Is VHA a security penny-pincher?

Summary: If post-mortem auditors find that Vodafone Australia did indeed lose millions of customer records to thieves, can it blame penny-pinching for its security?


[Image: Vodafone (Credit: Suzanne Tindal/ZDNet Australia)]

The telco is facing the grim prospect that either an internal staff member or a dealer may have sold access details to its customer database. The details include names, addresses, driver licence numbers and phone records and were used in blackmail, according to Fairfax newspapers.

One of the factors which could have enabled such a breach is that the telco issues retail stores with a single shared log-in to its Oracle Siebel customer database. While Vodafone refreshes the passwords monthly, it is still slack security, according to experts.

"To allow common user IDs in stores access to a full database is just reckless," said Keith Price, a former telco security professional who is now a consultant for BlackSwan Consulting Group. "They must have conducted a [security] audit and accepted the risk."

Allowing shared passwords not only increases the risk of unauthorised access but can also encourage leaks, because with a shared account it is difficult or even impossible to identify the offender.

"Telcos today have almost as much information as the banks," HackLabs director and network penetration tester Chris Gatford said. "They need at least two-factor authentication, smart card access. The fact that they didn't use two-factor, or a one-time-password, is very surprising."

Reports initially claimed that credit card details were compromised and stored in the database as plain text, which would constitute a massive breach of the Payment Card Industry Data Security Standard (PCI DSS), but this now appears unlikely.

Vodafone has told ZDNet Australia it encrypts its customer credit card details so they can only be viewed by "senior financial managers" who have unique — and therefore trackable — log-in details. This reduces the impact of the loss significantly, but does not quell the risk of identity theft and the prospect of blackmail through the use of phone records.

The telco is at the time of publication still waiting on the results of an internal audit and cannot confirm or deny that the breach has happened. But security sources say Vodafone's internal security team are experienced, with one claiming, under the condition of anonymity, that they would have likely flagged the security risk and "expected the breach".

Penny pinching?

If the risk was raised in a security assessment, does it mean cut-rate telco Vodafone penny-pinched? Experts' opinions on the matter are mixed.

"People are the last line of defence but also our weakest link — you can have policy, good technology and background checks, but it's almost impossible to stop a rogue employee," Price said.

Yet security is about risk mitigation, and Gatford speculates that Vodafone may have been cheap.

"Even a private VPN [Virtual Private Network] could help, with each store using a VPN connector. It is not infallible but it would limit abuse," he said.

Vodafone is staying mum on its security policies, pending results of its "preliminary audit", which was slated for completion yesterday, and did not confirm if it uses VPN or other authentication technology. ZDNet Australia understands that other carriers use two-factor authentication, and have tight access control policies.

However, security is a department that will gobble up every dollar thrown at it and return nothing to the bottom line. Conversely, it will keep operating even when it is starved of cash.

"They should encrypt their communications channels, and the database, but that is expensive," Price said. "You must appreciate the cost-benefit analysis of going through security controls — [security] is a complex technology that is costly to acquire the brains to support — and you have to get it right because if you screw it up, you've lost everything."

Price sees how it was possible for a company built from "switching and router people" to view security as an expense rather than a potential cost-saver. "They may say 'we have great physical security, we have passwords and we monitor usage' and that's enough."

However, security can also pay itself off by steering businesses well clear of bad publicity like this incident. Unfortunately, quantifying the risk can be difficult.

Data breaches are catalysts for reform, and it often takes an incident to pry open company coffers or push for government crackdowns. Data breach regulations are on the Federal Government's agenda, albeit a way off; this week it announced a panel to consider a new credit reporting code of conduct.

Security analyst for IBRS, James Turner, said that security is inevitably dictated by budgets.

"Good security is about achieving the appropriate balance between accessibility, practicality and security," Turner said.

So where does it leave Vodafone?

"Because they have such poor security controls … for the sensitive customer data, from my experience I would infer they have poor internal controls for monitoring for abuse," Gatford said. "It would be an impossible task to establish the extent of damage." If his assumption proves correct, then Vodafone will not find the offender, and may never know to what extent it has been breached.

Worse, there could be further breaches that have gone undetected.

"This is one instance of one guy showing a journalist," Gatford said. If there were more, he believed that detecting them "would be an impossible task".
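The monitoring Gatford says Vodafone likely lacks could be as simple as checks over the CRM audit log. The block below is an added example, not code from the article or from Vodafone: it runs two such checks over a constructed log in which every store shares one login, so the only identity the log can attribute is the store.

```python
"""Added example (not from the article or Vodafone): abuse checks over a
constructed CRM audit log where stores share a single login, so lookups
can be attributed only to a store, never to a person."""
from collections import defaultdict
from statistics import median

# Constructed sample log, "timestamp,store,customer_id" (not real data).
# S1 and S2 look like normal retail traffic; S3 walks customer IDs in order.
SAMPLE_LOG = """\
2011-01-09T09:01:00,S1,48213
2011-01-09T09:07:00,S1,11902
2011-01-09T09:15:00,S1,73388
2011-01-09T09:03:00,S2,55901
2011-01-09T09:40:00,S2,10234
2011-01-09T09:02:00,S3,1000
2011-01-09T09:02:05,S3,1001
2011-01-09T09:02:10,S3,1002
2011-01-09T09:02:15,S3,1003
2011-01-09T09:02:20,S3,1004
2011-01-09T09:02:25,S3,1005
"""

def parse_log(text):
    """Return {store: [customer_id, ...]} in log order, skipping blank lines."""
    by_store = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, store, cid = line.split(",")
        by_store[store].append(int(cid))
    return by_store

def volume_outliers(by_store, factor=1.5):
    """Stores whose lookup count exceeds `factor` times the median store count."""
    counts = {s: len(ids) for s, ids in by_store.items()}
    baseline = median(counts.values())
    return sorted(s for s, c in counts.items() if c > factor * baseline)

def sequential_runs(by_store, min_run=5):
    """Stores that looked up at least `min_run` consecutive customer IDs in a row."""
    flagged = []
    for store, ids in by_store.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(store)
                break
    return sorted(flagged)
```

Both checks are volume and pattern based: small, randomly timed lookups of individual records would not trip them, and because the login is shared they point at a store rather than a staff member, which is exactly the attribution gap the shared log-in creates.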

About Darren Pauli

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

Talkback

  • @DarrenPauli,

    I assume that the reason for not issuing each store employee with 2FA or OTP is the high staff turnover and the tight time turnaround to solve the customer's issue in-store, which could be delayed by authentication.

    It would be possible to identify a list of possible suspects based on who was working at that particular store for the month in question.

    A VPN solution would increase the residual risk due to the cryptosystem, replication of cheap VPN hardware offsite and distribution of the static credentials for a site to site VPN.

    Establishing that customer information should not have been accessed is impossible with monitoring as it would only be accessed once, not multiple times within business hours.
    cmlh
  • cmlh,

    You failed to see the point. There would have been other breaches that have occurred over the months and years due to the poor/no controls. Whilst you can find one store who showed it to a journo, you're not going to find all the instances where it has been abused since running. VPN solutions don't have to be cheap (site-to-site Cisco VPNs? Or a private WAN). Also, glad you're not running IR for my company. You'd look for a pattern of abuse, i.e. Store A is doing 100x more queries but sells the same $$ value as Store B, or Store A has incrementally requested account numbers 1000 to 2000, which good system/DB logging and alerting should be looking for.
    CMLH, your comment seemed like that of the Vodafone CEO, focusing only on the one event; that's not the point of this breach.
    olditsecguy
  • @olditsecguy,

    I would assume that there would be other minor incidents but only one has been confirmed by their CEO.

    VPN technology is based on IETF standards and therefore not vendor specific.

    Incidents would only be detected after the fact i.e. requesting five (5) entries of 10 days for a total of 50 records at random time intervals during business hours would not be detected via a linear pattern. In addition, the requests are *not* for linear blocks of records, i.e. 1000 - 2000, rather for that of a specific individual(s).
    cmlh
  • @olditsecguy,

    Based on the reference to being old within https://twitter.com/#!/ChrisGatford/status/6760723237 (along with the pathetic attempt at corresponding with yourself so as to create the appearance that you don't control the other sock puppet @m00chieNorris on Twitter) and the capitalisation of "CMLH", which only you do, is @olditsecguy yet another sock puppet of yours, Chris?

    If you're not Chris, then perhaps you would provide your identity, but this is doubtful considering you are yet to reply to my comment above?
    cmlh