:00:08. > :00:10.They've got your name and they know where you live.
:00:11. > :00:12.The rush you get from hacking is quite phenomenal.
:00:13. > :00:20.I nearly fainted when I saw they'd practically cleared the account out.
:00:21. > :00:25.As soon as you log in, they've got everything.
:00:26. > :00:30.Hackers have stolen information from thousands and thousands of us.
:00:31. > :00:41.Major companies have failed to keep our private data safe.
:00:42. > :00:46.What's happening now is a big wake-up call.
:00:47. > :00:49.Tonight on Panorama I'll be finding out just how easy it is for cyber
:00:50. > :01:28.Every day we hand over sensitive information about ourselves.
:01:29. > :01:31.I thought I was safe, until I saw this.
:01:32. > :01:33.A major cyber attack on the broadband
:01:34. > :01:37.Millions may have had their personal details stolen.
:01:38. > :01:41.As a TalkTalk customer I could be one of them.
:01:42. > :01:44.Finding out my personal details could have been stolen - personal
:01:45. > :01:48.details I trusted them with - is alarming to say the least.
:01:49. > :01:50.The company says it doesn't yet know how many customers
:01:51. > :01:56.What I want to know is, what happens when hackers get
:01:57. > :02:06.TalkTalk now say nearly 157,000 customers had
:02:07. > :02:17.There have been some big hacks of late targeting big companies -
:02:18. > :02:28.There's more bad guys than there are good guys, and
:02:29. > :02:31.the bad guys only need to find one vulnerability, just one single
:02:32. > :02:37.This map shows just a fraction of cyber attacks as they happen
:02:38. > :02:44.Millions of attacks - targeting websites day and night.
:02:45. > :02:51.A bank robber, why would you walk into a bank with
:02:52. > :02:53.a sawn-off shotgun taking a big risk, getting a relatively
:02:54. > :02:56.small haul compared to being able to commit a crime remotely from
:02:57. > :03:01.another country where you have got very little chance of being caught?
:03:02. > :03:04.Cyber criminals hide in the shadows, but hackers attack computers
:03:05. > :03:12.for a variety of reasons and some are willing to talk.
:03:13. > :03:15.I'm on my way to meet the man who has been accused
:03:16. > :03:18.by the United States authorities of being one of the most sophisticated
:03:19. > :03:28.He's accused of hacking into the US military,
:03:29. > :03:36.Yeah, so this is the indictments that were issued.
:03:37. > :03:39.He faces extradition next year, which he will fight.
:03:40. > :03:44.They should have spent the money and the resources to secure them
:03:45. > :03:47.if somebody, especially somebody sitting in their
:03:48. > :03:51.bedroom in a dressing gown, was able to hack all of those things.
:03:52. > :03:56.The major problem isn't that person, the problem is the US Government.
:03:57. > :04:01.If someone can breach some of the most secure websites in the world,
:04:02. > :04:07.how hard must it be for companies like TalkTalk to defend themselves?
:04:08. > :04:10.They're not special, in the sense that everybody has
:04:11. > :04:16.Nobody in this business is without the sin of being insecure, of not
:04:17. > :04:20.having paid sufficient attention and resources to their security.
:04:21. > :04:25.Lauri says he has been shown the code used to attack TalkTalk.
:04:26. > :04:28.He says the hackers exploited a vulnerability that's been
:04:29. > :04:35.Pretty much this TalkTalk hack, they didn't write any software,
:04:36. > :04:38.they didn't think hard about the problem, they used a tool somebody
:04:39. > :04:45.else had, they ground away at it and eventually pop goes the weasel.
:04:46. > :04:50.TalkTalk customers have been hacked three times in less than a year.
:04:51. > :04:54.The latest hack, last month, was the most damaging.
:04:55. > :05:02.15,500 TalkTalk customers had their bank account details stolen.
:05:03. > :05:04.Ma'am, this is Shane Williams from TalkTalk.
