TalkTalk attackers stole 'incomplete' customer bank data, ISP confirms

TalkTalk confirmed on Saturday afternoon that incomplete bank details were lifted by crims, even though its core systems were not targeted in the attack on its business earlier this week. The budget telco said that its website had been plundered by malefactors. However, TalkTalk claimed that complete credit card details of …

  1. Anonymous Coward
    Anonymous Coward

    Corporate arse-covering in 5 ... 4 ... 3 ...

    Believe 'em? Neither do I ...

    1. Salts

      Re: Corporate arse-covering in 5 ... 4 ... 3 ...

      The real kicker is that they still are not sure what has or has not been taken; they are headless chickens running around with absolutely no idea!

      Oh, wonder how David Cameron is doing with his thinking on banning strong encryption, sorry, can't type, pissing myself laughing :-)

    2. I. Aproveofitspendingonspecificprojects

      15 year old using Talk Talk

      How is it reassuring that a child using Talk Talk couldn't get all the data he wanted?

      Of course it is true. He probably had shed loads, all pilfered as e-mail, but they lost his emails like they lost all mine. Talk Talk's security was probably based on Julian Assange's used condoms.

  2. nsld
    Facepalm

    How stupid

    Do they think people are?

    The last 4 digits are a standard security question when trying to access other accounts and services, and combine that with the personal contact info and identity theft is a no brainer.

    And the bigger question is wtf is the card data doing in the same place as the other website data? It should be held in separate databases and secured separately as well, but I guess it's a lot easier to stick it all in one database!

    If only TalkTalk put as much effort into security as they have put into polishing the current turd this would not have happened.

    1. Len
      Holmes

      Re: How stupid

      The only reason I can see for storing their customers' bank account data but without the full bank account number is for the purpose of support. It might be that the hackers actually got access to a TalkTalk helpdesk system. As you say, the helpdesk often only has access to the last four digits for ID purposes.

      The billing systems (which would contain the full details) are likely not compromised.

      That would suggest that the hackers probably have contact details and the last four digits but indeed not enough to commit fraudulent transactions on those accounts. Judging from a few cases of people who are missing money that I heard on the radio it seems that the hackers took the details and started calling the victims. They received a phone call informing them about the hack, probably from the hackers identifying as TalkTalk. If you have contact details and the last four digits it should be relatively easy to convince people to hand over any missing details.

      1. PNGuinn
        FAIL

        Re: How stupid re helpdesk

        "It might be that the hackers actually got access to a TalkTalk helpdesk system"

        Poor s*ds. I'm even beginning to feel sorry for the crackers now.

    2. Anonymous Coward
      Anonymous Coward

      Re: How stupid

      Can't recall ever being asked for the last 4 digits of a card number as a security question ... at most it's displayed on sites to show what card you have registered - i.e. enough data for you to know which card is being used but not enough for anyone else to use. I'd assume this is what was kept on the customer-facing part of the payment system. Given that the last 4 digits of the card used are also routinely printed on receipts, it's not exactly difficult to find, so I'd be astonished if anyone considered this to be "secure" information.

    3. PNGuinn
      Mushroom

      Re: How stupid

      I don't think you've got it quite right.

      As I read that a**e covering drivel it seems that their "core systems" were not targeted. Apparently customers' details weren't stored on the "core systems", but on "the site" - I presume that means the website.

      So - anyone having a dig around the website ......

      I wonder what's on their "core systems"?? Cookery recipes? Pr0n stash?

      I could be wrong of course.

      There are already public complaints about bank accounts being syphoned. That suggests that those punters paid by debit card. Note that they only talk about cc info. Either they were storing all the debit card info but not the cc info - unlikely - and keeping quiet about that or a headless chicken is telling porkies.

      In any case - if they haven't got the full cc info themselves it's no good to them, so why store it? Perhaps they mean "encrypted" - for some new IoT definition of encrypted.

      I think I'll start a kickstarter project to develop the world's largest, nastiest rubber hose. There are probably enough irate customers out there only too keen to wield it.

