TalkTalk has refused to delete a former customer's email address which was taken over by spammers – because the unfortunate person cancelled their contract eight years ago.
The customer, Joanne, was contacted by her friends after they started receiving spam from an old email address of hers. After digging out the account details, she found that she was able to log in – suggesting that her password had been brute-forced by the spammers.
While she was able to log in, the webmail interface provided by TalkTalk did not allow her to change her password. To do that, the user has to log in to the separate TalkTalk account portal, which is not possible unless you are a current customer.
A Reg-reading friend of Joanne's, Daniel Gibbs, then had a look at her account. He told us that once the spammers had cracked the account password and harvested the contents of the address book, they began "sending out emails to the harvested email addresses – in this case the emails look more genuine than usual as the emails contain the subject line from a previous conversation. The emails contain a URL disguised as a hyperlink to a .pdf or .img file".
In emails seen by The Register, TalkTalk refused to take any action unless Joanne posted two separate proofs of her identity to TalkTalk's Salford HQ.
"Unfortunately we can not act on your query as you no longer have an account with TalkTalk," a customer service advisor said in an email to her. "Please contact your services provider so that they will help to investigate on your issue or request for a IT to look into this issue to come up with a resolution." [sic]
Gibbs commented: "Personally I would not be prepared to send two forms of ID to a company which has no current formal relationship or contract with me, and additionally has a track record of being catastrophically inept in protecting the data of its customers."
The Register has passed full details of Joanne's case to TalkTalk. The ISP acknowledged receipt but has not yet sent us a statement about why it refused to delete her account when she asked them to. Nor has it explained why a customer account that had been inactive for eight years wasn't deleted after the customer walked away.
Gaining access to a legitimate email account is a valued thing for spammers, and sending attachments to recent email conversations is one convincing method of getting past anti-phishing awareness training ("Do you know this sender? Have you interacted with them before?"). In this case it was pure luck that Joanne's account had been inactive for eight years and that recipients of the booby-trapped attachments knew instantly something was amiss.
The standard advice is never to open unsolicited attachments unless you know the sender and are expecting their email. Verifying that someone really has just sent you a file titled compromising-pics-of-the-boss.pdf takes mere seconds in this day and age.
If I read that correctly she wasn't prepared to prove her identity and wonders why TalkTalk won't cancel an email address? As do those intrepid "reporters" at The Register it seems. Yawn.
@ferguson As usual another unhelpful comment from you.
She is not the only one.
No, email scams are hardly new. But she must be the only one who expects an email address shut down without proof of identity. You tell me how that is helpful?
TalkTalk contacted The Register five hours after this article was published. A spokesperson said: "We are sorry for any inconvenience Ms Thompson experienced whilst her old TalkTalk email address was still active. The email address has now been deleted." Hurrah!
If you have a problem with the way The Register reports things then I suggest you get in contact with their editor.
And they did this without verifying the individual's identity? "Hurrah" would be the last thing that came to mind.
But you carry on disrupting and trolling and I will carry on calling you out.
What's so funny? A non-story about a non-event which was ultimately resolved, but could have been done so much quicker had the individual co-operated initially? There are cases like this sorted on these forums every day. But thanks for sharing in your unceasing quest to help others and demonstrating yet again how utterly disingenuous your signature is.
Quote:- What's so funny?
This, Quote:- But you carry on disrupting and trolling and I will carry on calling you out.
So any reply to you is disrupting and trolling then?
You need to look at and give some thought to what you are going to post before doing so.
Quote:- A non-story about a non-event which was ultimately resolved,
How can it be a non-story/non-event when it actually happened and TalkTalk admit it?
Only ultimately resolved with the intervention of The Register.
dishonest, deceitful, underhand, underhanded, duplicitous, double-dealing, two-faced, dissembling, insincere, false, lying, untruthful, mendacious;
not candid, not frank, not entirely truthful;
artful, cunning, crafty, wily, sly, sneaky, tricky, scheming, calculating, designing, devious, unscrupulous;
humorous: economical with the truth, terminologically inexact;
rare: false-hearted, double-faced, truthless, unveracious
So, in your use of the word disingenuous, describes the words as quoted from the Community Do’s and Don’ts then.