On Wednesday September 21, the website of telecoms provider TalkTalk was subject to a cyber-attack. As serious a breach of cybersecurity as it was, and as vigilant as the four million TalkTalk’s customers potentially affected by the violation must now be, they shouldn’t worry too much. Yes, the perpetrators of the attack may possess their personal information, and it’s certainly an impressive haul these anonymous pirates have plundered. However, there’s very little chance of them or anyone else actually using all of it.
Of course, they might sell the records they’ve culled on the black market. That is, if they’ve been successful in obtaining complete credit card information then they might put such information up for sale on sites like Silk Road 3.0 and Rescator, where each set of details will be sold for anything from $5-$45 each. However, if they’ve obtained only addresses, telephone numbers and birthdays then their harvest as a whole is useless, since even the most organized of criminal gangs don’t have the resources to process around 4,000,000 customer profiles and use such profiles as the basis of some money-spinning exercise.
Starting with TalkTalk itself, the worst the hackers could do with non-banking info is access each individual account and change the terms of each user’s service. Why anyone would want to do this is something of a mystery, however, and once again the ability of any individual or group to do it on a mass scale is seriously lacking. Such individuals or groups might be able to alter a handful of customer addresses so that, for maybe a couple of days, they have free broadband in their homes (although this is a big “might”), but as soon as either TalkTalk or the customers involved discover any changes of address, these alterations will be rectified. Moreover, their own addresses will have been disclosed in the process, meaning that the thieves will have opened themselves up to arrest.
So much for toying with the TalkTalk profiles themselves, but what about using the personal information to access other accounts elsewhere, such as those with banks and other financial institutions? Well, if you’ve ever done any banking over the phone or internet recently, you will know that a requirement of such telephone or online services is that the client has to create a unique identifier for these accounts, such as an e-banking number or a passcode. In case it wasn’t already obvious, these aren’t passed on to TalkTalk or any other business the client might have dealings with, so the ability of the TalkTalk e-burglars to gain access to the client’s financial accounts and, say, make a bank transfer is, once again, distinctly absent.
There are other ways the criminals could potentially use the personal information they’ve swiped, yet the idea that they could exploit a significant fraction of the reported four million accounts they’ve compromised is questionable at best. They may have the ability to make a few illicit transactions here and there before such activity is uncovered and prevented, but this sporadic criminality doesn’t warrant the seemingly widespread alarm that met the cyber-attack, especially from the press. The Daily Mail reported to TalkTalk customers, among others, that the perpetrators are already “raiding their bank accounts“, while The Independent provided a single anecdote concerning an attempted (yet failed) scam with the headline, “customers targeted a week before hack announced“, as if masses of customers had been victimized.
The press have unsurprisingly reported on cybercrime before, paying special attention to the money that certain notorious thieves have ‘earned’, for want of a better word. For example, the Russian cybercriminal known as “Rescator” had reportedly raked in $1 million in credit-card sales after the notorious hack of US retailer Target. However, even though this testifies to the considerable exchange value of stolen card details, such estimates do not provide comparable evidence of their use value.
The closest thing to evidence of this latter value comes with studies which estimate, for instance, that the Russian market in online banking fraud was worth $942 million in 2011. As provided by Russian security research firm Gourp-IB, this is admittedly a considerable sum, yet it still doesn’t mean that consumers lost a corresponding $942 million, nor does it mean that this sum was amassed thanks to the purchase of stolen credit-card details.
On the one hand, this claim is borne out by the fact that a vast majority of victims of bank fraud receive full compensation from their banks, with a Which? survey from 2013 indicating that 98% of defrauded bank customers are fully remunerated for their losses by their banks. On the other, it’s evinced by a closer reading of the study, which reveals that most online banking fraud comprises the use of malware, remote access of computers, automatic substitution of e-banking screens, and phishing.
In other words, credit card information isn’t particularly useful or valuable by itself, and an indication of this is also furnished by the news that TalkTalk received a ransom demand. If credible, and if actually from the cyber-attackers themselves, it suggests that the attackers see little or no inherent value in the data they’ve obtained, and want it merely to blackmail money out of the UK company.
Hence, this company’s customers need not be as concerned about the security breach as they might now be, or as the media would want them to be. No doubt they have to watch their bank activity very carefully, and no doubt they have to be wary of any phone calls they receive from people purporting to be employed by TalkTalk, yet they should rest assured that there’s not much the cyber-robbers can do with all the information pertaining to four million accounts. There’s little or no way the personal information of all four million people affected will be utilized, harvested and mined en masse by these criminals, and even an attempt to sell any corresponding card details would be hampered by how the (black) market value of such details decreases when a large influx of them floods the market at once, sometimes bringing them to prices as low as $0.75 per unit.
No, TalkTalk’s customer’s shouldn’t be worried, since the brunt of this attack will fall predominantly on TalkTalk themselves. Its shares fell by 4.4% on Friday September 23, as the confidence investors and customers have in its ability to deliver a reliable service plummeted by a comparable proportion. Since the firm had already been hit by two previous cyberattacks in 2015, this latest incursion has potentially damaged its reputation, not least because it failed to encrypt much of the information that was held by its databases. They will therefore have to learn difficult lessons, and redeem themselves for their negligence by overhauling their security systems. However, the lesson to be learned by the public is a much simpler one, namely: don’t panic.