
Talk Talk hacked


Talk Talk internet provider has been attacked/hacked

Anyone affected by this? :rant:

 

Is this why yee be ranting everywar :hihi:

 

Chill your beans dude :nod:

 

What's worst that could happen?

Is this why yee be ranting everywar :hihi:

 

Chill your beans dude :nod:

 

What's worst that could happen?

 

If it had been as bad at first thought, having your identity stolen and your credit cards/bank drained was a high probability.

 

That would hardly be considered something you could just shrug off as insignificant.

 

Fortunately it seems to not have been that bad after all, although still having access to a ton of names, addresses and e-mail has the potential for widespread fraud.

 

I mean sure, someone could steal your mail and get enough information to steal your identity - but the effort required to do that per person is not worth it. The issue here is they obtained this information in bulk and it will most likely be sold on for profit.

 

I myself got hit by the Boomerang Rentals hack and it was damned frustrating having to get all new cards (because I couldn't remember which ones I had used on their site, and which ones they might have had in their database as even older deleted ones could have been stored) and then remember which different sites I used them on so I didn't miss a payment for anything.

 

If I had been a TalkTalk customer I would be concerned that having to get them all replaced again so soon, they might charge me. When it comes to bank details, it's even more of a problem as it's not as easy to change as a credit card number.

Edited by AlexAtkin

i'm quite sure the technical layer did know, the management layer probably didn't but in general that's not such a problem.

 

however, the management spokesperson really should have been properly briefed and that's a failure which clearly needs addressing.

 

Sorry andy, but that isn't the case here. That might be true in a non IT business, but if your core-business is the provision of access to the internet, including the security aspects related to that, you'd better make damned sure you know what you are talking about as CEO and if you don't, you need to send your CIO out to talk to the press whilst you deal with the financial people.

 

As an information management specialist this is exactly the sort of thing that we teach students about: How does IT fail, where do projects fail etc. etc. If management can't buy into understanding what is needed and why then a company will not 'self-right' the wrongs.

these people are monitoring your credit record, they need sufficient information to be able to do that and i'm guessing you are also signing up for and agreeing in principle, subject to a right to cancel, to pay for the next period of membership once talk talk's deal expires and as you have helpfully provided the necessary information it will all be done automatically so your protection is continuous.

 

this is the ultimate problem with the internet, you cannot prove you are you except by allowing the use of things like the ccv number to confirm your identity.

 

the only solution to this is to turn the internet off or at an individual level disconnect yourself totally.

 

pandora has, once again, opened the box and as always we must live with the consequences.

 

It can't be long until finger print recognition is introduced. The technology is cheap and I'm guessing that it must be reliable.

It can't be long until finger print recognition is introduced. The technology is cheap and I'm guessing that it must be reliable.

It can't be long then, until secateurs become the best selling item on the internet, bought with stolen identity credit cards. Garden pruning technology is also cheap and reliable.

It can't be long until finger print recognition is introduced. The technology is cheap and I'm guessing that it must be reliable.

Fingerprint recognition is here already and was successfully hacked in 2002.

 

Google "Gummi Bear hack"

 

It might be an old hack (13+ years) but it still works on today's fingerprint recognition algorithms, like the one used on the iPhone 6, for example.

Fingerprint recognition is here already and was successfully hacked in 2002.

 

Google "Gummi Bear hack"

 

It might be an old hack (13+ years) but it still works on today's fingerprint recognition algorithms, like the one used on the iPhone 6, for example.

 

So all that's needed is a tightening up of the software. It must be more secure than needing to input a few letters from a word to confirm online identification.

My friend is with TalkTalk and we were just debating what to do about this. Of course changing the password to the member centre and webmail is the first thing to do but we couldn't really think of anything else. It is awful, especially as there was something in the news about information not being encrypted. The cat is well and truly out of the bag. They have had a bad reputation for a very long time and if I were a customer I'd be off like a shot.

 

I can't think I've EVER defended TalkTalk, but it is NOT a requirement nor common practice to encrypt customer details. It is a legal requirement to encrypt credit card details, that's all. Your bank details can be kept in plain text wherever you want. And encryption ONLY helps if the data is stolen at source, so directly from the disks. In this case it appears the application was compromised so the data would have been unencrypted at that stage anyway. When you log on to change your bank details or address you can see that in normal text, right? So it's not encrypted anymore at that point. In a highly simplified example, if you could pretend to be any customer then you could get all the details out even if the data was encrypted on the disks. It's just how computers work. The issue here ISN'T necessarily lack of encryption, but lack of auditing to know EXACTLY what has been taken.

 

This is a huge part of my job, to secure databases and customer information.

 

Also EVERYONE's bank details are already available to anyone who wants to know them. There is no security breach in someone having your bank details, you can't do anything malicious with them except pay you some money and I'm cool with that :) Card details are a different kettle of fish so they must be encrypted and audited.

Edited by sgtkate


Reading this thread and the potential serious consequences, has anyone any experience of what any bank considers 'negligence' on their customer's part? I readily understand divulging pin nos., not reporting lost or stolen plastic cards etc etc but was wondering whether not taking up the offer with Noddle can be classed as negligent?? Will be interesting when, not if, the stolen info starts to be used. :help:


Having read more about the attack, encryption would not have helped one bit. The attackers used a technique called SQL injection to get the data. Now that IS embarrassing for TalkTalk as it's one of the most basic types of data security any company has...

SQL injection would have allowed them to run something like 'get all the data from the customers bank details table' by typing in simple code in a text input box on the website.

For anyone who vaguely understands this, here's a cartoon that covers it: https://xkcd.com/327/

Edited by sgtkate
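
An added illustration of the SQL injection described in the post above, and of the auditing point made earlier in the thread. This is not code from TalkTalk or from any poster: the table, column names, sample rows, function names and the row-count audit rule are all constructed for the example.

```python
import sqlite3

# Constructed hostile form input: the quote ends the string literal early.
HOSTILE = "x' OR '1'='1"

def make_db():
    """In-memory table holding constructed (fake) customer bank details."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY,"
               " surname TEXT, sort_code TEXT, account TEXT)")
    db.executemany(
        "INSERT INTO customers (surname, sort_code, account) VALUES (?, ?, ?)",
        [("Smith", "00-00-01", "00000001"),
         ("Jones", "00-00-02", "00000002"),
         ("Patel", "00-00-03", "00000003")])
    return db

def lookup_vulnerable(db, surname, log):
    # BAD: the text-box value is pasted into the SQL text, so the database
    # parses whatever follows a quote character as part of the query.
    sql = ("SELECT surname, sort_code, account FROM customers "
           "WHERE surname = '" + surname + "'")
    rows = db.execute(sql).fetchall()
    log.append(("lookup_vulnerable", surname, len(rows)))
    return rows

def lookup_safe(db, surname, log):
    # GOOD: the ? placeholder binds the input as a value; it is compared
    # against the column and never parsed as SQL.
    sql = ("SELECT surname, sort_code, account FROM customers "
           "WHERE surname = ?")
    rows = db.execute(sql, (surname,)).fetchall()
    log.append(("lookup_safe", surname, len(rows)))
    return rows

def suspicious(log, max_rows=1):
    """Audit rule: a single-customer lookup should not return more rows
    than max_rows; entries that do show what was taken and by which input."""
    return [entry for entry in log if entry[2] > max_rows]

if __name__ == "__main__":
    db, log = make_db(), []
    print(lookup_vulnerable(db, "Smith", log))   # one row, as intended
    print(lookup_vulnerable(db, HOSTILE, log))   # every row in the table
    print(lookup_safe(db, HOSTILE, log))         # no rows
    print(suspicious(log))                       # the over-broad query
```

Encrypting the table on disk would change none of these results, because the application decrypts the rows before returning them; the parameterised query and the audit record are what make the difference.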
