Telstra has warned mobile users to be wary of service providers touting cheap SIMs and data rates because the savings may come at the expense of security protections.
Speaking at CeBIT, head of security services Jacqui McNamara said that users “get what [they] pay for” when it comes to mobile.
“Telstra maintains the fifth largest security team in the country,” she said.
“We spend a lot of money on data security and we have a lot of things in place to monitor the network and scan for faults.
“If you are buying a SIM card from a carrier that is very cheap, has very cheap data rates, doesn’t live in this country and doesn’t necessarily comply with [data protection] regulations you just have to be conscious that you get what you pay for.
“They’re not scanning the network for mobile malware possibly or really doing a lot to advise you if you’ve got a data breach and they may not even need to comply with regulations in Australia, depending on where you purchase the SIM card.”
McNamara said that Telstra had invested in improving cyber security for users, including by increasing its use of verification codes to authenticate the identity of users.
“In security we tend to be a bit down on users,” McNamara said.
“There’s a bit of user-bashing that goes on which I find unfortunate. Security people say things like ‘if I had a dollar for every time users clicked on a link…’.
“Users are both our last line of defence and our first line of defence, so educating them is hugely important - not to click on things, to think about things when they do them, and to actually consider being suspicious by default.
“I would never get annoyed - and our customer service teams don’t get annoyed - when people say ‘I don’t trust that, you need to give me a number to check that on, I’m not giving you that information’ [over the phone].
“Telstra’s call centres now will find another way to authenticate you if you don’t want to pass that data out.”
McNamara said that all organisations should avoid processes that “consistently ask your customers to provide data and information which is sensitive” to authenticate themselves, particularly for the purpose of customer service transactions.
“Because what you are doing is training your customers to respond to phishing attacks,” she said.
McNamara said that Telstra regularly tested fake phishing campaigns on its own staff.
“One of them was to say there was a parcel to be picked up and there was a link to click on and if you clicked it said ‘naughty, don’t click on links, there’s no parcel for you’,” she said.
“Everyone likes to have a present so the number of people that clicked on it was incredible” - though she added this was the “first round” of testing and that “not many people are clicking on them now”.
The parcel phish test also produced some interesting results, with five staff turning up to Telstra’s mailroom to pick up the parcel, despite nothing in the email to suggest that was where the parcel was.
“Actually, the user we found that was the most educated and helpful was the mailroom worker, because they reported they’d had five people in to get a parcel they didn’t have,” McNamara said.