Armed with this information I signed up as my friend to Telstra's online portal and was in. They were notified via text message and email that a new account had been created in their name but as it arrived while they were asleep it was too late for them to do anything about it.

[Photo: David Thodey's date of birth, like that of many company directors, is easily discoverable. Credit: James Alcock]

In all my years of reporting on IT security, this was a doozy of a flaw to find. For a journalist who uses a mobile phone to contact numerous sources, this was alarming. It should also be alarming to Telstra subscribers, as it is believed private investigators use similar techniques to gain access to telephone records when checking if wives or husbands are cheating.

How exactly is someone's date of birth a secret? It's not. Take for example the Telstra chief executive, David Thodey. His birth date is May 14, 1954 according to his Wikipedia page and numerous news profiles. Combine that with Mr Thodey's mobile or landline number and one would have been able to get in. It's much harder to know the mobile number of David Thodey, of course – unless you know him personally – but there are many who do.

Dates of birth are not secret. Heavens, my parents outed my birthdate in my hometown newspaper when I was born and this is now accessible for a small fee through online newspaper archives.

[Image: Just some of the details previously at risk by insufficient ID checks.]

The dates of birth of company directors are also divulged in publicly accessible ASIC records for a small fee. And then there are birthdays, when your milestones are inevitably shared with friends and colleagues.

Lax security

Given this, you'd think organisations would stop using dates of birth as a way of proving identity. Two years ago I raised this issue with Telstra publicly on its Facebook page. Back then its response concerned me. You should ensure "that your details aren't made quite so public", a Telstra representative said. "It is a digital era, which of course makes information a lot easier to retrieve, however there are ways certain things can be kept sacred." It said its procedure was "the same for almost every company".

It is right there. But that doesn't make the practice a good one.

Telstra's response

Telstra took the opportunity to make changes to its identity verification procedures, following Fairfax Media's enquiries. Fairfax waited for the security to be upgraded before publishing this story. The company said it planned to implement the changes later this year but has now brought them forward. It will now ask for account numbers, in addition to name, phone number and date of birth. Telstra's contact centres are also adding further security questions for transactions that carry a higher risk, such as change of account ownership or mobile number porting.

I accessed my friend's account to test the flaw after a reader contacted me complaining their account had been accessed in a similar way. Had I done this without permission I would have committed a computer crime punishable by up to two years' jail. But hackers flout the law all the time. In 2012 Mr Thodey said "customer privacy is not negotiable" and that the company had "to do better" for its customers. I'm glad Telstra decided to listen to that sage advice this week. I still worry about other companies which are yet to figure out a way to verify the identity of customers other than using dates of birth. The same should be said about the ease with which mobile numbers can be ported to new SIM cards on a variety of telcos in Australia. At present, a mobile phone number or account number and date of birth is all that is needed in most cases to move a mobile number from one telco provider to another.