    4. chivo243 Silver badge
      Headmaster

      Re: How stupid

      I bet an industrious individual could take partial data from this heist, and partial data from a few others and have the info needed to pop lots and lots of bank accounts. If I can think of it, someone smarter can do it...

      1. Danny 14

        Re: How stupid

        First 4 will give you the provider. Enough to scam people by ringing them up as your bank and providing you with the last 4 as a 'see, we are your bank'.

  3. JakeMS
    Facepalm

    So...

    By the sounds of things the crims basically got EVERYTHING.

    I think the better question for this attack would be "What did the crackers NOT get?".

    Who's willing to bet this attack was helped by some admin who thought it'd be okay to not update that machine as no one would be likely to exploit that security bug as they thought it was too obscure to be exploited?

    1. 080

      Re: So...

      "What did the crackers NOT get?". From Talk Talk...decent customer service

  4. quattroprorocked

    That's all Ok then.

    This won't happen to anyone.

    http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/

    1. Fraggle850

      Yes, exactly that

      Irrespective of whether card details have been taken there is undoubtedly enough information to facilitate identity theft on a large scale. The Mat Honan story should have been a wake up call to the industry yet such hacks still occur. Isn't it the case that the CIA director's email account was compromised by the young hacker getting a password reset through a support call?

      1. matthewdjb

        Re: Yes, exactly that

        Through a support call where the id was verified by the last four digits of his credit card number.

    2. Anonymous Coward
      Anonymous Coward

      Mat Honan is a bit of an idiot.

      "My MacBook data — including those irreplaceable pictures of my family, of my child’s first year and relatives who have now passed from this life"

      Local back-ups, sonny.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.

        I don't understand. Am I not supposed to get asked "security questions" and at amazon I have even labeled them "security question #1", "security question #2", "security question #3"...

        1. Anonymous Coward
          Anonymous Coward

          Utterly astonished to read this ... do Apple really use the last four digits of a credit card as a secure method of identification validation ... I will clearly have to treat my Waitrose receipts with much more care in future!

          1. a_yank_lurker

            In the US it is common to ask for the last 4 numbers of one's social security number - de facto US government ID number. The only time I see the last 4 of a credit card is when it is stored on a site to identify the account to use in e-commerce.

  5. Steve Davies 3 Silver badge

    Weasel Words from T-T

    They can't hide the fact that they were hacked and lost a lot of data over hours, possibly days.

    They have a duty of care for our data. End Of.

    They failed that and the ICO + the Rozzers should be all over them.

    The Class Action suit might even be enough to put them out of business.

    They will haemorrhage customers even if they give a year's free everything to those affected.

    The future is bleak for T-T. I would not want to be a T-T shareholder for all the tea-tea in China.

    Sorry for the rant, but their actions just make me mad.

    1. Anonymous Coward
      Anonymous Coward

      Re: Weasel Words from T-T

      Class Action in the UK only covers Competition and Price Fixing - and it's only been in existence since 01/10/15.

      So good luck with that.

      http://www.bbc.co.uk/news/uk-34402483

      1. Anonymous Coward
        Anonymous Coward

        Re: Weasel Words from T-T

        @ac,

        There is always pitchforks, tar and feathers ;)

        1. John Brown (no body) Silver badge
          Flame

          Re: Weasel Words from T-T

          "There is always pitchforks, tar and feathers ;)"

          Flaming torches! You forgot the flaming torches!

  6. Brent Longborough
    Stop

    That's OK, then...

    Nothing to see here, move on please...

  7. Anonymous Coward
    Anonymous Coward

    Change my password?

    As a TalkTalk customer, I'm relieved to read that my password wasn't nicked. Baroness Harding and her chums have been telling me for the past couple of days to change my password but, since the relevant part of their website is "unavailable right now", it can't be done.

    Incidentally, I'm not really a TalkTalk customer.

    I was a Pipex customer.

    Pipex sold me to Tiscali.

    Tiscali sold me to TalkTalk.

    So I'm a commodity.

    1. I'm Brian and so's my wife

      Re: Change my password?

      I just switched my parents to PlusNet today. The cashback (I did it via Quidco) covers the overlap between the contracts - they had a month to the end of their contract.

