Optus cyber attacks: New scams could dupe victims for a second time

By Nadine Morton | The Canberra Times

How the Optus cyber attack could incite new scams on victims, cyber security experts say.

The ramifications of the Optus cyber attack will never really go away, a cyber security expert warns.

The data breach left almost 10 million Australians hugely vulnerable, and on Tuesday 10,000 customer records were shared on the dark web.

Hackers called for Optus to pay a $1.5m ransom or 10,000 new records would be released daily. The telco told ACM it did not pay the ransom.

The main concern for Professor of cybercrime, cyberwar and cyberterror at University of NSW, Richard Buckland, is that with millions of Optus customers on alert, it is easy for other scammers to take advantage.


"There's so much publicity and they [Optus customers] know it's in the news, so they wouldn't be too surprised to get an email from Optus," he said.

Other scammers could now send you an email purporting to be from Optus.

Prof Buckland warned the telco's customers to be aware of identity theft risks and derivative attacks.

Professor of cyber crime, cyber war and cyber terror at University of NSW, Richard Buckland, has three main concerns with the data breach. Picture by Scimex

Derivative attacks are when innocuous information can be pieced together to commit a crime. It could lead to your social media accounts being hacked, your email password being reset, and your credit cards or driver's licence being reported stolen.

Prof Buckland said email addresses are often used to reset accounts, and hackers know this.

"You can leverage some information with other information," he said.

In an age of artificial intelligence, cybersecurity expert Professor Katina Michael said data can be retained as "training datasets" used for the development of future AI algorithms.


"[This can] create new threat vectors and ultimately breach security defences of organisations and government agencies," she said.

"Data can also be used to reidentify de-identified personal data, including highly sensitive data like health and financial information, toward bringing once disparate data sources together."

Will your credit rating be impacted?


Yes. If hackers can steal your identity, they can then apply for credit cards and mortgages in your name.

"A bad credit rating can affect your chances of getting a car loan or home loan," Prof Michael said. "It takes time to recover from such incidences."

Prof Buckland said banks will often let you overdraw on your account, but they will later chase you to repay.

"Anything you can do on the internet, a bad guy can do on the internet, if they can pretend to be you," he said.

"It's awful to see money being siphoned out of your account or to start seeing bills from creditors."

In Australia there is no legislative protection for any money siphoned out of your bank account; however, credit card use can be different.

Does it matter if hackers have your phone number?


Yes. If a hacker has your phone number they can SIM port - also called number porting or mobile number portability (MNP) - your details from a new phone.

"Once someone has your phone number, they can login as a pin number gets sent to them," Prof Buckland said.

He urged people to contact their mobile phone provider and ask for SIM porting to be barred from their account.

What you need to do

Never click on any links in any email, ever.

While there have been recommendations to change your password, Prof Buckland said this attack was not a password breach.

"Your passwords are no more vulnerable today than they were six days ago," he said.

However, for ongoing added cyber safety, anyone with a weak password, or who uses the same password for more than one account, should update their password immediately.


Prof Buckland urged Optus customers to monitor their own credit report via the federal government's Office of the Australian Information Commissioner website at www.oaic.gov.au.

The free service will show you if someone is creating a loan in your name, but the site should be monitored regularly as things can change overnight.

Stay vigilant is the advice from the cyber security experts.

"You can't change your date of birth, and you can't really change your address so it never really stops," Prof Buckland said.

"Identity theft happens all the time, it is a really hard problem and it rarely ends well."
