TalkTalk hacked - fears of bank & credit card details being compromised.
tinyurl.com/plgu8mf - The Telegraph
Last edited by: VxFan on Fri 23 Oct 15 at 12:47
|
I wonder if it's part cause of Pat's Problem!
|
I'm not called The Flying Witch for nothing, you know!
Pat
|
Moved into Discussion as the story gains momentum...
|
Talk Talk have been attacked several times over the last year and one would have thought that they would have updated their security but yesterday their MD advised that the data stolen was not encrypted.
In today's climate this is not acceptable.
|
I agree. For safety I have cancelled my credit card that I had registered on their website. Fortunately no fraudulent activity had occurred on it.
|
>> Fortunately no fraudulent activity had occurred on it.
Down to them if it did happen.
I'd be more worried about identity theft though, seeing as the hackers have got everything bar your inside leg measurement.
|
Government must do more about this, government must do more about that.
What do people expect the government to do on this one?
As we all know and practise here, different passwords for different sites would mean that people are slightly less compromised.
And as for those quoted in the Times today saying they were going to move their accounts - surely before too long TalkTalk will be one of the most secure around?
btw I see today that TT are saying that there is inadequate information for bank accounts to be hacked. So what should the government do about those people who claim to have had money taken, if it turns out to be nothing to do with TT, or (God forbid) untrue?
|
>> What do people expect the government to do on this one?
Work within its own jurisdiction and with the EU to require minimum security for e-business and ensure non-compliant companies have to accept liability.
>> As we all know and practise here, different passwords for different sites would mean that
>> people are slightly less compromised.
Easy to say but then users need to write passwords down. Can you remember 20+ passwords each of which follows different protocols for character combinations? And that's before you need to change them every few weeks.
>> btw I see today that TT are saying that there is inadequate information for bank
>> accounts to be hacked.
In the words of Mandy Rice-Davies........
|
As in "whine whine passwords difficult to remember whine whine have to change passwords whine whine therefore the government should hold my hand whine whine too difficult to resist phishing whine whine keep telling people my own PIN whine whine horrible world not my fault whine whine"?
|
>> As in "whine whine passwords difficult to remember whine whine have to change passwords whine
>> whine therefore the government should hold my hand whine whine too difficult to resist phishing
>> whine whine keep telling people my own PIN whine whine horrible world not my fault
>> whine whine"?
Err No.
For the benefit of binary thinkers:
(a) The law should require basic stuff like encryption of personal information - early reports suggested TT were not doing this.
(b) It's all very well saying it's common-sense to use different passwords. Managing 20+ of them each using different protocols while some need regular changes isn't straightforward.
I don't know the answer either but nothing in my earlier post suggested I needed government to hold my hand while managing passwords.
|
>> Easy to say but then users need to write passwords down. Can you remember 20+
>> passwords each of which follows different protocols for character combinations? And that's before you need to change them every few weeks.
Actually, yes.
I have about 25 active passwords, random letters and numbers and I can type all of them in without having to write them down and check them - no two the same either. I have a very simple system that I use.
|
I think if you've a very good memory or some sort of system then that many passwords are fine. But for the majority of people it's baffling. I know I have to write down the five passwords in use at work for various systems.
|
>> I have about 25 active passwords, random letters and numbers and I can type all
>> of them in without having to write them down and check them - no two
>> the same either. I have a very simple system that I use.
A very simple system is one that's susceptible to being cracked.
|
No, I too have a reasonably simple "algorithm" which results in different passwords for each site (and that's considerably more than 20). But it doesn't result in simple passwords; on most sites that tell you the strength of the password, it's in the Strong section. (It contains upper and lower case, alpha and numerics.)
It has the spin-off benefit that were I or SWMBO to become suddenly incapacitated then we wouldn't be locked out of websites through which we manage our lives (e.g. she manages banking, I manage utilities etc.).
