Kitz Forum

Announcements => News Articles => Topic started by: broadstairs on October 22, 2015, 10:19:03 PM

Title: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 22, 2015, 10:19:03 PM
Just had a news alert from the BBC about this see here (http://www.bbc.co.uk/news/uk-34611857).

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: jid on October 22, 2015, 10:46:47 PM
Yes I also saw this on the news before TalkTalk informed me :no:

Would be interested if it was the same vulnerability as the Carphone Warehouse website.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Bowdon on October 22, 2015, 11:09:24 PM
From the TalkTalk site: http://help2.talktalk.co.uk/oct22incident

From the BBC: http://www.bbc.co.uk/news/uk-34611857
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 22, 2015, 11:13:13 PM
So far I have not been contacted nor notified but noticed, this morning, that there was something ongoing with the lack of web-site access.

Currently the following is being displayed --
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 22, 2015, 11:21:42 PM
Apologies if the ordering of the posts to this thread seems to be a bit awry . . . I have done my best to merge two separate posts on the same topic.

Note to self: A merge will sort the posts from each thread into chronological order.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 22, 2015, 11:30:43 PM
Currently it's the main headline on BBC news.  Outranks the goings-on in Syria, as well as the Chinese visit to UK. :o

Will be interesting to get some balanced reporting, once the dust has settled.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Bowdon on October 23, 2015, 12:33:20 AM
I wonder if Zen have a similar thing going on. I noticed these two stories broke at the same time. Or maybe that might be a co-incidence.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on October 23, 2015, 01:09:06 AM
TalkTalk, who I still have my mobile with, never bothered to inform me about their last customer details hack - found out by accident. I'm currently with BT who I think are pretty safe, every time a hacker tries to initiate a TCP connection they are redirected to India and put in a queue for at least 20 minutes...at which point they lose interest and give up.  ;)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 23, 2015, 08:59:30 AM
Well I have been informed this morning about this attack BUT I never received any emails from TT on the previous occasions. The CEO was on the news this morning saying they are setting up free credit checking for 12 months for all customers to enable them to more easily keep a check on their  credit cards etc, announcement later today. Probably will mean even more scam phone calls!

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 11:11:29 AM
I see TT are trying to tick all the "bad guys" boxes by spinning that it was "Russian Islamists" and hopefully deflect attention from the fact that they did NOT comply with PCIDSS requirements and encrypt card data.

Hopefully (as they're now permitted in the UK) someone will bring a class action against TT for negligence. Not a fan of parasitical solicitors but this is a case which needs to be started.

Oh and if the "free credit checking" is with Experian then you might want to ask what's the point of that as Experian has been hacked for the last 2 years! (http://www.t-mobile.com/landing/experian-data-breach.html).

Suing the company is the only way to go on this as the ICO is (deliberately) as much use as a chocolate teapot.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: ricke17 on October 23, 2015, 11:15:03 AM
TT will just use the blame culture without admitting its fundamental faults.

I just hope that all the other ISPs learn from this and comply with the PCIDSS requirements (if they don't already).

I have this morning deleted my card details from my plusnet account (which is used as a back up in case my DD fails) just in case!

Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 23, 2015, 12:07:45 PM
The first words on BBC News website are still 'TalkTalk', in large bold font.  It outranks a story further down the page about 40 people killed in a coach crash in France, which is pretty poor judgement by Beeb IMHO.

The Beeb article might even be seen as free publicity.  Most people who are not TT customers will probably just skim over it.  In 6 months time they might vaguely remember that TT were in the news, but  won't even remember whether the story was about a good thing or a bad thing.   :-[

Title: Re: TalkTalk hit by cyber hack attack.
Post by: sheddyian on October 23, 2015, 12:22:56 PM

There's a small sample of the hacked information that's been posted online, seemingly showing password changes but also bank account details (redacted for the sample post) - this does seem to indicate that the data stolen wasn't encrypted, or was easy to break.

On a related note, I'm signed up (free) with a service called "Have I been pwned?" where you can enter your email address(es), and it will tell you if you are on any known hacked database lists.  It also notifies you by email if you appear on a new list.

Might be worth a look?

The site is https://haveibeenpwned.com/ and you can read about it in this short article by security blogger Graham Cluley here: https://grahamcluley.com/2013/12/check-youre-victim-database-breach-pwned/

So it seems legit.

Ian
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 12:49:47 PM
The first words on BBC News website are still 'TalkTalk', in large bold font.  It outranks a story further down the page about 40 people killed in a coach crash in France, which is pretty poor judgement by Beeb IMHO.

I'm the last person to defend the BBC (my opinion of them is unprintable) but I reckon a story affecting 4 million people in the UK outweighs a coach crash in another country, despite the deaths. A lot of TT customers have no clue at all about the previous (unrelated - pull the other one Dido, its got bells on) hacks over the last year as well.

I reckon TT are toast inside 12 months. This is going to cost the banks/CC companies loads of cash and you can bet your last penny they're not going to take that lightly - several pounds of financial flesh will be extracted one way or another. As for trust issues with customers - well they're out the window now anyway, you'd have to be delusional to trust them again.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 23, 2015, 02:37:19 PM
Just seen a thread on the TT community forum with a list of databases which were compromised, obviously don't know how accurate it is but it is 64 databases long!
Don't know how long it will be there but I copied it just in case  ;)

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Bowdon on October 23, 2015, 04:37:26 PM
I've just seen the head of TT, Dido Harding, on the BBC news today. Not sure if it was live or not but she didn't have much information. It was obvious she was fumbling through the questions being asked. She didn't even know if the data had been encrypted or not. There is NO excuse for not encrypting data in this day and age.

She claims they announced all this without knowing the exact full extent of what's been stolen or what the full situation is.

She came across very weak on detail, not someone in charge of the situation.

Someone asked if former customers' details would be included in this attack. She couldn't answer. I have a feeling they could be compromised too.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Bowdon on October 23, 2015, 04:39:13 PM
Just seen a thread on the TT community forum with a list of databases which were compromised, obviously don't know how accurate it is but it is 64 databases long!
Don't know how long it will be there but I copied it just in case  ;)

Stuart

So someone on the TT community forum has posted direct links to the databases? Wow.. All the Mods are in self panic mode and ran off from their stations? lol... smh.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 23, 2015, 06:09:08 PM
Just seen a thread on the TT community forum with a list of databases which were compromised, obviously don't know how accurate it is but it is 64 databases long!
Don't know how long it will be there but I copied it just in case  ;)

Stuart

So someone on the TT community forum has posted direct links to the databases? Wow.. All the Mods are in self panic mode and ran off from their stations? lol... smh.

No not direct links but a simple list of what was taken I believe. Still enough to make them nervous though.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 23, 2015, 06:14:07 PM
Someone asked if former customers' details would be included in this attack. She couldn't answer. I have a feeling they could be compromised too.

Now that makes me wonder what happens to former customers' information in TalkTalk  :-\
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 06:34:03 PM
Someone asked if former customers' details would be included in this attack. She couldn't answer. I have a feeling they could be compromised too.

Now that makes me wonder what happens to former customers' information in TalkTalk  :-\

As they appear to have violated most if not all of the DP regs (they shouldn't be storing DoB for a start) and ALL of the PCIDSS regs I would suggest the only difference between current and former customers is that one set will get told & the others won't.

ie you're screwed too but you get no "compo"
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 23, 2015, 06:53:17 PM
The TT boss was on the six o'clock news, claiming she has received a 'ransom' demand.   Incredibly, she was still talking as if TT were the victims rather than the villains.   She just didn't seem to 'get it'.

That said... What are we actually worried about?   So they have handed over private data on a plate, including date of birth, name, address.   Shocking, as that might facilitate identity theft and bank fraud.  But that information triplet of name, address and DoB is trivially easy to obtain for many people.   Anybody who is a company director for example, it is public domain, freely available from Companies House.

To me, as well as a welcome opportunity for sinking TT, this is an opportunity to get the banks to pull their heads out of the sand, and appreciate they need much better security processes themselves too.  Such that it takes more than a DoB and address to achieve fraud!
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 23, 2015, 07:08:56 PM
I am quite sure I was never asked for nor gave my date of birth to TalkTalk. Possibly because I transferred my service to them a long time ago.  :-\
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 23, 2015, 07:22:23 PM
Sure, it could be an inside job by a disgruntled IT employee at TT; not all attacks come from the outside.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 23, 2015, 07:56:32 PM
Saw Baroness Harding on Channel 4 tonight where she said they had bought 4 million subscriptions to Noddle for their customers!!! Now 4 million Noddle accounts are free, it is only their add-on services which cost, so what are they giving?

Stuart

Edit: just checked the TT site and it does say you can sign up for the Noddle Credit Alert using a code. I have just signed up for Noddle Alerts as I already had a Noddle account anyway.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 09:14:51 PM
I am quite sure I was never asked for nor gave my date of birth to TalkTalk. Possibly because I transferred my service to them a long time ago.  :-\

DoB is normally used for the credit check and (these days) to determine whether you can be trusted to view nipples (content filters) without being driven into a frenzy ;)

Neither check requires the data processor to retain the actual DoB, merely to record that you are over 18 for future govt content filters. In fact the DP guidelines specifically mention that you should not retain the DoB for longer than the period required to verify that data.

TT are in a big big hole & the nonsense about "ransoms" will dig that hole a lot deeper.

