By Geoff Schomburgk, Asia Pacific & Japan Vice President, Yubico
The telecommunications sector has long been a high-value target for cybercriminals: its infrastructure transmits and
stores large amounts of sensitive information about its customers. Whilst the industry has invested heavily in
cybersecurity, large telcos still fall victim to significant cyber-attacks in which millions of customers’ highly
sensitive identity documents are stolen.
The Australian Government has introduced new legislation making telecommunications carriers and eligible carriage service
providers responsible for registering their critical assets and reporting cyber security incidents, bringing their
obligations into line with those of other sectors of the economy defined as “Critical Infrastructure”. When it was first established, the Security of Critical Infrastructure (SOCI) Act covered four sectors (water, electricity, gas and ports). Recent amendments to the Act
expanded the list to 11 sectors, including telecommunications.

Insider threats for telcos
Insider threats are one of the most significant risks for the telecoms industry. There are two aspects to it: malicious
behaviour by someone on the inside, and staff who are unaware of the risk their actions carry. Cyber threats have
also increased as many employees work remotely and connect to corporate systems over unsecured Wi-Fi at
home or while travelling.
The gap in technical knowledge and awareness within telcos and their third-party suppliers can and should be
addressed with employee education. Many organisations also rely on customers being vigilant about protecting themselves
from cybercriminals; poor password hygiene and data sharing often lead to account takeovers that could easily be
avoided. The Australian Cyber Security Centre publishes guidance on how organisations can better protect themselves,
but adoption is expected rather than mandated.
The number of incidents involving Business Email Compromise (BEC) doubled in 2022, replacing ransomware as the most common type of financially motivated cyber threat to organisations. This growth
in BEC was linked to a surge in successful phishing campaigns, which accounted for 33 per cent of incidents where the initial
access vector (IAV) could be established, a nearly three-fold increase over 2021, according to Secureworks.
Attackers don’t ‘break in’, they log in, and phishing is how they obtain the credentials to do so. According to Proofpoint’s 2022 State of the Phish, 92 per cent of Australian organisations suffered a phishing attack last year, a 53 per cent increase over 2021.

Exploring more secure options
Recent events have shown that telcos remain an attractive target for cybercriminals because of the sheer amount of sensitive
financial and customer data they are required by the Government to store, including credit card and bank
account details, driving licences, passports and email addresses. Consumers are now asking whether a more secure
digital method of proving their identity exists, and whether this information needs to be retained for long
periods at all.
Many countries have implemented national ID card programs to address rising concerns about cybersecurity. At the Prime Minister’s Cyber Security Roundtable in February this year, Australian Prime Minister Anthony Albanese said there was an urgent push to develop a national
digital ID (eID) card, a move backed by telcos.
As part of the Government's vision to make Australia a global leader in cybersecurity by 2030, the Government intends to
establish the proposed ID cards as a primary means of identification. By doing so, it hopes to reduce the
amount of personal data telcos need to store for identification purposes and to minimise the risk of data breaches that
could compromise Australians’ personal information or digital identities.

How ID proofing and strong authentication protects Digital IDs
Even once the eID card is rolled out and mandated for all Australians, an individual will still hold multiple digital
identities for logging in to accounts online. For instance, someone can have one digital identity (think Microsoft or
Google accounts) for their work email, a different one for a personal email account and many others for social media
accounts.
Ensuring that only the genuine user is given access to an account may require identity proofing: establishing, at
enrolment or account recovery, that the person is who they claim to be. Because identity proofing is done online, it is
used together with identity federation and strong, phishing-resistant authentication so that the proven identity stays
bound to the person using it. Identity federation securely exchanges identity and security information between an
identity provider (IdP) and a telco’s online service, so the whole chain is only as strong as the authentication
performed at the IdP. That is why federation should rely on phishing-resistant authentication such as FIDO, which
protects the login against phishing and man-in-the-middle credential theft. Note that FIDO authenticates the login
itself; it does not by itself stop a session token issued afterwards from being stolen and replayed, so session
hijacking needs its own controls.

Mandating strong MFA in telecoms
The Australian Federal Government already stipulates in its Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 that “Multi-factor identity authentication (MFA) processes must be used for all high-risk customer transactions in the
telecoms sector.” However, it does not specify which kind of MFA must be used.
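To make concrete what separates a phishing-resistant factor from one that can simply be relayed, here is an added example that is not from the article or from Yubico. It models, with the Python standard library only, the three WebAuthn roles (authenticator, browser, relying party) and an RFC 6238 TOTP check, then runs a login from a genuine origin and from a look-alike phishing origin through each. The domain names are hypothetical, the TOTP seed is the RFC 6238 test seed, and an HMAC keyed by a per-credential secret stands in for the authenticator's private-key signature (which a real relying party verifies with the public key registered at enrolment); the origin and rpId binding, which is what the example is about, follows the specification, with the rpId-suffix rule simplified.

```python
# Added example (not the article's or Yubico's code): why a FIDO/WebAuthn
# assertion fails when relayed through a phishing page while a TOTP code relays
# cleanly. Assumptions: the domains are hypothetical; an HMAC keyed with a
# per-credential secret stands in for the authenticator's private-key (ES256)
# signature so the script needs only the standard library; the rpId-suffix
# check is simplified (real browsers consult the Public Suffix List).
import hashlib, hmac, json, secrets, struct

RP_ID = "telco.example"                      # hypothetical relying party
RP_ORIGIN = "https://telco.example"
PHISH_ORIGIN = "https://telco-example.com"   # constructed look-alike domain


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Security-key stand-in: each credential is scoped to the rpId it was registered for."""

    def __init__(self):
        self.creds, self.counter = {}, 0

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]  # the RP keeps this as the credential's verification key

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        key = self.creds.get(rp_id)
        if key is None:
            raise LookupError("no credential registered for " + rp_id)
        self.counter += 1
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + struct.pack(">I", self.counter)
        sig = hmac.new(key, auth_data + sha256(client_data_json), "sha256").digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json, "signature": sig}


def browser_get(origin: str, rp_id: str, challenge: str, auth: Authenticator) -> dict:
    """Browser role: a page may only request an rpId that is its own host or a parent
    domain of it, and the browser (not the page) writes the true origin into
    clientDataJSON, which the authenticator then signs."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return auth.get_assertion(rp_id, cdj)


def rp_verify_fido(assertion: dict, issued_challenge: str, cred_key: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion-verification procedure: type,
    challenge, origin, rpIdHash, then the signature over authData || hash(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # a relayed assertion carries the phishing origin
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False
    expected = hmac.new(cred_key, auth_data + sha256(assertion["clientDataJSON"]), "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", unix_time // step), "sha1").digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def rp_verify_totp(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Typical server check: accept the current code or one 30 s step either side."""
    return any(hmac.compare_digest(totp(secret, now + k * 30), submitted)
               for k in range(-skew_steps, skew_steps + 1))


def fido_login(auth: Authenticator, cred_key: bytes, origin_user_is_on: str) -> bool:
    """The RP issues a challenge; an adversary-in-the-middle relays it to the victim's
    browser on the look-alike site. Returns whether the RP accepts the assertion."""
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = browser_get(origin_user_is_on, RP_ID, challenge, auth)
    except PermissionError:
        # A compliant browser stops here. Model a rogue client that signs anyway: the
        # origin it signs is still the phishing one, so the RP rejects it below.
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": origin_user_is_on}).encode()
        assertion = auth.get_assertion(RP_ID, cdj)
    return rp_verify_fido(assertion, challenge, cred_key)


def totp_login(secret: bytes, now: int, relayed_through_phisher: bool) -> bool:
    """The victim types the six digits into the look-alike page; the attacker forwards
    them a few seconds later. The server sees identical digits either way."""
    code = totp(secret, now)
    return rp_verify_totp(secret, code, now + (5 if relayed_through_phisher else 0))


if __name__ == "__main__":
    key = Authenticator()
    cred = key.register(RP_ID)
    seed = b"12345678901234567890"  # RFC 6238 test seed
    print("FIDO genuine:", fido_login(key, cred, RP_ORIGIN), "FIDO phished:", fido_login(key, cred, PHISH_ORIGIN))
    print("TOTP genuine:", totp_login(seed, 1_700_000_000, False), "TOTP phished:", totp_login(seed, 1_700_000_000, True))
```

Run the script and the FIDO assertion is rejected on the phishing path for two independent reasons: the browser refuses the rpId for that origin, and even a rogue client that signs anyway cannot change the origin field without invalidating the signature the relying party checks. The TOTP path passes both times because the six digits carry no information about where they were typed, which is exactly the property a real-time phishing proxy exploits.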
By and large, telcos have only mandated legacy mobile authentication methods for employees and customers, such as a
one-time password (OTP) sent by SMS or generated by an authenticator app. These are quick and easy to deploy and are
enabled by the ubiquity of mobile devices. Yet telcos continue to suffer BEC and phishing attacks because an OTP is
just another secret the user can be tricked into typing into an attacker’s page, which forwards it to the real service
within its validity window. Not all MFA is created equal. Adversary-in-the-middle phishing kits that relay such codes
in real time are now widely available, so these legacy methods no longer hold up. Phishing-resistant MFA needs to be
taken more seriously, and mandating options such as security keys for both customers and staff should be considered.

The take-out
To fight cyber-attacks effectively, telecom companies must implement strong, phishing-resistant MFA, removing
credential phishing and BEC as initial access routes, creating a more secure environment for their employees and
safeguarding their customers’ personal information.
Whether a telco is already using mobile authentication or is actively considering adding an extra layer of
authentication, it is essential to understand that MFA is a spectrum and that not all MFA is created equal. I would
strongly recommend adopting security keys, or biometric authentication built into the device the user is logging in
from, to prevent unauthorised access.