"They've got your name and they know where you live." "The rush you get from hacking is quite phenomenal." "I nearly fainted when I saw they'd practically cleared the account out." "As soon as you log in, they've got everything." "Hackers have stolen information from thousands and thousands of us." "Major companies have failed to keep our private data safe." "What's happening now is a big wake-up call." "Tonight on Panorama I'll be finding out just how easy it is for cyber" "Every day we hand over sensitive information about ourselves." "I thought I was safe, until I saw this." "A major cyber attack on the broadband" "Millions may have had their personal details stolen." "As a TalkTalk customer I could be one of them." "Finding out my personal details could have been stolen - personal details I trusted them with - is alarming to say the least." "The company says it doesn't yet know how many customers" "What I want to know is, what happens when hackers get" "TalkTalk now say nearly 157,000 customers had" "There have been some big hacks of late targeting big companies " "There's more bad guys than there are good guys, and the bad guys only to need to find one vulnerability, just one single" "This map shows just a fraction of cyber attacks as they happen" "Millions of attacks - targetting websites day and night." "A bank robber, why would you walk into a bank with a sawn-off shotgun taking a big risk, getting a relatively small haul compared to being able to commit a crime remotely from another country where you have got very little chance of being caught?" "Cyber criminals hide in the shadows, but hackers attack computers for a variety of reasons and some are willing to talk." "I'm on my way to meet the man who has been accused by the United States authorities of being one of the most sophisticated" "He's acccused of hacking into the US military," "Yeah, so this is the indictments that were issued." "He faces extradition next year, which he will fight." "They should have spent the money and the resources to secure them if somebody, especially somebody sitting in their bedroom in a dressing gown, was able to hack all of those things." "The major problem isn't that person, the problem is the US Government." "If someone can breach some of the most secure websites in the world, how hard must it be for companies like TalkTalk to defend themselves?" "They're not special, in the sense that everybody has" "Nobody in this business is without the sin of being insecure, of not having paid sufficient attention and resources to their security." "Lauri says he has been shown the code used to attack TalkTalk." "He says the hackers exploited a vulnerability that's been" "Pretty much this TalkTalk hack, they didn't write any software, they didn't think hard about the problem, they used a tool somebody else had, they ground away at it and eventually pop goes the weasel." "TalkTalk customers have been hacked three times in less than a year." "The latest hack, last month, was the most damaging." "15,500 TalkTalk customers had their bank account details stolen." "Ma'am, this is Shane Williams from TalkTalk." "The voice of a scammer targeting TalkTalk customer Tamsin Collison." "Her bank details weren't taken, but some of her customer details were, in the first major hack last December." "Phone call, good afternoon Miss Collinson, this is TalkTalk calling," "Phone call, good afternoon Miss Collison, this is TalkTalk calling, we understand you have a problem with your broadband connection" "Which made sense to Tamsin, because she'd reported a fault to TalkTalk." "The people that were on the telephone knew our name and our telephone number and that we were TalkTalk customers, and they said that somebody else had been using our computer." "82-year-old Barbara Manley and her husband, Harold, also believed they were dealing with a genuine TalkTalk employee" "I'd got to know her quite well because she said her name was" "Michelle and we'd had quite a chat to her." "It seemed quite feasible that there was something wrong with" "They were on the phone to me for about an hour-and-a-half fixing my computer, showing me all kinds of terrible things." "Both Tamsin and the Manleys were talked into giving the scammers access to their computer and online banking." "They were tricked into thinking they were getting a refund from TalkTalk but instead the thieves were raiding their bank" "I went to the bank and I nearly fainted when I saw they'd" "It was an absolutely horrific moment to discover that I had been mugged, basically, and that I had sort of said, help yourself." "I'd been complicit in my own mugging." "Tamsin says TalkTalk only confirmed her personal data had been stolen" "She says she should have been told much sooner." "I would have been armed and I would have been protected." "I believe that TalkTalk did not protect their customers" "TalkTalk say they wrote to customers twice to warn them of scams following last December's data breach." "They are not to blame for the losses suffered by Tamsin and the Manleys because the scams would not have been possible without either of them giving the thieves banking information." "It's as if somebody is outside the house looking through the window." "If they can get us on the computer, how do we know they can't get to our house." "We feel unsafe." "If we want to use the internet, we have to trust companies with I've come to King's Cross Station in London to meet a group of We're heading up to Edinburgh to set them a challenge." "I have dabbled in writing code and playing with code and design." "But nothing piqued my interest as much as learning how to hack." "I know how to use a computer, these people know how to take them over." "I got kicked out of school, so when I was at home I just started self teaching myself programming and then moved up to finding how to make a vulnerability, how vulnerability works." "Hacking is a culture more than an activity." "It doesn't have to be breaking things it can be creating things The Cyber Academy at" "Edinburgh Napier University train We've asked them to set up an experiment - create the kind of company website many of us place our trust in So the challenge that we have set for you we have created So we've got things like credit" "card details, passwords." "Can the hackers break into our fictitious website, British Broadband, and steal its customers' valuable data?" "How long are