:05:05. > :05:10.The voice of a scammer targeting TalkTalk customer Tamsin Collison.
:05:11. > :05:12.Her bank details weren't taken, but some
:05:13. > :05:18.of her customer details were, in the first major hack last December.
:05:19. > :05:28.Phone call, good afternoon Miss Collison, this is TalkTalk calling,
:05:31. > :05:33.we understand you have a problem with your broadband connection
:05:34. > :05:37.Which made sense to Tamsin, because she'd reported a fault to TalkTalk.
:05:38. > :05:41.The people that were on the telephone knew our name
:05:42. > :05:45.and our telephone number and that we were TalkTalk customers,
:05:46. > :05:50.and they said that somebody else had been using our computer.
:05:51. > :05:53.82-year-old Barbara Manley and her husband, Harold,
:05:54. > :05:56.also believed they were dealing with a genuine TalkTalk employee
:05:57. > :06:04.I'd got to know her quite well because she said her name was
:06:05. > :06:06.Michelle and we'd had quite a chat to her.
:06:07. > :06:08.It seemed quite feasible that there was something wrong with
:06:09. > :06:14.They were on the phone to me for about an hour-and-a-half fixing
:06:15. > :06:17.my computer, showing me all kinds of terrible things.
:06:18. > :06:20.Both Tamsin and the Manleys were talked
:06:21. > :06:24.into giving the scammers access to their computer and online banking.
:06:25. > :06:28.They were tricked into thinking they were getting
:06:29. > :06:31.a refund from TalkTalk but instead the thieves were raiding their bank
:06:32. > :06:39.I went to the bank and I nearly fainted when I saw they'd
:06:40. > :06:49.It was an absolutely horrific moment to discover that I had been mugged,
:06:50. > :06:52.basically, and that I had sort of said, help yourself.
:06:53. > :06:55.I'd been complicit in my own mugging.
:06:56. > :06:58.Tamsin says TalkTalk only confirmed her personal data had been stolen
:06:59. > :07:05.She says she should have been told much sooner.
:07:06. > :07:09.I would have been armed and I would have been protected.
:07:10. > :07:12.I believe that TalkTalk did not protect their customers
:07:13. > :07:21.TalkTalk say they wrote to customers twice to warn them
:07:22. > :07:32.of scams following last December's data breach.
:07:33. > :07:35.They are not to blame for the losses suffered by Tamsin
:07:36. > :07:38.and the Manleys because the scams would not have been possible without
:07:39. > :07:43.either of them giving the thieves banking information.
:07:44. > :07:50.It's as if somebody is outside the house looking through the window.
:07:51. > :08:05.If they can get us on the computer, how do we know they can't get to our
:08:06. > :08:09.house. We feel unsafe. If we want to use the internet, we have to trust companies with
:08:10. > :08:12.I've come to King's Cross Station in London to meet a group of
:08:13. > :08:20.We're heading up to Edinburgh to set them a challenge.
:08:21. > :08:30.I have dabbled in writing code and playing with code and design.
:08:31. > :08:32.But nothing piqued my interest as much as learning how to hack.
:08:33. > :08:35.I know how to use a computer, these people know how to take them over.
:08:36. > :08:40.I got kicked out of school,
:08:41. > :08:44.so when I was at home I just started self teaching myself programming
:08:45. > :08:47.and then moved up to finding how to make a vulnerability, how vulnerability works.
:08:48. > :08:50.Hacking is a culture more than an activity.
:08:51. > :08:52.It doesn't have to be breaking things, it can be creating things
:08:53. > :08:55.The Cyber Academy at Edinburgh Napier University train
:08:56. > :08:59.We've asked them to set up an experiment - create the kind of company website many of us place our trust in
:09:07. > :09:09.So the challenge that we have set for you we have created
:09:10. > :09:17.So we've got things like credit card details, passwords.
:09:18. > :09:24.Can the hackers break into our fictitious website, British Broadband, and steal its customers' valuable data?