Then again Dido is married to one of "Call me Dave"'s buddies so I'm sure the tories will help their own.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 23, 2015, 09:41:11 PM
you can be trusted to view nipples

During the interview questions by BBC they did seem to be extruding I am guessing she was not sexually aroused at this stage she must just be feeling the cold chill of contempt.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 09:46:31 PM
Thankfully I was spared that sight otherwise I'm sure a frenzy might eventually have occurred :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 10:04:17 PM
https://twitter.com/haveigotnews/status/657499167535800320

Shamelessly copied from a link in comments elsewhere. Might make some TT customers smile tonight? :)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 23, 2015, 10:23:16 PM
https://twitter.com/haveigotnews/status/657499167535800320

Shamelessly copied from a link in comments elsewhere. Might make some TT customers smile tonight? :)

Yeap, these stolen telephone numbers could be sold on to black market call centers. I have said it before in another thread: I am 100% sure that telephone numbers of users on TalkTalk have been taken and sold on  :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 10:42:08 PM
https://twitter.com/haveigotnews/status/657499167535800320

Shamelessly copied from a link in comments elsewhere. Might make some TT customers smile tonight? :)

Yeap, these stolen telephone numbers could be sold on to black market call centers. I have said it before in another thread: I am 100% sure that telephone numbers of users on TalkTalk have been taken and sold on  :(

Did you read the link? It has nothing to do with phone numbers :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: renluop on October 23, 2015, 10:44:55 PM
DoB is normally used for the credit check and (these days) to determine whether you can be trusted to view nipples (content filters) without being driven into a frenzy ;)
Determines if contents are yoghurt, full cream, semi-skimmed, or 90% proof. :)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sheddyian on October 23, 2015, 10:52:35 PM
This has just come up on twitter

https://twitter.com/didoharding

Which does appear to be the MD's account, given the one reference, and the official account that follows it.

The lack of tech savvy or general twitter interaction in itself isn't a problem, Dido is the boss, doesn't have to have her finger on the pulse of tech.  But when she's wheeled out onto TV to do interviews and give tech advice (that is poor at best, eg suggesting an email that has a From: header as TalkTalk indicates it's genuine) it's more of a problem.

It's worrying that TalkTalk are trying to put PR spin on this that it's not a problem, or else really don't know what's going on generally.

Ian

nb I'm not piling in to attack TalkTalk, they've been good to me, I've experienced good service and I've defended them on a number of occasions.

Ian
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 10:58:02 PM
Not really sure why she's the CEO with a PPE degree? Likewise the commercial manager has a "Spad" degree (more political nonsense).

Is this the "world class leadership" we're told we have to pay for in the UK? People who have no clue about the businesses they (ostensibly) run?

Sounds a lot more like jobs for the boys (and the occasional girl) to me :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sheddyian on October 23, 2015, 11:06:44 PM
It seems to me to fall back to the dissonance between successful business, good value/price to consumer and good customer support.  They are, at a base level, mutually exclusive.  In the end, one has to give way.

Dido may well have been successful as head of TalkTalk from a business point of view (+revenue +customers etc) but....

Next few days/weeks will be interesting.

Ian

Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 23, 2015, 11:18:37 PM
My own only encounter with TT was calling to wind up Dad's account after he died.   Upshot was, unbelievably, they  somehow claimed I'd agreed to a new full year contract in my own name on an empty flat 400 miles away.   I won in the end, but it was serious hassle, the kind of thing you never forgive.

Listening to the lady in question though I can't help imagining her taking advice from the Indian call centre staff before each interview.  If they were anything like as good as the people I encountered, I'm not surprised she doesn't know which way's up after the 'advice'. :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 23, 2015, 11:22:03 PM
Did you read the link? It has nothing to do with phone numbers :D

The stolen telephone numbers on TT years ago were a precursor to the events we can clearly see as of today. They had plenty of warnings but never did anything about it; it's just shameful.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 23, 2015, 11:22:49 PM
Next few days/weeks will be interesting.

Indeed. I expect to see the tories using this to extend the law inappropriately (again).

It's all set up for that now isn't it - "Russian Islamists issuing ransom demands"  :lol:

Let's find a bogeyman or two, get the heat off the totally incompetent company because after all they're jolly good chaps - even the gels - who give us access to all their data without any problems & while we're at it sneak some more laws in that the plebs don't notice.....  :-X
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 23, 2015, 11:52:33 PM
@rizla
Unfortunately, that is exactly what I expect as well.  :( :(

Even better from 'The Register': TalkTalk has been advertising for an Infosec Officer !!! (You could not make this up!!)
http://www.theregister.co.uk/2015/10/23/tardy_talktalk_advertised_for_infosec_officer_four_days_ago/

Best of luck to anyone stupid enough to take this on.
Obviously did not think it was important before and/or ignored everything that they should have been doing.


Title: Re: TalkTalk hit by cyber hack attack.
Post by: sorc on October 23, 2015, 11:55:47 PM
@rizla
Unfortunately, that is exactly what I expect as well.  :( :(

Even better from 'The Register': TalkTalk has been advertising for an Infosec Officer !!! (You could not make this up!!)
http://www.theregister.co.uk/2015/10/23/tardy_talktalk_advertised_for_infosec_officer_four_days_ago/

Best of luck to anyone stupid enough to take this on.
Obviously did not think it was important before and/or ignored everything that they should have been doing.

There are quite a few job postings posted "today". I wonder if that's coincidental or not.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 24, 2015, 12:02:26 AM
I don't think I could even begin to advise how to deal with this - given the likelihood is they've been compromised for a year or more. That's a long time to plan the final heist of (plaintext) data but it's sort of looking like that is what happened.

I wouldn't be surprised if within the next 12 months TT was "just another brand name subsumed into another ISP" - in fact its odds-on IMHO.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 12:19:15 AM
I don't think I could even begin to advise how to deal with this - given the likelihood is they've been compromised for a year or more. That's a long time to plan the final heist of (plaintext) data but it's sort of looking like that is what happened.

I wouldn't be surprised if within the next 12 months TT was "just another brand name subsumed into another ISP" - in fact its odds-on IMHO.
True, if they are not any more successful at identifying what the situation is and being seen to get control of the situation.
The floundering around 'may' cost a few heads but solves nothing and the hit on the share price is setting them up for some hostile activity from a competitor.
[TalkTalk is an MVNO of O2 which is due to be swallowed up by 3's (Three) parent Company Hutchison Whampoa, could be a good way to get into the 'Quad Play' arena cheaply.]
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 24, 2015, 12:43:15 AM
I thought the share price nose dived spectacularly early, but largely recovered by the end of play.

I still think it'll all be forgotten by most folks in a few months.   Customers will be queuing up on their doorstep as long as they are perceived to be cheap, that is the society we live in.

And all this publicity will be adding to the perception,  "Wow, I bet they're cheap."
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 01:08:45 AM
I thought the share price nose dived spectacularly early, but largely recovered by the end of play.

I still think it'll all be forgotten by most folks in a few months.   Customers will be queuing up on their doorstep as long as they are perceived to be cheap, that is the society we live in.

And all this publicity will be adding to the perception,  "Wow, I bet they're cheap."
Re: Share price, I did not check recently & I expect the shares will bounce again as this saga goes on.
(Someone always is trying to make money out of a bit of 'Share price' manipulation.)

I hope you are wrong, on the rest !!  :(
If that is the case everyone deserves what they get.

I wish security would stick in people's minds for once.
We are more and more enmeshed in the Internet for everything in our daily lives, yet security is less than an afterthought for most including the companies we trust to keep our information safe.

What does it take for people to take all this seriously?!!
You cannot simply say 'Oops' and press the reset button on this.  :no: :no: :no:

 
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on October 24, 2015, 01:16:02 AM
TalkTalk obviously aren't going to pay the hackers any money, so the question is how much data do the hackers release (if any)? If they do a Sony or Ashley Madison and release gigabytes and gigabytes then surely Harding is finished - being the third breach in a year as well. In that case I would also hope action could be taken that would hit TalkTalk hard financially.

Not really sure why she's the CEO with a PPE degree? Likewise the commercial manager has a "Spad" degree (more political nonsense).

Is this the "world class leadership" we're told we have to pay for in the UK? People who have no clue about the businesses they (ostensibly) run?

Sounds a lot more like jobs for the boys (and the occasional girl) to me :(

Winning the Oxbridge lottery often pays dividends whether your degree is good, bad, or indifferent. 
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 01:39:28 AM
Sacking someone is of no value, whether it is a 'scapegoat' or CEO. Much like apologies after the fact are of no value also.

Real action of security is what is needed before you are hacked.
People should be asking their ISPs now .... "Are you storing my Data encrypted, regardless of how good your security is supposed to be ?"
[I anticipate that some companies will say .... "Our security is much better than Talk Talk's and the Data is safe", without answering the question.  :( >:( ]
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 24, 2015, 01:52:28 AM
I may well be ignorant/naive but I don't understand why these companies don't do things properly so that hackers have absolutely no chance of getting in in the first place. (Unless of course it was an inside job.)

Every system I have been responsible for is secured to the absolute max, far above standard configuration, and is tested too.

Perhaps they are just hiring too many rubbish people so that the good people are diluted, drowned in compensating incompetence.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 02:21:21 AM
I may well be ignorant/naive but I don't understand why these companies don't do things properly so that hackers have absolutely no chance of getting in in the first place. (Unless of course it was an inside job.)

Every system I have been responsible for is secured to the absolute max, far above standard configuration, and is tested too.

Perhaps they are just hiring too many rubbish people so that the good people are diluted, drowned in compensating incompetence.
The problem is often that the people who know at the sharp end (as in 'IT') are outranked by the people that sell.

The usual conversation is give me a system I can use 'Now' so I can start selling to customers and make money.
Any attempt to talk about security and 'Doing things right' gets stomped on from on high as delaying things and getting in the way.
The Sales people then get their way and the IT people are told to work around the 'Live' system BUT do not stop the Sales people from working.

Any further attempts from the brave few get the standard "We make the money that pays your wages, so stop delaying things", usually to a Senior IT Manager who resents the comments and stomps down harder on his people to save his/her own neck.

When it all hits the fan is usually the point where the IT Division are suddenly seen as being 'in control' of their own domain.
The same IT Manager will be getting it in the neck for NOT doing the right thing.
The usual suspects/scapegoats, many levels below, will be blamed and fired.

Seen it and reported on it and it has been acknowledged and ignored because it would be too embarrassing to admit that is the way things really happened.
i.e. The real culprits are too senior to be seen to be in the wrong.

After the fuss has died down the Senior People usually are reassigned to another geographic area where the true facts can be ignored/re-written/lost in the mists of time.  ;D ;D ;D

Recruit and/or promote as needed and start again.  :D :D ;)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 24, 2015, 08:56:10 AM
Just saw this in a post on the TT forum:-

Quote
I just phoned up my bank to change my sort code and account number, by opening up a new account with them.
The advisor advised me that the bank is not allowing TalkTalk customers to change account at the moment.
TalkTalk this morning have given banks more details on what is going on.  She wasn't going to tell me any more, but she let it slip, maybe she's a TalkTalk customer, that some officials think that the criminals might be still in TalkTalk's system, or have left a way in. In that case if we changed our account details, or password. If the criminals have still got access to their systems any changes we make they will know about.