you expecting them to take to get to these databases?" "We would think in total to find all the vulnerabilities will The academics had created a number of vulnerabilities, ways to hack into British Broadband, but our hackers found one of the easiest routes within minutes." "There is an admin user here called John." "So you have found one of the user names for the database?" "So they've done that in about five minutes." "The password took about one second to crack because it was very basic." "Mustafa has already cracked the password Most passwords are easy to hack because most of us use similar A few minutes later," "British Broadband's customer details Because it's not surprising how easy it is." "I think it shows how easy it is sometimes for intruders to get into databases if the credentials are not protected properly." "So they've got access to all the information on the database, But that's something they're going to try and do is it?" "Our hackers have complete control of the website." "With just a few clicks they take down the entire site." "So if that was a real business, suddenly the customers will all find that if they go to the web page it's not there anymore." "British Broadband's customers wouldn't be able to use the website, and their names, addresses, phone numbers and credit card details are Mustafa, how do you feel about the suspended sentence?" "I have to go now, so I can't really talk." "In 2013," "Mustafa was given a suspended prison sentence for attacking the Serious" "Organised Crime Agency and the CIA." "He is now one of the good guys and currently completing So, how typical was that website in terms of its defences?" "A lot of credit card details are hacked in that way." "In the real world it will be much tougher, and obviously an attack But are there some websites out there that will be as vulnerable Yeah, certainly the smaller websites that don't have a security team managing it 24/7 will typically be weak." "In the age of cyber crime, criminals are waiting to invade Most of us have received a dodgy e-mail we shouldn't click on, but what happens if we do?" "I spend my time digging around in the cyber criminals' latest pieces of malicious code, figuring out how they're attacking people, and James Lyne is an internet security expert Cyber crime is a multi-billion pound enterprise, creating hacking programmes which can steal" "our data on an industrial scale." "There were estimated to be nearly 2.5 million internet-related crimes in England and Wales last year." "At the top of the tree you have a number of people - a number of gangs producing these software packages that are used for the You have multiple parties selling competing cyber crime products, We see them do price drops to" "acquire more customers." "They have commercialised and professionalised cyber crime to Hundreds of thousands of new pieces of malware are released every day." "We see about 30,000 new infected websites a day." "You land on a legitimate website that's been attacked that will exploit your computer and that will silently in the background instal a piece of code that lets the attackers So as soon as you log into any of these services, they've got everything," "they own your entire digital life." "Anything that might contain links to financial information will be mine - social media accounts, store accounts, e-mail accounts." "It's funny, people don't think about e-mail accounts as being valuable, but e-mail accounts actually unlock a surprising amount And they can also unlock life savings." "In June this year," "Vivian Gabb was completing on the purchase of a house - which she'd planned as a retirement investment - when she got an e-mail she thought was from her solicitor." "Dear Viv, we have changed who we bank with." "I forgot to inform you of the changes Our new banking details are stated below." "Kindly transfer the balance of ?" "46,703.20 into our new client account, and then it gives the bank details." "It looks totally genuine, doesn't it?" "Vivian went ahead and transferred almost £47,000 - her life savings." "I phoned the solicitors because I hadn't heard anything and said, "Oh, So that's when everything started to fall apart." "I think at the end of that day, at the end of that evening, when I was and I felt very vulnerable and violated." "Vivian doesn't know how she came to be targeted." "She still bought the house, but she had to borrow to replace the stolen money and is now working seven days a week to pay it off." "It just seems that the criminals are getting better." "It just seems like they are always big steps ahead." "These are complex crimes carried out by criminals who could be Society is struggling with this, and we're certainly not dealing with it the way we are able to deal with other types of criminality." "There's no doubt about that, and nobody's trying to deny that, and we're wrestling with how do we do this differently?" "Look at the scale and volume we're dealing with." "It is very, very difficult to expect policing to detect these crimes." "What do criminals do with hacked information?" "How do they turn it into cash and get away with it?" "An anonymous, underground world of cyber secrets - the perfect blackmarket for hackers hawking stolen data." "James took us in using a Dark Web browser." "People can't see where you're browsing or where In fact at the moment this website thinks I'm in Romania." "Hacked mobile phone accounts, subscription TV accounts, All bought and sold here using Bitcoin, And what you've got here is a list of various credit cards James searched for UK credit cards." "So we've got a couple here, haven't we." "One from Gloucestershire, one from Devon there." "Am I right in saying this is just one of Only one of them, but there several others." "Cal Leeming knows all about using other people's credit cards." "He started raiding websites to steal them aged just 11." "The rush that you get from credit card fraud hacking is Within two years he was running riot" "I started ordering very small things and then it got progressively" "I ended up buying cars as well in the end, and that got me sent to" "At 18, he was sentenced to 15 months for hacking the details of 13,000 credit card users to buy £750,000 worth of goods." "I was by no means the best hacker in the world, or the country." "I mean, I may have been the youngest, but not the best." "Cal is now a software engineer and security adviser." "It