Telcos are some of the most regulated entities in the world, not only to protect consumers against corporate fraud and infosec negligence, but also because these companies are entrusted with our most private personal details and communications.
But nefarious activities still occasionally slip through the cracks, as we've seen in recent weeks with Vodafone's illegal access of Fairfax reporter Natalie O’Brien’s phone communications and text messages.
To recap, four years ago O’Brien revealed that Vodafone’s customer database was insecure and open to leaking sensitive information to unauthorised parties.
This week, the public learned of Vodafone’s response to O’Brien’s story - that it had decided to ferret out her source by snooping on her phone records.
This spying was extensive: Vodafone reportedly copied over a month’s worth of text messages to a hard drive, in full, and handed them to professional services company KPMG, which had been hired to conduct the witch hunt to find who had leaked to O’Brien.
That’s a gross invasion of privacy, not just towards O’Brien but also for those who contacted her. It also begs the question: what other detail and personal information did the Vodafone and KPMG investigators see that they were not meant to?
Vodafone chief executive Inaki Berroeta was right to apologise to O’Brien for the unacceptable and potentially criminal activities of his underlings, but there are also lessons to learn for telco customers.
The first thing to consider is how to wean yourself off SMS.
Not only can the security of personal messages sent by SMS no longer be taken for granted; if telcos are also able to read the text messages used for two-factor authentication, it's time to find another source of security.
Banks and other financial institutions, social networks, email and web services providers, among others, use text messages for two-factor authentication for added protection.
But knowing that telco staffers could potentially be accessing these texts - which could theoretically also help them break into your accounts - means it's time to look at other options, like RFC 6238 time-based one-time passwords (TOTP) as used by Google Authenticator or alternatives.
Another question that arises from the Vodafone revelations is what if telcos are sharing information they have illegally accessed between each other?
There's no current evidence to suggest this is the case, but those worried about privacy may want to look at moving to a trusted, vetted and strongly encrypted over-the-top voice and chat app for sensitive stuff.
It's also harder for interceptors to capture sought-after data if it's not stored on the telco provider's servers.
Ultimately, any amount of technological measures to protect your communications can and will be broken by determined adversaries.
What happened to O’Brien is a salutary reminder not to take using telco services for granted as a secure method of communications, even when you take steps to ensure that telcos are no more than dumb pipes punting your encrypted packets around.