With a good handful of my passwords it wouldn't necessarily take a rocket scientist to figure out the algorithm, but it would probably be beyond many, and as the passwords are different site to site, if a single site is hacked the risk exposure on other sites is non-existent. Unlike many. However the algorithm is readily memorable so no passwords are written down anywhere.
|
>> No, I too have a reasonably simple "algorithm" which results in different passwords for each
>> site (and that's considerably more than 20).
Is your work something in IT? As such, algorithms probably come easy to you. On the other hand, those who struggle with number and mathematical concepts may not 'get' algorithms at all.
However good one's passwords are they're less so if you take up the offer to save them. Even less so if you allow your Google account to store them. The Lad had his laptop stolen last week. As he uses my Amazon account, with my permission, for textbooks etc I had to change the password pronto.
|
>> No, I too have a reasonably simple "algorithm" which results in different passwords for each site (and that's considerably more than 20). But it doesn't result in simple passwords, most sites where they tell you the strength of the password it's in the Strong section. (It contains upper and lower case, alpha and numerics).
Similar to mine. Easy for me to remember, but random enough to make it difficult to crack.
|
>> www.theguardian.com/business/2015/oct/24/talktalk-attack-government-urged-to-do-more-on-cybercrime
What I don't understand is, why doesn't GCHQ make money out of cybercrime prevention? Supposedly some of the most accomplished hackers in the world, surely they could be setting up a security business. Loads of advantages in doing so - makes money, provides good training for employees, access to the latest threats and sources, and you get to inject back doors into everything for more gov snooping.
Mind, from what I hear, a first year IT graduate would have plugged the well known vulnerability that was used years ago.
|
20 years ago when I was an IT security manager for a very large world wide known corporate we tried to get board directors to listen to us but we failed.
A simple message: "It is not just IT security, it is Business Continuity! And therefore one board member's prime task should be to oversee this aspect of the company.
If you do not act then the very existence of the company could be seriously threatened."
Other large corporate companies have taken the message and have acted.
I have no idea about the state of their security since I took early retirement but obviously the overall situation has become far more complicated since.
How many companies, when you phone them, know your password, when it should have been one-way encrypted?
|
I've had to do a crib file, but it too is passworded! But as I probably use the file weekly, not too hard to remember the access password.
The problem with passwords in general is the fact the 'cleverness' of the system tends to be self-defeating. I've got passwords that are not case dependent, and those that are. I've got passwords that insist on special characters, i.e. $ * ( etc., and others that won't allow them. So there is absolutely no chance of me ever having a single password. Likewise the fact the password for the work computer was mandated to be changed monthly actually led to some people putting it on a Post-it note and sticking it to the computer.
|
I understand the data breach resulted in hackers getting customers' bank details.
But how are they using it to take money out? If you issue a cheque, that will also include your bank details.
|
As you point out there is no way that anyone can directly take money from you using the information that has been stolen without you giving them some more, perhaps by an email or phone call impersonating Talk Talk and asking you for your bank account details.
The information could be used in an identity theft operation to establish a false ID to borrow money, open credit card accounts etc.
The latter is the reason that Talk Talk have given their members a year's subscription to Noddle's email alerts system so that you would be aware of anyone attempting to open an account in your name.
|
Not heard of Noddle, so have just looked through their terms and conditions.
For me, anyway, barge poles spring to mind.
|
Much the same as the other two credit rating agencies.
|
Noddle's fine...it's a no frills version of one of the big three. CAB recommend the parent company. It does what it says on the tin.
|
>>The latter is the reason that Talk Talk have given their members a year's subscription to Noddle's email alerts system so that you would be aware of anyone attempting to open an account in your name>>
Noddle is a free credit and information rating service open to anyone who applies - nothing particularly notable about the offer.
Hacking is far more common than many realise. See, for instance:
tinyurl.com/o6zcaqe
Last edited by: Stuartli on Mon 26 Oct 15 at 18:12
|
Yes, basic Noddle is free. However their automatic email alert system costs £20 per annum. That's what Talk Talk are giving you free. Not a big deal but useful.
|
>> Yes, basic Noddle is free. However their automatic email alert system costs £20 per annum.