I think the only way we can solve it is if TalkTalk is closed down and we go somewhere else, possibly with the help of Ofcom!

There may not be a guarantee that Talk Talk will ever now be safe!  Sad to say

The fact that they have still not brought their main website back online seems to indicate there is a lot going on that has not been made public.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: les-70 on October 24, 2015, 09:32:47 AM
  The reviews of Noddle  https://uk.trustpilot.com/review/noddle.co.uk have things in common with some reviews of TT !!!!  I find it extra worrying if that is the best offer TalkTalk can make to its customers.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: jid on October 24, 2015, 09:48:19 AM
  The reviews of Noddle  https://uk.trustpilot.com/review/noddle.co.uk have things in common with some reviews of TT !!!!  I find it extra worrying if that is the best offer TalkTalk can make to its customers.

I'm glad it wasn't Experian, as I believe they were hacked recently with around 2 million customers' data released?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 24, 2015, 09:53:57 AM
  The reviews of Noddle  https://uk.trustpilot.com/review/noddle.co.uk have things in common with some reviews of TT !!!!  I find it extra worrying if that is the best offer TalkTalk can make to its customers.

noddle.co.uk is Callcredit Information Group Ltd :

Our Mission

Callcredit Information Group unlocks value for businesses and consumers by the secure and innovative transformation of data into intelligence and insight, enabling transactions across multiple channels and markets.


I wouldn't hold out much hope of this lot being much more use than the proverbial chocolate teapot....
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 24, 2015, 11:05:12 AM
I wonder if TT have been paid finder's fees for all these millions of people they've introduced to Noddle?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sorc on October 24, 2015, 12:52:34 PM
I don't know why people just don't pay for the statutory credit reports. It's £2 a go but it's a one time thing, but you don't have to worry about trying to cancel CreditExpert at £10 a month or whatever (and their "credit score" feature is useless as it's just their interpretation, the UK doesn't have formalised scoring like the US does, each company has their own scoring criteria). At least you know the data isn't going through some third party who may have even laxer security standards than either TalkTalk or Experian

Though I suppose TT will be trying to give you a year of that sort of service anyway as part of the "compensation". If I was a TT customer I'd be happy with being let out of my contract first of all
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 01:35:27 PM
... If I was a TT customer I'd be happy with being let out of my contract first of all
If you remember the interview TT are going to be 'dancing' around that one.
The advice to call CS, to make it an individual issue, hinges on you being able to prove you have been affected by the 'Hack'.
Until TT release more information they are not giving anyone the ammunition to leave, for Free, without some debate with TT.
I don't know if loss of service is enough, yet. (Someone who has access to T's & C's needs to get advice on this)
Proof of reckless loss of Data would be, of course, which is one of the reasons that TT are not releasing any specific information.
When more specific data is released or the hackers get bored waiting ... there will be a 'run for the door'.  :( :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Bowdon on October 24, 2015, 01:47:05 PM
I found the interview with Dido Harding very frustrating to watch.

When I was in college many many years ago, I drifted between IT subjects and Business classes. I noticed immediately that there is a difference in mentality and priority between the two types of people.

Business people don't want to know the minor details of things, especially it seems when it comes to IT systems. They tend to implement the cheapest solution until a problem happens.

I suspect, as has already been suggested, that the IT people 'on the ground' would have been asking for more security but they were probably outranked by business people.

Time and time again I see and hear of IT people being seen as a lesser class of people in companies, when the reality is they are probably the biggest asset a company has.

Leaving details unencrypted in this day and age is unforgivable, and I wonder if there is a possible class action lawsuit in the future about it, as if a company performs under-par then it's fallen below expected standards.

I'm not a big fan of these hackers, but one good thing they do is keep the security of companies in check. I don't believe these are 'Islamic' hackers. I've heard so many hackers in the past claim to be them, but they are just trolling.

The thing we found out from the Xbox and PlayStation hacks was that Sony only had one data centre, while Xbox had 3 (or more?).

These companies need to stop cutting corners. I think this will be a reality check on how TT handle this. So far they haven't handled it at all well.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 02:27:38 PM
@Bowdon Too True.
The issue is will anyone learn from this?
Past experience says NO!

A lot of posturing will take place from the ISPs who did not get hacked and noise about the security they have.
In reality little will change because when costing out of the changes and impact is made, someone will ask "Is it worth it ?" and ask if it can be done cheaper.
By the time the final decision is made the changes will be mostly peripheral and will impact 'Business' as little as possible.
These sorts of threats are always seen as 'unlikely to happen' & 'happen to someone else'.
I am not sure how many events of the 'TT sort' need to happen before we move off the 'unlikely' mark.  ;D ;D

There is a downside to doing what is right, unfortunately.
Maybe if we are lucky a few companies will learn and do something useful but it is more than likely even if they do they will keep quiet about it.
Anyone found to be doing any 'real' changes will get hit by negative press announcing they are fixing things because their security is/was bad!!!
That is the 'Lose/Lose' problem that companies also have to navigate with our press  ;D ;D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 24, 2015, 04:09:34 PM
Again, my ignorance. Why does it cost any more to do things right than wrong? ( Answer: rubbish people are cheaper? )

Again, my ignorance and naïveté.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 24, 2015, 04:46:48 PM
Been out today and on the radio on my way home the news reported that TT have said that complete credit/debit card numbers were NOT stored, only partial ones so they are now saying that is at least safer I guess.

Talking to a friend of mine (in his 80s I believe), he nearly got caught out by the scammers about 10 weeks ago; they did persuade him they were TT and to install some software, but he smelled a rat later in the conversation when they asked him for his credit card details to do a refund and he refused. The guy on the phone said 'Oh well your PC is now hacked anyway' and hung up. Fortunately John turned off his PC and took it to a local PC guy he trusted who disinfected it and recovered his data.

Stuart

Edit: The TT community website now confirms that the card numbers were not stored in full on the system which was hacked, and that MyAccount passwords were not accessed, they say, although it is still prudent to change them anyway.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 24, 2015, 05:57:17 PM
Copied from comments on El Reg :

As part of the "mitigation" for the breach, TT are offering people a year's free "credit alerts" if they sign up with Noddle. What they don't appear to be telling their customers is that Noddle partly finances its "free" basic service by targeting you with advertising (you will be provided with money saving offers and vouchers online) and encouraging you to participate in their "confidence rating" service which will direct you to products provided by carefully selected third party providers, including credit cards and loan products.

For a further fee, which isn't part of the TT deal, Noddle offers its Web Watch service which provides notification if your personal data is being traded or being sold fraudulently on the Internet, chat rooms, bulletin boards and file sharing sites. However use of this service involves the transfer of your information outside the European Economic Area [specifically, to the US].

I'm not sure this is the kind of "identity protection" TT's customers might have chosen for themselves. There does seem a possibility they may be exchanging TalkTalk for StalkStalk.


Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 06:22:04 PM
It is really down to TT users to organise themselves a little and let TT know the Noddle service is not good enough.
Signing up to an 'Ad financed' service that is going to waste even more of my time would annoy me no end.

I am sure I read something somewhere that seemed to imply TT may even make money off the customers it pushes Noddle's way.
(A very large number of customers who are going to use your service, handed to you on a plate must be worth something. A percentage of them will sign up for the other services, if they know no better, and that is real money for Noddle !!)

TT are being very cheapskate on this, considering it is their fault at the end of the day.  >:( >:(

[Not a TT Customer but this still makes me angry as it is a true reflection of what TT think of their Customers = 'Mugs and worth very little.']
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 24, 2015, 06:26:08 PM
If their systems are like many others then it'll be the last 4 digits of the card which are visible to whatever CRM system they use.

This probably isn't a good thing as I know I've been asked for the last 4 digits of the card as a "security question" by at least one ISP (not Sky) in the past.

Also aren't the first 8 digits of the card specific to the issuer (ie your bank/CC company)? I guess we'll see if there's an increase in scamming calls asking for the "second-last block of four numbers".

Were it me then I think I'd be calling my bank/CC company to tell them that I was a TT customer & instruct them not to process any new card transactions where a PIN isn't used/cardholder not present.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Bowdon on October 24, 2015, 06:48:46 PM
It does make me wonder if TT are telling the full truth. I was reading this article; http://www.dailymail.co.uk/news/article-3287470/TalkTalk-accused-covering-scale-jihadi-cyber-attack.html (http://www.dailymail.co.uk/news/article-3287470/TalkTalk-accused-covering-scale-jihadi-cyber-attack.html)

These two examples stood out when reading;

Quote
"Conmen also sabotaged a TalkTalk customer’s broadband line on Wednesday morning.

Iain Frater, a trainee doctor from Glasgow, said: ‘They slowed my internet down then phoned pretending to be TalkTalk support. They had all the details you would expect, including name, address, phone number and account number. The guy really sounded like he was in a TalkTalk call centre.’

When Mr Frater became suspicious and tried to end the call, the fraudsters warned him his computer was at risk of exploding."

And

Quote
"Hilary Foster, a barrister’s clerk from Surbiton, south-west London, found that scammers had tried to go on a shopping spree funded from her bank account.

Many of the payments were declined but thieves still made off with more than £600, which they spent at Tesco and Office shoes.

When she called to block the card, the bank asked her whether she was a TalkTalk customer: ‘I was in a blind panic. I am really, really angry TalkTalk found out about this on Wednesday and didn’t tell customers until a day later.’"

I guess the first example might have just been the computer repair people scamming him. But the second example of Hilary Foster is more worrying. Bank accounts must have been compromised for the bank to be confirming if she's a TT customer. I've seen that theme on a few different stories. But the way the TT representative is saying then a bank account couldn't be directly compromised. So someone isn't telling the full story.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 07:10:15 PM
Quote
If their systems are like many others then it'll be the last 4 digits of the card which are visible to whatever CRM system they use.

