CommBank CIO flags security issues with NBN migration

Commonwealth Bank's CIO David Whiteing has warned that there are a number of security risks associated with migrating ATM and Eftpos banking services from Telstra's network to the NBN fibre.
Written by Josh Taylor, Contributor

An NBN Co network terminating device that allowed access to CommBank's network without authentication was just one of many issues that the bank's new CIO, David Whiteing, highlighted about the migration from the Telstra fixed-line network to the National Broadband Network (NBN) fibre.

One of the most complex issues with the move onto the National Broadband Network is moving existing services from the legacy copper network onto the new fibre network. In addition to all broadband and fixed-line phone customers moving onto the NBN, other services such as medical alarms, security alarm systems, and banking systems will also need to move onto the new network.

In the Commonwealth Bank's submission (PDF) to Australian Communications Minister Malcolm Turnbull's review of the NBN migration practices, Whiteing said that the bank had experienced significant issues in migrating its branches, Eftpos machines, and ATMs to the NBN in the first switch-off locations.

Where NBN Co would connect non-branch ATMs in multi-dwelling units such as shopping malls to the network, Whiteing said the bank had discovered that access to the Commonwealth Bank network was "possible without authentication".

"As the [network terminating devices] are commissioned in common areas for complex sites (eg shopping centre MDF and communication rooms) and are shared by multiple RSPs and customers, there is a potential security threat to anyone using the CBA services passing through this junction," Whiteing said.

"A tactical solution has been developed for this problem by Telstra, but a long-term solution is required."

There was a 10 percent failure rate with Eftpos dial terminals being incompatible with NBN fibre services, and 90 percent of dial terminals failed when they needed to stay connected for longer for software upgrades. Whiteing said that while this could be resolved with a move from dial terminals to IP services, not every customer would want to move over.

CommBank CEO Ian Narev flagged the Eftpos issue with Turnbull in a letter to the minister in April this year, also included in CBA's submission to the review, and said at the time that NBN Co had compounded the issue by implementing an emulated voice service that only supports low transmission speeds.

"The bank passed these observations and a test report onto the NBN Co team in October 2013. We request that you tune the NBN Co supplied voice service or provide alternative arrangements to increase the Eftpos terminal reliability," Narev said.

There are also physical and security risks with installing NBN services in bank branches. Construction contractors will be required to drill through security walls and walls potentially containing asbestos, and may need to be in the branch after operating hours to ensure that the branch is back and operational during working hours.

Whiteing said that disconnection notices are sent to the branches rather than to the CBA IT department, which means that a notice often arrives at the wrong department within the bank.

The Commonwealth Bank would also face a significant cost increase if the low-bandwidth services such as non-branch ATMs and Eftpos terminals move to the basic 12Mbps NBN service, where the bandwidth is much higher than those machines require to operate. Whiteing said that there is no process for requesting non-residential fibre services in place today.
