CyberWatch: Australia

Insight on how cyber risk is being mitigated and managed in Australia and across the globe.

1. Government committed to introducing Mandatory Data Breach Notification laws
2. Oracle’s Point-of-Sale division targeted by professional hackers
3. Sour Apple blasts the Banks for application to ACCC
4. Hackers to take the blame for Census?
5. The White House issues response guide to a cyber attack
6. Was Mickey Mouse hacked?
7. Big banks want a slice of the Apple Pay pie
8. What Pokémon ‘needed’ to know about you
9. Brexit and Data Protection
10. ATMs Remain Vulnerable Worldwide

Government committed to introducing Mandatory Data Breach Notification laws

By Cameron Abbott and Rebecca Murray

After much delay, a spokesperson for Attorney-General George Brandis has said the government is committed to introducing Mandatory Data Breach Notification laws this year. We will be sure to look out for the Bill during the next term of Parliament. More information on the proposed scheme and its regulatory impact is available on the Attorney-General’s Department’s consultation webpage for Serious Data Breach Notification.

Oracle’s Point-of-Sale division targeted by professional hackers

By Cameron Abbott and Rebecca Murray

Oracle confirmed last week that its systems were breached by a Russian organised cybercrime group infamous for hacking retailers and banks. Alarmingly, Oracle’s MICROS point-of-sale credit card payment system was among the systems targeted. While the impact of the breach is still being investigated, the attack could have a wide reach: MICROS is one of the top three point-of-sale vendors worldwide, and its systems are used at more than 330,000 cash registers globally.

It has been reported that Oracle became aware of the breach after its staff discovered malicious code on the MICROS customer support portal and related systems. It is thought that the hackers placed the malware on the troubleshooting portal to capture customers’ credentials as they logged in. Those usernames and passwords could then be used to access customer accounts and, where the same credentials also grant remote administration, to control MICROS point-of-sale terminals. That is the practical lesson of the incident: a support portal is only as sensitive as the systems its credentials can reach, so resetting every credential that passed through the portal and checking remote-access logs for logins from unfamiliar sources is the first response, not an afterthought.

The attack has been linked to the Carbanak gang, which has been accused of stealing more than $1 billion from banks and retailers in the past. These guys clearly know what they are doing.

Sour Apple blasts the Banks for application to ACCC

By Cameron Abbott and Rebecca Murray

Last month we reported that three of Australia’s largest banks had collectively launched an application to the ACCC seeking permission to negotiate with Apple Inc. to install their own electronic payment applications on iPhones.

Apple has submitted a scathing response to the ACCC, warning that allowing the banks to negotiate collectively would compromise the security of the iPhone handset, reduce innovation and blunt Apple’s entry into the payments market in Australia. Read Apple’s submission to the ACCC here.

Apple expressed particular concern about security, claiming that giving banking applications direct access to the NFC antenna would fundamentally diminish the high level of security of Apple devices. The concern is not unwarranted: it was recently revealed that security researchers have found ways to intercept contactless mobile payments on Samsung’s latest Galaxy smartphones. While Samsung disputed this in a recent blog post, the FAQ attached to that post conceded that it is possible for an attacker to skim a smartphone’s payment token and make a fraudulent purchase with it, a window Samsung says is narrow because each token is single-use and short-lived.

Hackers to take the blame for Census?

By Cameron Abbott and Rebecca Murray

The Australian Bureau of Statistics (ABS) says that the 2016 online census form was subject to “four Denial of Service attacks,” which prompted the ABS to shut down its Census website as a security precaution on Tuesday night. Read the ABS’s media release here.

While the ABS maintains that 2 million forms were successfully submitted and safely stored, thousands of Australians were prevented from taking part in the Census by the outage. The ABS says it believes the attacks came from overseas and were a deliberate attempt to sabotage the Census. However, we wonder whether the entire Australian population trying to access the website on the same evening might look like a Denial of Service attack in its own right! Operationally, the two are told apart by the shape of the traffic rather than its volume: a flash crowd is millions of distinct users each making a handful of requests, whereas an attack concentrates implausible request rates in a small set of sources (or many sources behaving identically), so the ABS’s claim has to rest on that analysis rather than on the fact that the site fell over. If ever a system should have been robust enough to cope with a load spike of that size, it was this one.
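The distinction drawn above between a flash crowd and an attack is something a security operations team checks in the access logs rather than infers from the outage. The following is an added example written for this page, not code from the ABS or its contractors: it parses constructed access-log lines (the addresses, paths, timestamps and the two thresholds are illustrative assumptions) and classifies a one-minute window by how concentrated the requests are per source.

```python
"""Telling a flash crowd from a volumetric DoS by per-source request concentration.

Added example: the log lines below are constructed, and the thresholds are
illustrative assumptions, not values taken from any real incident.
"""
import re
from collections import Counter

# Combined-log-format prefix: source, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def source_profile(lines):
    """Aggregate requests per source address and summarise how concentrated they are."""
    per_source = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            per_source[rec["ip"]] += 1
    total = sum(per_source.values())
    top10 = sum(n for _, n in per_source.most_common(10))
    return {
        "requests": total,
        "sources": len(per_source),
        "top10_share": (top10 / total) if total else 0.0,
        "max_per_source": max(per_source.values(), default=0),
    }


def classify(lines, window_seconds, max_human_rps=2.0, max_top10_share=0.5):
    """Label one window of traffic as idle, flash crowd or denial of service.

    A flash crowd is many distinct sources each making a handful of requests; a
    volumetric attack concentrates implausible request rates in few sources. Both
    thresholds are assumptions chosen for this example: a person does not sustain
    more than about 2 page requests per second, and ten addresses should never
    account for half of a national site's traffic.
    """
    p = source_profile(lines)
    p["max_source_rps"] = p["max_per_source"] / window_seconds
    if p["requests"] == 0:
        p["verdict"] = "idle"
    elif p["max_source_rps"] > max_human_rps or p["top10_share"] > max_top10_share:
        p["verdict"] = "denial of service"
    else:
        p["verdict"] = "flash crowd"
    return p


def _line(ip, path, seq):
    """Build one constructed log line; the timestamp is synthetic and not used by the classifier."""
    return f'{ip} - - [09/Aug/2016:19:{seq // 60 % 60:02d}:{seq % 60:02d} +1000] "GET {path} HTTP/1.1" 200 512'


def _host(i):
    """Deterministic distinct (constructed) address for the i-th visitor."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


WINDOW = 60  # seconds covered by each constructed sample

# Sample 1: 2,000 distinct households each loading the form once and submitting once.
FLASH_CROWD_LOG = [
    _line(_host(i), path, i) for i in range(2000) for path in ("/census/form", "/census/submit")
]

# Sample 2: a legitimate trickle of 100 users plus five sources hammering the form 400 times each.
DOS_LOG = [_line(_host(i), "/census/form", i) for i in range(100)] + [
    _line(f"198.51.100.{bot}", "/census/form", n) for bot in range(1, 6) for n in range(400)
]

if __name__ == "__main__":
    for name, sample in (("flash crowd sample", FLASH_CROWD_LOG), ("attack sample", DOS_LOG)):
        p = classify(sample, WINDOW)
        print(f"{name}: {p['requests']} requests from {p['sources']} sources, "
              f"top-10 share {p['top10_share']:.2f}, max {p['max_source_rps']:.2f} req/s -> {p['verdict']}")
```

The heuristic has an obvious blind spot: a botnet that spreads its requests thinly across thousands of addresses passes the per-source check, which is why a real pipeline also looks at what the requests have in common (identical User-Agent strings, the same path requested with no asset or script fetches, arrivals at machine-regular intervals) and at upstream network telemetry from the carrier or CDN.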

Attorney-General George Brandis has stated that the security measures in place were “more than sufficient to protect individual privacy” and that “the cyber security operations centre has been engaged overnight…and is investigating the matter.”

The White House issues response guide to a cyber attack

By Cameron Abbott and Simon Ly

Last week, the White House issued the US government’s response guide to cyber attacks titled “Presidential Policy Directive – United States Cyber Incident Coordination”.

Billed as covering “malicious activity, malfunction, human error and acts of nature”, the Directive sets out how the US government will handle significant cyber incidents while fostering the advancement of technology and innovation. It is accompanied by a severity schema that grades incidents from Level 0 (baseline) up to Level 5 (emergency). It has been reported that no attack has yet reached Level 5, which is reserved for incidents posing an imminent “threat to infrastructure, government stability or American lives”.

If it wasn’t apparent already, the Directive underscores the growing risk of cyber attacks to both governments and companies. It will be interesting to see it in action, as reaction to it has been mixed, with some saying it does not go far enough and simply codifies existing practice. That criticism seems a little unfair: you would hope that existing practice was relatively well thought through, and thus not a bad standard to entrench.

For more information, you can access the White House’s press release here.

Was Mickey Mouse hacked?

By Cameron Abbott and Rebecca Murray

Disney Interactive has notified users of its Playdom Forum that hackers have stolen personal information, which could put their privacy and online security at risk. The hackers acquired usernames, email addresses, and passwords for playdomforums.com accounts as well as IP addresses. Disney has not disclosed how many users have been affected, although the forum is said to have over 350,000 members. Read Disney Interactive’s statement here.

Big banks want a slice of the Apple Pay pie

By Cameron Abbott and Rebecca Murray

It is not often that any one of Australia’s ‘Big Four’ banks finds that it is too small to influence the shaping of new payment technology in Australia. However, three of Australia’s largest financial institutions have chosen to join forces in applying to the ACCC for authorisation to enter into joint negotiations with Apple Inc to install their own electronic payment applications on iPhones. The application to the ACCC can be seen here.

As yet, Apple, which operates its own lucrative Apple Pay electronic payment application, does not allow third-party payment apps to use the iPhone’s contactless payment hardware. The applicants, National Australia Bank, the Commonwealth Bank of Australia, Westpac Banking Corp and the smaller Adelaide Bank and Bendigo Bank, contend that restricting access to the technology through which iPhone mobile wallets function, known as Near Field Communication (NFC), amounts to anti-competitive behaviour.

In a joint statement, the banks state that they ‘want to ensure that Australian consumers can make payments easily through their choice of mobile wallet providers, have access to the latest developments in contactless payment technology, and can benefit from common security standards across the mobile payment system.’ The joint statement can be seen here.

ANZ is conspicuously absent from the joint application having ‘blinked first’ by agreeing to give Apple a nice cut of the action in Australia by using Apple Pay.

What Pokémon ‘needed’ to know about you

By Cameron Abbott and Rebecca Murray

The hugely popular Pokémon GO app is at the centre of privacy and security concerns after recent media reports noted that its installation required access to a significant amount of users’ personal information. This prompted Australian Privacy Commissioner Timothy Pilgrim to make enquiries with the app’s developer, Niantic Labs, to “ensure the personal information of users is being managed in accordance with the Australian Privacy Act.” Read the OAIC statement here.

Available on iOS and Android, the smash-hit game uses augmented reality technology together with your smartphone’s GPS and camera to display fictional Pokémon, which users then aim to find and capture.

Privacy concerns arose after users noted that signing into the iOS version of the app with a Google account granted it full access to that account. In response, Niantic Labs said the access had been requested erroneously, that the app only ever used basic profile information, and that Google would reduce Pokémon GO’s permission to the basic profile data it needs. Niantic and Google have since corrected the permissions. Read Niantic’s statement here.

Commissioner Timothy Pilgrim warned that the security scare was a “timely reminder that people need to read the privacy policies of all smartphone apps before signing up. This way people can make an informed decision about if they want to use an app.” However, we will wager that 99% of people just click “accept”.

Brexit and Data Protection

Linked article by Andrew W. Gilchrist, Arthur Artinian, Andrew R. Danson, Philip J. Morgan, Daniel L. Clyne

As part of K&L Gates’ continued coverage of the issues raised by Britain’s exit from the EU (see our dedicated Brexit Hub here), our European colleagues have assessed the post-Brexit landscape for the UK’s data protection laws.

Although there will be no immediate impact (it is expected to take at least two years before any Brexit is finalised), companies should begin to consider what legal framework may apply in the post-Brexit world. For more information, please see here.

ATMs Remain Vulnerable Worldwide

By Susan Altman

Bank ATMs worldwide remain vulnerable to security hacks, according to Bank Info Security®. A recent large theft of cash from dozens of ATMs in Taiwan using malicious software highlights the continuing problem. Investigators suspect two Russian nationals were behind the hack. Three types of malware were reported to have been used, which may have enabled the bad guys to command the machines to dispense large amounts of cash simply by sending a text message.

ATMs are considered vulnerable because of their ageing software. According to Kaspersky Lab, about 90% of the world’s ATMs still run Windows XP, the operating system Microsoft generally stopped supporting in April 2014. Most ATM manufacturers continued to use Windows XP, layering on other security software while trying to lock down the operating system to protect account data, but an unsupported operating system accumulates publicly known vulnerabilities that will never be patched. In addition to running old software, some ATM fleets are physically accessed with a single key that opens the cabinet holding the machine’s computer on every unit: a triumph of human convenience over security, since whoever reaches that computer, whether through the cabinet or over the network, is talking to the component that tells the cash dispenser what to do. Finally, ATMs need a network connection in order to communicate with banks, so like any other connected machine they are exposed to remote attack.

Copyright © 2016, K&L Gates LLP. All Rights Reserved.