How Hackers Steal Your ID Panorama

They've got your name and they know where you live.

The rush you get from hacking is quite phenomenal.

I nearly fainted when I saw they'd practically cleared the account out.

As soon as you log in, they've got everything.

Hackers have stolen information from thousands and thousands of us.

Major companies have failed to keep our private data safe.

What's happening now is a big wake-up call.

Tonight on Panorama I'll be finding out just how easy it is for cyber

Every day we hand over sensitive information about ourselves.

I thought I was safe, until I saw this.

A major cyber attack on the broadband

Millions may have had their personal details stolen.

As a TalkTalk customer I could be one of them.

Finding out my personal details could have been stolen - personal

details I trusted them with - is alarming to say the least.

The company says it doesn't yet know how many customers

What I want to know is, what happens when hackers get

TalkTalk now say nearly 157,000 customers had

There have been some big hacks of late targeting big companies -

There's more bad guys than there are good guys, and

the bad guys only to need to find one vulnerability, just one single

This map shows just a fraction of cyber attacks as they happen

Millions of attacks - targetting websites day and night.

A bank robber, why would you walk into a bank with

a sawn-off shotgun taking a big risk, getting a relatively

small haul compared to being able to commit a crime remotely from

another country where you have got very little chance of being caught?

Cyber criminals hide in the shadows, but hackers attack computers

for a variety of reasons and some are willing to talk.

I'm on my way to meet the man who has been accused

by the United States authorities of being one of the most sophisticated

He's acccused of hacking into the US military,

Yeah, so this is the indictments that were issued.

He faces extradition next year, which he will fight.

They should have spent the money and the resources to secure them

if somebody, especially somebody sitting in their

bedroom in a dressing gown, was able to hack all of those things.

The major problem isn't that person, the problem is the US Government.

If someone can breach some of the most secure websites in the world,

how hard must it be for companies like TalkTalk to defend themselves?

They're not special, in the sense that everybody has

Nobody in this business is without the sin of being insecure, of not

having paid sufficient attention and resources to their security.

Lauri says he has been shown the code used to attack TalkTalk.

He says the hackers exploited a vulnerability that's been

Pretty much this TalkTalk hack, they didn't write any software,

they didn't think hard about the problem, they used a tool somebody

else had, they ground away at it and eventually pop goes the weasel.

TalkTalk customers have been hacked three times in less than a year.

The latest hack, last month, was the most damaging.

15,500 TalkTalk customers had their bank account details stolen.

Ma'am, this is Shane Williams from TalkTalk.

The voice of a scammer targeting TalkTalk customer Tamsin Collison.

Her bank details weren't taken, but some

of her customer details were, in the first major hack last December.

Phone call, good afternoon Miss Collinson, this is TalkTalk calling,

Phone call, good afternoon Miss Collison, this is TalkTalk calling,

we understand you have a problem with your broadband connection

Which made sense to Tamsin, because she'd reported a fault to TalkTalk.

The people that were on the telephone knew our name

and our telephone number and that we were TalkTalk customers,

and they said that somebody else had been using our computer.

82-year-old Barbara Manley and her husband, Harold,

also believed they were dealing with a genuine TalkTalk employee

I'd got to know her quite well because she said her name was

Michelle and we'd had quite a chat to her.

It seemed quite feasible that there was something wrong with

They were on the phone to me for about an hour-and-a-half fixing

my computer, showing me all kinds of terrible things.

Both Tamsin and the Manleys were talked

into giving the scammers access to their computer and online banking.

They were tricked into thinking they were getting

a refund from TalkTalk but instead the thieves were raiding their bank

I went to the bank and I nearly fainted when I saw they'd

It was an absolutely horrific moment to discover that I had been mugged,

basically, and that I had sort of said, help yourself.

I'd been complicit in my own mugging.

Tamsin says TalkTalk only confirmed her personal data had been stolen

She says she should have been told much sooner.

I would have been armed and I would have been protected.

I believe that TalkTalk did not protect their customers

TalkTalk say they wrote to customers twice to warn them

of scams following last December's data breach.

They are not to blame for the losses suffered by Tamsin

and the Manleys because the scams would not have been possible without

either of them giving the thieves banking information.

It's as if somebody is outside the house looking through the window.

