TalkTalk attack: UK digi minister recommends security badges for websites

The UK's digital minister Ed Vaizey has floated the idea of adding kitemarks to websites that have strong security measures in place, following the attack on TalkTalk's business last week. Speaking in Parliament on Monday in response to an urgent question on data breaches and consumer protection, following the ransack of …

  1. 0laf
    Meh

    That'll be Security Essentials (self assessment) or Security Essentials + then.

    Neither really bad things but not really suitable to multi-billion pound high profile telcos or other high profile organisations.

    Why not just get one little bit of the company ISO27000 accredited then claim everything is great everywhere, forever? That's what everyone else does.

    Then you ask for the scope of compliance and it all goes quiet....

  2. wolfetone Silver badge

    At least he's right about the terms and conditions not being easy to understand for most consumers, and his only problem with what he said is that he didn't stop after saying the above. No, he kept going, and removed all doubt that the man is in fact an idiot.

  3. 2460 Something
    FAIL

    Demonstrable negligence should be the way forward against talk talk, they ARE legally obliged to protect their customers data.

  4. A Non e-mouse Silver badge
    Black Helicopters

    Government & Encryption

    Of course the government aren't against encryption - providing THEY have access to the decryption keys. (Preferably without needing a pesky court order)

  5. Tony S

    What we are now seeing is a round robin game of "It's not my fault; place the blame somewhere else!" Deeply unedifying and considerably less than useful.

    Essentially, we need people in charge who are going to stop pontificating, point scoring, political spin doctoring or in any other way, trying to wriggle out of their responsibilities; and then actually getting down to identifying precisely what is needed (without a knee jerk reaction) and subsequently ensuring that it is done.

    In other words, earn their pay.

    1. annodomini2
      Pint

      I'd give you a pint if it were possible.

  6. John H Woods Silver badge

    "There has been some misinformation that the government are somehow against encryption," the minister said, without elaborating further.

    Well, I'm not sure it's tactful for a minister to say that it was actually his prime minister who was responsible for the said misinformation, which is probably why he did not elaborate further.

    [Edit: Back on topic, what's the point of a kitemark? You cannot purchase anything without giving payment details, so the advice is one of two things (a) people should use one-off payment (bitcoin?) for everything or (b) companies that cannot safeguard such information should be prosecuted.]

    1. Anonymous Coward
      Anonymous Coward

      > You cannot purchase anything without giving payment details

      Yes and no. For example, I can buy something using Paypal and, although Paypal have my details, the retailer that I am buying from does not.

      Perhaps the Government should be encouraging banks to provide this kind of service for retailers at a sufficiently low price that they will adopt it rather than roll their own?

      1. Camilla Smythe

        Yes and No

        "Yes and no. For example, I can buy something using Paypal and, although Paypal have my details, the retailer that I am buying from does not."

        you received a payment of $XX.XX from 2+2=5@pantysniffers4U.yandex.ru

        Glad to be corrected..

        1. Stoneshop

          Re: Yes and No

          you received a payment of $XX.XX from 2+2=5@pantysniffers4U.yandex.ru

          At least that's sufficiently less sensitive than your credit card details.

    2. dogged

      > Well, I'm not sure it's tactful for a minister to say that it was actually his prime minister who was responsible for the said misinformation, which is probably why he did not elaborate further.

      That would be the same Prime Minister who claimed he was going to safeguard tax credits and wouldn't permit any cuts during the election? That Prime Minister? I don't think he has many issues about bullshitting the public, somehow.

    3. Doctor Syntax Silver badge

      "Well, I'm not sure it's tactful for a minister to say that it was actually his prime minister who was responsible for the said misinformation, which is probably why he did not elaborate further."

      There you are, you see. You've been misinformed. The Prime Minister never said such a thing. On the contrary he's been following the TalkTalk saga and is quite adamant that if his strong recommendation for encryption had been followed it wouldn't have happened. And anybody who said anything different has been spreading misinformation.

      Now do you understand?

  7. Dan 55 Silver badge
    Flame

    "There has been some misinformation that the government are somehow against encryption"

    The prime minister* going on record in a speech as wanting to ban encryption is called misinformation?

    Bunch of weasels, the lot of 'em.

    * I would normally use a more derogatory term but I want to get my point across.

    1. Anonymous Coward
      Anonymous Coward

      Re: "There has been some misinformation that the government are somehow against encryption"

      They don't oppose encryption.

      They oppose *good* encryption.

  8. Destroy All Monsters Silver badge
    Megaphone

    Knowledge is a Crime, Encryption is Self-Abuse, Freedom is Slavery etc.

    "There has been some misinformation that the government are somehow against encryption"

    Indeed, they are not "somehow" but "very much" against encryption.

    1. streaky

      Re: Knowledge is a Crime, Encryption is Self-Abuse, Freedom is Slavery etc.

      If it wasn't they'd have shouted down GCHQ, the police et al in public - given that's what civilian governments are supposed to do when military intelligence starts overstepping its bounds against innocent civilians.

      There's no technical solution that's effective so they [the current government] are by definition anti-encryption, anti-privacy, anti-freedom nut-jobs and it should be stated so at every opportunity.

  9. Your alien overlord - fear me

    Hey, I've got a badge companies can put on their website. Looks a bit like a padlock and is placed on the address bar.

    Oh wait, that might confuse Average Joe into thinking their data is really secure.

  10. Ru'

    Can we not just start fining organisations properly, and perhaps jailing some CEO/CIO types, when the breaches occur? Seems to me that there is little incentive for proper security for the pointy haired ones.

  11. Anonymous Coward
    Anonymous Coward

    Genius. Right click --> Save As --> Certification!

    Finally a government process I approve of. Doubtless the minister had something more convoluted in mind and you can guarantee that there would be fee-clipping along the way but bloody useless however it's implemented.

  12. Anonymous Coward
    Anonymous Coward

    This whole thing is making me ever angrier.

    And every time I see these utter bastards trying to dodge the shit I get angrier. TalkTalk need to be made an example of, they need to be dragged over the coals to show all the other companies that data security needs to be taken seriously. Visa and Mastercard need to pull their card servicing until talktalk sort their shop out or else PCI can go fuck itself, it really is just 600 pages of scratchy toilet paper.

    This isn't acceptable that this is allowed to happen.

    As someone who takes my job very seriously and views myself as a custodian of our customers data with a duty of care to them, knowing that this will make an already impossible job all the more impossible if they don't get heavily fined and seriously punished just makes me want to throw the towel in. What's the point in taking customer data seriously if nobody else does?

    1. m0rt

      "What's the point in taking customer data seriously if nobody else does?"

      The point is that *you* do. That is where any revolution starts.

      PS - I hope that wherever you work, it is somewhere I am a customer. I appreciate the passion.

    2. Anonymous Coward
      Anonymous Coward

      TalkTalk is hilariously allowing customers to exit their contract without paying a penalty as 'a gesture of goodwill' - so long as the customer can prove their finances were compromised as a consequence of the hack. Clearly Dido (£4 million pay packet last year) is worried about a mass exit of people who don't think TalkTalk is capable of managing a whelk stall let alone personal information.

      Rather than a grudging gesture of goodwill, TalkTalk should be begging customers not to sue them for the damage and distress caused by their incompetence and be engaging in a recreational firing of their senior staff who have allowed not one, not two, but three major data breaches in the last year without apparently learning anything.

      In an ideal world, the whole wretched company would be destroyed because of this, but they'll get away with a fine (if it is anything less than the maximum £500k it will show how broken the DPA is), and the CEO will probably ooze on to another equally well remunerated job to fit in between being a Tory peer in the HoL.

      1. Dan 55 Silver badge

        Their T&Cs are worth nothing. They've broken the DPA even though it doesn't mention encryption by name, the customers' data is out there and they've broken the Supply of Goods and Services Act three times in the past year. If it went to any small claims court the customer would win.

        1. Anonymous Coward
          Anonymous Coward

          > they've broken the Supply of Goods and Services Act three times in the past year

          FOUR times in the last twelve months; they got popped last November too.

      2. Anthony Hegedus Silver badge

        I once left talktalk (home) supposedly out of contract (I just left my contract after some annoying Indian chap at wankwank phoned me and promised me lower phone bills and they ended up being double!), when their "solicitors" phoned me I told them I will not pay them a penny under any circumstances ever, because they broke the contract. I never heard from them again after that (about 5 years ago).

        More recently my company cancelled 50 broadband lines with them because of their incompetence, and they kept chasing us for money. They gave up after a couple of years.

        They are just an incredibly incompetent bunch of crooks. I wouldn't trust that dildo woman to pour piss out of a boot with the instructions written on the heel. She would graciously allow some people to break their contracts?!? Fuck that, people should leave in droves. They won't be able to cope!

        1. Fraggle850

          @ Anthony Hegedus

          >I wouldn't trust ... to pour piss out of a boot with the instructions written on the heel.

          Nice turn of phrase, well and truly purloined for future use. Can certainly see me making use of that when referring to manglement and m.consultants.

    3. tiggity Silver badge

      "Visa and Mastercard need to pull their card servicing until talktalk sort their shop out"

      You mean those same supporters of "verified by visa" where (in a web page that behaves like a xss vector) you have to enter characters 2,4 and 7 (or some other combination) of characters of your password.

      Which means password not stored as hash.

      Password either stored plaintext or encrypted with on demand decryption (hopefully the latter as better than plaintext, but depending what encryption is used, key management methods etc. could easily be relatively insecure)

      Not convinced Visa et al are great models for web security

      1. Velv
        Boffin

        "You mean those same supporters of "verified by visa" where (in a web page that behaves like a xss vector) you have to enter characters 2,4 and 7 (or some other combination) of characters of your password.

        Which means password not stored as hash."

        It is possible to encrypt and hash the individual values of each character and store those for later comparison of an encrypted result without the need to decrypt. With a limited set of single values it is possible to brute force each value if you can get directly to the service interface, so you still need to secure against brute force attempts on a user's password values.
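As an added example (not code from the thread, and not how Verified by Visa is actually implemented) of the scheme tiggity and Velv are discussing: one salted hash per character position, so a "give me characters 2, 4 and 7" challenge can be checked without storing anything recoverable, followed by the attack Velv warns about. The alphabet, the iteration count and the sample password are constructed for the demonstration; the point of the last two functions is that per-position hashing shrinks a stolen record's search space from |alphabet|^n to |alphabet| x n, so rate limiting at the service interface is doing all the real work.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed alphabet for this example; a real scheme would pin down its own.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Kept low so the brute-force demonstration below runs in well under a second.
ITERATIONS = 2_000


def _digest(ch: str, salt: bytes, position: int) -> bytes:
    """Hash a single character, bound to its 1-based position so a hash
    recovered for one position cannot be replayed to answer another."""
    return hashlib.pbkdf2_hmac(
        "sha256", ch.encode(), salt + position.to_bytes(2, "big"), ITERATIONS
    )


def enrol(password: str) -> Dict[str, object]:
    """Store one salted hash per character position instead of the password.
    This is the storage model Velv describes: any subset of positions can be
    checked later and nothing ever needs to be decrypted."""
    salt = os.urandom(16)
    hashes = [_digest(ch, salt, i) for i, ch in enumerate(password, start=1)]
    return {"salt": salt, "positions": hashes}


def make_challenge(record: Dict[str, object], k: int = 3) -> List[int]:
    """Pick k distinct 1-based positions to ask for, e.g. [2, 4, 7]."""
    pool = list(range(1, len(record["positions"]) + 1))
    chosen = [pool.pop(secrets.randbelow(len(pool))) for _ in range(k)]
    return sorted(chosen)


def verify(record: Dict[str, object], answers: Dict[int, str]) -> bool:
    """Check the characters supplied for the challenged positions."""
    stored: List[bytes] = record["positions"]
    ok = True
    for pos, ch in answers.items():
        if not 1 <= pos <= len(stored):
            return False
        ok &= hmac.compare_digest(_digest(ch, record["salt"], pos), stored[pos - 1])
    return ok


def brute_force_position(record: Dict[str, object], pos: int) -> Tuple[Optional[str], int]:
    """Offline attack with a stolen copy of the record: each position is an
    independent search over ALPHABET, so it falls in at most len(ALPHABET) tries.
    Returns (recovered character, number of guesses used)."""
    for guesses, ch in enumerate(ALPHABET, start=1):
        if verify(record, {pos: ch}):
            return ch, guesses
    return None, len(ALPHABET)


def worst_case_guesses(length: int) -> Tuple[int, int]:
    """Worst-case guesses to recover a whole password of the given length:
    (per-position hashes as above, one hash over the full password)."""
    return len(ALPHABET) * length, len(ALPHABET) ** length
```

The same per-position search works online against the login form itself unless the service locks the account or throttles after a handful of failures, which is why the partial-character design only holds up with strict attempt limits in front of it.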

    4. Hollerith 1

      Mr or Ms Coward, I agree: it is a point of personal pride

      I do a lot of things, as it is clear you do, to meet my own standards of quality. These are usually higher than what my dearly beloved company would ask, but they don't know what to ask for, and would be content to take the lowest-possible threshold of acceptability, if proffered by a consultant, so I don't tell them what I am doing and am willing to spend the extra time creating security etc that would not shame me if I fell under a bus and a colleague such as you replaced me. If someone like you can look at what I've created and think "well done, good job", then I know I've achieved the standards I aim for.

  13. GregC
    Coat

    Badges?

    We don't need no stinkin' badges!

    Someone had to say it....

    1. Anonymous Coward
      Anonymous Coward

      Re: Badges?

      Badges?

      Do you want badges motherbitch?

      I give you badges!

      99 cents each.

      I sell you some.

  14. Christoph

    A kitemark says that way back when it was awarded, no obvious security holes were found. It does not mean that the site is secure. But way too many non-technical people will think that it does mean that. As will way too many managers who will assume they don't need to keep spending a fortune on keeping the security current.

    It only takes one tiny slip in security to compromise the entire site.

    1. Doctor Syntax Silver badge

      "A kitemark says that way back when it was awarded, no obvious security holes were found. It does not mean that the site is secure."

      Could it be made meaningful?

      1. Requires regular 3rd party checking to a given standard, preferably including pen testing. Regular as at mandated intervals, say 6 monthly.

      2. Date of last test shown on site.

      3. Covered by insurance. Preferably no limit to amount insured.

      4. Expiry date of current insurance shown on site. If the amount of insurance is limited this should also be shown.

      This would mean that there would be at least two parties, the testing company and the insurers and maybe also the testing company's insurers standing behind the site's certification.

      It could work, it wouldn't be cheap but it would mean that you'd be able to identify a site that took security seriously.

      Self-certification? ROFLMAO

  15. Fraggle850

    The only way to make slack-ass PLCs take their responsibilities seriously

    Is to hit them where it hurts. There have to be appropriate penalties, financial penalties should scale according to number of people affected, severity of data loss and the size of the organisation responsible. There ought to be criminal negligence prosecutions in the worst cases and certainly penalties along the lines of banning negligent C-suite execs from directorial roles.

    Some half-baked bureaucratic 'certification' that no one understands and with likely poor implementation is going to be worse than having nothing at all.

    I never thought I'd say this but I actually look forward to the more proportional sanctions that the incoming new Euro rules seem to make possible.

    1. Anonymous Coward
      Anonymous Coward

      Re: The only way to make slack-ass PLCs take their responsibilities seriously

      Is to hit them where it hurts.

      That's true, but the problem is that fines don't hit executives. They get treated as "other operating expense" and rarely affect the bonuses that the bosses get. Look at how banks have been hit with billions in penalties and compensation costs, yet they serially mis-sell, and have continued to pay obscene bonuses throughout the financial crises of recent years.

      The way to hurt corporate bosses is banning the company from selling anything for a period. That affects growth targets, churn targets, profit targets, customer satisfaction targets, market share targets, operating cost targets. And that affects bonuses, without actually taking money off the company that has ultimately been paid by the customers affected. Such a ban becomes a public badge of shame, and corrodes employee morale. In this case a six week ban on Talk Talk recruiting new customers or selling new products to existing ones would seem about right. Unfortunately MPs and their lickspittle civil service advisers are too dim witted to realise this, and whenever sanctions are called for, they fall back on the hackneyed and proven-not-to-work "fines up to 10% of turnover" or similar. Except in data protection, where fines up to £0.5m are deemed adequate.

      For Talk Talk, that's a fine less than 0.03% of turnover. Is anybody surprised they don't take infosec seriously?

  16. Anonymous Coward
    Anonymous Coward

    "It has to be said that companies should encrypt their information."

    Likewise the government. But God forbid customers, cause for customers encryption can cause all sorts of problems (for our brilliant intelligence services), it's illegal (or should be) and is PURE EVIL, no misinformation about that!

  17. Bronek Kozicki

    ICO is right

    For one, database encryption won't usually protect against SQL injection attacks, since that avenue of attack works on already decrypted data. Multiple layers of protection are not an option, they are a necessity.

    Although of course, I can recommend a single 100% effective layer of protection for firms which absolutely cannot be bothered to implement more than one. Disconnect all computers from power, remove all storage devices and destroy those in fire, returning the remaining hardware to the seller. That usually stops idiots from putting sensitive data on them!

    1. Dan 55 Silver badge

      Re: ICO is right

      But given the nature of their customer data and the amount of customers they have, that data needs to be encrypted, it's not optional any more. It also needs to be accessible to the web front end only by stored procedures and the formatting (e.g. hiding digits with *s) needs to be done inside the stored procedure.

      In that quote the ICO seem to be wiggling out of it instead of gearing up to give them a record fine and publicly humiliating them.
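An added example (not code from the thread, and nothing to do with TalkTalk's actual systems) for the two points above: Bronek Kozicki's, that encrypting the column at rest does nothing against injection because the query path that decrypts for the legitimate request decrypts for the injected one too, and Dan 55's, that the web tier should only reach the data through a database-side layer that masks the sensitive fields. SQLite has no stored procedures, so a view stands in for the stored procedure; the table, the three customers and their card numbers are constructed test data. The same string-concatenation bug is shown against the raw table and against the masked view, so you can see what each exposes.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for the example; not real customers or real cards.
SAMPLE_CUSTOMERS: List[Tuple[int, str, str]] = [
    (1, "Alice", "4111111111111111"),
    (2, "Bob", "5500000000000004"),
    (3, "Carol", "340000000000009"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database with the raw table and a masked view over it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_number TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    # Masking is done inside the database layer. This is the SQLite stand-in for
    # "formatting inside the stored procedure": a web-tier account would only be
    # granted SELECT on this view, never on the customers table itself.
    conn.execute(
        """
        CREATE VIEW customers_masked AS
        SELECT id, name, '**** **** **** ' || substr(card_number, -4) AS card_number
        FROM customers
        """
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer_id: str) -> List[tuple]:
    """The injection bug: untrusted input pasted straight into the SQL text.
    Input such as "1 OR 1=1" turns a single-row lookup into a full table dump,
    and any at-rest encryption would already have been undone by the time the
    rows reach the caller."""
    sql = f"SELECT id, name, card_number FROM customers WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, customer_id: str) -> List[tuple]:
    """Same lookup with the value bound as a parameter, so it is data, never SQL.
    Anything that is not an integer is rejected before it gets near the database."""
    try:
        cid = int(customer_id)
    except ValueError:
        raise ValueError(f"invalid customer id: {customer_id!r}") from None
    return conn.execute(
        "SELECT id, name, card_number FROM customers WHERE id = ?", (cid,)
    ).fetchall()


def lookup_view_still_vulnerable(conn: sqlite3.Connection, customer_id: str) -> List[tuple]:
    """Same injection bug, but the web tier only has the masked view: the attacker
    still dumps every row, yet the card numbers come back already masked."""
    sql = f"SELECT id, name, card_number FROM customers_masked WHERE id = {customer_id}"
    return conn.execute(sql).fetchall()
```

The parameterised query is the fix for the bug; the view is the second layer that limits what a bug you have not found yet can leak. Neither is a substitute for the other, which is the "multiple layers" point made above.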

    2. Stuart Halliday

      Re: ICO is right

      Put data on small pieces of cardboard, place in filing cabinets and lock the door.

      There, that'll work.

  18. Quids
    Trollface

    How about a badge to say the website is susceptible to SQL Injection attacks

    1. Haku

      It almost sounds like someone could write a program that automatically scans websites for SQL Injection attacks, then use said SQL Injection attack to put a badge on the website...

      1. Dan 55 Silver badge
        Coat

        Which website is that... pastebin?

    2. Stoneshop
      Devil

      "Welcome, Bobby Tables"

  19. leon clarke
    FAIL

    Read the PCI DSS and weep

    PCI is both an intolerable pain in the ass to comply with and completely inadequate at protecting consumer's interests. However, when you look at it, it's all quite reasonable, in the sense that if you're going to write a box-ticking assessment standard to prove a system is secure then PCI does about as good a job as is possible. There aren't absurd pointless requirements or obvious omissions.

    So the question for any such kitemark is how does it compare to PCI. Is it more onerous, in which case no-one will bother. Is it less onerous in which case it gives no meaningful assurance of anything. Is it the same, in which case no-one will bother and it gives no meaningful assurance of anything.

    1. Doctor Syntax Silver badge

      Re: Read the PCI DSS and weep

      "So the question for any such kitemark is how does it compare to PCI"

      As per my other post. There needs to be 3rd party audit/testing and insurance cover.

      1. leon clarke

        Re: Read the PCI DSS and weep

        That falls into my 'more onerous than PCI' category. No-one will bother with compliance unless it's made mandatory, and if anyone suggests making it mandatory then some trade association will invite lots of ministers to their long conference in the Bahamas to convincingly explain why it's a bad idea. (The more factual aspects of this presentation will involve remaining competitive with economies that don't have excessive red tape. Funding this trade association's blatant bribery would be much cheaper than complying with such a certification)

        I entirely agree that to offer any useful protection such auditing and insurance is needed.

  20. Anthony Hegedus Silver badge

    well obviously, you can't put the kitemark on your site unless you've got the correct certifications. Malware website designers will be trembling at this news - there's no way they'll get the kitemark so nobody will go to their websites. Problem solved. Why hasn't this been done before?

    In other news, only genuine goods are allowed to have the word "genuine" on them, and only non-burglars are allowed to wear non-black-and-white-striped tops.

  21. Jake Rialto 1

    A Nice Shiny Badge

    It will be the equivalent of saying "come and have a go if you think you're hard enough", to the hacking community.

    And once the first company with its nice shiny badge gets hacked, it will be back to the hand wringing again.

    Talk Talk skimped on its web application security tests - either by only testing major releases and not bothering with small scale changes, or just missing it out all together.

  22. This post has been deleted by its author

  23. Anonymous Coward
    Anonymous Coward

    Brilliant this, isn't it?

    Talk Talk, who have No Fucking Idea how to keep their data secure, get hit by a massive security breach. So they wheel out their CEO, who has No Fucking Idea what she is talking about, to explain it to a mass media that has No Fucking Idea what she said, nor what the problem is.

    Luckily a government minister - who has No Fucking Idea what to do either - is on hand with a cretinous proposal for self regulation, which has No Fucking Chance of working.

    Until we start punishing them, companies will not pay proper attention to our security. Offending firms need to be brutally fined, to the point where their top management starts worrying about the forthcoming removal of working tax credits. Customers should also be allowed to switch providers with no penalty if there's even a sniff of lax security.

    Hit them in the pocket, it's the only language they understand.

    1. 0laf

      Re: Brilliant this, isn't it?

      Luckily a government minister - who has No Fucking Idea what to do either but sits on the board of a large IT company which sells cyber security products - is on hand with a cretinous proposal for self regulation, via services provided by the company they have a directorship with - which has No Fucking Chance of working, but gives a nice covering of security whitewash and gets the government minister a nice photo opportunity or two.

      FTFY.

      I hope the ICO will be supported in its request for criminal action against serious corporate data abusers (including prison sentences) and the new EU Data Directive will be fully supported when it comes in next year with its potential for massive fines.

    2. Anonymous Coward
      Anonymous Coward

      Re: Brilliant this, isn't it?

      Offending firms need to be brutally fined,

      And what money will they pay with? Unless they've got a printing press it's money paid by customers that would otherwise have gone on to shareholders (generally your insurers or pension fund). Doesn't affect the management pay. And if fines affected people's behaviour, speeding, mobile use whilst driving, and littering would have ceased years ago.

      Severe action is needed, but it needs to have a different form. Making fines severe is one part, but you need to affect performance metrics that affect directors pay. I'm in favour (see above) of sales prohibitions rather than fines, but there's other things that could be done, such as having significant monetary penalties that have to be paid as a refund to customers, rather than to a regulator or the treasury. That still doesn't really compensate those affected, but would at least ensure that the company and investors suffered, but in net terms the customers weren't paying quite as much for their incompetence.

      1. Bronek Kozicki

        Re: Brilliant this, isn't it?

        @Lendswinger it is only customer money in uncompetitive market, otherwise it is shareholder money. And the shareholders are best people to withhold bonus to CEO, through board of directors.

        1. Anonymous Coward
          Anonymous Coward

          Re: Brilliant this, isn't it?

          And the shareholders are best people to withhold bonus to CEO, through board of directors.

          Sadly not. Most shares are owned directly by institutions, and only indirectly by individuals. You might think it wrong, but (if I had one) I would want my fund manager to be spending far more time on portfolio management than attending AGMs, and a tracker fund may have no active human manager. HFT and algorithmic trading often involves machines buying and selling shares without people in the owning company even knowing. The few activist investors tend to identify a weak company, call up a coalition of investors (their mates, natch) and then step in and force changes, but this is the exception rather than the rule, and there's little empirical evidence that activist investors improve things for customers or regular employees, nor much that they improve corporate behaviours.

          Even within a company, it is the remuneration committee (made up of non-exec directors) not shareholders who decide on bonus structures and pay. Things need to be REALLY bad before the remuneration committee act, usually so bad that the shareholders are in open revolt. That's rare because most institutions go with the board proxy, hoping the directors behave.

          You'd be right if you conclude that this is a flaw in secondary equity markets, but there's not really much way round it.

      2. Anonymous Coward
        Anonymous Coward

        Re: Brilliant this, isn't it?

        And what money will they pay with? Unless they've got a printing press it's money paid by customers that would otherwise have gone on to shareholders (generally your insurers or pension fund)

        Sure it would be money raised from customers, that's where they get it from. But if you were free to jump ship to a more secure and/or cheaper provider at no penalty to yourself, then the insecure (and consequently expensive) ISPs would go out of business or at least be severely damaged.

        As for financial penalties not working - they must have some deterrent effect otherwise courts would hand out nothing but custodial sentences.

    3. BlartVersenwaldIII
      Angel

      Re: Brilliant this, isn't it?

      I propose a new El Reg badge called a Graham for the Most Depressingly Eloquent Use Of The Word Fuck Regarding A Serious Regulatory Issue.

  24. nsld
    Mushroom

    I think appropriate badge for talk talk would be

    A massive dog turd with a lolly stick in it.

    Rather than a kite mark its a shite mark.

  25. Gary F

    Cattle dung! Kite marks mean nothing.

    A kite mark like the Government's Cyber Essentials initiative? Where anyone can tick "yes" to a load of yes/no questions, hand over £300 and be given a badge to put on their website to show everyone how secure the site is?

    That hasn't solved any problems and in fact made things a lot worse because the public are lured into trusting a badge that in reality means bugger all.

    Even if a site is genuinely very secure it doesn't make it hack proof. It's more of an enjoyable challenge to hackers. Bigger kudos for getting in. Advertising the level of a site's security, even if accurate, doesn't help as it can attract more hackers wanting a challenge.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cattle dung! Kite marks mean nothing.

      A kite mark like the Government's Cyber Essentials initiative? Where anyone can tick "yes" to a load of yes/no questions, hand over £300 and be given a badge to put on their website to show everyone how secure the site is?

      Your rant would be better if this were actually how it works. But it isn't.

      It's not as simple as ticking yes - or at least it isn't for most certification bodies and any who do take that need to be outed as they are pretty much stealing money.

      However the general gist is correct - but the scheme was never meant to say "this is a secure website" so that might be down to misunderstanding. The scheme itself makes sense - it isn't there to challenge genuine hackers, it's there to put paid to the companies repeatedly losing data and / or money to ransomware. Given the costs of this (and the costs to companies from Dridex and CEO Phishing type messages), Cyber Essentials isn't a bad move.

      As you probably already know, most organisations will actually fail to certify on the first attempt as the bar is higher than most people realise.

  26. Fraggle850

    Here's a thought

    Stick your badges where the sun doesn't shine (preferably with the safety pin sticking out)

    Why not get the spooks at GCHQ to do frequent, unannounced pen tests on any UK websites? First strike and you get a notice to improve (and a public shaming too?), second strike and you incur proper, proportionate penalties. Would also provide a good training ground for noob cyber-spooks, possibly incentivise it with a pay bonus (based on the size of the target/level of compromise uncovered?) and give them all some allotted weekly time to spend on it.

    1. 0laf

      Re: Here's a thought

      Yeah but the spooks don't want you to close all the back doors.

      Especially the Muricans, they want the wholesome, Earthican, Jesus lovin backdoors left in.

  27. 8tpercent
    Happy

    I've just made this post 100% safe...

    <insert html img src>

    http://www.onlinecasinoblog.co.uk/wp-content/uploads/2015/08/Safe-casinos.png

    <etc>

  28. Oor Nonny-Muss
    Boffin

    The answer isn't to levy fines...

    The answer is to jail the board members responsible and sue them personally for the entire costs associated with their trial and incarceration.

    This may have a short term net positive effect on the Exchequer whilst minds are concentrated.

  29. Camilla Smythe

    Here's a Good Idea.

    <caps on>

    WHY DON'T YOU COMMENTARDS JUST FUCK OFF AND MING ON ABOUT SOMETHING LESS IMPORTANT LIKE THE SIZE OF JUSTIN BIEBER'S ARSE BECAUSE IT IS NOT AS IF ANYTHING YOU SAY ON THE PRESENT SUBJECT WILL MAKE A FUCK OF A BIT OF DIFFERENCE.

    </CAPS OFF>

    1. Fraggle850

      Re: Here's a Good Idea.

      Gosh, you're right! What a revelation! I must give up voicing my opinions on the interwebs forthwith!

      Does rather beg the question though: what the fuck are YOU doing here?

  30. John Brown (no body) Silver badge
    Thumb Down

    We don'n need no steenkin' badges!

    51 comments at time of writing and no one said it yet? Commentardery has reached a new low!

    1. Graham Marsden
      Facepalm

      @John Brown (no body) Re: We don'n need no steenkin' badges!

      Err, no, nobody said "We don'n need no steenkin' badges!", but GregC said "Badges? We don't need no stinkin' badges!" five hours ago at the time of my writing this...

      1. Fraggle850

        Re: @John Brown (no body) We don'n need no steenkin' badges!

        Yes, although I did consider correcting GregC's mispronunciation of 'steenkin'...

  31. Bleu

    'Talk Talk' was the name of a very dull band I never willingly listened to. Just hope this company had to pay to steal the trademark at some time.

  32. Graham Marsden
    Thumb Down

    You can get badges already...

    Companies like Trustwave and Geotrust do ones which you can put on your site and which are regularly updated to ensure they're still valid.

    The problem is that they have to appear on every page on your site and when you're running an e-commerce store, need to be re-loaded on every page a customer visits, adding a time over-head which slows page loads (even if you try to load them asymmetrically) and can cause the whole thing to freeze until the badge appears which pisses off customers and makes them more inclined to go somewhere else.

  33. T I M B O

    Not the first time this year

    From what I understand, Talk Talk has been hacked 2 other times this year. I only found this out when I heard news of this latest security lapse!

    I personally think this is totally irresponsible that this was not reported to all & past customers of this so it would give the customers time to change their security details.

    Had my bank account been emptied I am very sure that talk talk would not replace a penny.

    This 15 year old boy should be patted on the back for showing up the inadequacy of talk talk security.

  34. Anonymous Coward
    Anonymous Coward

    what about PCI? Who was the QSA?

    Whilst I am annoyed, outraged (and not surprised) at what happened with TT, and whole-heartedly support the rightful slating they are getting, did they not have to be PCI compliant to handle credit card data? They stated 'no legal requirement for encryption' but there is a regulatory one for credit card information (yes, I know there are specifics on what does/does not have to be encrypted - I am fully aware of PCI).

    I hope the CC vendors throw the book at them - BUT I would like to know which company certified them as being PCI compliant in the first place. TT may have been given a false sense of security (I am being kind here), but who issued the certificate, who was the QSA? It's all well and good having a go at TT but unless we start publicly demanding answers from those who certify then we are playing whack-a-mole when a new incident happens. QSAs should be named and shamed (or at least have questions asked about their competence).

    As a consumer I want to have trust in regulatory compliance standards (like PCI), and things like this just shatter that confidence. Is PCI compliance worth anything?
