Inner Joined Data Breaches
Optus Breach and Medibank Breach: A Breach Made in Hell
Problem:
In the past few weeks there have been a whirlwind of data breach news from Optus and then Medibank. Anyone in Australia knows that these are two gigantic service providers in the country serving a huge portion of the population. Therefore the data stolen are horrendously massive, and when combined, extremely deadly.
Let's have a look at Optus vs Medibank data stolen according to news:
As we can see, either data from Optus breach or Medibank breach alone provides ONE PRIMARY ID which is sufficient for a hacker to:
- Register a new phone number
- Open Buy Now Pay Later account
- Open crypto account in Centralized Exchange
- etc (not going to list all of them for security reason)
To make things even worse, if someone got their hands on both of them and join them together:
Basically they will produce a complete identity of a person with TWO PRIMARY ID documents. With those documents, a hacker can:
- Access the victim bank account and change details
- Access the victim credit cards
- Take personal loan
- etc (not going to list all of them for security reason)
What's worse, they can also do the following:
- Open bank account under victim's identity and use it for money laundering
- Open credit card account and spend it all on crypto or gift cards
- Take unsecured loan
In short, a malicious attacker can, for example,open bank account, take various loans, buy gift cards or crypto and get away with it. Or use the accounts to do international money laundering.
Proposed Solution 1: Replace your Medicare number ASAP
So far, Medicare is the fastest and easiest to change (pretty much instant via Mygov website). Once your leaked medicare number is invalidated, there will only be 1 valid Primary ID document exposed from Optus breach. Although not 100% effective (as you can see below), this will reduce your risk level to only one primary ID document.
My attempt to register for a new AfterPay account using my leaked Medicare details failed
| My attempt to verify CoinBase account using my leaked Medicare details succeeded |
Note: For the purpose of the above attempts, I am using my own Medicare number that I have replaced since it was leaked
Proposed Solution 2: Flag and push to randomised facial identification and verification
To combat the fraud, all financial and critical service companies could maintain a database of all primary documents that have been identified in the data breach, and flag those for special verification. This special verification could be online MLAI based photo of user posing randomly while holding the primary documents, or in person to post offices or pharmacies.
However, in person to post offices should provides better security as it provides geolocation deterrence as well as higher risk of exposures and less susceptible to determined spoofing compared to MLAI (not going to explain in depths for security reason)
Proposed Solution 3: Centralised digital ID System
A better strategic solution would be to have centralised digital ID system, The central digital ID service would act like a SSO, whereby any ID verification needed by any company will be done via the centralised system and a unique identification token would be passed on to them. This ensures the private information of the customer does not ever leave the central Digital ID server.There are a few of such system such as Digital ID and IDYou
However this will also paint a big red "hack me" sign on those centeralised digital ID system and a single breach could have far more devastating consequences.
Comments
Post a Comment