      I mentioned this latest breach as one of the reasons. They sounded ready to make all sorts of offers to keep the business. The one reason I didn't mention to them was that I wanted to support a UK-based business - it seemed a little too ranty to mention it to the overseas call centre operative.

      1. Anonymous Coward
        Anonymous Coward

        Re: Change my password?

        "it seemed a little too ranty to mention it to the overseas call centre operative."

        Fingers crossed that the hack is an offshore insider job.

    2. Anonymous Coward
      WTF?

      Re: Change my password?

      And don't forget to change your date of birth too.

      1. Chris King

        Re: Change my password?

        Date of birth is (or used to be) used for resetting 3DSecure passwords, so it's useful to crims for Verified by Visa and MasterCard SecureCode transactions.

      2. Phil Kingston

        Re: Change my password?

        That's why for anyone that doesn't have a proper legal need for it, like an ISP, I always give them a second DOB I've committed to memory.

        Banks and the like, who have 2FA, can have my real DOB. An online retailer who can't really demonstrate a need to have my DOB (other than it being a shared secret between us) can have a made up one.

  8. Michael B.

    A couple of years ago I was in the queue for the bank and I overheard a distraught customer revealing how she had been scammed into giving the rest of her bank account details. A scammer called her up and, for security reasons, gave her the (standard) prefix of her card number and got her to reveal the rest to confirm her identity.

    With this data a scammer could easily modify it by giving the first and last digits and getting the customer to reveal the middle digits. As the first 4 digits are card and bank specific they can easily cycle through the card numbers pretending to be the relevant bank that the card is attached to.

    1. John H Woods Silver badge

      It is time for a PSA

      (Public Service Announcement)

      It won't be popular with some companies with bad practices but tough.

      "Never, ever, give an agent any details on the phone when they have called you. You don't know who they are unless you are the one making the call to a number whose provenance you trust"

      * it might be best to call that number from another phone - you cannot be sure the dial tone you hear is not being played to you by an attacker who has not actually hung up

      1. Anonymous Coward
        Anonymous Coward

        Re: It is time for a PSA

        "Never, ever, give an agent any details on the phone when they have called you. You don't know who they are unless you are the one making the call to a number whose provenance you trust"

        I got called up recently by someone claiming to be from a well known pension firm wanting to carry out a "survey of my financial providers" and asking to confirm my name.

        I explained to him that I couldn't speak to him until he identified himself to me. He started to argue and I told him I had been warned by [same well known pension firm] that there were a lot of fraudsters trying to get people's financial details, and it was his job to prove who he was. Hangup...

        They must think we're stupid, I thought...and then I thought, well, how many people do actually understand that it is a random caller's job to prove who they are?

        1. Doctor Syntax Silver badge

          Re: It is time for a PSA

          "They must think we're stupid, I thought...and then I thought, well, how many people do actually understand that it is a random caller's job to prove who they are?"

          The banks, building societies and insurance companies certainly don't. Neither do they think it essential that they prove their emails are from them. I've had emails from digital marketing companies working on their behalf where the client's domain is in the From: field but a quick glance at the headers shows that it never came from them and any links don't come from them either. When the clients are taken to task over this they show no indication that they realise the result looks just like a phishing scam and that they're training their customers to be scammed.

      2. Doctor Syntax Silver badge

        Re: It is time for a PSA

        "it might be best"

        Better to say it's essential.

      3. Captain Badmouth

        Re: It is time for a PSA

        "* it might be best to call that number from another phone - you cannot be sure the dial tone you hear is not being played to you by an attacker who has not actually hung up"

        In which case dial 1471 or a friend's no. first to make sure the line has disconnected.

        1. John H Woods Silver badge

          Re: It is time for a PSA

          "In which case dial 1471 or a friend's no. first to make sure the line has disconnected." -- Captain Badmouth

          Not sure it's beyond the ability of a clever crim to fake the voice-synthesized response to 1471 -- I'd stick to calling a person whose voice (or whose response, e.g. "4As Taxis") you will recognise. Better still, use a mobile which cannot still be connected to the previous call.

          I'm not sure why the calling party must hang up to disconnect the call on a landline, can this be fixed?