This probably isn't a good thing as I know I've been asked for the last 4 digits of the card as a "security question" by at least one ISP (not Sky) in the past.

Also aren't the first 8 digits of the card specific to the issuer (ie your bank/CC company)? I guess we'll see if there's an increase in scamming calls asking for the "second-last block of four numbers".

Were it me then I think I'd be calling my bank/CC company to tell them that I was a TT customer & instruct them not to process any new card transactions where a PIN isn't used/cardholder not present.

As things are going I would withdraw enough cash for a week or so and contact the bank to re-issue new cards (new card numbers and pins) and change passwords on all internet banking etc.
You would be able to track any transactions easily as you will have gone to 'Cash Only' from a known date.
DD transactions should be safe but you will need to monitor your accounts for odd activity.

Q: Has anyone been through this and had to set up all new accounts etc ?
How good are the banks at doing all this without messing up all your DDs and other regular transfers ?

Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 24, 2015, 08:45:58 PM
My wife's elderly mother was frightened half to death by cyber on the BBC. She has no idea what cyber is, but it's something scary and dangerous. She doesn't know what TalkTalk is or whether she might be a customer or not, so she rang the number that the BBC was giving, in terror. The people on the help line, whatever it was, reassured her that she wasn't a customer.

This must be affecting a lot of old folks who are nothing to do with TalkTalk. Giving them a day of fear.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 24, 2015, 09:46:46 PM
Disregarding, as any scientifically minded person would, anything that is published in the Daily Mail...

Based on latest news releases, providing you are not completely stupid, the worst that can happen is that the hackers would have access to your bank accounts for the sole purpose of depositing their money in your account.

Assuming the above scenario to be unlikely, the words 'storm', 'teacup', 'shame'  'on' and 'BBC' spring to mind.   Meanwhile, TT will be ultimately grateful no doubt, for all the free advertising - exactly as I predicted earlier.

 :)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 24, 2015, 10:33:34 PM
Whilst in no way trying to diminish this current TT fiasco I do think that some of these stories are probably from earlier hacking successes. As I pointed out earlier in this thread a friend of mine was targeted some 10 weeks ago and had this been successful he might well have had a problem with his credit card being raided; the virus would not have acquired banking details as he has never used internet banking but had he done it could have. Some of the press (and I suspect the Daily Fail in particular) may well be printing the stories in the way they think best for maximum effect.

I also doubt very much that any ISP is safe in today's environment. One security expert interviewed (from the USA) on BBC today said he feels that companies need to stop trying to buy protection and start investing in detection and mitigation strategies so that when hackers do make it in their access is more easily found and the systems designed in such a way as to make it difficult to get past one system into another.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 24, 2015, 10:42:33 PM
The time has come, I think, for Baroness Diana Harding to be "moved on" . . .

Just wondering what would have happened (remembering that we have no real, solid, first hand information) if the ISP/CP targeted had been, say, A&A rather than TalkTalk?  :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 24, 2015, 10:45:11 PM
My own Dad was targeted by a scam call, in his latter years.

I shuddered as he told me he'd had a call about a problem with his AOL account, and how they'd 'helped him to install some software to fix it'.   :o

Thing is, many's the time I'd spent hours on the phone with Dad, trying to sort out computer problems.   ::)

Dad was a high-flying number-cruncher in his day, and remained so until the end, but remote computer support was never easy.  As it transpired the scammers had got no further than I ever did, Dad's computer was safe, owing to a combination of common sense and blissful ignorance. :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 24, 2015, 11:03:27 PM
Quote
Just wondering what would have happened (remembering that we have no real, solid, first hand information) if the ISP/CP targeted had been, say, A&A rather than TalkTalk?  :D

That is indeed an interesting thought.

I hold A&A in very high esteem and so I hope they would recognise the possibility it might happen, no matter how good their own 'housekeeping'.

Their response to the question posed would therefore be fascinating.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 24, 2015, 11:24:25 PM
Why A&A ? Out of interest.

They I think have a “no bullshit” policy of openness. I don't know if A&A have been subjected to a successful attack. RevK's well publicised political opinions regarding censorship net neutrality and openness on the Internet are probably such as to gain A&A some favour with the hacker community, so I would expect they don't have too many enemies amongst hacktivists, but then there are of course all the miscreants who just want money and have no opinions.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 24, 2015, 11:30:03 PM
@weaver
I think you have answered the question.
They are seen as the antithesis of an ISP such as TT and it would be expected they have the right systems in place & know whether their data is encrypted :) :)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 24, 2015, 11:54:55 PM
Quote
Why A&A ? Out of interest.

Your own comments, below, and the posts of 7LM & AArdvark that precede & follow your own post provide the answers . . .  :)

Quote
They I think have a “no bullshit” policy of openness. I don't know if A&A have been subjected to a successful attack. RevK's well publicised political opinions regarding censorship net neutrality and openness on the Internet are probably such as to gain A&A some favour with the hacker community, so I would expect they don't have too many enemies amongst hacktivists, but then there are of course all the miscreants who just want money and have no opinions.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 24, 2015, 11:55:20 PM
Actually, despite the BBC's twaddle, encryption is largely irrelevant in this scenario.

In the case of an organisation with fundamentally insecure IT, encryption confers no benefit at all as the encryption keys (/passwords) themselves must be assumed to be compromised in any attack.

I'm certainly not defending TT.   They are, to me,  in personal opinion, the root of  much evil.   But I might, just might, be tempted to have a flutter on their shares on Monday morning, as I suspect they are  now on course for financial success.  :)

I ought to stress, despite the fact I have no idea whether I am required to do so...  I am most certainly not qualified to give financial advice and do not (yet) have any interest in companies concerned.   :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 25, 2015, 12:49:35 AM
Btw, A&A is a customer of TalkTalk Business or Wholesale or whatever. A&A gets lots of wholesale local loops from TT.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: IMgoRt on October 25, 2015, 07:38:30 AM
Quote
Actually, despite the BBC's twaddle, encryption is largely irrelevant in this scenario.

In the case of an organisation with fundamentally insecure IT, encryption confers no benefit at all as the encryption keys (/passwords) themselves must be assumed to be compromised in any attack.

I'm certainly not defending TT.   They are, to me,  in personal opinion, the root of  much evil.   But I might, just might, be tempted to have a flutter on their shares on Monday morning, as I suspect they are  now on course for financial success.  :)

I ought to stress, despite the fact I have no idea whether I am required to do so...  I am most certainly not qualified to give financial advice and do not (yet) have any interest in companies concerned.   :D

I'm sure I heard that this was simple SQL insertion on the childish website, so encryption as you said is irrelevant!
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 25, 2015, 08:18:50 AM
From what I'm being told the XSS flaw was found several weeks ago and was located at video.talktalk.co.uk. Edit - in fact you'll find the details here: https://www.xssposed.org/incidents/93183/ TalkTalk appear to have totally ignored the warning....

I'm told much of the TalkTalk site is (and I quote, so apologies for the language) "A {censored} mess coded by children or illiterate outsourced labour" and has multiple vulnerabilities, of which this is just the latest of many.

It would appear that the people with most to fear are some 400,000 people who recently joined TalkTalk as their credit check data (in its entirety) has been taken. This includes:

Name
DOB
Address
Tenancy Type
Years At Address
Months At Address
Home Telephone
Mobile Telephone
Email
Employer
Employment Title
Employment Location
Employers Phone
Bank
Account Number
Sort Code

I'd say that's more than enough data to ruin a lot of lives.

Time for the UK to bring in some real laws to affect negligent/incompetent CEOs. Someone within TT should be going to jail for this and we're always told the buck stops with the CEO, hence their pay so time for Dido to do some porridge I reckon.

NB - this is what I'm being told so it's possible parts of it aren't true. So far it all checks out though....
Title: Re: TalkTalk hit by cyber hack attack.
Post by: les-70 on October 25, 2015, 09:07:59 AM
  Much as you might expect it seems impossible to get a Noddle account.  I assume the site is simply overloaded.  It gets more depressing by the minute.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 25, 2015, 09:12:37 AM
Quote
  Much as you might expect it seems impossible to get a Noddle account.  I assume the site is simply overloaded.  It gets more depressing by the minute.

Or possibly it is being targeted by hackers as it could have 1000s of TT customers' data which could fill the gaps in the stuff they got from TT.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: jid on October 25, 2015, 09:53:07 AM
Quote
  Much as you might expect it seems impossible to get a Noddle account.  I assume the site is simply overloaded.  It gets more depressing by the minute.

I can access Noddle without any problems?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: les-70 on October 25, 2015, 11:36:25 AM
  I can access the site but experience endless waits after the first page of the signup.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 25, 2015, 11:43:50 AM
I'm not sure I'd sign up to a US credit-checking agency* given the constraints the Patriot Act puts on US companies (ie all your data belongs to the US govt on demand).

YMMV of course....

*Noddle is 100% owned by Callcredit who in turn are based in Chicago.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: vic0239 on October 25, 2015, 11:58:15 AM

Quote
As things are going I would withdraw enough cash for a week or so and contact the bank to re-issue new cards (new card numbers and pins) and change passwords on all internet banking etc.
You would be able to track any transactions easily as you will have gone to 'Cash Only' from a known date.
DD transactions should be safe but you will need to monitor your accounts for odd activity.

Q: Has anyone been through this and had to set up all new accounts etc ?
How good are the banks at doing all this without messing up all your DDs and other regular transfers ?


I once had my credit card compromised and it was swiftly stopped by my Bank and all fraudulent transactions refunded. The new account was set up immediately, but it took about a week to receive the new cards. Because my credit card could be used to initiate a password reset on my online banking and thus put my current account at risk, my debit cards were cancelled and reissued and my online banking credentials were removed as well. I could set these up again immediately, but the cards took about a week to come.

During the above my current account remained open, but I recently used the new switching service to move my current account and the process was seamless. Everything was transferred automatically, direct debits, standing orders, pension credits and all of my online banking payees.  I was quite impressed.  :wry:
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 25, 2015, 05:44:50 PM
@vic0239
Thanks, sounds like the banks are getting better.  ;D
Useful to know.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 25, 2015, 05:50:30 PM
Sounds like Dido has "done a Ratner" ;)

Harding said that her company was under no "legal obligation" to encrypt sensitive customer data, such as bank account details.

