Expert advice to get ahead of the hackers

 GongTalks - Beating the hackers 16 July 2024 Town Hall Recording 720.mp4
 
[Tania Brown] Joining us on this cool night. Honoured guests, one and all. Can I welcome you to Gong Talks. And thank you all for joining us. Tonight we're discussing how we can help our community beat the hackers and scammers that are plaguing our lives. My name's [Tania Brown]. I'm the manager of UOW local and honoured to be your emcee this evening. I start by acknowledging that country for Aboriginal peoples is an interconnected set of ancient and sophisticated relationships. The University of Wollongong spreads across many interrelated Aboriginal communities that are bound by this sacred landscape. An intimate relationship with that landscape since creation. From Sydney to the southern Highlands to the south coast, from fresh water to bitter water to salt, from city to urban to rural. The University of Wollongong acknowledges that custodianship of the Aboriginal peoples of this place and space that is kept alive, the relationship between all living things. The University acknowledges the devastating impact of Colonialisation on our campus' footprint and commit ourselves to truth telling, healing and education. By way of housekeeping, I let you know that we have closed captioning over here on the side. So if you want to avail yourself of that, please jump up and move closer to the screen because I think it is quite a small font, so please avail yourself of that. Can I also acknowledge our other special guests who are here this evening? We have, Professor John Dewar AC our interim vice chancellor and president, UOW Deputy chancellor, Warwick Shanks, O&M Professor Sue Bennett, one of the deputy vice chancellors, other university dignitaries, faculty staff, all one and all. Canio Fierravanti, I should get my boss's name right! UOW director of government and community relations. We welcome, particularly to Wollongong our new interim vice chancellor and trust you enjoy your time in our city. I should note, Warwick is also the chair of the Merrigong Theatre Company, who, along with the UWU luminary series, have partnered with us to deliver Gong Talk. So thank you to Warwick, Merrigong and the team at iPAC for their supportJoining me on stage is our esteemed panel of experts, the Honourable Stephen Jones, federal member for Whitlam, Assistant Treasurer and Minister for Financial Services, Professor Katina Michael, Arizona State University and University of Wollongong. We're proud to still have her as part of us. And Professor Shah Akhtar from the University of Wollongong. I'll share more fulsome bios as we move through, so be advised that tonight's talk is being recorded and will be posted on social media channels, so you'll be able to watch it over and over again and add it to your favourites. But we want to be able to continue to share this conversation with a wider audience. And we've chosen our topic tonight, in recognition of the frustration that I and I see many in our community are feeling it, the infestation of scams that have risen and are impacting our daily lives. Last year, Australians lost 2.7 billion to scams and more than 600,000 scams were reported. So it seems I'm not the only one feeling this anxiety every time my phone beeps, or I get a call a come up that I don't know. I did just say to someone, if you don't leave me a voicemail, I'm not ringing you back because I'm assuming you're a scammer. And it certainly appears that my Coles reward points and my Telstra points on my e-toll account and now my Australia Post parcels, I'm getting besieged by these text messages constantly telling me, and they come in at all hours of the night, that something's going wrong. So it's gotten to the point where I don't know what's real or what's not. So, we know that the scammers are getting smarter, with the intent to deceive us. And any wonder older people. Of course, that's none of us see tonight are in that category. But a falling victim to these type of scams and many with a significant financial impact. So I'm very much looking forward to tonight's conversation and getting some pointers and how we can tackle this. We're privileged to have our panel with us tonight, and help us get a handle on this and how we can arm ourselves against the hackers. So for tonight, each, panellist is going to give a short presentation. Then we'll move quickly to Q&A. And I do encourage you to get your questions ready. We want this to be interactive and answering the questions that you have. If not, of course, I'll have plenty to fall back on, but, we want you to be engaged. So our first panellist, as I said, is, well known to our community, the Honourable [Stephen Jones]. Prior to his role in federal parliament, Stephen made it his life's work to help people, including working as a research officer. For the Australian Quadriplegic Association. Disability support worker. Youth worker, branch secretary and communications division secretary for the CPSU in New South Wales and a lawyer for the Australian Council of Trade Unions. He was first elected to the Federal Parliament in 2010, and as a representative of the Whitlam electric electorate and a Commonwealth minister. He's dedicated to representing his community and protecting Australians from scams, a role for which we very much appreciate his efforts. Welcome, Stephen. 
 
