Codified Security Warns Of Ongoing TalkTalk Vulnerabilities

TalkTalk customers are still at serious risk after security researchers at Codified Security uncovered ongoing vulnerabilities with the Internet Service Provider.

It comes after the ISP suffered a high-profile hack in October that saw the personal details of 156,959 customers stolen.

Serious Flaws

Martin Alderson, Codified’s chief technology officer told TechWeekEurope that he nearly “fell off his chair” when he discovered the flaws, especially in light of the recent hack.

He discovered the flaws after listening to a speech by TalkTalk’s CEO, Dido Harding, in which she talked about the security of TalkTalk’s cloud.

Codified’s Alderson then decided to check this out and discovered that a “significant part of TalkTalk’s website does not have encryption properly configured.” Alderson was reluctant to go into too much detail about the exact nature of the security flaws, and requested that TechweekEurope not to reveal too much specific information about the vulnerabilities.

Alderson confirmed he had told TalkTalk about the issues a couple of weeks, but has not heard back from them.

It seems that basic oversights by TalkTalk could allow hackers with access to a user’s internet connection (if they are using a public Wi-Fi network for example) to steal email address, password and even financial data. This is despite TalkTalk promising to beef up its security in the wake of the October hack, that exposed 15,656 bank account numbers and sort codes. It also seems that 28,000 obscured credit and debit card numbers were also accessed.

“Some people say it is overkill to use encryption, but when you are dealing with logins and passwords, it is absolutely essential,” said Alderson. “It is very surprising. After they took down their website following the hack, they brought it back online with exactly the same problems.”

Alderson confirmed that unless these problems are rectified, TalkTalk customers remain at risk, as the “vulnerabilities can cascade” leading to very serious risks.

But TalkTalk remained defiant, and insisted that it was taking its security seriously.

“Whilst we appreciate the many suggestions and opinions sent to us daily by external security consultants, we (together with our world-leading security advisers) constantly run vulnerability checks using tools developed by industry experts,” a TalkTalk spokeperson told TechweekEurope in a statement.

“Whilst we cannot go into detail on specific aspects of our website and email platforms for obvious security reasons, we are confident we are taking all the appropriate steps to keep our customers details safe,” the spokesperson added.

Many Arrests

Last month police arrested yet another teenager in connection the hack of TalkTalk. The 18-year-old youth from Wales was arrested in an investigation has so far seen the arrests of four other youngsters.

The police initially arrested a 15-year-old boy from Northern Ireland and a 16-year-old boy from Feltham, west London, in connection with the attack. They later arrested a 20-year-old man in south Staffordshire and a 16-year-old boy in Norwich.

All were arrested for suspected of Computer Misuse Act offences and have been bailed pending further inquiries.

But in a twist, the Northern Ireland schoolboy arrested has taken legal action against The Daily Telegraph, The Daily Mail and The Sun, as well as Google and Twitter, for alleged breach of privacy.

Legal measures has also been taken to ensure the removal of information published about the boy and where he lives. The boy’s family has apparently had to move home due to the publicity surrounding his arrest.

TalkTalk has responded to adverse publicity by offering free services to customers, telling investors that the incident is likely to cost between £30 and £35 million.

Customers will be able to choose a ‘selection’ of additional TV content, a mobile SIM with various allowances, unlimited UK and landline calls, and a broadband ‘health check’ from an engineer.

Are you a security pro? Try our quiz!