If they can get us on the computer, how do we know they can't get to our

house. We feel unsafe. If we want to use the internet,

we have to trust companies with I've come to King's Cross Station

in London to meet a group of We're heading up to Edinburgh

to set them a challenge. I have dabbled in writing code

and playing with code and design. But nothing piqued my interest

as much as learning how to hack. I know how to use a computer, these

people know how to take them over. I got kicked out of school,

so when I was at home I just started self teaching myself programming

and then moved up to finding how to make a vulnerability,

how vulnerability works. Hacking is a culture more than

an activity. It doesn't have to be breaking

things it can be creating things The Cyber Academy at

Edinburgh Napier University train We've asked them to set up

an experiment - create the kind of company website

many of us place our trust in So the challenge that we have set

for you we have created So we've got things like credit

card details, passwords. Can the hackers break

into our fictitious website, British Broadband, and steal

its customers' valuable data? How long are you expecting them to

take to get to these databases? We would think in total to find

all the vulnerabilities will The academics had created

a number of vulnerabilities, ways to hack into British Broadband,

but our hackers found one of the easiest routes within

minutes. There is

an admin user here called John. So you have found one

of the user names for the database? So they've done that in

about five minutes. The password took about one second

to crack because it was very basic. Mustafa has already cracked

the password Most passwords are easy to hack

because most of us use similar A few minutes later,

British Broadband's customer details Because it's not surprising

how easy it is. I think it shows how easy it is

sometimes for intruders to get into databases if the credentials

are not protected properly. So they've got access to all

the information on the database, But that's something they're

going to try and do is it? Our hackers have complete control

of the website. With just a few clicks they

take down the entire site. So if that was a real business,

suddenly the customers will all find that if they go to the web page

it's not there anymore. British Broadband's customers

wouldn't be able to use the website, and their names, addresses, phone

numbers and credit card details are Mustafa, how do you feel

about the suspended sentence? I have to go now,

so I can't really talk. In 2013,

Mustafa was given a suspended prison sentence for attacking the Serious

Organised Crime Agency and the CIA. He is now one of the good guys

and currently completing So, how typical was that website

in terms of its defences? A lot of credit card details

are hacked in that way. In the real world it will be much

tougher, and obviously an attack But are there some websites out

there that will be as vulnerable Yeah,

certainly the smaller websites that don't have a security team managing

it 24/7 will typically be weak. In the age of cyber crime,

criminals are waiting to invade Most of us have received

a dodgy e-mail we shouldn't click on,

but what happens if we do? I spend my time digging around in

the cyber criminals' latest pieces of malicious code, figuring out

how they're attacking people, and James Lyne is

an internet security expert Cyber crime is a multi-billion pound

enterprise, creating hacking programmes which can steal

our data on an industrial scale. There were estimated to be nearly

2.5 million internet-related crimes in England and Wales

last year. At the top of the tree you have

a number of people - a number of gangs producing these software

packages that are used for the You have multiple parties selling

competing cyber crime products, We see them do price drops to

acquire more customers. They have commercialised

and professionalised cyber crime to Hundreds of thousands of new pieces

of malware are released every day. We see about 30,000 new

infected websites a day. You land

on a legitimate website that's been attacked that will exploit

your computer and that will silently in the background instal a piece

of code that lets the attackers So as soon as you log into any

of these services, they've got everything,

they own your entire digital life. Anything that might contain links to

financial information will be mine - social media accounts,

store accounts, e-mail accounts. It's funny, people don't think

about e-mail accounts as being valuable, but e-mail accounts

actually unlock a surprising amount And they can also

unlock life savings. In June this year,

Vivian Gabb was completing on the purchase of a house -

which she'd planned as a retirement investment - when she got an e-mail

she thought was from her solicitor. Dear Viv,

we have changed who we bank with. I forgot to inform you

of the changes Our new banking details

are stated below. Kindly transfer the balance

of ?46,703.20 into our new client account,

and then it gives the bank details. It looks totally genuine,

doesn't it? Vivian went ahead and transferred

almost ?47,000 - her life savings. I phoned the solicitors because I

hadn't heard anything and said, "Oh, So that's when everything

started to fall apart. I think at the end of that day, at

the end of that evening, when I was and I felt very vulnerable

and violated. Vivian doesn't know how

she came to be targeted. She still bought the house,

but she had to borrow to replace the stolen money and is now working

seven days a week to pay it off. It just seems that

the criminals are getting better. It just seems like they are always

big steps ahead. These are complex crimes carried

out by criminals who could be Society is struggling with this,

and we're certainly not dealing with it the way we are able to deal with

other types of criminality. There's no doubt about that,

and nobody's trying to deny that, and we're wrestling with how do we

do this differently? Look at the scale

and volume we're dealing with. It is very, very difficult to expect

policing to detect these crimes. What do criminals do with

hacked information? How do they turn it into cash

and get away with it? An anonymous,

underground world of cyber secrets - the perfect blackmarket

for hackers hawking stolen data. James took us

in using a Dark Web browser. People can't see where

you're browsing or where In fact at the moment this

website thinks I'm in Romania. Hacked mobile phone accounts,

subscription TV accounts, All bought

and sold here using Bitcoin, And what you've got here is

a list of various credit cards James searched

for UK credit cards. So we've got a couple here,

haven't we. One from Gloucestershire,

one from Devon there. Am I right

in saying this is just one of Only one of them,

but there several others. Cal Leeming knows all about

using other people's credit cards. He started raiding websites to

steal them aged just 11. The rush that you get

from credit card fraud hacking is Within two years he was running riot

I started ordering very small things and then it got progressively

I ended up buying cars as well in the end, and that got me sent to

At 18, he was sentenced to 15 months for hacking the details

of 13,000 credit card users to buy ?750,000 worth of goods.

I was by no means the best hacker in the world, or the country.

I mean, I may have been the youngest, but not the best.