[Stephen Jones] Thanks so much Tania. Thanks for organising this important conversation, the second time I've done one of those forums today. The first time was at about 10:00 today, in a hall in Burwood. I've done about 55 of them so far around the country talking about the issue, attempting to use that as an opportunity to provide, people with the tools to help protect themselves and obviously explaining what the bloody government's doing about all of this as well. Two things. What does it matter? Well, Tania used that stat, which I'll dig into in a tick. About $2.7 billion lost in 2022 three to scammers. Behind every one of those dollars is a human tragedy. Many people have gone on to do self harm. I meet with some problem once a day. Once a day I meet with a victim and hear their stories. And generally there's not much. By the time I get to my door that we can do to help them. So we should care because it's a human tragedy behind every one of those dollars lost. If you're less moved by that, I want you to contemplate what our society would be like, if everyone decided that they wouldn't use the rails of modern commerce because they couldn't trust them. They couldn't trust that an email they received was bonefide, a person they were calling or talking to at a call centre was who they represented. A web page they were using to transact business was bonefide or not, or somebody representing and holding themselves out to be a representative of a government agency, business, professional service was who they said they were. So if the social tragedy stuff doesn't animate you, I hope the stuff around the efficiency of our economy and our markets does. There's two good reasons why we should care about it. The situate the problem around scams is located in a huge area of government activity and work at the moment around how we which can all be boiled down to around how we keep people's information safe and how we keep their money safe, and what the role of digital platforms and social media and traditional businesses is in all of that. I just, so that we focus the conversation we're having, just want to start with a bit of a definitional thing. People often confuse cybercrimes and hacks and all of that sort of stuff with scams. And yeah, they related, you know, often same actors involved, definitely operating within the same criminal networks. But I want you to imagine, use the analogy of a house. This is important for a reason I'll explain. So a cybercrime or a hack is when somebody breaks into your house and steal some stuff, and you probably don't know they've done it until long after. And there's an obvious answer to crimes like that. And that is you just put more locks on the windows and stronger bars on the doors. Obviously not literal bars and locks, but the ones that are involving security, our digital infrastructure, and we're doing that. That's our cyber strategy. But none of that's going to work, to extend the house analogy, if instead of the crook breaking into your house, you just open the door and let them in, and say, come on in, have a cup of tea, sit on my co while I go and make the cup of tea, and help yourself to whatever you find. And I use that analogy because it's really important to us understanding how we countermand and how we respond to and react to crimes. Locks and bars ain't going to work, and a whole heap of the traditional law enforcement strategies that we're encouraged to use as governments, "why don't you just employ more cops to kick down more doors and arrest more criminals?" Well, that won't work because most of them aren't here in Australia. So we've got to think about this differently, and we've got to understand the ecosystem in which these criminals are operating, and we're a part of the ecosystem, and our businesses are part of the ecosystem. So we're going to understand that to deploy the right sort of strategy. So that's about the definition, the quantum. It'll surprise you to know that that 2.76 billion that Tania mentioned in her intro, it's actually a good news story. You know why? Because up until last year, the losses to scams were increasing by 80% every year. And they had been for a decade. So we when we came into government, they were, it was 2022. We expected them to go from about 3 billion to 6 billion at the end of the last calendar year. If you know, things had followed the normal course... they didn't, and that's a story of hope. But then some of the strategies that we've deployed in Australia that haven't been deployed elsewhere in the world are actually working. We are the only country in the world, by the way, who saw scams flatline or go down in the last 12 months. Every other country in the world has followed, the same trajectory of roughly doubling every 12 months. Everyone's a target. Okay. And I'm sure if I asked everyone to stick their hands up and tell me a story about a message of God, everyone would stick their hand up, and we could occupy the rest of the time hearing their stories. So it's true. Everyone's a target. But it's also true that older Australians are losing more. When I ask people why, they'll say "Oh, because older Australians are more gullible", or they're softer or whatever. And mostly that's not true. Older Australians are losing more because they've got more. And the scammers know that. They're not mugs. They're not going to go after somebody with a bum out of their pants. If they can go for somebody with a superannuation account, with 50 or $100,000 in it, they're going to go for the place where the money is. So, that's why older Australians are losing more. And most of the losses, like a tick over half the losses are investment scams. Cryptocurrencies, fake bonds, fake investment products. Once in a lifetime offer to double your money, or even not that, you think you're putting your money in a term deposit with a legitimate bank and you've arrived at a scam website. So, all of that sort of gives us a sort of understanding of what we need to do. Overwhelmingly the scams are arriving at us, and I should I wanted to ensure that I created lots of space for other contributors to talk about this stuff as well. So I might say just a little bit and you can fill out the vectors. I look at this like we look at a virus or and so I use organism, I use environment and ecosystem. The vectors, the telecommunications network, I have a 60% of coming through phone calls and estimates is, an increasing number through social media platforms. And that's overwhelmingly, the way they're arriving at us. The bank is kind of just the wallet at the end of the transaction, but they're all part of the first line of the ecosystem. So the government strategy is about firming up that ecosystem and putting in place strengthened mechanisms. We've rolled out the first phase, where we've stood up a national anti scam centre, which is pretty unique in the way we're doing it. It's consumer driven more than law enforcement driven puts consumer at the centre of it. It's genuine collaboration between law enforcement, banks, telcos, social media platforms, regulators. It's got three functions, which is, intelligence sharing in real time. So that a scam that you receive is reported and is shared to everybody within the ecosystem in real time so they can act on it in real time. However, the losses, by the way, because of occurred because the person who scammed you also scamming you, also scamming you. You didn't fall for it, you didn't fall through it, you didn't... but somebody else in the room did. And they only need to get one person and it's a good day's work. Reporting matters. So reporting and intelligence sharing, interruption activities, which we can talk about in detail after my colleagues talk and, the education stuff. We've got a bit of work, a fair bit of work going into taking down fake investment websites so ASIC have pulled down about 6000, of those in the last six months. I reckon that's a drop in the ocean, by the way. And we're doing call blocking. We've established, list of, malignant phone numbers, and we add to it every day. We're blocking about a billion calls in the last six months. You're saying you're still getting them. We're blocking about a billion. It's a whack-a-mole game. So whenever we knock one off on off. I just. There must be a maths professor in the room can tell me how many different combinations you can get out of ten numbers, but, you know, it's infinite. It approaches infinite anyway. So that's phase one. Phase two, which we can talk about in more detail in Q&A will be about us establishing new legal obligations on the key players within the ecosystem. So new codes of practice, obligations on vectors, which are social media platforms and telecommunications companies to keep their environment safe. So to be following protocols around call blocking, SMS blocking, by the way, on the SMS stuff, we're going to move. We've got this register that we're setting up. We're moving from a system where we block known malignant numbers. We're going to move to a approved number, process for a bulk SMS, distribution. So if you want to send out a large number of SMS's you've got to be on the register, and if you're not on the register, your SMS messages get blocked. A bunch of other things we're doing in that space we can talk about, but the codes of practice will be where the heavy lifting is done and why I'm hopeful that that downward trajectory that we've seen in Australia and nowhere else in the world will work, because that puts strong legal obligations on telecommunications companies to do more of that, social media companies to do a whole heap of stuff which they are not even, you know, frankly, in the right universe about what they need to do to pull down, they take advertising revenue for, distributing criminal content. Literally, they make money out of the criminal endeavour because somebody wants to advertise a fake investment site, and distribute it on a meta project or a Google platform, they make money out of that. You lose money, they make money. The criminals make a lot of money. So more obligations around removing, and blocking, stopping and removing, the criminal content and, on banks stronger obligations to report and respond to keep the customers money safe. If any of these things are breached, then compensation should follow. But I've probably already gone over my ten minutes, Tania. And I want to leave room for my colleagues here to speak in much more learned ways than I can, but it fits into a broader agenda. It's about keeping information safe. It's about keeping money safe. We should care about it. Because for mine, I entered politics to ensure that we could look after and create a fair and decent society. A modern economy, but a fair one. And none of that works unless people trust the rails of modern commerce. And, we want to ensure that, you know, all the great benefits that have been given to us through digital ecosystems, and they are immense. Imagine having to race out at, lunchtime on payday, and have to go and pay all your bills like we used to have to do, instead of being able to do it from your banking app or your your desk. It's immeasurably made our life better. But there are risks which have to be mitigated. And that's what this project's about. Thank you for the opportunity to share some thoughts. 
 