was the police who saw the potential" "Once I was released from prison, the police officer involved in my case actually got me my two work references" "He really helped me change my life around." "Cal might have turned his life around - the trouble is, he says, business has not turned itself around." "It's easier now to do credit card fraud than it was back in 2001" "On the Dark Web, James Lyne bought the credit and debit card details" "That's what we bought and I presume that is your card number" "If I was a criminal, I could have raided Janet's bank account." "Yeah, that's exactly the same, isn't it?" "That's the number on the back, isn't it, yeah?" "How do you think someone might have got hold of this?" "I don't know, because I do so much shopping online" "With just a few more details - like Janet's National Insurance number - a hacker could have stolen her whole identity leaving her" "What has staggered me more than anything is how easy you" "I mean I've never been burgled or anything, but you're feeling" "You know, that somebody can access all this private information and it's out there for anybody to use." "So, it's not a very nice feeling at all." "As soon as we alerted Janet that her card details were for sale, she called her bank and cancelled her card." "It is better to know than not know, isn't it?" "We managed to contact 12 of the 13 cardholders, whose details" "Ten people confirmed their cards were current." "Two had already cancelled their cards because of fraud." "You can do a lot to protect yourself in this space." "80% of all the frauds we deal with can be prevented." "And it's the most basic thing using anti-virus and yet still the bulk" "Make sure you are using a different password on each" "Make sure you update your computer," "And last, but not least, be a bit of a cynic." "For some companies, it's the hackers themselves who can help" "They invite them to test their systems and can offer rewards" "Enter Dubai-based hacker Yasser Ali." "I have found serious flaws in a lot of big companies, like Paypal, like Ebay, Facebook, Microsoft, Adobe, Sony..." "Last August, Yasser breached Paypal's web security discovering he could take over customer accounts with one click" "Instead he told the company about the flaw." "They fixed it and he received a $10,000 reward." "All the other companies made fixes too." "We're setting him our own challenge, which doesn't" "I've got a selection of big British brand names, and I'd like you to look at their websites for me, please, and carry out a reconnaissance on them and tell me how vulnerable you" "Once it's a passive reconnaissance then it's OK." "Passive reconnaissance is like a burglar working out how to break into a house without actually doing it." "And then we can talk after that and let me know what" "Yasser is what's known as a white hat hacker - using" "Not as lucrative as crime but it still pays." "Apple or Microsoft, all the big names, they have recognised that white hat hackers are sometimes better at finding" "So, what they've done is it's like the Wild West, they've said" "It can sometimes be hundreds of thousands of dollars if you alert us to a vulnerability rather than disclose it or sell it" "We don't suffer the losses, our customers don't suffer the losses and we'll pay you for the privilege." "So, you've had a look at those company websites that I" "Except just one website, they had pretty good security measures." "I know you've only done a passive reconnaissance, but can you give a couple of examples of the ways in which they're vulnerable?" "One of the companies, I could grab a lot of information from the administration panel, like a lot of e-mail addresses, a lot of phone numbers of the employees, which can be used by criminals." "It is very easy to find this information and also to exploit" "Yasser's research is a small snapshot of UK" "We're not naming names because if he's right it will alert criminals to any potential weaknesses in their websites." "What the criminals know as well as the security industry, they know when those vulnerabilities occur and so they go out and look for them." "So, if you're one of those who hasn't locked your door properly, there's been a fault in your lock, and they checking your door so, if you haven't corrected it, they will find" "If a business holding our personal data is hacked, you'd think" "TalkTalk came clean, but some companies don't." "In the UK, only phone and internet providers are legally" "The legislation is fairly light at the moment." "But we could ask the question whether or not the regulations are tight enough about how information should be" "And I think it's an important question to ask where we see an increasing number of breaches taking place and we therefore know that whatever the standards are they're not actually effective in protecting" "Following last month's hack on TalkTalk, it says it has significantly increased the level of website protection." "Lauri Love, the man accused of hacking the US Government has" "Me and some friends had a look at TalkTalk and there's probably about three or four different ways you could still hack them today" "But I don't want to say it's negligence on their part" "The tide of complexity of computer systems has come in so fast that we haven't realised that we're behind it now." "The UK cyber security industry is worth £17 billion." "TalkTalk says it is continually reviewing and updating its systems." "I discovered at the end of last week I am not one of the 157,000" "TalkTalk customers whose personal details have been stolen but can I trust TalkTalk to keep my personal details safe in the future?" "Or for that matter any of the companies I deal with online?" "Their trust in the internet has been shattered." "We're completely bewildered about the whole thing and I don't know now how we're going to cope because we don't believe anybody." "Every time you put your data in the hands of an organisation it is a risk, you know, you are taking a gamble doing that." "What you've got to hope for is that organisation takes" "It's a really, really bad situation at the moment," "One that's not going to get better until there is a complete change in" "I don't say that to be alarmist, I say that because it's the truth." "Internet security is the responsibility of us all." "A responsibility many of us don't yet appear to be taking" "# These streets are yours You can keep them... #"