Anyone with TalkTalk!! :(

TalkTalk don't inspire a great deal of confidence :-

https://grahamcluley.com/2015/10/video-talktalks-ceo-offers-poor-advice-following-hack/

LBC news this morning reported that some folks' bank accounts have already been accessed.

Why are folk not paying their monthly subs / online purchases with a credit card? That avoids revealing bank account details and if your CC details get hacked etc. and money is taken it is the CC company's money that gets stolen. Saves a lot of hassle.
 
A couple of my older neighbours (in their 70's & 80's) are with TalkTalk and this is a nightmare for them (the couple in their 80's in particular). On top of the usual scam calls they get, they've now got to monitor their bank account and watch out for phishing scams by people claiming to be from TalkTalk.

I popped around to see them last night to make sure they understand what's happened and what they need to do, without being alarmist. It's hassle they really could do without.
 
BBC also reported bank account losses this morning... saying that clearly passwords have been compromised. The theory was that the victims probably used the same password for their TT and banking accounts.
 
Had a woman local to us ring in to local radio to report that she had lost money from the TalkTalk scam ... turned out she'd fallen for the 'Microsoft Agent' scam and just assumed it was the result of the TT issue because she was with TT. I'm guessing a lot of the flak will actually be totally unrelated.
 
How does anyone clear your bank account with just the account number and sort code?
If it's possible then I and millions of others will have been putting themselves at risk for years by sending cheques and things like TP sales!
 
How does anyone clear your bank account with just the account number and sort code?

they can't. worst case is you might get a direct debit set up, in which case the direct debit guarantee kicks in and the bank will refund you. scammers much prefer to get the money into their pockets though, so card details will more likely be hit.
If it's possible then I and millions of others will have been putting themselves at risk for years by sending cheques and things like TP sales!
indeed!

e:

from another forum:

"Speaking to the TSB just.

If all you have lost is the ac no and sort code, the only thing that can be done to your account is to pay in money not withdraw.

If you pay TT by direct debit, you should be secure. Covered by direct debit guarantee.

If however you lodge the long card number with them (debit or credit) or pay by other than a direct debit, you could have an issue.

They still recommend you to monitor your account though and when TT is back online to change your password."
 
BBC also reported bank account losses this morning... saying that clearly passwords have been compromised. The theory was that the victims probably used the same password for their TT and banking accounts.

Yes, could be that or the crooks are using the info they have hacked as a means of appearing credible when they phone customers to elicit further information.
 
Yes, could be that or the crooks are using the info they have hacked as a means of appearing credible when they phone customers to elicit further information.

Yep, although the largest loss used as an example had apparently been contacted by no one, and was alerted by her bank.
 
If you take up the TT option for free Noddle (why wouldn't you?) then your accounts/identity will be monitored by their Alerts feature to alert you to any activity in your name.
 
I hope Noddle's systems are more secure than TalkTalk's.
 
I hope Noddle's systems are more secure than TalkTalk's.

I think that what we now know is that nobody has a secure system ... basically we are on our own.
 
I think that what we now know is that nobody has a secure system ... basically we are on our own.

No system is 100% secure however some are definitely more secure than others.

For example, it's looking increasingly likely that the data stolen from TalkTalk wasn't encrypted. That's one area they could improve in future (assuming they survive as a company after this).
 
No system is 100% secure however some are definitely more secure than others.

For example, it's looking increasingly likely that the data stolen from TalkTalk wasn't encrypted. That's one area they could improve in future (assuming they survive as a company after this).

TT are in a hole. Having had their security breached and personal data taken they have lost customer trust. No matter how much is claimed about how bank accounts cannot be accessed - http://news.sky.com/story/1575586/talktalk-hackers-cant-access-bank-accounts - people will just conclude "well they would say that, wouldn't they".
Furthermore, to claim that the hackers cannot access bank accounts and also to tell customers to keep an eye on their accounts are two things that do not sit well together and certainly do not instill confidence. In a hole and still digging !!
 
I think that what we now know is that nobody has a secure system ... basically we are on our own.

No system is 100% secure however some are definitely more secure than others.

For example, it's looking increasingly likely that the data stolen from TalkTalk wasn't encrypted. That's one area they could improve in future (assuming they survive as a company after this).

indeed. i believe (could be wrong) that it is a requirement of the data protection act to encrypt sensitive data. it seems that TT may not have done this.. i believe the CEO said that they "did not know" whether the data was encrypted. how they do not know is a little beyond me, but pretty serious if it was not.
 
indeed. i believe (could be wrong) that it is a requirement of the data protection act to encrypt sensitive data. it seems that TT may not have done this.. i believe the CEO said that they "did not know" whether the data was encrypted. how they do not know is a little beyond me, but pretty serious if it was not.

I'm guessing that they don't know which data was encrypted out of all the data they think might have been taken, I can't honestly believe that nothing was encrypted ... if it wasn't I would think the software designers would have something to answer for, let alone the alleged 'IT security advisors'.
 
indeed. i believe (could be wrong) that it is a requirement of the data protection act to encrypt sensitive data. it seems that TT may not have done this.. i believe the CEO said that they "did not know" whether the data was encrypted. how they do not know is a little beyond me, but pretty serious if it was not.