[Tania Brown] Thank you Stephen, and I think there's a lot to come back to on that. Apart from the fact that we no longer carry cash. But I'm very excited for the SMS register. So we'll come back to all of that. We'll move to Katina. And just to introduce Katina formally, she's the director of the Society Policy Engineering Collective and holds a joint professorial appointment in the School of the Future of Innovation in Society and School of Computing and Augmented Intelligence at Arizona State University. How's that for a long title? It's cool. It's pretty impressive. She also holds an honorary professorship in the Faculty of Business and Law at UOW, and has served as the associate Dean international at UOW. And I believe in EIS as well. We have a connection there. In 2017, she was awarded the Brian M O'Connell Distinguished Service Award from the society for the Social Implications of Technology and is the founding editor in chief of the Transactions on Technology and Society. And she studies the ethical, legal and social implications of emerging technologies, shedding light on how they shape our self-image and societal values. Thank you Katina. 
 
[Professor Katina Michael] Thank you Tania. And thank you to the organisers for putting this event on. It's such an important topic. And Minister, I'm going to rip off, your, introduction because it's right on the money. And, you mentioned so many things that took us two years to research with the Alan Turing Institute, in the UK, and also the National Cyber Security Institute, in the UK. And it was all about that. The ecosystems and the human factors. I want to begin by acknowledging a number of people in the audience today, which just talks really to our dedication of former colleagues, current colleagues, alumni, and even a representative from Arizona State University who's made the trek here. It's the first time I'm meeting them in person. But how about that? It's very special. In the audience are also colleagues from a former company I worked for on the UOW campus 30 years ago. Thank you to my former colleagues at Nortel Networks. In the audience, students from 20 years ago who worked with me on cyber security issues and are now prominent CISOs, information security officers in leading organisations in Australia. We've done really well at UOW to provide an education and a platform for which these individuals have really launched their careers. And we have a strong computing school with a strong cyber security focus. And as I mentioned, a student from our public interest technology degree at Arizona State University, a degree I introduced in the Masters of Science, which is there to tackle complex socio technical challenges such as cyber security. This isn't a simple response, but we do need more simplistic solutions and we'll get back to that at the end of my initial discussion. But all of you in the audience today, as theForMinister said, have your stories, every single one of you. And we focus in one of the core courses in public interest technology and public engagement. We're actually this is a demonstration of public engagement. Imagine we had these sorts of town halls all over Australia at the local level, and we shared our stories, and we amassed information together and shared collectively and acted on that, created a plan and then an action plan and implemented that plan and then was able to harness all the different ideas that you have. To target the cybersecurity issue. That's how it's done, by listening to stories, by looking at individuals and communities and what their needs are. For every community it would be different. For some, it would be access to the internet or denial of service attacks. For others, it might be spam on your mobile phone. For others, it might well be phishing attacks because there's a density of, large organisations and medium median, medium organisations. So we need to understand their community and then provide solutions that we can scale up. Every problem is local, but we scale up based on the information we gather. Municipalities have a huge role to play. In many of the studies we looked at, it was municipalities that were raising awareness at local libraries, at local museums and art galleries, at schools, places where people congregate, places of worship. This is where we scale up the knowledge base, and this is how we work together as a community. And if I told you, citizens wear multiple hats and multiple life roles. You're not just a parent or a sibling or a carer. You also work somewhere potentially, or volunteer at a not for profit or a part of a non-government organisation and an employee, and perhaps even working for government. If I said to you that all of you are designers in addressing the complex problems in society, how would that make you feel? Because we're not mono people. We're multilayered and our responses need to be multilayered. Multidisciplinary, multi paradigmatic, multidimensional. But it starts with us. We are the community. It's just we all wear different hats. So if I perhaps jump to the gaps that we identified late last year for the Alan Turing Institute, they were, as the minister said, the human factors, which are largely missing in cyber security research. We've got great technical responses to our cyber security problems. And we heard some of this from Minister [Stephen Jones]. But tech is not enough. Obviously, if it was, we wouldn't be actually having this talk. There'd be no hackers out there. There'd be no one spreading disinformation. There would be no no one actually having ransomware attacks and holding large organisations accountable when they conduct data breaches of cloud computing. So we need sociotechnical, legal responses. The human factor. This is vital to a response. The regulatory infrastructure. Think about regulation as technology. What? Regulation and law is technology? Yes, technology is a process. It's not shiny gadgetry as we've we've been taught. It's not your smartphone. The smartphone is where they try to hack you. The processes we respond with are not shiny gadgetry, but they're still technology. They're just a different type of technology, and we need to anticipate what those problems of the future will be. Some of these are about biometrics. Your face. But hang on. There are 40 billion images of individuals in the world on the internet. There are companies now who can scrape 40 billion images and search them within milliseconds. But hang on. What if I decide to create some deepfakes? Add Katina's and Shah's images together? See what happens. Then perhaps Katina and Tania's, and Katina and Minister Jones and see what happens. Just start flooding the internet with facial images. Who's real? Who's not? And how about those other biometrics like fingerprints or DNA? And the sensitivity there. So we can talk about deep fakes and real time deep fakes. We can talk about certain zoom meetings with 4 or 5 major cases have been identified to date. Where people masqueraded as others using deepfake videos and audio. And one person, transferred 25 million USD in a Chilean, mining company because he was gypped in Hong Kong, another in China, another in Inner Mongolia. Another. Ranging from between $US 600,000 to more than a couple of million to 25 million. Why? Were the employees so stupid? Absolutely not. The deep fakes are beginning to become convincing. Not only that, but people are beginning to study personas. Now, how does Katina write her emails? How does she write her LinkedIn posts? Hang on there. There's an audio recording of this event today. Let's step into that. We know her mannerisms. Now, I also have targeted the victims so I know who they are on the board, what their positions are. Who their social network is at work. How about I stage a theatrical production using deepfake technology based on AI? That's exactly what is starting to begin. And as the Minister warned, we need to have responses to this because our digital economy needs to survive. Some people have talked about quite outlandish, potentialities such as, Bitcoin implants. Few stories going round in the UK on that. Is that going to make us more secure? Ditch the mobile phone. Ditch the credit card. And why don't we head to implantables? When I postulated that as a possibility 30 years ago, I'm sure some thought it was conspiracy theory, but no longer. When I was in Finland recently, I walked past the company epicentre. Lo and behold, one of the first implant organisations. Made, sent an email to the country manager of Finland. He was on holiday, and he noted we would, sync up in a couple of weeks via zoom. I'll make sure it's him when I talk to him. But gaps. Okay. Human factors are largely missing. Lack of emphasis on human values. Single focus perspective of cybersecurity is limiting. We said that we just focusing on the technical, not the social and the legal. Stakeholder mapping of the complex cybersecurity ecosystem to take the words right out of your mouth, Minister. Emphasis on educating members of society about the dynamic cybersecurity landscape. Again, something that was mentioned. Lack of attention to capabilities, development and maturity models in organisations, not just about consumers and citizens, but about organisations and their capabilities. A lack of emphasis on human centricity, social securitisation and security exposures. Lack of regulatory and policy approaches and responses to cybersecurity issues. A process of socio technical security design in conjunction with existing organisation of cyber security practices. Looking at the practices of organisations and saying what does the next cybersecurity model say? Or what is a best in practice cybersecurity model, say? And how can we enhance what organisations are doing today and the development of cybersecurity models that are not traditional? Simulations and scenarios in the context of sociotechnical systems. As we said, from the micro to the meso to the macro. So interdisciplinarity is very important. We stress that. And the other thing I'm going to leave you with is the notion of the paradox of security. Too much security. Makes us feel insecure. Have a think about that. Too much security makes us feel more insecure. Whatever solutions we come up with have to be simplistic. I don't mean in the complexity of the technicalities. I mean in the process. Otherwise we get entangled in a mess and there is no way that organisations can come together to share. Thank you. 
 
