Telcos warned to update security as TalkTalk admits some data wasn’t encrypted

Telcos have been warned to update their inadequate security in the wake of a third security breach at TalkTalk in 12 months.

TalkTalk has confirmed, via a blog post, that hackers may now have the names, addresses, dates of birth, phone numbers, email addresses, TalkTalk account information, credit card details and bank details of 4 million customers.

In a statement, CEO Dido Harding insisted that, “TalkTalk constantly updates its systems to make sure they are as secure as possible against the rapidly evolving threat of cyber crime. We take any threat to the security of our customers’ data extremely seriously and we are taking all the necessary steps to understand what has happened here.”

However, yesterday Harding told ITV: “I can’t even tell you today exactly how many customers have been affected.”

The FAQ section of the TalkTalk web site claims that TalkTalk believed the data was as secure as it could be, but admits that some of the data was not encrypted. The cyber attack is the third affecting the telco in 12 months.

Some critics have asked whether TalkTalk takes security seriously enough or has learned lessons. Security expert Ryan Wilk, director of NuData Security, predicted what would happen next with the TalkTalk customers’ identities.

“Data thieves sell this information to aggregators, who cross-reference and compile full identities – or fullz as they say on the data black market. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches. With this level of information, fraudsters can create new bank accounts or take out loans under an actual person’s name, causing problems for fraud victims for years down the road,” said Wilk.

Telcos should be aware that account creation fraud is on a sharp rise, having doubled since February 2015, said Wilk. NuData analysed 500 million account creations and found that 57% were flagged fraudulent. “That kind of long-term, big payout fraud can only happen with stolen customer personal identities.”

The traditional security systems used by many telcos, such as knowledge-based authentication (KBA), rely on answers that are too easily stolen and should be replaced with user behavioural analytics (UBA) and passive biometrics, said Wilk. “We learn how legitimate users act and get a front row seat to watch thieves try and fail to game the system with their stolen data. Becoming complacent in an age of massive data breaches is both a financial and reputational hazard.”