:09:28. > :09:32.How long are you expecting them to take to get to these databases?
:09:33. > :09:45.We would think in total to find all the vulnerabilities will
:09:46. > :09:48.The academics had created a number of vulnerabilities, ways to hack into British Broadband,
:09:56. > :10:00.but our hackers found one of the easiest routes within minutes.
:10:01. > :10:04.There is an admin user here called John.
:10:05. > :10:06.So you have found one of the user names for the database?
:10:07. > :10:11.So they've done that in about five minutes.
:10:12. > :10:13.The password took about one second to crack because it was very basic.
:10:14. > :10:17.Mustafa has already cracked the password
:10:18. > :10:20.Most passwords are easy to hack because most of us use similar
:10:21. > :10:26.A few minutes later, British Broadband's customer details
:10:27. > :10:30.Because it's not surprising how easy it is.
:10:31. > :10:47.I think it shows how easy it is sometimes for intruders to get into databases if the credentials are not protected properly.
:10:53. > :10:55.So they've got access to all the information on the database,
:10:56. > :10:57.But that's something they're going to try and do is it?
:10:58. > :11:05.Our hackers have complete control of the website.
:11:06. > :11:15.With just a few clicks they take down the entire site.
:11:16. > :11:20.So if that was a real business, suddenly the customers will all find that if they go to the web page it's not there anymore.
:11:26. > :11:28.British Broadband's customers wouldn't be able to use the website, and their names, addresses, phone numbers and credit card details are
:11:35. > :11:37.Mustafa, how do you feel about the suspended sentence?
:11:38. > :11:54.I have to go now, so I can't really talk.
:11:55. > :11:57.In 2013, Mustafa was given a suspended prison sentence for attacking the Serious Organised Crime Agency and the CIA.
:12:00. > :12:03.He is now one of the good guys and currently completing
:12:04. > :12:06.So, how typical was that website in terms of its defences?
:12:07. > :12:12.A lot of credit card details are hacked in that way.
:12:13. > :12:20.In the real world it will be much tougher, and obviously an attack
:12:21. > :12:23.But are there some websites out there that will be as vulnerable
:12:24. > :12:28.Yeah, certainly the smaller websites that don't have a security team managing it 24/7 will typically be weak.
:12:35. > :12:43.In the age of cyber crime, criminals are waiting to invade
:12:44. > :12:46.Most of us have received a dodgy e-mail we shouldn't click on, but what happens if we do?
:12:54. > :12:55.I spend my time digging around in the cyber criminals' latest pieces of malicious code, figuring out how they're attacking people, and
:13:02. > :13:04.James Lyne is an internet security expert
:13:05. > :13:08.Cyber crime is a multi-billion pound enterprise, creating hacking programmes which can steal our data on an industrial scale.
:13:19. > :13:22.There were estimated to be nearly 2.5 million internet-related crimes in England and Wales last year.
:13:26. > :13:39.At the top of the tree you have a number of people - a number of gangs producing these software packages that are used for the
:13:43. > :13:45.You have multiple parties selling competing cyber crime products,
:13:46. > :13:48.We see them do price drops to acquire more customers.
:13:49. > :13:51.They have commercialised and professionalised cyber crime to
:13:52. > :13:53.Hundreds of thousands of new pieces of malware are released every day.
:13:54. > :14:00.We see about 30,000 new infected websites a day.
:14:01. > :14:15.You land on a legitimate website that's been attacked that will exploit your computer and that will silently in the background install a piece of code that lets the attackers
:14:22. > :14:24.So as soon as you log into any of these services, they've got everything, they own your entire digital life.
:14:32. > :14:33.Anything that might contain links to financial information will be mine - social media accounts, store accounts, e-mail accounts.
:14:45. > :14:51.It's funny, people don't think about e-mail accounts as being valuable, but e-mail accounts actually unlock a surprising amount
:14:57. > :15:00.And they can also unlock life savings.