[Tania Brown] Thank you. Katina. I think I'm more scared now, so I look forward to unbundling that as well. Thanks, Katina. Professor Shah Akhtar is a professor of marketing, analytics and innovation and associate dean of research at the Faculty of Business and Law at UOW. He was awarded his PhD from UNSW Business School with a fellowship in research methods from the University of Oxford. He specialises in the study of advanced analytics and AI, algorithmic biases and digital innovation in business studies. He served as a visiting professor at the University of Michigan and Shanghai Jiao Tong University Joint Institute in China, and Toulouse Business School in France. Welcome, Shah. 
 
[Professor Shahriar Akter]Thank you. Thank you so much, Tania, and thank you, everyone, for joining today's session. Most of the things that I'm going to say have been covered by Mr. Jones and my research co-partner, Professor Katina. Katina and I have been doing research together on cyber security for the last seven years? Seven years. So we have published papers together. We have done research together. What I am going to focus on with regard to cyber security is scam. We are in the midst of a fourth industrial revolution. So it started in the 18th century with the steam engines, then electricity, then microelectronics, computer. The third industrial revolution we passed, and now we are in the midst of a fourth industrial revolution, which is a fusion of artificial intelligence, internet of things, quantum computing, genetic engineering, robotics and all these have created this by-product of hacking and scamming. Hacking and scamming are two different things. We define scamming as a way to steal personal information or mix or steal money. And it is. It is largely organised by sophisticated criminals, sophisticated networks. For example, if we order a Christmas tree on Facebook, we will receive a toy Christmas tree in our postbox. And that is a common example of scamming. Someone has ordered a quad bike and they have received a toy quad bike, and PayPal has approved that transaction as a legal transaction because it's a quad bike. Now, this type of scamming is rampant in social media, in social media alone. Last year, Australians have lost $80 million. And the channels, the traditional channels of this scamming are, for example, phone text message or estimates websites. We have got some other, social media or app based, platforms that are also used as common channels for this scamming. The most, common types of scams are basically investment scams. Recently, the Queensland Premier voice has been copied using deepfake technology and, no loss has happened. But, this technology has been used to, to to to fake his voice and and and and it has become it is have been very recently. So we have got now because of this fourth industrial revolution, we have got this new technology called generative AI. And it can write files, it can create recipes, it can paint portrait, it can do all sorts of things. And that has created the another platform for deepfake voice, deepfake video, deepfake messages. And this are also used for these scams. Now with regard to these scams, if we look at these types of scams, the investment scam is the most important one because people have been losing lots of money in Bitcoin related investments. If it seems too good to be true, and it probably is, and people have been losing money in investment and then the old our old generation is victim of romance or dating websites or dating types of scams. And we have got phishing scams. So every time we receive a link in our phone, every time we receive an unsolicited email, if we accidentally click that link, that information can go into the dark web. And according to today's rate, you can buy an Australian passport in the dark web at $1,100, driving license $1,000. If you want to access into someone's Facebook Instagram page $300. That's today's rate in the dark web if you want to access. So now how do you control all these things? If we if we as an academic. The Industrial Revolution equation to us is it consists of three things. The infrastructure plus innovation equals revolution. The infrastructure is the internet. The innovation is artificial intelligence or all related technologies. And the revolution is basically this fourth industrial revolution. And we have got this by product of scamming and hacking. Now, if we want as consumers, they cannot control infrastructure, they cannot control innovation. They either enjoy the innovation or  suffer from this innovation. Now how to control that? My co-researcher Professor Michael has told that socio technical, legal. This is important. How can you come up with policies focusing on socio technical legal aspects? In our research, we have also focussed on technology management and talent factors. Because we have to educate people, we have to create talent that can basically understand these types of issues in different organisations. If we look in two organisations, 80% of these scams or cyber security issues happen because of the human factor. Accidentally someone has click the link. If we look at the Optus one, 9.8 million customers data have been stolen. Someone has forgotten to patch up the software and it has created this Optus  situation. 9.8 million customers data have gone into the dark web. In case of Medibank, 4.8 million customers data have got into the dark web and all these data are basically being used for creating all these fake IDs, fake information. As I said, if someone wants to buy a passport, an Australian passport with someone else's name, they can pay $1,100 according to to this. Right. So this is happening. As academics, we as researchers, as as community organisation. We are basically studying how can we create, protection? How can we create awareness for this type of scamming or hacking? Socio technical legal aspect is important. Technology management and talent factors are important and we have to study as interdisciplinary manner. We have to study it as using multiple stakeholders together and then we can create some source of protection. But having said that, this is a very dynamic state of, matter. So it is going to evolve in a very surprising way. And we have to tackle all this as a community. 
 
