The Latitude Financial attack clearly shows that criminal groups are moving to a business model of selling Australians' highly sensitive personal information, including biometric information, on the dark web. What is most disturbing about the Latitude Financial attack is that at least 100,000 facial images, matched with full driver's license details, were stolen.
Australians can change passwords and monitor credit reports, but they cannot change the biometric markers on their face. Losing control of this information, matched with government-issued identity documents such as driver's licenses, is worrying in the age of "AI" and "deep fakes" and could result in a steep increase in future fraud. Let's face it: criminals are targeting this type of data in the hope of further financial gain through theft and fraud against Australians.
Early evidence of ineffective cybersecurity controls
So far, the company has made public statements that the information was accessed using "compromised credentials used by their third party vendors". Although investigations are still underway, this public statement indicates that some important cybersecurity controls were either missing or were not sufficiently and continuously tested for effectiveness.
Examples of standard cybersecurity controls that would have helped to prevent a cyber attack like Latitude Financial's, where "third party credentials are compromised", include:
- Encryption, coupled with strong key management, of sensitive information such as driver's license details and facial biometrics, so that third parties holding database or storage credentials could not read the sensitive data 'in the clear'.
- Ensuring Multi-Factor Authentication is effectively in place for third party access, rather than relying on a username and password alone.
- Application business logic designed to limit a third party's access to sensitive data in the first place (for example, one record per authorised lookup rather than bulk read access) and to prevent mass exfiltration of such data.
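The first and third controls above, sketched as an added example rather than anything from the article or from Latitude Financial: records are stored with the license details and face image encrypted under a per-record data key, that key is wrapped by a key management service, and the service only unwraps it for an allowed application role and within a per-role quota. The `KMS` type here is an in-process stand-in for a real key management service, the quota is a deliberately simplified stand-in for rate limiting, and the sample record is constructed; AES-GCM comes from Go's standard `crypto/aes` and `crypto/cipher` packages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts pt with AES-256-GCM under key and returns nonce||ciphertext.
func gcmSeal(key, pt []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...), nil
}

// gcmOpen reverses gcmSeal; a wrong key or a tampered byte fails the GCM tag check.
func gcmOpen(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:n], data[n:], nil)
}

// KMS is an in-process stand-in (an assumption of this example) for a key
// management service: it holds the key-encryption key (KEK), never exports it,
// and unwraps a data-encryption key (DEK) only for a role that is allowed and
// still has quota left. A role absent from the map, such as a vendor account
// that only has database credentials, is denied outright.
type KMS struct {
	kek   []byte
	quota map[string]int // remaining Unwrap calls per role
}

func NewKMS(quota map[string]int) (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KMS{kek: kek, quota: quota}, nil
}

func (k *KMS) Wrap(dek []byte) ([]byte, error) { return gcmSeal(k.kek, dek) }

func (k *KMS) Unwrap(role string, wrapped []byte) ([]byte, error) {
	if k.quota[role] <= 0 {
		return nil, fmt.Errorf("role %q may not unwrap keys (not allowed, or quota exhausted)", role)
	}
	k.quota[role]--
	return gcmOpen(k.kek, wrapped)
}

// Record is what the data store holds: only Name is in the clear. The license
// details and face image are ciphertext under a per-record DEK, and the DEK is
// stored wrapped, so database credentials alone yield nothing usable.
type Record struct {
	Name       string
	WrappedDEK []byte
	LicenseCT  []byte
	FaceCT     []byte
}

func SealRecord(k *KMS, name, license string, face []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := k.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	lct, err := gcmSeal(dek, []byte(license))
	if err != nil {
		return Record{}, err
	}
	fct, err := gcmSeal(dek, face)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: name, WrappedDEK: wrapped, LicenseCT: lct, FaceCT: fct}, nil
}

// OpenRecord is the only path back to plaintext, and it goes through the KMS.
func OpenRecord(k *KMS, role string, r Record) (string, []byte, error) {
	dek, err := k.Unwrap(role, r.WrappedDEK)
	if err != nil {
		return "", nil, err
	}
	lic, err := gcmOpen(dek, r.LicenseCT)
	if err != nil {
		return "", nil, err
	}
	face, err := gcmOpen(dek, r.FaceCT)
	if err != nil {
		return "", nil, err
	}
	return string(lic), face, nil
}

func main() {
	// Constructed sample data; a quota of 1 stands in for a per-role rate limit.
	k, _ := NewKMS(map[string]int{"app-backend": 1})
	rec, _ := SealRecord(k, "Jane Citizen", "DL 123456789 VIC", []byte("<constructed image bytes>"))
	fmt.Printf("license column as stored: %x\n", rec.LicenseCT)
	_, _, err := OpenRecord(k, "vendor-db-reader", rec)
	fmt.Println("vendor with stolen DB credentials:", err)
	lic, _, err := OpenRecord(k, "app-backend", rec)
	fmt.Println("app backend, first lookup:", lic, err)
	_, _, err = OpenRecord(k, "app-backend", rec)
	fmt.Println("app backend, second lookup (over quota):", err)
}
```

The point of the split is that compromising the vendor's credentials to the data store is no longer enough: the attacker also needs a role the key service trusts, and even that role cannot pull every record before the quota stops it. In production the quota would be enforced by the key service or an API gateway, and every denied unwrap is a signal worth alerting on.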
All of the standard cybersecurity controls above can be tested in an automated and continuous manner using a Dynamic Application Security Testing managed service like White Hat Dynamic, combined with threat modelling techniques and expert-led penetration testing.
What should your company do to prevent a similar attack?
Before sharing any data or information with a third party, a threat model or architecture review should be conducted on the project to map out exactly how the data flows will work and which security controls will need to be in place to prevent such attacks.
There are many frameworks for identifying the range of security controls that need to be in place, including Australian Government resources from the ASD (Australian Signals Directorate). Threat modelling techniques help identify the appropriate controls for each project and are especially important where data is shared with third parties.
Penetration testing verifies that the chosen controls are effective and can withstand sophisticated attack techniques at the time of the test. Automated and continuous dynamic application testing helps ensure that important controls remain effective between rounds of manual, expert-led penetration testing.
Phillip Ivancic is the Head of Solutions Strategy for APAC at Synopsys.