:15:01. > :15:03.In June this year, Vivian Gabb was completing on the purchase of a house - which she'd planned as a retirement investment - when she got an e-mail she thought was from her solicitor.
:15:12. > :15:14.Dear Viv, we have changed who we bank with.
:15:15. > :15:17.I forgot to inform you of the changes
:15:18. > :15:21.Our new banking details are stated below.
:15:22. > :15:27.Kindly transfer the balance of £46,703.20 into our new client account,
:15:33. > :15:35.and then it gives the bank details.
:15:36. > :15:36.It looks totally genuine, doesn't it?
:15:37. > :15:42.Vivian went ahead and transferred almost £47,000 - her life savings.
:15:43. > :15:45.I phoned the solicitors because I hadn't heard anything and said, "Oh,
:15:46. > :15:57.So that's when everything started to fall apart.
:15:58. > :16:01.I think at the end of that day, at the end of that evening, when I was
:16:02. > :16:04.and I felt very vulnerable and violated.
:16:05. > :16:06.Vivian doesn't know how she came to be targeted.
:16:07. > :16:09.She still bought the house, but she had to borrow to replace the stolen money and is now working seven days a week to pay it off.
:16:10. > :16:17.It just seems that the criminals are getting better.
:16:18. > :16:22.It just seems like they are always big steps ahead.
:16:23. > :16:25.These are complex crimes carried out by criminals who could be
:16:26. > :16:30.Society is struggling with this, and we're certainly not dealing with it the way we are able to deal with other types of criminality.
:16:45. > :16:47.There's no doubt about that, and nobody's trying to deny that, and we're wrestling with how do we do this differently?
:16:51. > :16:53.Look at the scale and volume we're dealing with.
:16:54. > :16:57.It is very, very difficult to expect policing to detect these crimes.
:16:58. > :16:59.What do criminals do with hacked information?
:17:00. > :17:01.How do they turn it into cash and get away with it?
:17:02. > :17:05.An anonymous, underground world of cyber secrets - the perfect black market for hackers hawking stolen data.
:17:12. > :17:20.James took us in using a Dark Web browser.
:17:21. > :17:26.People can't see where you're browsing or where
:17:27. > :17:29.In fact at the moment this website thinks I'm in Romania.
:17:30. > :17:35.Hacked mobile phone accounts, subscription TV accounts,
:17:36. > :17:37.All bought and sold here using Bitcoin,
:17:38. > :17:43.And what you've got here is a list of various credit cards
:17:44. > :17:58.James searched for UK credit cards.
:17:59. > :18:05.So we've got a couple here, haven't we?
:18:06. > :18:07.One from Gloucestershire, one from Devon there.
:18:08. > :18:09.Am I right in saying this is just one of
:18:10. > :18:11.Only one of them, but there are several others.
:18:12. > :18:21.Cal Leeming knows all about using other people's credit cards.
:18:22. > :18:23.He started raiding websites to steal them aged just 11.
:18:24. > :18:34.The rush that you get from credit card fraud hacking is
:18:35. > :18:40.Within two years he was running riot
:18:41. > :18:45.I started ordering very small things and then it got progressively
:18:46. > :18:53.I ended up buying cars as well in the end, and that got me sent to
:18:54. > :18:56.At 18, he was sentenced to 15 months for hacking the details
:18:57. > :19:05.of 13,000 credit card users to buy £750,000 worth of goods.
:19:06. > :19:10.I was by no means the best hacker in the world, or the country.
:19:11. > :19:13.I mean, I may have been the youngest, but not the best.
:19:14. > :19:15.Cal is now a software engineer and security adviser.
:19:16. > :19:17.It was the police who saw the potential
:19:18. > :19:25.Once I was released from prison, the police officer
:19:26. > :19:29.involved in my case actually got me my two work references
:19:30. > :19:34.He really helped me change my life around.