[Tania Brown] Thank you, Shah. Just doing a scan for any hints if anyone's ready to go. No. Okay. We'll move into our Q&A. 
 
[Stephen Jones] Can I just joined the dots, please, that Shar mentioned the, Optus data breach. There was Medicare, there was Latitude. People didn't know they were customers of Latitude bought a tele from Harvey Norman ten years ago they realised that, when they use the finance company, the successor to that was Latitude. Probably 1 in 4 Australians, was caught up in if you put all of those three together. Why does somebody want your passport? It's actually not to travel in your name. With if you've got somebody's passport, you've got the license, you've got a Medicare. What can you do with that? Well, criminals used to rob banks with guns. Now they don't need to. They can set up a loan account in your name with those three documents, the first time you realise it is when you've got a negative credit score where you get a bill from your bank saying you're overdue on this loan account. It's not fanciful. It's surprisingly regular. So that's why the data breach stuff matters a lot. And why we've got a whole lot of companies to account for the information this time. 
 
[Tania Brown] We have a question.
 
[Tania Brown] With a loud voice for the recording. 
 
[Speaker 5] Minister, with what you envisage, we're going to have a change in the way that we're approaching cyber security, so very much today we're thinking about what tools to offer to stop the bad guys from getting in and breaching my data. The bad guys are trying to steal our data, because they're there to make money, that is what their focus in life is. If we took away the value of what they steal, then their impulse to steal from Australia is minimised. So when are we going to stop making breach resistant identity cards? Something like a driver's license that's got your license number attached to it, and then a cycling number, which you control when it maybe refreshes. You know. 
 
[Stephen Jones] One really good question. I talked about keeping information safe, and. keeping your money safe. Yeah. The the answer to the problem we have at the moment is far more basic than what you were proposing. It's not a breach proof digital chip. It's the fact that to get into a pub or a club, or to buy a cup of coffee or to do just about bloody anything, somebody takes a photocopy of your driver's license and stores that God knows where and God knows how. So you've got to go either up or down the chain to work out where the greatest vulnerabilities are. And the greatest vulnerabilities are as the amount of data and the form the data is being collected. And for, frankly, pretty spurious reasons quite often. So we're working on that from two angles. One is a review of the privacy laws, which is asking some fundamental questions. Why are you collecting that data? Is there a good reason why you're collecting it? If there is a good reason, how are you storing it? And how long are you storing it and what are you doing with it? So this is basically going back to Tores on those four questions. So that's one part of it. But the other part, even if you've got the right answers to all of that, it's not going to stop the frigging photocopying and PDF storage of all of these, forms of ID so the answer to that is what we're calling digital ID. We have just legislated it. There's a whole heap of really cooker stuff getting around on the internet about what it's about, but essentially it doesn't create any new ID system. But what it does is create a verification system so that instead of handing a copy of your license over to somebody, you basically just tap your phone and a digital token is exchanged in the same way as a digital token is exchanged when you do tap and go on, a non-cash transaction. So which is a long answer to your question. Storing less information and verifying people in a much safer way than we're doing at the moment will probably deal with 70% of that problem, 70% of it. 
 
[Professor Katina Michael] Interestingly, as well, we had, the circulation numbers actually be hacked as well recently. I assume they have one of the best security, systems in the world, I would say as a university, when I received that email, I was in shock. Mobile had been hacked. It's like, wait, even the circulating number? Crazy. 
 
[Professor Shahriar Akter]Some stuff in which to address that question. I would like to add a little bit more information, for example, in case of Optus. It has asked for 100 points of applying, 100 points of authentication, for example, passport, driving licence, Medicare. So if any organisation which asks for 100 points of authentication as a customer, we're not bound to give that. Because if we give 100 points of authentication and if it goes to Darkweb, then it is very easy to, that means to create a stolen identity. So as a customer, that means to all customers. As a researcher, we encourage them not to give 100 points of authentication, not to give your passport, driving licence or Medicare if anyone wants that. That means you can ask your question, like, why do you need all this information? 
 
[Stephen Jones] But sometimes the answer to that question, sometimes the answer to that question is the government tells them they've got to and for good reason. So, for example, anti-money laundering and anti-terrorist financing laws require banks to verify that somebody is who they say they are, and for the same reason, to get a new mobile phone, because mobile phones were used in terrorist activities. You got to verify yourself. And if you're an insurance company, you know, often the question is, why are you keeping my personal details for ten years when I stop being a customer of your company? Yeah, eight years ago. Often the answer is they required by law because of a long title claim might be available on a policy. So that's why the privacy stuff is really important to go back and ask the fundamental question, why are we asking for that information and do we need to and is there a better way of storing it than the way we're storing it at the moment? 
 
