Talk Talk

[Richard]

Well now, who is with Talk Talk?
All companies will be scurrying around to tighten security and 'Talk Talk' may even 'go under' as a result of the latest attack.
Their systems have been hacked before, I complained about being phoned up by a person pretending to be from 'Talk Talk', who asked for personal banking data, and informed T'alk Talk' and the manager just responded just by saying I should inform the Police, they did not seem in the least concerned.
I suspected an insider because of the knowledge he posessed about previous communications I had with the company.

Too many companies have experienced data breaches I think the Law now needs to be changed to force all companies dealing with personal data to tighten security by a belt and braces approach.
All the Data Protection Act states is that 'Appropriate technical and organisational measures should be taken to secure personal information'.

[moonjiver]

Some friends tried to persuade me to get broadband from TalkTalk in view of cheapness, but I didn't because everything I hear about their customer service is bad.

I'm quite old-fashioned in some ways - and all these security breaches just make me glad I am so. I don't do internet banking and only use cards with a few very trustworthy sites. Despite all the propaganda from the banks, it seems to be riskier than ever to put any financial details online - because of sloppy safeguards from big companies as well as banks.

With TalkTalk of course it was a matter of giving them your bank details etc. and trusting them, I assume you couldn't avoid agreeing to the usual direct debit. Wouldn't it be nice if you could still walk into a shop once a month and dig out a bit of cash from your piggy bank or old shoe box?! I'm sure there was less chance of fraud then ..

[Richard]

Well, it really shouldn't matter at all as long as you don't respond to requests to transfer money from your account to a company you deal with.
No Bank will ever contact you and ask for account details and if they do then someone has hacked in and are phishing.
Banks keep telling you this (PayPal is less forthcoming).
The problem is that some people are vulnerable to requests after being told they owe money and most of those contacted under the pretext of 'Talk Talk' operatives, in the recent hacking scare, have been very silly in agreeing to transfer large sums of money after receiving a phone call, but that is how it all works by preying on the vulnerable.
Even if your personal details have been hacked nobody can access your Bank account and withdraw money and even if they could you would be covered for any loss.

By agreeing to release money after receiving a phone call no crime is registered since you gave the money of your own volition, but 'Talk Talk' may be willing to accept liablity and recompense gullible customers since they have admitted a data breach and don't want to lose face over its consequences.
Technically there is no danger to customers unless they are persuaded to part with their money - and yet some do!!

[Derek Jempson]

What's frightening about the Talk Talk attack is that the hackers apparently used SQL injection to breach security. SQL injection goes back to the year dot and is so well known that it's hard to believe that a company like Talk Talk could succumb to it.

[Richard]

SQL Ijection, the most overlooked hacking method.
If that was the case it was very slack of 'Talk Talk', any kid could use an appropriate freeware program to hack an unprotected database SQL, without knowledge of coding, luckily that they did not manage to throw in a 'worm' at the same time.
You can use the same free tools that amateur hackers are using for SQL injection to check if your site is vulnerable and find out what types of private data are being compromised.

CEO Dido's excuse was that they have hundreds of databases and it would have been difficult to protect (by that she meant encrypt) all the data.

[moonjiver]

The banks of course reimburse (or should do so) any money fraudulently withdrawn after these hacking attacks. I suppose what was really on my mind was the sheer hassle that a customer has to go through in order to sort out the compromised bank account - even more hassle if ID tbeft has taken place.

If the CEO of TalkTalk really used that as an excuse: "hundreds of databases to protect", she should be shot at first light! It's like Barclays saying "You know, we have hundreds of branches to look after .." There should be proper security of course for one database or for many - and in the modern age of technology computerised systems should be capable of protecting a banking or any other business operation, however vast.

[Gerry Glyde]

I have no idea what the various acronyms mean in the previous posts, but what is perhaps more perplexing is that it apparently only needed a bright 15 year old lad to hack into a major company who presumably employ lots of high flying computer experts.

The lad should not be hung out to dry by the Crown Prosecution Service due to the incompetence of the system, unless it is shown that he is part of a criminal network or was attempting an audacious crime of the century. In addition, if it only took three or four days to track down this lad it enhances my view that the IT system programmers if that is what they are, are crap at their jobs.

[Gerry Glyde]

And now today a 16 year old in London has been arrested in connection with the same issue of Talk Talk

[Richard]

Once he has been released from custody he should find gainful employment, pointing out security weaknesses elsewhere, there must be an opportunity for such people.

Talk Talk don't appear to have an in-house team able to cope with security issues, the same thing happened at the end of last year and they responded by saying:
"As part of our ongoing approach to security, we constantly test our systems and processes using external security consultants.
Apparently such attacks are very common in the U.S. and Europe but are not publicised for fear of losing business.

[Richard]

I walked into the NatWest bank opposite Debenhams today, gone are the secure counters of old, just a couple of relaxed style, open and unprotected stands for business and plenty of coffee tables laden with copies of pamphlets full of 'security on the web' warnings.
Clearly, with Banking moving online the need for security inside Banks has lessened, as criminals can make more money on the internet.
The world is changing rapidly!!

Why rob a bank when you can steal directly from customers online, with very little chance of being caught, or the risk of violence?