:19:35. > :19:36.Cal might have turned his life around - the trouble is,
:19:37. > :19:42.he says, business has not turned itself around.
:19:43. > :19:45.It's easier now to do credit card fraud than it was back in 2001
:19:46. > :19:54.On the Dark Web, James Lyne bought the credit and debit card details
:19:55. > :20:09.That's what we bought and I presume that is your card number
:20:10. > :20:30.If I was a criminal, I could have raided Janet's bank account.
:20:31. > :20:35.Yeah, that's exactly the same, isn't it?
:20:36. > :20:42.That's the number on the back, isn't it, yeah?
:20:43. > :20:50.How do you think someone might have got hold of this?
:20:51. > :20:52.I don't know, because I do so much shopping online
:20:53. > :20:56.With just a few more details - like Janet's National Insurance
:20:57. > :20:59.number - a hacker could have stolen her whole identity leaving her
:21:00. > :21:05.What has staggered me more than anything is how easy you
:21:06. > :21:11.I mean I've never been burgled or anything, but you're feeling
:21:12. > :21:18.You know, that somebody can access all this
:21:19. > :21:22.private information and it's out there for anybody to use.
:21:23. > :21:24.So, it's not a very nice feeling at all.
:21:25. > :21:27.As soon as we alerted Janet that her card details were for sale,
:21:28. > :21:33.she called her bank and cancelled her card.
:21:34. > :21:35.It is better to know than not know, isn't it?
:21:36. > :21:41.We managed to contact 12 of the 13 cardholders, whose details
:21:42. > :21:49.Ten people confirmed their cards were current.
:21:50. > :22:00.Two had already cancelled their cards because of fraud.
:22:01. > :22:03.You can do a lot to protect yourself in this space.
:22:04. > :22:07.80% of all the frauds we deal with can be prevented.
:22:08. > :22:12.And it's the most basic thing using anti-virus and yet still the bulk
:22:13. > :22:17.Make sure you are using a different password on each
:22:18. > :22:20.Make sure you update your computer,
:22:21. > :22:25.And last, but not least, be a bit of a cynic.
:22:26. > :22:34.For some companies, it's the hackers themselves who can help
:22:35. > :22:39.They invite them to test their systems and can offer rewards
:22:40. > :22:50.Enter Dubai-based hacker Yasser Ali.
:22:51. > :22:54.I have found serious flaws in a lot of big companies,
:22:55. > :22:56.like Paypal, like Ebay, Facebook, Microsoft, Adobe, Sony...
:22:57. > :22:59.Last August, Yasser breached Paypal's web security discovering he
:23:00. > :23:03.could take over customer accounts with one click
:23:04. > :23:09.Instead he told the company about the flaw.
:23:10. > :23:15.They fixed it and he received a $10,000 reward.
:23:16. > :23:18.All the other companies made fixes too.
:23:19. > :23:20.We're setting him our own challenge, which doesn't
:23:21. > :23:32.I've got a selection of big British brand names, and I'd like you to
:23:33. > :23:35.look at their websites for me, please, and carry out a
:23:36. > :23:37.reconnaissance on them and tell me how vulnerable you
:23:38. > :23:47.Once it's a passive reconnaissance then it's OK.
:23:48. > :23:49.Passive reconnaissance is like a burglar working out how to
:23:50. > :23:53.break into a house without actually doing it.
:23:54. > :23:56.And then we can talk after that and let me know what
:23:57. > :24:05.Yasser is what's known as a white hat hacker - using
:24:06. > :24:09.Not as lucrative as crime but it still pays.
:24:10. > :24:16.Apple or Microsoft, all the big names, they have
:24:17. > :24:19.recognised that white hat hackers are sometimes better at finding
:24:20. > :24:25.So, what they've done is it's like the Wild West, they've said
:24:26. > :24:31.It can sometimes be hundreds of thousands of dollars
:24:32. > :24:35.if you alert us to a vulnerability rather than disclose it or sell it
:24:36. > :24:41.We don't suffer the losses, our customers don't
:24:42. > :24:43.suffer the losses and we'll pay you for the privilege.