[Tania Brown] Yes. Which technology moves so much quicker than government policy does? So. Well done ontrying to capture that. I've got a question here and then over the back, and then we'll go through. So. 
 
[Speaker 5] I love the idea of the digital thing. I'm terrified of losing my phone, I've bought another phone just to ring this one when I lose it. And so I'm thinking, gosh, this becomes so important in our lives. How the heck do we take that side of it? 
 
[Stephen Jones] Passwords. And have them secure. You know the most common password in the world, by the way. Password, password. And then one, two. Three, four. And then your birthday. And so just bear in mind what you got on your Facebook account. 
 
[Speaker 5] So say I lost it. How would I retrieve for digital I.D. without that? 
 
[Stephen Jones] Okay. Through most of this stuff is recoverable that you've got on your phone without wanting to give a checklist. And here most of the stuff you got on your phone is recoverable. If you know the passwords to your accounts, most of it is that was recovered. 
 
[Speaker 5] How are they able to verify that actually belongs to me. 
 
[Stephen Jones] Again, you would have to use separate information to be able to verify yourself. But yeah, these are not novel problems, by the way. It, you know, people have lost their wallets for as long as wallets have ever existed. They're not novel problems. It's a pain in the butt when you do it. But, you know, we've had to solve these problems for as long as wallets and purses and handbags and mobile phones have existed. 
 
[Speaker 5] I've been a victim of a little scams, not big ones, where they send you something and tell you it's a certain price and it shows that it's in Australia. But then its in Uzbekistan, something like that. And it's actually you ordered one, you ordered one on special, but it was five and it checks. That's what had to and my, my bank has helped me by allowing me to block my credit card. You know, I use that all the time, I unlock it for a short window to do a transaction and and lock it again. 
 
[Tania Brown] Good plan. Sir in the back. 
 
Unidentified For the digital verificati of ID. Is it going to expand to companies and organisations and be able to verify all? 
 
[Stephen Jones] Yes. Yes. Not all at once, but. Yes. Yeah. You want to do it in a controlled way. So any teething problems are sorted out as you do it. Public confidence in these things matters a lot. Yeah. 
 
Would it be easier to start with organisations then rather than individuals? 
 
[Stephen Jones] We'll start with government services, and then we'll probably move out to, you know, like large banks or, oh, start with the federal government and move to state government and finance industry. I'd say will be the next cab off the rank with that. But, you know, it could be just as easily telcos for all the reasons I've mentioned before. Okay. 
 
[Speaker 5] So, yes, I do have a question but a point of irony. I did have to supply some personal information to attend this  brilliant event. And I'm wondering what you are going to do with it? 
 
[Tania Brown] Well, I think that was from our perspective of was just to know where people were coming from. And UOW Local is particularly about reaching out into our community. So we wanted to be able to see that we were reaching our target audience, that it's not just our beloved colleagues from the university who are here. So it was only post code data just to assure everyone. 
 
Unidentified It was your address, your phone number and a lot of data, your email address. 
 
[Stephen Jones] So, you know, can I just say. 
 
[Stephen Jones] This is just a great example of how it's just become normalised. And my what drove me bloody nuts was having to upload 80 to 100 points of, I do want to pay for an $8 ticket to take my daughter into an athletics carnival. You know, what am I doing this for? You know, they wouldn't take cash. So it's become normalised and with just reached a point as a government we're saying how can we unpick some of this stuff. 
 
[Tania Brown] But even as the client, we don't receive that information. We were only getting the postcode data. There was a lot of hoops we had to jump through as a client to say, can we access who came to our event? So there's a lot of security and privacy around that.
 
[Professor Katina Michael] That's good. Could I just say on on that? Sorry. Just to answer your question, I think, having just gone to a week of a conference on possibilities at Cambridge Uni, I've come back to Australia with a completely different perspective on traditional responses. We really have to be imaginative about how we go to events. I want you to think completely against everything we know and start imagining what that solution might look like. We don't imagine enough. We just go right this next, next, next hour because we live in a fast world. And the motto from the conference all week was we have to slow down. How we played with the notion of time, space, relationality, interactivity. You know, and I say, somebody's saying it's not possible. Of course it is. We just have to think more imaginatively and we have to think in non-traditional ways. Cybersecurity is almost like a feedback loop. Okay. Someone breaches, okay. We we we slap at the back of the hand. The organisation who was breached. We have a scholar here in the back who studied this for ten years at UOW and written many papers on, on cloud computing data breaches. And then it's dragged through the courts. For how long? Ten years at least. Cases from 2014 are just being resolved in the States today. Can you believe that? The Sony Data breach case 70 million passwords back in woop woop time., relatively speaking, in the modern era. So we're like, we're stuck in a pacing problem. Okay. How do you got that pacing problem? As Tania mentioned it a second ago. We have to think completely differently. As was posed in the second row just a moment ago as a question of why are we collecting? Okay, well, then how else would we do it? Listing scenarios. What if let's put our brains together in a transdisciplinary way? Government is represented here today. Academia here. Organisations in the audience. Citizens in the audience. How do we do this differently going into the next 20 years? I'm not talking about switching off the internet. We just said many times the digital economy is here to stay. Okay. Leverae it. Completely different ways of doing business. New business models. How? Why are we stuck on this ping pong data breach? Slap the organisation on the back of the hand. Told the hackers we're not going to give them the ransom, but behind the scenes. Give them the money. Get the data back. Perpetual cycle because somebody said, it's all about money. It all is about money. Threaten. Get threatened. Get feedback loops. Okay. How do you disrupt that? That's the challenge we have, not just more sophisticated tech. That's one of the obvious responses. Another response. Okay, crazy thought. Let's make all the data public, ahhh. It's worth nothing. But how do you ensure security? How do you trust? But we're talking about an era of deepfakes where I can morph images, and it's been proven I can get through passport gates. If two women, or two men or two others come together and morph the image, one or the other can get through a smart gate. Been proven. Just published. Not myself. Published by others in our journal about two years ago, on morphing attacks, presentation attacks, injection attacks on biometrics and faces. Okay, how? Biometrics used to be our best in class. Best in practice.Doesn't help anymore. It will to an extent. I'm not saying biometrics is gone, but the more you place morphed images and conduct presentation attacks and as we saw, many state governments actually admit and federal governments not far from Australia, when you upload your image now, because there's too many of us and we try to do that in an automated way, people are uploading silly images like their cat or dog. And the governments are trying to process these and go, this a cat or dog? It's not actually a human or it's the default image on the front of the passport piece of paper. Copy, paste. Upload. No. Okay. If it's the dimensions, but there's no one on there. How is this getting onto the databases? How is our software allowing these things to be uploaded? And then the governments are spending time trying to figure out, oh my gosh, it's a cat. Katina Michael is a cat. Or she's the fake image or the default image on the screen, because the person is too lazy to go and get a perfect shot of themselves at a at a post office, or they can't afford it, or they don't understand the instructions. There's lots of these possibilities. So the gentleman who stated what do you do when you lose your mobile phone? Well, what about the fact that 30% of people in New South Wales are migrants? What about the fact that more than 30% were non-English speaking? What about the 30% who can't hear? What about the 30% who can't see clearly? What about the 30% who don't have access. These numbers, right? They had to understand them to build the Services NSW app. And I'm just giving you a 30% figure, although the figures are variable between 15 and 30. But these are the other complexities we've got to deal with, let alone losing my mobile phone. How do you target everybody? How do you include everybody but non-traditional thinking? Please. All of us acting together, all of us thinking about what these non-traditional solutions could be. 
 
