
National Australia Bank compromises thousands of customer details - GiulioS
https://secalerts.co/article/one-of-australias-big-four-banks-compromises-thousands-of-customer-details/889e814c
======
Sendotsh
It’s refreshing to see an actual acknowledgment, seemingly-sincere apology,
and clear details of what they’re going to do about it.

Their official statement:

[https://news.nab.com.au/nab-apologises-to-customers-for-data...](https://news.nab.com.au/nab-apologises-to-customers-for-data-breach/)

------
nailer
I once worked as a contractor at NAB. The kickstart file with the root password,
which was unchanged, for a 450M AUD corporate banking project was stored on an
SMB share accessible to everyone in the bank. Project leaders didn't care
(since it would involve work to fix). I eventually had to raise it as a hint
to a friendly pentester who included it in their report, finally getting it
fixed.

------
MRD85
Name, date of birth and contact details (phone and address) are often enough
data for a fraudster to commit some serious damage. If I call up my phone
company or bank that's probably going to cover the questions they ask me to
prove identity. Someone transferring my phone can then get past any 2FA I
hold.

At what point do we hold NAB liable for the potential damage they have caused?

~~~
dannyw
Name, DOB, and address are available via the Electoral Roll. While I don't
think NAB is blameless, at some point the blame lies with companies that
accept insufficient forms of authentication.

For example, to transfer funds with my bank, I get texted a 2FA code and this
is a mandatory requirement for online banking at CBA.

~~~
jeauxlb
Name and address are in the roll. DOB absolutely is not.

Further, suggesting the blame lies with companies accepting "insufficient
forms" of authentication obviously does not bear up in light of this. 2FA
texts, for example, are easily worked around by SIM-swapping. Performing a
SIM-swap in Australia generally does not require 2FA, and the details leaked
herein would get you well on your way.

~~~
dannyw
Ack. Still, the DOB is not difficult to access: just apply to work for the AEC
and your copy of the roll certainly includes DOB.

------
klauslovgreen
This is yet another example of the risks of requiring KYC if banks cannot keep
it safe. We need to start to do KYB!

------
elisharobinson
I hope the boffins who mandated weaker encryption take notice of this. The
congress members who supported the bill for weaker encryption should be
personally DOSed.

~~~
torified
But that's not a problem! The bill said that it wouldn't create any systemic
weaknesses!

So just let us do it, ok.

But we'll put you in jail if you talk about it.

------
schappim
Title should be: “National Australia Bank customers have had 'some personal
information' compromised”