>> That's what Talk Talk are giving you free. Not a big deal but useful.
I've signed up for it; might as well get something for nothing.
Some years ago I had problems with credit rating due partly to inaccurate info on the electoral roll. It cost me a few quid and a lot of hassle with Experian to get it put right. I recommend to everyone that you ensure that ALL the info on your bank details, utility bills and the like matches exactly, even down to correct spacing.
|
BBC reporting that the alleged hacker is a 15 year old from Northern Ireland...
|
The way some of the reporting of this (and other hacking) has been, it makes you realise how little most people understand about networks and in particular firewalls. They probably do not realise how simple a concept a firewall is. Nor realise that you have to have multiple layers of firewalls, Demilitarised Zones (DMZs) etc.
You would hope the front facing (behind firewalls and responding only to HTTP/HTTPS requests on ports 80/443) web servers are properly patched, do not allow connectivity on other ports and have only limited connectivity to back end systems.
It's hardly rocket science.
|
>> It's hardly rocket science.
Indeed, especially as TT have been cracked by a well known, well understood vulnerability that has had a patch available for years.
The vast majority of hackers are not highly intelligent innovators; they don't invent new ways to crack things, merely use pre-existing tools and scripts obtainable anywhere on the net.
You never hear about the really clever innovative successful cyber attacks. They happen.
|
>> You would hope the front facing (behind firewalls and responding only to HTTP/HTTPS requests on
>> ports 80/443) web servers are properly patched, do not allow connectivity on other ports and
>> have only limited connectivity to back end systems.
>>
>> It's hardly rocket science.
But I for one have no idea whatsoever what you are talking about. :-)
|
Someone interviewed on the news the other day mentioned that the 'UK firewalls' should stop these hacks. What shared firewalls are they then? A company will connect systems to the Internet and the Internet is an open network.
I suppose if we were China or Iran then yes there would probably be a country level restriction/firewall for the ISPs.
|
>> But I for one have no idea whatsoever what you are talking about. :-)
I'm wiv ^this^ Giza......As Perro might say.
|
>>BBC reporting that the alleged hacker is a 15 year old from Northern Ireland...
Always remember what "Q" said in his first few lines in Skyfall!!
|
>> >> BBC reporting that the alleged hacker is a 15 year old from Northern Ireland...
Clever child.
He may already have been plucked, and may now be being crammed for Cambridge and MIT ready to do his duty. One would hope so anyway.
|
Yes, because hacking someone's computer and stealing the personal details of a load of other people is exactly the behaviour we wish to encourage and reward.
What about those vandalising telephone boxes? Don't forget them.
What a silly point of view.
I guess even with the change in the clocks the yardarm has still been passed.
Last edited by: No FM2R on Mon 26 Oct 15 at 23:19
|
>> I guess even with the change in the clocks the yardarm has still been passed.
Hours ago. Do keep up.
I hope things are mellow over there in Latinoland FMR. I wish you well you know.
All I meant really was that that's a clever boy with what look to me like useful skills. Nothing to get in a flap about. 'Vandalising telephone boxes'? What could you mean?
Don't tell me, I beg.
|
Once the sun passes the yardarm, which is typically about 6ish, it's always mellow. Or at least soggy.
The kid probably isn't that bright, but he probably is a git.
|
P.s. and the very best of mellowness to you too.
|
>> The kid probably isn't that bright, but he probably is a git.
Lots of gits with useful skills though FMR.
I couldn't judge how clever he is. There are different kinds of clever though.
Cheers! (sip sip).
|
We can't know if he's clever.... but what TalkTalk allowed to happen meant it didn't take someone clever.
If he'd identified a new buffer underflow in some code for example and exploited it (injecting his code to exploit this).... but I doubt it.
Nothing to do with this, but in days before executable code was meant to be protected, I remember hacking copy protection on games to get a copy to work. Some games rewrote the loader code multiple times in clever ways before you got to the real machine code.