"It wasn't encrypted, nor are you legally required to encrypt it," she told the newspaper (Times). "We have complied with all of our legal obligations in terms of storing of financial information."


Technically she's correct - although the ICO has stated that no encryption will result in an automatic investigation and the PCI-DSS standards aren't enforced by Plod, they're enforced by Mastercard/Visa.

Anyone still want to buy TT shares? :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sorc on October 25, 2015, 06:04:34 PM
Quote
Anyone still want to buy TT shares? :D

At the rate things are going I wonder if she'll still be in her post in a week's time.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 25, 2015, 06:13:12 PM
Quote
At the rate things are going I wonder if she'll still be in her post in a week's time.

I'm sure that whatever happens to TT/her she has a big payoff lined up, they all do :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on October 25, 2015, 09:56:01 PM
Quote
It would appear that the people with most to fear are some 400,000 people who recently joined TalkTalk as their credit check data (in its entirety) has been taken. This includes:

....

Time for the UK to bring in some real laws to affect negligent/incompetent CEOs. Someone within TT should be going to jail for this and we're always told the buck stops with the CEO, hence their pay so time for Dido to do some porridge I reckon.

NB - this is what I'm being told so it's possible parts of it aren't true. So far it all checks out though....

What time period does that cover? I joined TT at the beginning of December last year, am I one of the 400,000?

I agree that until prison sentences start being handed out for negligent security practices within companies, companies won't get serious about their IT.  >:(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: loonylion on October 25, 2015, 10:17:08 PM
Quote
I agree that until prison sentences start being handed out for negligent security practices within companies, companies won't get serious about their IT.  >:(

Potential problem with that is who goes to jail? The IT people who weren't able to do the job properly, the beancounters who refused to pay for doing the job properly, or the people at the top who want max profits no matter what?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on October 25, 2015, 11:08:12 PM
Quote
What time period does that cover? I joined TT at the beginning of December last year, am I one of the 400,000?

I guess I probably am then - http://www.offta.org.uk/charts.htm ?

Quote
Potential problem with that is who goes to jail? The IT people who weren't able to do the job properly, the beancounters who refused to pay for doing the job properly, or the people at the top who want max profits no matter what?

I'm not a lawyer but it won't be the first time there will have been legal obligations for a person/body to maintain standards protecting the public/customers - no doubt something can be done.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 26, 2015, 01:03:05 AM
@loonylion answer: all of the above. That way you will get all the guilty parties.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 26, 2015, 01:44:37 AM
Quote
Btw, A&A is a customer of TalkTalk Business or Wholesale or whatever. A&A gets lots of wholesale local loops from TT.

b*cat nods in acknowledgement.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: roseway on October 26, 2015, 07:14:48 AM
I couldn't resist borrowing this link from another place: http://i.imgur.com/al4kv26.jpg
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 26, 2015, 08:27:28 AM
Quote
I couldn't resist borrowing this link from another place: http://i.imgur.com/al4kv26.jpg

Great cartoon....  :lol:

As for punitive sentences for this I think the best we could hope for might be swingeing fines and by that I mean millions of pounds not the stupid fines of a few 1000s which usually get handed out. Base the fine on 10x the CEO remuneration which would mean a fine of some £65,000,000+ for TT since Ms Harding earned (sorry got paid) £6.5million last year.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sorc on October 26, 2015, 10:02:54 AM
Quote
At the rate things are going I wonder if she'll still be in her post in a week's time.

I'm sure that whatever happens to TT/her she has a big payoff lined up, they all do :(

Sadly I have to totally agree. The only people getting fired and punished will be some IT staff (or more likely, they'll fire the outsourcing company they probably use and go with the second cheapest)

It's pretty ridiculous that the ICO can't levy a particularly large fine (I think people have said £500k) despite this being the third occurrence in a year
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 26, 2015, 10:22:23 AM
 :D :D :D :lol:
Love the Cartoon

In terms of the Fine .... don't hold your breath.

I would not expect much to happen to our wonderful CEO beyond at best a slap on the wrist.
It was nothing important only customer data, after all!!
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 26, 2015, 10:30:44 AM
I'm sure the Tories will protect their own, they have plenty of experience with a myriad of other dodgy Tory peers.....
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on October 26, 2015, 01:58:06 PM
Quote
Shadow Minister for Business, Innovation and Skills, Chi Onwurah, is to ask an Urgent Question on data breaches and consumer protection on Monday 26 October 2015 in the House of Commons. She will ask about the Government's responsibilities and policies protecting consumers and infrastructure from large scale data breaches such as that suffered by Talk Talk.

It is estimated the Urgent Question will begin 4.15pm, following the Urgent Question on the arrest of protesters. Timings are approximate as Parliamentary business is subject to change.

http://www.parliament.uk/business/news/2015/october/urgent-question-on-data-breaches-26-october-2015/
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 26, 2015, 03:05:51 PM
Why am I not surprised that Labour can't ask a question on this without giving the govt an open goal to demand more spying powers?

"She will ask about the Government's responsibilities and policies protecting consumers and infrastructure from large scale data breaches such as that suffered by Talk Talk."

A normal person - ie not someone climbing the greasy pole - wouldn't have mentioned infrastructure, just consumers and the answer to that of course would be massive fines from the ICO to compensate said consumers.

In the case of TT it wouldn't be unreasonable for each customer to demand £250 compo* & that'd translate into £100million in compo plus let's say 20% for the govt. Make the fines transferable to directors if the firm can't/won't pay.

That'd concentrate minds at board level....

People like Dido can afford it - she gets paid more than the minimum hourly wage every minute of the year (she gets paid £7.35/minute averaged over a year - or if you'd prefer it in terms of a 45 week year, 40 hours a week - that's £3611/hour.)


For "infrastructure" then that depends - private companies can sort their own out & in the event they don't the abovementioned massive fines will deal with them. For public infrastructure (is there any apart from roads/bridges & health/education?) then govt should deal with it.

The very last thing we need is more "black boxes" in private networks. Remember it's likely to be people like Crapita who will end up running them :(

*this is the figure Barclays paid out when they lost similar data.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sorc on October 26, 2015, 03:11:40 PM
Quote
For "infrastructure" then that depends - private companies can sort their own out & in the event they don't the abovementioned massive fines will deal with them. For public infrastructure (is there any apart from roads/bridges & health/education?) then govt should deal with it.

Government IT/phones? NHS health records? Military comms? Though I suppose whether that is private or public sector can be debated given that it's been outsourced and subcontracted to all the large incompetents at some point.

Presumably Labour are trying to capitalise on the rise of "cyber warfare"
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 26, 2015, 03:22:17 PM

Quote
Government IT/phones? NHS health records? Military comms? Though I suppose whether that is private or public sector can be debated given that it's been outsourced and subcontracted to all the large incompetents at some point.

Presumably Labour are trying to capitalise on the rise of "cyber warfare"

Govt is govt & there's not going to be any substantive answer on comms. NHS records are up for sale by the govt anyway.

Labour are the party who gave us 3000 new criminal laws in just over 10 years - mind you I reckon the Tories will give them a run for their money in the next 5 years....
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 26, 2015, 05:06:13 PM
Quote
Labour are the party who gave us 3000 new criminal laws in just over 10 years

The key question is not the number of new laws but how many of them are 'Bad laws'?

We can now debate what is a 'Bad law' !!  :D :D :D

You are right about the current Govt being likely to challenge this number, as the Govt has shown that changing rules/laws as they see fit is a good way to get their own way and 'adjust' the odds further down the line, for when the next election comes.

I still have not forgotten the change made to a fixed 5 year term for govt's which was the first bit of skewing the odds the Tories (with help from the Lib Dems) felt just had to be done.
[Fixed-term Parliaments Act 2011] https://en.wikipedia.org/wiki/Fixed-term_Parliaments_Act_2011 (https://en.wikipedia.org/wiki/Fixed-term_Parliaments_Act_2011)
(This set the tone for what was to come, which the 2nd win has unleashed with no constraint at all)
I am not the only one who thinks this was a bad idea .... even Ken Clarke now thinks it was a bad idea. (See http://www.bbc.co.uk/news/uk-politics-31917502 (http://www.bbc.co.uk/news/uk-politics-31917502))
Sorry for the OT.  ;D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: guest on October 26, 2015, 05:14:43 PM
I think you English people have to sort all that out amongst yourselves. Worth bearing in mind that most of the "New Labour" laws were surveillance laws.

/me has lived in England for 26 years but no longer votes here because the choice is war-mongering right wingers or tories. I'll be leaving ASAP (once my English kids are done with school) because frankly nobody is welcome in England unless you're white (I am), English (not), right-wing (not) or have loads of wealth (again I fail). Enjoy your country peeps because you look very bad from the "outside".
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 26, 2015, 07:00:37 PM
15 year old boy arrested in County Antrim in relation to TalkTalk hack attack.

BBC News article (http://www.bbc.co.uk/news/uk-34643783).

[Moderator edited to add the link to the BBC News article.]
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 26, 2015, 07:39:24 PM
Heard it in passing at the end of News.

Someone taking 'Script Kiddie' to heart.
Unfortunately, he is not going to like what happens next.  :( :(
Stupid thing to do.  :no: :no:
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sheddyian on October 27, 2015, 12:16:21 AM
It will be interesting to see how this pans out; there are a number of incidents here, and (as far as I know) it's not been stated which one the 15 Year Old Boy has been arrested for.

Consider :

TalkTalk have been compromised several times before.  Was it one of these the lad was arrested for?
or Was it the recent attack that's made the news?  All of them? Some of them? None?
Was it the (bogus?) claim of Muslim terrorist involvement?
Was it the (separate?) posting of such on pastebin?
Was it the (bogus?) blackmail of TalkTalk over (unconnected?) hacking?
Was it some undisclosed hacking / muddying of waters / wasting police time?

There seem to be a number of incidents here that may not all be related, so I'm a little cautious of leaping to the conclusion that the arrest of the 15 year old kid "in relation to talk talk hack" is a simple closure on this.