I agree but an "expert" I heard being interviewed earlier said that the legal requirement is more vague in that a company has to take "reasonable steps" to secure data, with no specific requirement for encryption.

I can't help but think though, if they hold customers' complete bank/CC details in unencrypted form (oops!) on a web-facing server (double oops!), it isn't going to do them any favours at all if someone decides to sue.
 
I can't help but think though, that the fact they hold customers' complete bank/CC details in unencrypted form (oops!) on a web-facing server (double oops!) isn't going to do them any favours at all if someone decides to sue.

Except that we don't know that yet do we?
 
3:30pm - 24/10/2015 - Latest Update
  • This cyber attack was on our website, not our core systems
  • We can confirm that we do not store complete credit card details on the website; any credit card details that may have been accessed had a series of numbers hidden and therefore are not usable for financial transactions eg 012345xxxxxx 6789
  • TalkTalk My Account passwords have not been accessed
  • We now expect the amount of financial information that may have been accessed to be materially lower than initially believed and would on its own not enable a criminal to take money from your account
  • The Metropolitan Police Cyber Crime Unit criminal investigation continues
 
Lol. So they didn't even know what was or wasn't stolen?

What an utter shambles.
 
Lol. So they didn't even know what was or wasn't stolen?

What an utter shambles.

The problem is this isn't a typical robbery. You just need to do a stock check in that situation to see what is missing. Data isn't so easily checked to see what has been taken.

Regarding the encryption, the data may well have been encrypted on the database, but as the attack was (apparently) an SQL injection, this can present the data in an unencrypted format.
 
I wonder how many companies would know exactly what was stolen in a hacking attack until such time as the matter had been investigated?
 
Except that with my update we now know that they don't.


We only "know" what they are telling us and how much of the whole truth that is and whether it is indeed the truth at all is yet to be known.

A month ago, we "knew" that VWs were good for the environment and our health...
 
Obviously true of any company until fully investigated.
 
I wonder how many companies would know exactly what was stolen in a hacking attack until such time as the matter had been investigated?

Any company who knows its own IT infrastructure.
 
Any company who knows its own IT infrastructure.

I seriously doubt any company would know before carrying out an investigation, anything else would be an assumption.
 
The investigation hasn't concluded yet though, has it?
 
The problem is this isn't a typical robbery. You just need to do a stock check in that situation to see what is missing. Data isn't so easily checked to see what has been taken.

Regarding the encryption, the data may well have been encrypted on the database, but as the attack was (apparently) an SQL injection, this can present the data in an unencrypted format.

Correct re the burglary analogy, however, DDoS attacks like the one TT experienced only affect web-facing servers.

If sensitive data (like complete bank/CC details) were not held on those servers then they could not have been reached by that attack.

It's a bit like, umm, your local HSBC flapping about its central secure vault just because one of the local branches had its ATM ripped out of the wall, if you see what I mean.
 
Correct re the burglary analogy, however, DDoS attacks like the one TT experienced only affect web-facing servers.

If sensitive data (like complete bank/CC details) were not held on those servers then they could not have been reached by that attack.

It's a bit like, umm, your local HSBC flapping about its central secure vault just because one of the local branches had its ATM ripped out of the wall, if you see what I mean.

Has it been confirmed what data was compromised?
 
Have some of you got shares in Talk Talk :rolleyes:, you seem to be defending a complete f*** up by Talk Talk :confused:
 
I've been with the f****rs for years and they still ain't even emailed me. Tossers. I'll be cancelling with them during the week.
 
BBC also reported bank account losses this morning... saying that clearly passwords have been compromised. The theory was that the victims probably used the same password for their TT and banking accounts.

Are there any banking systems that use account number, sort code and a single password to log on?

I'm with Lloyds who are one of the easiest as you don't have to carry around one of those OTP things, but that has a unique number and two passwords, and the acc no and sort code do not figure in any of it..
 
All of the TV reports of the fraudulent gaining of funds have come from telephone contact with the people themselves, conning them into allowing funds to be taken, not from the direct use of hacked bank details.
 
Are there any banking systems that use account number, sort code and a single password to log on?

I'm with Lloyds who are one of the easiest as you don't have to carry around one of those OTP things, but that has a unique number and two passwords, and the acc no and sort code do not figure in any of it..

I'm also with Lloyds.
A unique number... one password and three random characters from memorable information is what I have to give.
 
I'm also with Lloyds.
A unique number... one password and three random characters from memorable information is what I have to give.

Yep, one number, two passwords as I said. I didn't mention the fact that only three characters are needed from the second.
 
Another email this morning:-
The number of customers affected and the amount of data potentially stolen is smaller than originally thought. Our website was attacked, but our core systems weren’t and remain secure.
On its own, none of the data that may have been accessed could be used to leave you financially worse off.
We don’t store unencrypted credit or debit card data on our site, so any card details which may have been accessed have the 6 middle digits blanked out. For example, it would appear as 012345XXXXXX6789. This means it can’t be used for financial transactions.
No My Account passwords have been accessed.
No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.
 
My mum is :/

Can they actually take money out of your accounts or do they get your details and then scam you via a phone call?

I did see on the BBC news this morning that a woman lost nearly 9k but this was done via a phone call scam and she actually told them her bank details
 