Cal is now a software engineer and security adviser.

It was the police who saw the potential

Once I was released from prison, the police officer

involved in my case actually got me my two work references

He really helped me change my life around.

Cal might have turned his life around - the trouble is,

he says, business has not turned itself around.

It's easier now to do credit card fraud than it was back in 2001

On the Dark Web, James Lyne bought the credit and debit card details

That's what we bought and I presume that is your card number

If I was a criminal, I could have raided Janet's bank account.

Yeah, that's exactly the same, isn't it?

That's the number on the back, isn't it, yeah?

How do you think someone might have got hold of this?

I don't know, because I do so much shopping online

With just a few more details - like Janet's National Insurance

number - a hacker could have stolen her whole identity leaving her

What has staggered me more than anything is how easy you

I mean I've never been burgled or anything, but you're feeling

You know, that somebody can access all this

private information and it's out there for anybody to use.

So, it's not a very nice feeling at all.

As soon as we alerted Janet that her card details were for sale,

she called her bank and cancelled her card.

It is better to know than not know, isn't it?

We managed to contact 12 of the 13 cardholders, whose details

Ten people confirmed their cards were current.

Two had already cancelled their cards because of fraud.

You can do a lot to protect yourself in this space.

80% of all the frauds we deal with can be prevented.

And it's the most basic thing using anti-virus and yet still the bulk

Make sure you are using a different password on each

Make sure you update your computer,

And last, but not least, be a bit of a cynic.

For some companies, it's the hackers themselves who can help

They invite them to test their systems and can offer rewards

Enter Dubai-based hacker Yasser Ali.

I have found serious flaws in a lot of big companies,

like Paypal, like Ebay, Facebook, Microsoft, Adobe, Sony...

Last August, Yasser breached Paypal's web security discovering he

could take over customer accounts with one click

Instead he told the company about the flaw.

They fixed it and he received a $10,000 reward.

All the other companies made fixes too.

We're setting him our own challenge, which doesn't

I've got a selection of big British brand names, and I'd like you to

look at their websites for me, please, and carry out a

reconnaissance on them and tell me how vulnerable you

Once it's a passive reconnaissance then it's OK.

Passive reconnaissance is like a burglar working out how to

break into a house without actually doing it.

And then we can talk after that and let me know what

Yasser is what's known as a white hat hacker - using

Not as lucrative as crime but it still pays.

Apple or Microsoft, all the big names, they have

recognised that white hat hackers are sometimes better at finding

So, what they've done is it's like the Wild West, they've said

It can sometimes be hundreds of thousands of dollars

if you alert us to a vulnerability rather than disclose it or sell it

We don't suffer the losses, our customers don't

suffer the losses and we'll pay you for the privilege.

So, you've had a look at those company websites that I

Except just one website, they had pretty good security measures.

I know you've only done a passive reconnaissance, but can

you give a couple of examples of the ways in which they're vulnerable?

One of the companies, I could grab a lot of information from the

administration panel, like a lot of e-mail addresses, a lot of phone

numbers of the employees, which can be used by criminals.

It is very easy to find this information and also to exploit

Yasser's research is a small snapshot of UK

We're not naming names because if he's right it will alert

criminals to any potential weaknesses in their websites.

What the criminals know as well as the security industry, they know

when those vulnerabilities occur and so they go out and look for them.

So, if you're one of those who hasn't locked your door properly,

there's been a fault in your lock, and they

checking your door so, if you haven't corrected it, they will find

If a business holding our personal data is hacked, you'd think

TalkTalk came clean, but some companies don't.

In the UK, only phone and internet providers are legally

The legislation is fairly light at the moment.

But we could ask the question whether or not

the regulations are tight enough about how information should be

And I think it's an important question to ask where we see an

increasing number of breaches taking place and we therefore know that

whatever the standards are they're not actually effective in protecting

Following last month's hack on TalkTalk, it says it has

significantly increased the level of website protection.

Lauri Love, the man accused of hacking the US Government has

Me and some friends had a look at TalkTalk and there's probably

about three or four different ways you could still hack them today

But I don't want to say it's negligence on their part

The tide of complexity of computer systems has come in

so fast that we haven't realised that we're behind it now.

The UK cyber security industry is worth ?17 billion.

TalkTalk says it is continually reviewing and updating its systems.

I discovered at the end of last week I am not one of the 157,000

TalkTalk customers whose personal details have been stolen but can I

trust TalkTalk to keep my personal details safe in the future?

Or for that matter any of the companies I deal with online?

Their trust in the internet has been shattered.

We're completely bewildered about the whole thing and I don't

know now how we're going to cope because we don't believe anybody.

Every time you put your data in the hands of an organisation it

is a risk, you know, you are taking a gamble doing that.

What you've got to hope for is that organisation takes

It's a really, really bad situation at the moment,

One that's not going to get better until there is a complete change in

I don't say that to be alarmist, I say that because it's the truth.

Internet security is the responsibility of us all.

A responsibility many of us don't yet appear to be taking

# These streets are yours You can keep them... #