Interesting to see how this develops.

Ian
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 27, 2015, 12:48:08 AM
Interesting to see how this develops.

Indeed it will.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 27, 2015, 12:53:04 AM
It's just a shame that this 15-year old kid can't employ his talents for something more socially constructive.

Despite all the harm caused, I kind of hope they don't throw the book at him, at that age.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on October 27, 2015, 01:11:12 AM
I doubt it's actually a "talent", more an interest. Unlikely he will have crafted an exploit himself but just hung out at the right forums/IRC and copied other people.

Kids do stupid things ... as a young teenager, in idiot mode with a Commodore 64 and a modem, I nearly booked a whole airliner's seats because I thought it might be funny if the plane turned up at the airport and no passengers arrived - luckily a friend stopped me getting myself in trouble (though I think this was before digital telephone exchanges so perhaps my connection may not have been traceable).  :fingers:
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Weaver on October 27, 2015, 01:17:22 AM
I doubt it's actually a "talent", more an interest. Unlikely he will have crafted an exploit himself but just hung out at the right forums/IRC and copied other people.

True enough.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: BritBrat on October 27, 2015, 10:29:25 AM
This may be off topic, sorry if it is.

I have been onto NatWest bank over the last year as to why a 3rd party (liveperson.net) collects part of my login details (customer number) when entering online banking.

Most people would not see this but I have been using software for years that informs me if the details entered are not on the same URL as they were first made.

So what has this to do with this thread?

Well just out of interest I put TalkTalk and liveperson.net into a Google search and it seems they started also using their services, I don't know what for but this prompted another phone call to my  bank.

It seems to me they put a lot of trust into 3rd party sites and don't seem to think that maybe they should be checking the security of the services they employ others to do, I may be wrong but that's the impression I got.

I asked what happened to my login detail that liveperson.net collected and was it stored or not saved, I got no answer. Only that they trusted them.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 27, 2015, 05:46:57 PM
Latest update on the TT site suggests they pro-actively block spam calls at the network level and have been doing so for a long time. Well all I can say is that when I rang to complain about my spam calls from their previous hack into the TT systems a couple of months ago now and asked exactly that question 'Why can't you block at the network level?' I was told that this is not possible and all they would offer was a change of my phone number.

It is a little suspicious now that since this latest attack I have not received any spam calls from the Indian gentlemen at all. I suspect they decided it was about time to try to stop at least some of these calls entering their network.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 27, 2015, 07:20:37 PM
TT are FTSE 250, and ended the day as the Index's strongest riser, by a huge margin.   One commentator I saw attributed this to a TT statement (not seen it, so may have some details wrong) that they would allow early exit from contracts, but only for those whose accounts are raided.

Now that's clever management.  Keeps the red-top readers happy yet, as it is highly unlikely that anybody at all will have an account raided, so TT will keep all their customers and  suffer no loss, it is good for the business as well.   

Will be interesting to see where the fortunes go from now on.   The share price had already been in decline in recent weeks but I still predict, with all the free advertising, started by BBC's sensationalism, this whole incident could be the turning point?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: renluop on October 27, 2015, 08:27:08 PM
TT are FTSE 250, and ended the day as the Index's strongest riser, by a huge margin.
Par for the course; buy in cheap and offload to the rabble before the proverbial hits the cooling...
Quote
One commentator I saw attributed this to a TT statement (not seen it, so may have some details wrong) that they would allow early exit from contracts, but only for those whose accounts are raided.

Now that's clever management.  Keeps the red-top readers happy yet, as it is highly unlikely that anybody at all will have an account raided, so TT will keep all their customers and  suffer no loss, it is good for the business as well.   

Will be interesting to see where the fortunes go from now on.   The share price had already been in decline in recent weeks but I still predict, with all the free advertising, started by BBC's sensationalism, this whole incident could be the turning point?
Well, at least for a few months.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on October 27, 2015, 09:23:53 PM
so I'm a little cautious of leaping to the conclusion that the arrest of the 15 year old kid "in relation to talk talk hack" is a simple closure on this.

The problem is he/she is a juvenile so under the (Care and Protection of Children) Act, 2000 it's going to be very hard to obtain information in relation to who or what they did and the media will also be locked down "we will never know"
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Dray on October 28, 2015, 08:00:40 AM
I've just seen the picture of the hacker. It's not Asbokid is it?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 28, 2015, 04:14:52 PM
I've just seen the picture of the hacker. It's not Asbokid is it?

Let me see . . . No, that's not the person I know.  :no:
Title: Re: TalkTalk hit by cyber hack attack.
Post by: jid on October 28, 2015, 08:58:34 PM
I called TalkTalk today, I thought I'd see how much termination fees actually were (I fancied a laugh).

My contract started in December last year, and expires in June, and the current termination fee is £280! :O

So I will be staying, but with them informing me of the £75 extra on top of termination for TV, I won't be renewing the TV contract. I can get Fibre with anytime calls and pay line rental up front for £20 p/m. The hack hasn't really put me off tbh

Signed up for Sky TV today for £24 instead of £30. Regret leaving them tbh the TalkTalk TV hardware is appalling >:(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: kitz on October 29, 2015, 07:16:10 PM
One thing I did find rather interesting about this is the way the media handled this and the difference in how things came across when watching either Sky News or BBC news.    Sky news seemed to focus rather a lot* on those members of public who were said to have had funds go missing or 'almost' fallen for a scam to clear out their bank account.

Perhaps I'm cynical, but I'm not sure if I believe that all 'scam' incidents were directly related to the most recent breach of security and some may have been co-incidental.   I'm also unsure as yet to the extent of the involvement of the 17 y/o youth.


------
* believe me I watched most of those reports many, many times as they loop every hour or so. 
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on October 29, 2015, 07:35:41 PM
Over on ThinkBroadBand, in their ISPs section of the forum, there is a longish thread on this subject (http://forums.thinkbroadband.com/talktalk/f/4442836-full-statement-on-talktalk-attack.html).

Various TBB-notables have given their interpretation of the facts, as the latter have been slowly revealed.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 29, 2015, 08:27:17 PM
The window cleaner called last week, I paid him with a cheque.

That means he now has...

My name (from the cheque)
My partner's name (joint account, so also on the cheque)
My full address.
Our phone number (from above, and BT directory).
The name of my bank.
Sort code.
Account number.
And (one up on the Talk Talk hackers),  a copy of my signature.

We do that all the time, or at least we used to.   And nobody worried about it.   Why is it then, that when the same data we give away freely to total strangers is 'hacked', people and the media suddenly assume it's terribly dangerous?
Title: Re: TalkTalk hit by cyber hack attack.
Post by: kitz on October 29, 2015, 08:34:09 PM
Good Grief!  :o

I've only briefly scanned the thread as I'm well behind on posts on here, nvm spending time to read it in detail.... but there are some umm interesting comments and theories. :-\

Skilty's post (http://forums.thinkbroadband.com/talktalk/t/4444248-re-details-up-for-sale.html) about sums it up for me.   The media always love a juicy story...  what I was politely trying to say in my earlier post because I'd only been exposed to different media reports from TV and newspapers was that I was taking a lot of it with a pinch of salt... and it was pretty damn obvious to me that Sky news appeared to be lapping up the opportunity to overdo the 'Joe Bloggs' lost x amount or nearly lost y amount, whilst anyone with half a clue may realise there wasn't any hard information to tie up the events.    Even my mother who is a technophobe commented about how many scam type phone calls there are and it may not be related.


[Moderator edited to fix the link to the post so referenced, above.]
Title: Re: TalkTalk hit by cyber hack attack.
Post by: Black Sheep on October 29, 2015, 08:34:46 PM
Far more intriguing, is how big is your bl00dy house that you pay the window cleaner by cheque ???  ;) ;D 
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 29, 2015, 08:42:01 PM
Far more intriguing, is how big is your bl00dy house that you pay the window cleaner by cheque ???  ;) ;D

I could pay mine by direct debit if I wanted to.... and I don't have a large house!

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 29, 2015, 08:43:14 PM
Far more intriguing, is how big is your bl00dy house that you pay the window cleaner by cheque ???  ;) ;D

Some of us (including I've heard, some of the Royal family) simply don't carry much loose change.    :P

More seriously, whilst I have no reason to suspect that particular chappie of any wrong doing, in fact I'd refuse to believe it if he was accused, I argue it is a good habit to pay tradesmen by cheque.   Just in case they might have trouble 'remembering' when filling out their tax returns.   :D
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 29, 2015, 08:48:07 PM
The window cleaner called last week, I paid him with a cheque.

That means he now has...

My name (from the cheque)
My partner's name (joint account, so also on the cheque)
My full address.
Our phone number (from above, and BT directory).
The name of my bank.
Sort code.
Account number.
And (one up on the Talk Talk hackers),  a copy of my signature.

We do that all the time, or at least we used to.   And nobody worried about it.   Why is it then, that when the same data we give away freely to total strangers is 'hacked', people and the media suddenly assume it's terribly dangerous?

I think the problem with the TT hack was that initially no one knew what had been taken, and because TT obviously (to me) knew that IF their main core systems HAD been hacked then all sorts of financial information COULD have been taken which COULD have resulted in folks' bank accounts being targeted and potentially emptied. My view is that their core system does NOT have the required encryption of financial data and I suspect we are seeing a significant delay in their website coming back precisely because they are right now encrypting everything in sight in the core just in case a potential new hacker does manage to get in to it.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 29, 2015, 09:33:52 PM
I think the problem with the TT hack was that initially no one knew what had been taken, and because TT obviously (to me) knew that IF their main core systems HAD been hacked then all sorts of financial information COULD have been taken which COULD have resulted in folks' bank accounts being targeted and potentially emptied. My view is that their core system does NOT have the required encryption of financial data and I suspect we are seeing a significant delay in their website coming back precisely because they are right now encrypting everything in sight in the core just in case a potential new hacker does manage to get in to it.

I don't really buy the encryption thing, because anything that is encrypted can be decrypted.   It can be decrypted by guesswork, or by brute force, or by finding a flaw in the algorithms or if all else fails, by slowly pulling out the toenails of somebody who knows the password.

