re in NSW or South Australia, your state government’s digital driver licence apps, make it easy to access your identity documents quickly, backed by the government’s security chops.



Make hackers give up with multi-factor authentication

By Darren Pauli August 19, 2020

Burglars and cybercriminals have the same philosophy: when a target is secure, pick a softer victim. Using multi-factor authentication is like getting a free and easy deadbolt on your online accounts to go from a soft target to a hard target.

Two in three arrested burglars told police and academics they would avoid a home with a barking dog, while half would avoid one with a working alarm system.

Cybercriminals and professional hackers paid to test defences have said accounts protected with multi-factor authentication are an obstacle they would rather avoid.

It could be said then that adequate security is a matter of being more secure than your neighbors.


Most hackers are after quick money. Multi-factor authentication helps protect against these attacks.

The first step to securing your online accounts is to use a password manager and change any passwords that you have reused. Start with your most valuable accounts.

Next turn on multi-factor authentication (also known as two-factor authentication and two-step authentication).

Deadbolts for your accounts

Most hackers are after quick money. They blind fire phishing emails in an all-too-successful bid to snare usernames and passwords while others feed huge lists of hacked logins published online into automated password-guessing tools to break into accounts at scale.

Multi-factor authentication helps protect against these attacks with a deadbolt in the form of a check that is required after your password.

Most of the big technology platforms from Google to Microsoft, Instagram to Reddit offer it for free under user account settings and security or privacy. A directory listing services that allow multi-factor authentication is available at twofactorauth.org.

It is often a six-digit code generated in a special app or sent over SMS. It may, in the case of Google and other services, be an easy notification that appears on your phone asking you to tap to approve access. It can also exist as fingerprint readers and special USB devices.

Attackers who have managed to steal your password must also steal these checks to gain access to your account.

But they have a short window to do it. The checks usually expire after 30 seconds to a few minutes, placing a tight time window on any attempt to steal them.

It is a hurdle that for most cybercriminals proves too hard.

Multi-factor authentication is easy for you, however. It is usually only required once, provided you use the same device or web browser and remain signed in. Some sensitive services like online banking that log you out after inactivity require the code be entered on each login.

Super thief

Phishing works because people are at times inattentive and generally trust what they see.

It stands to reason that those who are willing to enter their details into a login form they believe is legitimate will also enter their multi-factor authentication codes.

Basic phishing sites store stolen passwords in databases that can be used in subsequent attacks.

Advanced phishing sites immediately send captured usernames and passwords to the legitimate services they mimic and log into the victim’s account in real-time. The sites then prompt victims to enter their multi-factor authentication codes which, when supplied, allow the criminal to access the victim’s account.

Other dedicated criminals can steal SMS-based multi-factor authentication by abusing phone porting, a feature that allows consumers to churn their mobile number to new providers.

Criminals need to have enough information on their victim to pass identity checks in order to gain control of a victim’s phone number and receive any SMS-based authentication.

New industry security controls make this attack very difficult. Pre-port verification codes must now be entered before phone porting can take place.