:24:44. > :24:46.So, you've had a look at those company websites that I
:24:47. > :24:55.Except just one website, they had pretty good security measures.
:24:56. > :25:02.I know you've only done a passive reconnaissance, but can
:25:03. > :25:06.you give a couple of examples of the ways in which they're vulnerable?
:25:07. > :25:09.One of the companies, I could grab a lot of information from the
:25:10. > :25:12.administration panel, like a lot of e-mail addresses, a lot of phone
:25:13. > :25:15.numbers of the employees, which can be used by criminals.
:25:16. > :25:18.It is very easy to find this information and also to exploit
:25:19. > :25:25.Yasser's research is a small snapshot of UK
:25:26. > :25:32.We're not naming names because if he's right it will alert
:25:33. > :25:37.criminals to any potential weaknesses in their websites.
:25:38. > :25:40.What the criminals know as well as the security industry, they know
:25:41. > :25:46.when those vulnerabilities occur and so they go out and look for them.
:25:47. > :25:48.So, if you're one of those who hasn't locked your door properly,
:25:49. > :25:50.there's been a fault in your lock, and they
:25:51. > :25:55.checking your door so, if you haven't corrected it, they will find
:25:56. > :25:58.If a business holding our personal data is hacked, you'd think
:25:59. > :26:04.TalkTalk came clean, but some companies don't.
:26:05. > :26:06.In the UK, only phone and internet providers are legally
:26:07. > :26:18.The legislation is fairly light at the moment.
:26:19. > :26:21.But we could ask the question whether or not
:26:22. > :26:24.the regulations are tight enough about how information should be
:26:25. > :26:30.And I think it's an important question to ask where we see an
:26:31. > :26:32.increasing number of breaches taking place and we therefore know that
:26:33. > :26:35.whatever the standards are they're not actually effective in protecting
:26:36. > :26:38.Following last month's hack on TalkTalk, it says it has
:26:39. > :26:42.significantly increased the level of website protection.
:26:43. > :26:45.Lauri Love, the man accused of hacking the US Government has
:26:46. > :26:56.Me and some friends had a look at TalkTalk and there's probably
:26:57. > :26:58.about three or four different ways you could still hack them today
:26:59. > :27:06.But I don't want to say it's negligence on their part
:27:07. > :27:13.The tide of complexity of computer systems has come in
:27:14. > :27:16.so fast that we haven't realised that we're behind it now.
:27:17. > :27:20.The UK cyber security industry is worth £17 billion.
:27:21. > :27:29.TalkTalk says it is continually reviewing and updating its systems.
:27:30. > :27:32.I discovered at the end of last week I am not one of the 157,000
:27:33. > :27:35.TalkTalk customers whose personal details have been stolen but can I
:27:36. > :27:39.trust TalkTalk to keep my personal details safe in the future?
:27:40. > :27:44.Or for that matter any of the companies I deal with online?
:27:45. > :27:50.Their trust in the internet has been shattered.
:27:51. > :27:55.We're completely bewildered about the whole thing and I don't
:27:56. > :28:02.know now how we're going to cope because we don't believe anybody.
:28:03. > :28:05.Every time you put your data in the hands of an organisation it
:28:06. > :28:09.is a risk, you know, you are taking a gamble doing that.
:28:10. > :28:12.What you've got to hope for is that organisation takes
:28:13. > :28:18.It's a really, really bad situation at the moment,
:28:19. > :28:22.One that's not going to get better until there is a complete change in
:28:23. > :28:28.I don't say that to be alarmist, I say that because it's the truth.
:28:29. > :28:31.Internet security is the responsibility of us all.
:28:32. > :29:04.A responsibility many of us don't yet appear to be taking
:29:05. > :29:08.# These streets are yours You can keep them... #