What worries me most is, if we allow the notion to prevail that "encryption safeguards data", we may find that organisations progress to storing more and more data, of a more and more personal nature, on the assumption that "as long as it is encrypted they'll be off the hook".
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 29, 2015, 10:46:07 PM
While I agree that encryption does not prevent data theft or make it more secure of itself, real encryption can make it harder for anyone to use the data and it takes a very long time to decrypt several 1000s of people's data using brute force.  All the time people succeed in getting data by hacking that is not encrypted then it is like leaving the door to the safe open, at least with the safe closed all you get initially is the safe, and breaking into it may destroy the contents. As I think I said before detection of unauthorised entry into systems is something all corporations should be investing in as well as doing things like encryption. You have to do lots of things which I suspect TT were not doing.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sheddyian on October 29, 2015, 11:04:36 PM
Perhaps I'm cynical, but I'm not sure if I believe that all 'scam' incidents were directly related to the most recent breach of security and some may have been co-incidental.   I'm also unsure as yet to the extent of the involvement of the 17 y/o youth.

I'm very much the same; as soon as the news was reporting customers who had lost money through scams, I could see no reason why these were connected to the recent data theft.  We know that scammers have (some?) TT account data from a while back, and are presumably still using that. 

Likewise with the 17yo kid, he could have simply submitted the ransom email "as a laugh" without considering the consequences, or posted some (fake?) data to pastebin etc etc. 

What we can learn from all of this is it's unlikely we'll get an accurate picture from any mainstream news service that doesn't seem to understand anything technical (or wants to chase particular angles, ignoring inconvenient facts along the way).

This is a great shame.

Ian

Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on October 29, 2015, 11:17:27 PM
I agree that encryption alone is no protection but is not security a game of layers?
The idea is to combine a number of techniques to make the cost of trying to get the data too high compared to other targets, at a minimum.
Encryption does have value otherwise no one would use it or test it or keep developing 'new/better' methods etc.
It may be misused or misunderstood but that is a different set of issues.
Basic things like only keeping data you need and only allowing access to data from the internet when necessary would also help.
If you are reasonably going to treat 'pulling of toenails' etc as a serious threat then the data needs to be isolated from external access and/or stored somewhere that is geared up to withstand all serious attempts to force access, including protecting the data from unauthorised access by having key stakeholders with security access guarded from kidnap etc or needing simultaneous key entry at multiple secure locations. [Of course cost goes up as security gets more paranoid :)]
The issue is one of understanding what security you really need and being prepared to pay what it costs to reach and maintain that level of security.
Many companies do not understand fully what they need (this does not mean they have not been told) or feel that cutting a few corners is worth the risk to save costs.
Until the true costs of these sorts of 'events' are known and publicised, the risks will continue to be underestimated or undervalued in terms of their financial hit on the company *after* the event.

In short, encryption has its place but is only one of many techniques to secure data. One that is relatively cheap to implement and can complement other security methods well.

Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 30, 2015, 12:12:20 AM
Apologies for any factual/mathematical inaccuracies in what follows... I am not a mathematician or cryptologist, though I do believe I have a basic understanding... :-[

Encryption was developed for the purposes of protecting communications from eavesdroppers.  From the earliest letter-shifting techniques, through Germany's Enigma machines in WW2, and beyond to current RSA methods, all have served their purposes well.  At least until each, in turn, was worthwhile dedicating some serious mathematical brainpower (as in Enigma) to defeating it.

Per communications data I find current technologies very convincing indeed, to the extent I trust them completely.  As far as I understand the technology, the maths of prime factorials, while unproven, are widely acceptable as being good, and keys are machine generated and evaporate after the communications is complete, so nobody's toenails to pull. :)

But the real distinction that worries me is nowadays, people think encryption can be used not just to protect communications, but also to protect stored data.   That is my criticism,  based on all historical precedent they are wrong.  If the data is that sensitive then I would say either...

A) don't store it
or
B) ensure that nothing bad will happen if it escapes
or
C) accept that if it escapes it is your own fault, the fact it was encrypted is no defence at all.


I have not the slightest doubt the day will come when somebody finds a mathematical flaw in prime factorials and RSA.   It will come as a shock, but no more of a shock than cracking Enigma was to 1930s Germany.   But when that day comes, I shall feel vindicated that I have no online bank accounts.   :)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on October 30, 2015, 08:55:01 AM
I shall feel vindicated that I have no online bank accounts.   :)

You may not USE online banking but that does not mean your data could not be exposed if your Bank was hacked, it just means that your security methods used to access data online cannot be collected  ;)

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 30, 2015, 10:35:07 AM
You may not USE online banking but that does not mean your data could not be exposed if your Bank was hacked, it just means that your security methods used to access data online cannot be collected  ;)

Stuart

It means I have never agreed to the liability shifts buried in the T&C of online banking, so if the bank is hacked they cannot blame me, or accuse me of disclosing my own account details.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on October 30, 2015, 12:23:50 PM
Back on topic, BBC are reporting another arrest, a 16 year old.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on November 01, 2015, 08:33:05 AM
This morning the BBC are reporting a 20 year old in Staffordshire has been arrested in connection with this hack.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on November 03, 2015, 10:31:09 PM
And another arrest, another 16 year old.

http://www.bbc.co.uk/news/uk-34717572

I've mixed feelings here, seems a pity if what might have seemed to them like a 'prank' ends up ruining these kids' lives.   Even a police caution is a blight these days, being effectively a criminal record that must be declared for evermore (eg if applying for foreign travel Visas).

Yet if a 16 year old were to steal my car, I'd want to see him (/her) serve a very long prison sentence.   :-\
Title: Re: TalkTalk hit by cyber hack attack.
Post by: renluop on November 04, 2015, 08:52:19 AM
Maybe I am either naive or the diametrically opposite! But how come that such a geographically widespread group of young men have been caught up?

Could they be stool pigeons, set up by the real perpetrators? Have they got found too easily? :-\
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on November 04, 2015, 04:49:21 PM
Obvious answer is that one suspect led to another.

Standard Police strategy is to make it clear that the 'Heavens will fall' on the head of the 1st suspect if they do not allow any other person to be found and they attempt to protect others.
Once you have 1 leading to 2 the strategy works even better.
Hardened Crims may be able to take the rap but it is very easy to scare kids.

You may be brave 'hidden' behind a nice Nickname on the Internet but real life and potential prison makes all that disappear pretty rapidly.
This approach is used in the US of A to offer the 1st suspect to crack preferential terms when plea bargaining.
("I was led astray by the others ...." is the usual line that gets you a lesser sentence !! )

[I have watched too much 'Law & Order' obviously  ;D ;D]
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on November 06, 2015, 05:33:30 PM
Apparently there will be an inquiry by MPs into this hack I read elsewhere.

Also right now if you go to the TT MyAccount website you get an invalid security certificate  :o  more incompetence then by TT or their site has been hacked again!

stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: HPsauce on November 06, 2015, 05:42:51 PM
Also right now if you go to the TT MyAccount website you get an invalid security certificate  :o 
Not here. Maybe your equipment has a problem?
(I saw - and fixed - a PC the other day that was throwing up spurious certificate errors due to low-level semi-malware browser add-ons)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on November 06, 2015, 07:45:15 PM
Also right now if you go to the TT MyAccount website you get an invalid security certificate  :o 
Not here. Maybe your equipment has a problem?
(I saw - and fixed - a PC the other day that was throwing up spurious certificate errors due to low-level semi-malware browser add-ons)

Not here my friend it is on Linux and happened on multiple browsers. I suspect it was TT trying to bring the website up and made a mess of it. It has changed now and shows a holding page.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: renluop on November 07, 2015, 04:55:43 PM
 Well, that's all right then (http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/telecoms/11979032/TalkTalk-claims-cyber-attack-hit-just-4pc-of-customers.html)!

[Moderator edited to fix a minor error in the above link.]
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on November 07, 2015, 06:29:59 PM
Well, that's all right then (http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/telecoms/11979032/TalkTalk-claims-cyber-attack-hit-just-4pc-of-customers.html)!

[Moderator edited to fix a minor error in the above link.]
Quote from article:
Quote
In a statement TalkTalk said that cyber criminals managed to get hold of details of 156,959 of its customers and of these, they accessed the bank account numbers and sort codes of 15,656.

How to make up some numbers. <jk>
Pick a number out of mid-air say .....156960

10% of 156960 = 15696 then knock say 40 off to make derivation not too obvious = 15656 looks good.

Hang on 156960 is also too 'round' ........ lose 1  .... 156959 that's better
 :D :D :lol:
Title: Re: TalkTalk hit by cyber hack attack.
Post by: kitz on November 07, 2015, 07:07:40 PM
What is all this playing around with numbers?

Quote
The company added: “Our ongoing forensic analysis of the site confirms that the scale of the attack was much more limited than initially suspected, and we can confirm that only 4pc of TalkTalk customers have any sensitive personal data at risk.

In my books 4% of 4 million customers is 160,000 people with 'sensitive personal data'.   Presumably that won't include things like names, addresses and phone numbers and those debit and credit cards details that were supposedly obscured like they say.   They have been playing down bank account and sort code details as not sensitive...    but even if you were to include those, the remaining figures simply don't add up.

15,000 dates of birth
21,000 unique bank account numbers and sort codes,
28,000 obscured credit and debit card details.
______
64,000

That's not 160k   ???

Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on November 07, 2015, 07:23:37 PM
@kitz

That's 3 of us playing with numbers then!!
 :D ;)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on November 07, 2015, 07:24:26 PM
The TT statement does define the meaning of 'personal details'
Quote
Personal details accessed include: name, address, date of birth, telephone number and email address

One could therefore conclude that most of those affected only had name/address/phone/email accessed?

Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on November 07, 2015, 08:33:47 PM
There's other numbers that don't add up either.

On Friday the BBC published...

http://www.bbc.co.uk/news/business-34743185

Quote
Since news of the cyber-attack emerged, TalkTalk shares have lost about a third of their value.

Hmm, about a third certainly makes a good story, but let's just check these figures...

