Name, date of birth and contact details (phone and address) are often enough data for a fraudster to commit some serious damage. If I call up my phone company or bank that's probably going to cover the questions they ask me to prove identity. Someone transferring my phone can then get past any 2FA I hold.
At what point do we hold NAB liable for the potential damage they have caused?
Name, DOB, and address are available via the Electoral Roll. While I don't think NAB is blameless, at some point the blame lies with companies that accept insufficient forms of authentication.
For example, to transfer funds with my bank, I get texted a 2FA code and this is a mandatory requirement for online banking at CBA.
Name and address are in the roll. DOB absolutely is not.
Further, suggesting the blame lies with companies accepting "insufficient forms" of authentication obviously does not bear up in light of this. 2FA texts, for example, are easily worked around by SIM-swapping. Performing a SIM-swap in Australia generally does not require 2FA, and the details leaked herein would get you well on your way.
I once worked as a contractor at NAB. The kickstart file with the root password, which was unchanged, for a 450M AUD corporate banking project was stored on an SMB share accessible to everyone in the bank. Project leaders didn't care (since it would involve work to fix). I eventually had to raise it as a hint to a friendly pentester who included it in their report, finally getting it fixed.
I hope the boffins who mandated weaker encryption take notice of this. The congress members who supported the bill for weaker encryption should be personally DOSed.