I suspect this young lad will not gain reward from this hack.
|
>> We can't know if he's clever.... but what TalkTalk allowed to happen meant it didn't take someone clever.
>> If he'd identified a new buffer underflow in some code for example and exploited it (injecting his code to exploit this).... but I doubt it.
Apparently there are quite a few 'hackers scripts' on the web but even so, it is tantamount to putting the confidential information in an unlocked filing cabinet next to the public waiting room. You're not supposed to go there, but there is little to stop one and you know what teenagers are like.
My money is on he's not a genius, but of better than average intelligence and woefully lacking in street awareness on the superhighway - i.e. he got caught. No sensible hacker would give a ransom demand, although no one has yet said that the demand came from him and not somebody jumping on the bandwagon.
|
>> My money is on he's not a genius, but of better than average intelligence and
>> woefully lacking in street awareness on the superhighway - i.e. he got caught. No sensible
>> hacker would give a ransom demand, although no one has yet said that the demand
>> came from him and not somebody jumping on the bandwagon.
We don't know yet if the ransom demand and the hack were from the same source. We don't know yet if he was the source of the hack, or the ransom demand. Or both. We don't know if the DoS attack and the hack were even connected. Frankly I wouldn't be surprised if the hack was only found because of the DoS attack. Could have been going on for a while before.
|
>> The information could be used in an identity theft operation to establish a false ID
>> to borrow money, open credit card accounts etc.
That's more of a concern for me than fraudulent access to my bank account.
Identity checks now are as likely to be electronic as documentary. The services have grown up around the anti-money-laundering regulations.
All that is required for a basic check is name, address and DOB which I suspect have all been hacked from TT along with bank details.
I have a sample identity check report in front of me. It confirms that the DOB and address match the name. It also confirms that the name appears with the address on the property register. It includes mortality checks, trace checks, company director search, credit data (Experian/Equifax payment performance), CCJ checks, insolvency check, linked address information, gone-away-suppression check, and a bunch of other stuff. If bank account sort-code and account number are provided, then they can be confirmed as matching the name.
All of this confirms to a prospective lender that the details are of a real individual. Add some form of easily forged or obtained documentary ID such as a driving licence, bill etc and many lenders will accept the identity.
I know a certain amount about this stuff and I will take up the Noddle offer.
|
I get free identity and credit scanning from my Bank...(truly free) - Because I had an alert from them when I wasn't in a position to check online, I registered with Noodle, and still am. The data I get is as good as the Bank one - handy to do a safety check. As I say, CAB use them.
|
I have had a free noodle account for a couple of years. Very useful.
|
>> I have had a free noodle account for a couple of years. Very useful.
It must be when you fancy a Chinese.
Noddle is better for credit checks. :-)
|
Noddle does not exist
.
.
.
.
.
.
.
.
.
.
According to my predictive speeler
|
Is this the end of TalkTalk one wonders...
|
Stand by for a change of name.
|
Why on earth should it be? I doubt very much whether most people are overly concerned and in any case I rather suspect that the security of their competitors is much the same. Indeed Talk Talk is likely to be the most secure of all in the near future.
|
>> Why on earth should it be?
Because people are stupid.
>>Indeed Talk Talk is likely to be the most secure of all
>> in the near future.
I'd agree they are likely to be trying very hard, but so will the others if they have any sense.
|
The bits that put me off Noddle are:
Collection and aggregation of the very data you are concerned about losing; should Noddle themselves be hacked you lose everything you are trying to protect anyway.
The statement that your data will (not may) be transferred to the States, with the drawbacks that has, especially given the knowledge that so-called "safe harbor" is likely to be doomed anyway in the next few weeks.
The bit in the terms and conditions that says your details will (not may) be passed to third parties, which takes us back to the first objection. Now all your data is aggregated in numerous servers owned by numerous people, and you won't know who they are.
The bit that says that if they get taken over they will give your data to the new owners, whoever they may be.
