Very interesting, also because here in Australia our second largest Telco suffered a data breach late last year through an unsecured API. Which was I believe our largest data breach in history.
Managed to steal very similar information, but also included drivers license numbers and some people's passport numbers. Interestingly, for a while there was a post that allowed us to query the suspected API once authentication with our own accounts, which pulled down our drivers license numbers.
It's prompted a major investigation into identity legislation and data security. Our government bodies started allowing people to change their driver's license online. Furthermore the breached Telco started providing free credit monitoring services.
I wonder if the success from that hack has prompted attackers to pay more attention to unsecured API's. Not that it wouldn't have been a topic before.
I am not sure if it changes the difficulty of implementing something like this (which is/was undoubtedly a massive task) but the drivers licence number hasn't changed. There is an additional number on the back of the card called the Card Number.
There was already a process before hand to allow people to change their drivers license numbers, it just required more reasoning and there were barriers to entry having to call etc.
They've just made it an online form within our government identity portal.
Ah I wasn't aware. I was caught up in the breach like pretty much everyone, and was issued a new card with the additional Card Number on the back that I didn't have before, but my licence number stayed the same.
Are you saying I can change my actual license number too? Is this government identity portal you speak of myGovID?
Ahh yes. Lets play the victim card. I could care less. Lets not forget that T-Mobile was storing passwords on TXT formats back in the day. Their infosec is either clueless or understaffed.
Credit monitoring might as well be free & unlimited. Nobody really cares about their data being leaked. Too abstract of an idea for folks. But people care if you go through their trash for less data
12 comments
[ 2.3 ms ] story [ 35.0 ms ] threadManaged to steal very similar information, but also included drivers license numbers and some people's passport numbers. Interestingly, for a while there was a post that allowed us to query the suspected API once authentication with our own accounts, which pulled down our drivers license numbers.
It's prompted a major investigation into identity legislation and data security. Our government bodies started allowing people to change their driver's license online. Furthermore the breached Telco started providing free credit monitoring services.
I wonder if the success from that hack has prompted attackers to pay more attention to unsecured API's. Not that it wouldn't have been a topic before.
Wow. Virtually never heard of. Most countries I suspect can't pull this off even if the intention is there.
They've just made it an online form within our government identity portal.
Are you saying I can change my actual license number too? Is this government identity portal you speak of myGovID?
Have tried to get them to stop with no success!