[Tania Brown] I know you didn't finish your question. 
 
[Speaker 5] Thank you very much. Yeah. This is a serious point to to the minister or to other panel members that could answer. The question is about accountability. You know, it's my understanding that. In the Medibank breach. They were actually warned by external auditors that their systems weren't up to scratch at least two years before the incident happened. I also know that the New South Wales Auditor General is rather scathing about New South Wales government agencies that were self reporting on the maturity levels of their cyber security programmes. You know, the people that get hurt again by the people that end up being scammed because of the data  breaches. So again, my question is accountability. How should,and I don't believe that people should be beaten to death over this. But certainly if there were executives, if anything, that chose not to implement whatever these business reasons or there are government ministers or secretaries of agency. 
 
[Tania Brown] Sorry. 
 
[Professor Katina Michael] Bless you. 
 
[Speaker 5] That are under-reporting their maturity levels, what should be done? Should we be taking a tougher stance on that? Or is it a different way of thinking? 
 
[Stephen Jones] I think we've got to set standards and expectations and we are around this. I guess the first thing I'd say, it's not like any of these actions or negligence or failures or omissions are operating outside the reach of existing law, whether it's director law, director obligations and director liability with it is the common law of tort and tort liability. It's not like they exist outside of any of those frameworks. They do, they exist within it. And it's why, in relation to all of the breaches that we have mentioned to date, there are class actions on for, for losses that are involved in all of them. I happen to believe it's for the most part the, not the most, go your hardest. If people have lost money, try and recover. I just don't think it from a system wide point of view, it's, the most effective way to regulate and hold somebody accountable for what they've done wrong. I think there is a role for having standards, accountabilities, fines, penalties that are applied. But I think a better approach, frankly, is the prudential approach that we take in the financial services industry. So what does that mean? We prudentially supervise banks, insurance companies, superannuation funds. They have a whole heap of legal obligations that fall upon them. But we don't take the approach that says we've got these legal obligations. And if you fall over or breach one of those, then we'll see you. The systemic impact of that is so great that, the remedy is not really a remedy because we created so much economic damage by letting them fall over. So we prudentially regulate them, which means we are actively looking over their shoulder and what they are doing in relation to all of those obligations, literally on a daily basis. And I think that is a better approach, not setting an obligation and fining you or penalising you if you breach it, but actually supervising you on a daily basis to ensure that you're meeting that standard. Clearly, you cannot do that for the whole economy. As we don't prudentially regulate every financial institution in the country, but we do prudentially regulate the most sensitive ones, the most systemically important ones. Banks, insurers, superannuation companies. W So I think that's the approach that is more effective from a, systemic point of view than fines, breaches, penalties, class actions, etc.. I hope that answers your question. 
 
[Tania Brown] I think. Can I just. Can I just bring it back to basics? To work on my anxiety levels. Would you mind? Each of you give me your top tips now. I know I'm not meant to click on links, and I need passwords that are not my pets and my children and my birthday. And to use a phrase, is better. But what are the things that, you know, average people in the community can be doing to protect themselves? 
 
[Stephen Jones] Don't press the bloody blue link. Just don't do it. It's going to take you. So, number one, don't press the blue link. It's really inconvenient, but it'll probably take you another 45 seconds to go and find out what the real web address is. It's probably about 45 seconds, so spend that time. Your place of mind is worth it. So don't press the bloody blue link. Don't let somebody remote access into your computer. So lots of scams are impersonation scams. Hi. It's Stephen here from your bank. We've noticed somebody trying to hack into your bank account. We just need you to let us remote access in there and move that money out of that endangered account into a safe account. Like, you've no idea how often that one goes on or a version of that. Or, you know, I'm from Telstra. I'm putting, you know, I need to install the latest anti-virus software because somebody is trying to hack into your, you know, like so number one, don't press the bloody blue link. Number two, don't let somebody remote access into your computer. And number three don't give your personal information out to unsolicited calls. But those three things I reckon half of, yeah, authorised losses would be dealt with by people not doing those three things. 
 
[Professor Katina Michael] That's great advice. I'm going to present three different ones. I agree with Minister on these top three. I'm going to say again slow down. Clicking on that blue link happens when we're on fast mode. Second thing is, if it's too good to be true. Generally is too good to be true. And the third thing is, and most people who tell their stories, they say this. I had a feeling something in my guts told me this was fake. You know. But you still do it. It's crazy. It's almost like target fixation. 
 