Maybe that's all just paranoia, as always with me, but it just feels uncomfortable. At least as it stands my various details are spread amongst one or two institutions, none of which have ALL the data that Noddle wants from me to register, and I know who they are (and am happy with their terms).
|
I guess that several dozen organisations at least have the same information about me as Talk Talk and Noddle. From John Lewis to Amazon, from my energy supplier to the council. I'm not about to lose any sleep over it.
|
I agree.
But it is as Manatee said - people are stupid. The same day there was some plank claiming that £600 had disappeared from her bank account because of the hack.
It's not dissimilar to people and their approach to car registration numbers. They drive around all day revealing their registration number to millions, but scratch it out of a photograph.
Quite ridiculous.
|
>>The same day there was some plank claiming that £600 had disappeared from her bank account because of the hack. >>
Just the point I made earlier about people looking to make a quick buck......
|
Joined Noddle as a result of this thread. One of the security questions was to identify (from a multiple choice) the company to which I re-mortgaged nearly nine years ago.
Interesting illustration of how long information lingers on credit reference etc files.
|
Noddle is a division of Callcredit which is one of the big three credit agencies.
|
>> Why on earth should it be? I doubt very much whether most people are overly
>> concerned and in any case I rather suspect that the security of their competitors is
>> much the same. Indeed Talk Talk is likely to be the most secure of all
>> in the near future.
Let's put it this way. How many people who are looking for a BB provider will now have Talk Talk on their list of potentials?
And how many of their existing customers who are either out of contract or whose contracts are coming to an end will stay with them?
|
Many more than you would think.
What's the going rate for doubts of safety and justified outrage?
About £5 I should think.
So it might harm their profits, but I'd be surprised if it gets worse than that.
|
16 years ago someone with a similar name managed to get hold of my credit card info & changed the billing address to another about 1 mile away. I knew nothing about it until I was phoned and asked why I had not made a payment in 2 months - I never got the bill!
I paid the amount owed over Xmas of £600, got a rebate of the charges for non-payment and thought nothing more of it.
A year later my 23 yr old son, newly graduated, wanted a mortgage and was refused point blank - he thought it was the chap he flat shared with. It was I who had the Black Marks - I had moved from my home address to 1 mile away, borrowed money using the 2 month statements as proof of address & credit limit & defaulted on the lot -then "I moved back" to my home address.
Getting matters cleared up took 6 months - very slow process of writing and waiting 28 days for a reply....eventually cleared up. You cannot phone the person who replies to you (that might be different today). I got through on the phone by phoning a number in the same exchange number and got the wrong department & person who then put me through to the admin person who was writing to me - an hour later all was cleared up. As well as the Credit issues he had changed the Nectar Card and cashed in the value, all told about £8,000 fraud overall.
There was nothing showing on the Financial statements you get for £2.00 - just hidden Black Marks of a fraudster.
Police were not interested - it was an open & shut case as he still lived at the re-directed address etc etc.
My son got his mortgage BUT the house price had risen by £8,000 to £70K - I have always wondered if we could have claimed that off the Credit Card Company as they had caused the problem.
|
>> My son got his mortgage BUT the house price had risen by £8,000 to £70K
>> - I have always wondered if we could have claimed that off the Credit Card
>> Company as they had caused the problem
The matter of Richard Durkin and HFC Bank might interest you. In 1998 he returned a laptop he had bought on credit to PC World. Long story short, HFC chased him for the loan and his credit record was damaged. He claimed that as a result he had been unable to get a loan to buy property in Spain which would have appreciated in value, resulting in a loss to him of £250,000.
A sheriff court awarded him £116,000 - sheriff courts are notoriously random - and then unbelievably HE (not the bank) appealed and he lost the lot.
Last year he was awarded £8,000 by the Supreme Court, net result he is now another £250,000 down having spent that and 16 years of his life on it.
www.bbc.co.uk/news/uk-scotland-north-east-orkney-shetland-26731192
|
And when they check on a comparison site and find TalkTalk are significantly cheaper they will choose the lowest price. They always do.
|
I'm not concerned at all and don't think it will make a lot of difference to TalkTalk's future.