          Can we start a campaign to make it illegal for outbound calling agents to ask security questions, and restrict them to giving names and/or reference numbers and a request to call back?

          1. The Boojum

            Re: It is time for a PSA

            Yet another reason never to use a landline for anything (other than being ripped off by the telco so that you can have broadband).

          2. Elmer Phud

            Re: It is time for a PSA

            Get a 56k modem to ring back . . .

          3. Vic

            Re: It is time for a PSA

            "Not sure it's beyond the ability of a clever crim to fake the voice-synthesized response to 1471"

            No need - they just intercept the DTMF tones and dial out anything that isn't interesting. Dial 1471 and you get the real 1471. Dial your bank, and you get a scammer...

            Vic.

      4. PNGuinn

        Re: It is time for a PSA

        Or just put in a quick call to Auntie Madge* from the same phone. If someone else answers....

        * or Uncle Horace...

        Actually, that second paragraph needs to be doubly emphasised; even paranoid moi didn't think of that one until I heard about its use.

    2. Anonymous Coward
      Anonymous Coward

      Often these cards are assigned a nickname like 'Natwest Credit Card', so if that was stored openly too, it makes it even easier to know the 6-digit prefix of the card. Not good.

  9. jonathanb Silver badge

    I wonder if any of the people who complained about having bank accounts emptied had accounts with Lloyds. It appears the information they had was enough to open an account there, and the recently closed security hole at Lloyds meant that they could have accessed other Lloyds accounts held by the victim.

  10. C. P. Cosgrove

    On a couple of occasions I have been phoned up by my credit card company and they have started by asking me to confirm MY identity. It always throws a spanner in their works when I respond -

    "Hold on, YOU have phoned ME, therefore you know who I am. Now, how do we go about confirming who YOU are ?"

    After a pause for thought, sometimes a long pause, the usual reply is "My name is ****, phone the number on your card and ask for me." And that is fair enough.

    Chris Cosgrove

    1. I'm Brian and so's my wife

      Yes, as long as you do that 1471 trick mentioned further up the comments. That's a neat way around the dial tone trick they can pull on you.

    2. werdsmith Silver badge

      I've had this too, but they have a problem in that they don't know for sure that the person who has answered their call is the person they are looking for, and they are bound by regulation to identify the person on the phone.

      But I have the same conversation with them and I always end up having to call back.

      The other stupid one is when I call for some business on an account that is in my wife's name. They won't speak to me until they've spoken to my wife to verify it's OK first, but the only ID they are interested in is a female voice.

  11. Anonymous Coward
    Anonymous Coward

    A few things don't make sense

    So why is this such a big issue, besides the large-scale social engineering attack vector opportunity? Read: opportunity. But even that is information that is on the electoral roll, albeit now linked to a possible identification of which bank.

    I mean, your cheques include your bank details? It is normal for corporate letterhead to include full address and bank details, including international notation. None of this is actually secret information.

    The last 4 digits of a credit card transaction are on every receipt from a pdq machine...

    Sure it is bad, it highlights in appropriate measures, there is a huge scamming possibility, but without that no bank accounts or credit cards will be emptied....

  12. Anonymous Coward
    Anonymous Coward

    I used to be a Tiscali customer, and was swept up in the takeover.

    I quit Talk Talk a couple of years ago.

    Earlier today I came across an old bookmark to a file I had uploaded on the customer-website. It still worked. Nothing critical, but sadly out-of-date now.

    So they don't seem to be handling data very well. I was paying so much a month for all their services. I stopped paying them. They're still providing some of those services.

    (Those business directory websites have a lot of defunct entries too. They scooped up names and addresses from somewhere, plastered the pages with adverts, and have never bothered to update. I know of several such businesses in one small town: gone but not forgotten.)

    1. Doctor Syntax Silver badge

      "I used to be a Tiscali customer, and was swept up in the takeover."

      I used to be a Nildram customer. Nildram was taken over by Pipex which was taken over by Tiscali but the email address remained Nildram. After the TalkTalk takeover I also bailed out. As a matter of curiosity I just tried a test post to my old Nildram address. It bounced but a quick whois indicates the domain expired yesterday. Deliberate, coincidence or have they just been too distracted to renew it?

