SYDNEY: Telstra is trialling a new service that sends security codes to mobile phones before granting access to customers’ private details, including call and location histories, after it was revealed how easy it was to hack into any customer’s online billing account.
Called Telstra ID+, the service is being made available to a selected group of customers first, who are being granted access to a new version of the Telstra 24×7 app for Android smartphones, which will be used to deliver the codes.
In the future, Telstra ID+ will also comprise alternative methods for the delivery of the tokens, Telstra said, by introducing an app for the iPhone and making use of SMS for customers who don’t want to receive the codes using Telstra’s app.
Over time, Telstra said it intended to progressively roll out the codes more widely and introduce additional verification mechanisms to customer interactions on the phone and in retail stores.
As of September last year, all that was needed to access a Telstra customer’s details – including their call histories and the mobile towers they were connected to, as well as their billing address – through the company’s online “My Account” service was a customer’s name, telephone number and date of birth.
Following this revelation, Telstra boosted its security, requiring a fourth detail (a user’s account number) be handed over before granting access to My Account.
But as early as this week, a Fairfax reporter was able to sign up to a new plan at a Telstra retail store in Sydney using only his name, mobile number and date of birth. No identification card was requested.
According to Telstra, the Telstra ID+ service uses components of products and services from TeleSign, a company in which Telstra invested an undisclosed sum of money in July last year following a $US40 million financing round.
Telstra said it was introducing Telstra ID+ because it took customer privacy and data security “very seriously” and was “always looking at ways to improve the security of the interactions” its customers have with it.
“We commenced the rollout of Telstra ID+ with selected customers on Android in December 2014 and will continue to roll out to other platforms (including iOS) throughout 2015,” a company spokesman said in a statement.
“Once completed, Telstra ID+ will be a suite of identification and verification options to provide our customers with greater security and peace of mind when interacting with us.”
The spokesman wouldn’t say whether the rollout was due to media coverage pointing out flaws in its security.
“It is part of an ongoing commitment to improving customer security,” the spokesman said.
Security experts have previously warned that only using a date of birth, name and phone number as a way of protecting a service is not enough. This is because the dates of birth of company directors are divulged in publicly accessible ASIC records for a small fee.
Birthdays are also readily available on social networking websites such as Facebook and are often announced in local newspapers on the day you were born.
Telstra isn’t the only company with lax security when it comes to authenticating their customers on the phone or online. A number of Australian companies only use dates of birth as a form of identity check.
Telstra’s use of security codes comes after Fairfax revealed the federal government’s online myGov portal – which allows millions of Australians to access their private government tax, health and other records – also introduced security codes, which experts said were urgently required.
The Department of Human Services, which manages myGov, revealed on Wednesday that, as at January 5, 447,923 of the six million myGov account holders had opted to use security codes.