Price is the main concern for anyone looking for a 12/18 month deal and not security.
I do almost all of my shopping online so there are so many websites who have the same details as TalkTalk about me.
Pat
|
Just tried to go to 'myaccount' on TT's website, which is now back.
There are 9329 people ahead of me and an estimated wait time of 13 minutes to get connected.
|
>> There are 9329 people ahead of me
Probably all trying to claim their freebie.
tinyurl.com/ohav8la - The Independent
|
>> >> There are 9329 people ahead of me
>>
>> Probably all trying to claim their freebie.
>>
>> tinyurl.com/ohav8la - The Independent
Probably all bots, it's another DDoS attack.
|
Talk Talk are crap.
I have recently had to move house.
I cancelled my electricity and gas. NPower repaid me the small amount of money in my account within a week.
I cancelled my water and Southern Water took the small extra charge that week.
I told the council and they refunded me the overpaid council tax.
Even the insurance companies repaid me without any fuss.
I called Talk Talk a month and two days before I left to cancel my contract - I was out of any contractual period.
I told them I wanted to cancel because I was moving. "Why are you moving?" I was asked!
I told them it was "None of your b***** business!"
The contract ended exactly 1 month later, which was a pain because I asked them to end it 1 month and 2 days later.
I found that I was still billed for a full month after the contract ended, so I called their helpdesk only to be told that a month was not enough notice to cancel the direct debit at their end and that they will send me a final bill for the last 5 days of the month that I had the line for.
Then I needed to reclaim the difference from them!
CROOKS - everyone else made automatic repayments where they were due - I wonder how many people forget to claim the money that they are owed!
|
>> everyone else made automatic repayments where they were due
>>
Crooks? Isn't that a bit strong or possibly libellous?
I cancelled TalkTalk last year in May giving one month's notice.
I logged on to the MyAccount page on TalkTalk to inform them where the refund should be paid, and it was all done correctly on time.
A day later I cancelled my direct-debit online via my Bank.
|
You mean you read the instructions, didn't swear down the phone at them and used a bit of common sense?
No way to deal with a company.
|
>>No way to deal with a company.
Give 'em a try, CGN. See how you get along...
Last edited by: Clk Sec on Thu 28 Jan 16 at 15:23
|
Been with TT for 5 years. Always had good service from them and very good value for money.
|
Me too, I certainly can't complain and when I've had to talk to customer services they have always done exactly what they promised to do.
Pat
|
>>Me too, I certainly can't complain and when I've had to talk to customer services they have always done exactly what they promised to do.
They didn't for me.
I moved in to my last house in September 2012 and ordered a Talktalk package right away.
It took 2 months to install and then broadband would only work if the phone was off the hook. Not unplugged - it wouldn't work if it was unplugged, just off the hook with a dial tone. In the end I had to disconnect the handset to stop the constant "please replace the handset" messages! I had also tried several different filters and phones.
They wouldn't fix it because both the phone and broadband worked, just not at the same time!!!
I did call them on numerous occasions to get them to fix it but gave up in the end as I had to go through the whole explanation process each time.
Broadband was more important to me than phone calls (as I work from home) and couldn't face having to find another contract. My fault for not progressing it further I suppose, but after about a couple of dozen phone calls I just gave up.
Last edited by: zippy on Thu 28 Jan 16 at 16:22
|
I know it's easy to be wise after the event, Zippy, but I would never have made that many phone calls. I would ask for it to be escalated to a manager straight away and back it up with an email.
Pat
|
>> back it up with an email.
How do you email them?
I think they have removed that option from "MyAccount" following the site getting hacked.
|
I asked them for an email contact address when I was on the phone to them but that was before they were hacked.
Dido Harding's email address is available via Google and does work!
Pat
|
>>Then I needed to reclaim the difference from them!
Best of luck with that. You may well need it.
|