The news broke late in the evening of 22 October, a day on which, so far as I can ascertain, TT shares had closed trading at 268.5.  The shares have indeed dropped in value and so far as I can see, reached a low point on 5th Nov, the day before BBC article.  On that day they dipped to a low of 220.1 then closed at 220.9.  The day article was published, which I think was their lowest point since the incident - they recovered a bit on Friday.  That low of 220.1 would be a drop of 48.4 since the attack was announced.  By my rusty old calculator, a drop of 48.4  from 268.5 is 18.0%.

Even allowing for journalistic licence, it surprises me that '18%' should be rounded to 'about a third'.   :-\

The shares did dip in the day or two preceding the breaking of the news, and I guess it could be speculated that 'rumours circulated' before the news release.  But before the attack even happened, close of trading on 20 Oct, value was 289.4.  Even using that figure for above calculations, the drop was 24%.   Even then, is 24% 'about a third'?    ???

Please feel free to check these figures, I believe them to be accurate but I am neither an accountant nor a stockbroker, I may be misunderstanding how such figures are stated, and even simple (big) errors on my part are possible too.   :-[
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on November 07, 2015, 10:13:45 PM
Even allowing for journalistic licence, it surprises me that '18%' should be rounded to 'about a third'.   :-\

They must be using the Special Calculator that they use for 'Business & Travel Expenses'.  :D :lol:
Title: Re: TalkTalk hit by cyber hack attack.
Post by: kitz on November 07, 2015, 11:06:38 PM
The TT statement does define the meaning of 'personal details'
Quote
Personal details accessed include: name, address, date of birth, telephone number and email address

One could therefore conclude that most of those affected only had name/address/phone/email accessed?

It was the mention of sensitive personal data at risk as opposed to personal data.   Personal data would quite rightly be say name associated to an address or email etc. 
Sensitive personal data could be DoB or financial details such as net/worth etc... depending on how they are used and stored and can be defined as sensitive or not depending upon who owns the data.   
I'm no expert on the DPA (http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf) and don't intend trawling through it...  but I wouldn't have thought obscured credit card details or simply account no and sort code would be classed as sensitive when in the hands of TalkTalk.     However things change in the eyes of the DPA when in the hands of a third party and if they have combined details to be able to build up a profile of a user, then that would be considered sensitive personal data.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on November 07, 2015, 11:46:01 PM
I think I see what you mean now, the TT statement seems to refer to 'personal details' and 'sensitive personal data' as two different things.  It defines one of these terms, but not the other, and it is indeed difficult to infer the absent definition, while still making the numbers stack up. 

In normal circumstances, I might attribute it to poor choice of words by whoever composed it.   But I'm willing to bet that statement was scrutinised in several passes by high level company executives, and then again by savvy lawyers.  It seems fair to assume that the wording would be carefully chosen, exactly as intended, and 'legally accurate'.   ???
Title: Re: TalkTalk hit by cyber hack attack.
Post by: kitz on November 08, 2015, 08:49:03 PM
Agreed.

The separate mention of sensitive personal data is what doesn't seem to add up.   Also I thought later, I totalled the three items which could perhaps be sensitive, but I wouldn't be surprised if some/many of those users had more than one of those items disclosed, so that would mean less than 64k

I'm willing to bet that a lot more had just personal data such as address or email disclosed, which wouldn't be classed as sensitive.
I've no doubt they are playing with numbers and that any releases are carefully worded :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: GigabitEthernet on November 08, 2015, 09:38:27 PM
TalkTalk wouldn't let us out of our contract despite us having an unresolved fault open since June and our data being stolen.

An absolute joke of a company.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on November 09, 2015, 08:11:02 AM
To be honest none of this is a surprise, I expect their lawyers have advised that their contracts are enforceable in the majority of cases and the board has to consider shareholders who have taken a hit on share price. If they let everyone go for free who wanted to go the company would possibly collapse and that ends up putting people out of work. I know what happened was not right and that their system had old bugs which should have been fixed but that is incompetence which does not necessarily invalidate the contracts.

Now we know what has been taken if you stop to think about it then actually nothing much has been taken that could not be obtained in many other ways albeit perhaps with more inconvenience and certainly more slowly. How many people are in the phone book? That gives your name address and phone number. How many times do you use a credit/debit card and how careful are you with how and where you use it, some will do but many 1000's don't. A lot of people still use cheques, that gives sort code and account number as does filling in forms in shops for DDs etc - are you being watched?

So bottom line here is yes TT have been incompetent and this should not have been able to happen as easily as it did, however there is no such thing as 100% security, and people need to remember that. If you are not sure who it is on the other end of the phone simply hang up and call the company yourself perhaps using a different phone. Simple things can keep you safer. Also remember to shred (using a cross-cut shredder) all personal paperwork you throw away.

And finally I have no relationship with TT other than being a customer.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: phi2008 on November 09, 2015, 11:25:54 AM
Quote

Boy arrested over TalkTalk hacking sues newspapers for privacy breach

Lawyers take action against Sun, Daily Mail and Telegraph over claims they identified minor accused of breaking into mobile provider’s network

A teenage boy arrested over the TalkTalk hacking breach is suing three national newspapers over an alleged breach of his privacy.

Lawyers for the 15-year-old are taking legal action against The Sun, Daily Mail and the Daily Telegraph over allegations they identified the minor accused of breaking into the mobile and broadband provider’s data network.

The Daily Telegraph named the boy on its website after he was arrested at his home in County Antrim. The minor’s name was later removed.

Google and Twitter have also been named in a legal action at Belfast high court again over an alleged breach of the boy’s privacy. Details emerged over the weekend about the privacy case after a judge lifted reporting restrictions.

The boy was interviewed by detectives from the Metropolitan police and the Police Service of Northern Ireland on suspicion of offences under the Computer Misuse Act before being released on bail.

Since then the boy’s lawyers have issued writs claiming negligence, misuse of private information, defamation, breach of confidence and data protection.

In court on Friday, the boy’s lawyers claimed his family has had to move home as a result of the publicity surrounding his arrest and identification by the three papers and online. A barrister for the boy said the content contributed to his client being “stigmatised” within his community.

Lawyers acting for the Daily Mail rejected allegations that the paper had identified the boy. They argued that the newspaper had taken steps to alter the boy’s appearance and even change the colour of his hair from a photograph of him that was posted online.

Reporting restrictions were lifted late on Friday after Google and Twitter agreed to remove information about the boy from its networks.

An order prohibiting the publication of any material that could lead to the boy being identified remains in place. This includes his name, address, images or any other material about his appearance. The case is due to be heard again next month.

During coverage of the boy’s arrest last month, the Guardian took the decision not to follow other news organisations online who were publishing details about the boy, including his name.

http://www.theguardian.com/business/2015/nov/08/talktalk-hacking-boy-arrested-sues-newspapers-privacy


Very strange they should make the mistake of naming him ... in the Sun's case actually on their front page.   ::)

Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on November 09, 2015, 11:53:43 AM
It was no mistake!!
It was calculated to sell more papers.
After all the 'pain' the newspapers have been through over the last few years they would not be making simple mistakes.
They probably thought they could get away with it as the person was too busy dealing with the fall out of being arrested.
Nothing like a little bit of contempt for people, to sell newspapers.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: sevenlayermuddle on November 09, 2015, 12:09:52 PM
This whole issue is just fundamentally wrong, on so many levels...

Wrong that hackers committed their crimes.
Wrong that TT allowed it to happen.
Wrong that it's still quite hard to figure out how many folks are actually affected, and to what levels of risk.
Wrong of the media to 'drum it up' for a good story and report it as they have done, including identifying a child as a suspect.

Sometimes, I despair.   :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: AArdvark on November 09, 2015, 12:54:31 PM
It is also interesting it is the 'Sun' that has 'Slipped up'.  :o :o

It looks as though the 'old ideas' have returned and the papers no longer have to pretend to be contrite.
Let's see how this one pans out with the new and improved regulation of the press.  ;D ;)
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on November 12, 2015, 05:37:01 PM
It looks like TT are now going to bribe their customers with goodies! I just had a letter saying none of my personal details or significant financial data was taken in this last attack, although it must have been in previous attacks judging by the number of spam phone calls we have had over the past months!

Now during December they are offering:-

    A huge range of TV content,
    including movies, kids entertainment and sports
or
    A mobile SIM,
    with a monthly allowance of free texts, data and calls
or
    Unlimited UK landline and mobile calls
or   
    A broadband health check
    by our experienced engineers

and apparently they are not extending anyone's term of contract with any of this, although the exact detail is yet to come.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: roseway on November 12, 2015, 06:36:20 PM
I had a TT flyer in the post yesterday, offering half price packages for the duration of the contract. Unlimited fibre with TV and SIM was about £17.50 per month. I didn't study the details.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: NewtronStar on November 12, 2015, 10:27:35 PM
Why is it TalkTalk won't take on non LLU customers ?  :(
Title: Re: TalkTalk hit by cyber hack attack.
Post by: jid on November 12, 2015, 11:25:27 PM
Quote
Why is it TalkTalk won't take on non LLU customers ?  :(

They can make more money from LLU customers using their own equipment, as opposed to paying BT to use their systems to provide customers with a phone service and broadband etc. When they have full control of equipment and backhaul, it's cheaper.
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on November 12, 2015, 11:57:33 PM
To me, it seems as if nothing is yet restored or fixed.  :(

I have cleared the browser cache and deleted every TalkTalk cookie but still only receive the following screen (split into two screen-scrapes, attached below) when I go to --

https://myaccount.talktalk.co.uk/
Title: Re: TalkTalk hit by cyber hack attack.
Post by: broadstairs on November 13, 2015, 08:08:48 AM
Quote
To me, it seems as if nothing is yet restored or fixed.  :(

I have cleared the browser cache and deleted every TalkTalk cookie but still only receive the following screen (split into two screen-scrapes, attached below) when I go to --

https://myaccount.talktalk.co.uk/

Yes it is down again at the moment, it did come up because I signed in and changed my password. Just shows how incompetent they are in my view.

Stuart
Title: Re: TalkTalk hit by cyber hack attack.
Post by: burakkucat on November 13, 2015, 04:43:02 PM
It was back and accessible, a couple of hours ago, this afternoon . . .  :)

Let's see how long it lasts, this time!  ::)