  13. Anonymous Coward
    Anonymous Coward

    You missed this bit from the email

    No banking details were taken that you won’t already be sharing with people when you write a cheque or give to someone so they can pay money into your account.

    I read this as meaning they got my sort code and account number? Weasel words...very much not good news.

    1. Doctor Syntax Silver badge

      Re: You missed this bit from the email

      "I read this as meaning they got my sort code and account number?"

      And the account name.

  14. Slx

    The entire way we process payments is going to have to change.

    This notion that you can just give someone a 16 digit card number, exp date and a 3 digit code with some optional add on security is basically creating a giant honey pot for thieves.

    The whole concept needs to move to something totally different.

    One-off transactions should be pushed - a unique payment token sent to the retailer. There's no need to have credit card info.

    Direct Debits should be set up using a unique code too.

    Banks could generate an "application specific code", much like Gmail does with 2-factor security enabled. This could be done by online banking portals or, for the less tech savvy, just give them 30 unique codes on a card for setting up direct debit / automatic payments.

    Also your bank account should have an "Inward only" number to allow payments in only and then a confidential account number for your use only for actually accessing it.

    There's no reason why all these highly sensitive bank details should be exposed.

    1. chris 17 Silver badge

      @Slx

      People already struggle with PIN numbers and passwords, having them remember more numbers is not going to be popular.

      The card provider verification systems are good, like PINsentry etc., where you put your card into the reader, type your PIN, choose an option, type in a code from the website and enter the generated code on the website. That could generate your token, used instead of your card number.

      1. This post has been deleted by its author

        1. werdsmith Silver badge

          Bitcoin.

  15. Steve Davies 3 Silver badge

    T-T are refusing to waive cancellation fees

    for those who want to leave.

    Shame on them. I fully expect a deluge of cases for breach of contract to hit the small claims court for .... the same amount as the fee they levy.

    T-T really are the pits.

    I really hope that other ISPs learn from this and sharpen up their acts, and pray that it wasn't an inside job all along.

    1. Anonymous Coward
      Anonymous Coward

      Re: T-T are refusing to waive cancellation fees

      Popped into an EE shop yesterday to inquire about broadband. They say they will pay any cancellation fees up to £100 if you change to them, and you don't even have to talk to TT.

  16. ken jay

    TalkTalk and old users

    The biggest problem I see is the thousands of people that left TalkTalk or cancelled the order before installation, as you have to enter bank details and also pay for delivery etc. What will happen to these people? Because I am totally sure they have never purged old customer data from any database, especially the Tiscali ones.

  17. JosephEngels

    What about passwords?

    They have not yet confirmed if passwords were also stolen ... I would hope they are salted and hashed .. but I suspect they may not be. When you initially sign up for their services (over the phone, not web) they will ask you for a password. You can then use that to log in to their website. Unfortunately they do seem to be able to ask you for your password when you call in for support ... which might mean they are typing it in and checking it matches .. or might mean it's displayed on their screen .. and held in the clear.

    If they have held passwords in plain text, they need punishing, financially.

  18. jerky_rs

    Technically you only need to encrypt the 6 digits in the middle of the card number, which is pretty ridiculous seeing you could derive the encrypted part by generating numbers in between that pass a Luhn check; the postcode (truncated to digits only), numeric part of the address and CV2 all matching will get you a successful auth 99 times out of 100.

    As a PSP/online store you are not ever allowed to store CV2 only use it for time of submission to the bank. Mastercard/Visa both have additional ability to protect transaction with 3DSecure but this is not generally mandatory to perform a credit card transaction.

    Having personally worked at a PCI DSS level 1 PSP for over 5 years and having seen how this stuff works in the backend, it is somewhat amazing what actually gets transferred. For example, all credit card numbers for settlement files are uploaded in plaintext via PSTN to a bank's FTP site authenticated only with username/password, and in some cases the file remains there; god knows what the banks actually do to protect this, but it is common knowledge in PSPs that this type of data is unencrypted in auth files as well as on many private MPLS networks that BT manage.