[Stephen Jones] So scammers will always create that sense of urgency. Yes. You know, they want you to rush to action. You know, create an urgency. You're going to miss an opportunity. If you don't move quickly, you're going to miss the opportunity on this investment. The kids are going to die. Yeah, we're going to steal. Somebody's going to steal your money. They're always trying to create that panic.
 
[Professor Katina Michael] O r we've just received the package in your name has got drugs in it. A new one happening to Indian academics at the moment. 
 
[Stephen Jones] Yes. 
 
[Professor Katina Michael] Crazy. 
 
[Speaker 4] Yes. I agree with, Mr. Jones and Professor Michael. My suggestion is basically multi-factor authentication for any source of passwords. Password has to be 12 characters or more than 12 characters long. Passwords should have symbols, letters and numbers, you know, to make it a stronger password. Field characters, long symbols, letters and numbers. Different passwords for different accounts. The same password shouldn't be used for your Commbank app or for your Facebook account. So different passwords for different accounts. And, basically, if any organisation for online shopping and transaction asks for unusual type of payment method, for example, bitcoins gift cards. So that's that's the question that we have to we have to be very careful about unusual payment methods. If anyone asks for that type of payment methods, say stronger passwords, unusual payment methods and all the things said by Minister Jones, and Karina Michael that can put us in a safe place. 
 
[Tania Brown] I think my passwords are now so complex I can't remember them. So I think at least three times today I hit forgot password and had to start all over again on the myGov website. And all these others. What system should I be using too? Well, can't write them down. So what do I do? How do I keep track of them all? 
 
[Speaker 4] That's the sentence that you love most.  
 
[Speaker 4] You can use that sentence. For example, I love the gong. 
 
[Tania Brown] To can't use that one, right? 
 
[Stephen Jones] Nobody's going to be able to use that. 
 
[Tania Brown] Okay. Well, we've got one more question. I think, two more questions and then we might wrap that up. 
 
Unidentified Isn't likely to have a great fall. This is the thing that really surprises me is how much good is what is a conspiracy? You just look here. I mean, just like I. What? 
 
[Speaker 5] I just want you just to get going. Out. Why are we moving? 
 
Unidentified Like next to my. This is like a step backwards. 
 
[Speaker 5] Yeah, it all is. And. 
 
[Stephen Jones] You know, the sooner we move to biometrics, the better, in my view. I did a calculation of how many, pins and passwords I needed between 530 in the morning when I get up and to walk into my office. And it was 20. You know, nobody can remember 20. I struggle remembering my kids birthdays. So nobody can remember. 20. So we all do break all the rules. We use the same things, or we use the same passwords. We write them down. We have a file called passwords on our phone or something like that. So, you know, everyone breaks all the rules. So the stuff that you're talking about out there, phrases and, you know, I think we've got to get the developers moving quickly towards different forms of verification. 
 
Unidentified How are you doing with cyber security tech? And that back. I know part of every. 
 
[Speaker 5] That's great. But I guess now that I. That when it comes to companies like Facebook, after showing up. And thank you to everybody. 
 
Unidentified At. There's been a heck a of great. 
 
[Speaker 5] Obviously they have. 
 
Unidentified The responsibility to to. What? How does that actually happen? The. I. I was like, I wish you had. 
 
[Speaker 5] Requested that advice. 
 
Unidentified What do we do? I was really curious about. What actually. Every. What happened? The present day. 
 
[Stephen Jones] I think that one of the things that Katina said earlier kind of resonates with me, and that is that technology is not a gadget, it's a process. And in the era of cyber security, in terms of all the things we study at university, when I, my student number at Wollongong was 8507404. I guarantee you they didn't have a course in cyber security when I started. This is all relatively new, but with systematising processes and the new graduates from your courses and the course that you're doing at the moment will learn new processes for doing those things that didn't exist five years ago. And whatever you learn today will be different in another five years as well, that's for sure. But, the thinking the schema will all be pretty consistent. 
 
[Speaker 4] I think in this case, in this particular case, law can playplease some role. For example, in the case of Europe, the General Data Protection Regulation, if any data breach happens, every company has to inform the customer within 48 hours or 72 hours based on the company. And if it fails to do that, $20 million euro, or 4% of the turnover as a penalty is imposed on that particular corporation, according to GDPR. In our case, the Privacy Act makes just $2 million fine. So there is a huge difference in this penalty. So I think in this case, law probably has to catch up. It's evolving very fast, but our our law and our responsibility in this particular case has to catch up. 
 
[Stephen Jones] Yep. I agree with that too. 
 
[Tania Brown] Last question please. 
 
[Speaker 5] Just on passwords. I use a password manager, and the password manager actually goes through and puts in all my password. And says, okay, here's all the passwords that are compromised. For the company that's been breached, you have to go and change the password. So it does an analysis about how watertight your security is. And so I'd suggest to anyone. You'll have to pay $50, but it's a small price to pay for security.
 
[Tania Brown] I think that's a great point. Thanks, Les. I'm going to find that. Thank you all for coming and sharing your knowledge tonight. Please join me in thanking our panel. I think there's a lot lots to learn. There's still lots of, learnings. I need to work on my passwords. And, I would just say to people, as someone who has been scammed, when, banks and people ring you, they are very convincing. And don't feel bad when you do fall for these things. But do try and bring in extra measures so we don't fall for it again. Because I said it's their job to defraud you and deceive you. And they are very clever at it. My children made me promise I wouldn't share all the stories of the phishing emails and scams and things I've purchased on Instagram that were not what I bought. So if you'll enjoy me in, excuse me. If you'll indulge me, this is my last gong talk. As I'll soon be ending my time at UOW. So I just wanted to thank you. I'll take the opportunity to thank you all for coming along, for your support of the Gong Talks and Luminaries series and, extend my appreciation to the team that you have assisted behind the scenes to make tonight happen. So thank you all. It's been a privilege for me over the last 15 years to work at the University of Wollongong and 13 years of that at the smart infrastructure facility and some, some of Team Smart here tonight. So thank you all. It's been quite the ride. And onto the next adventure. Thanks, everyone. 
 
[Professor Katina Michael] Thank you.