Telstra has boosted its security by introducing security codes. Photo: Peter Riches
Telstra is trialling a new service that requires customers to provide security codes sent to their mobile phones before they are granted access to their private details, including call and location histories, after it was revealed how easy it was to hack into any customer’s online billing account.
Called Telstra ID+, the service is being made available to a selected group of customers first, who are being given early access to a new version of the Telstra 24×7 app for Android smartphones, which will be used to deliver the codes.
In the future, Telstra ID+ will also comprise alternative methods for the delivery of the tokens, Telstra said, by introducing an app for the iPhone and making use of SMS for customers who don’t want to receive the codes using Telstra’s app.
Over time, Telstra said it intended to progressively roll out the codes more widely and introduce additional verification mechanisms to customer interactions on the phone and in retail stores.
As of September last year, all that was needed to access a Telstra customer’s details – including their call histories and the mobile towers they were connected to, as well as their billing address – through the company’s online “My Account” service was their name, telephone number and date of birth.
Following this revelation, Telstra boosted its security, requiring a fourth detail (a user’s account number) to be handed over before granting access to My Account.
But as early as this week, a Fairfax reporter was able to sign up to a new plan at a Telstra retail store in Sydney using only his name, mobile number and date of birth. No identification card was requested.
According to Telstra, the Telstra ID+ service uses components of products and services from TeleSign, a company in which Telstra invested an undisclosed sum of money in July last year following a $US40 million financing round.
Telstra said it was introducing Telstra ID+ because it took customer privacy and data security “very seriously” and was “always looking at ways to improve the security of the interactions” its customers have with it.
“We commenced the rollout of Telstra ID+ with selected customers on Android in December 2014 and will continue to roll out to other platforms (including iOS) throughout 2015,” a company spokesman said in a statement.
“Once completed, Telstra ID+ will be a suite of identification and verification options to provide our customers with greater security and peace of mind when interacting with us.”
The spokesman wouldn’t say whether the rollout was due to media coverage pointing out flaws in its security.
“It is part of an ongoing commitment to improving customer security,” the spokesman said.
Security experts have previously warned that only using a date of birth, name and phone number as a way of protecting a service is not enough. This is because the dates of birth of company directors are divulged in publicly accessible ASIC records for a small fee.
Birthdays are also readily available on social networking websites such as Facebook and are often announced in local newspapers on the day you were born.
Telstra isn’t the only company with lax security when it comes to authenticating its customers on the phone or online. A number of Australian companies also use dates of birth as the only form of identity check.
Telstra’s use of security codes comes after Fairfax revealed the federal government’s online myGov portal – which allows millions of Australians to access their private government tax, health and other records – also introduced security codes, which experts said were urgently required.
The Department of Human Services, which manages myGov, revealed on Wednesday that, as at January 5, 447,923 of the six million myGov account holders had opted to use security codes.
The cost of implementing and maintaining the service was “not available”, a DHS spokesman said.
The spokesman added that the security codes, which were implemented 30 months after myGov first went live, had “always been under consideration” since the launch of myGov in May 2013.