Consumer Action Group Hacked!

Mr_MD

Paul_Varjak wrote: »

Now I will expect the ICO to take action on that. By comparison, your small problem with CAG is just that, tiny.

If you believe that the ICO will act on what you consider a tiny problem, it can't be so tiny. In Fact the ICO are at the bottom of my list of importance as I thought CAG would take positive action. After all it is a tactic they as well as many other sites recommend. However, some at LB felt that I needed encouragement as do you

One problem and a significant one, is that they probably sent the email to active users at the time or there was a traffic issue at the server. You may be right regarding being treated as spam being filtered at my providers site. What's more my old CAG email address was on the safe list, hence receiving the virus emails, in my inbox. However, in saying that I can't find anything from CAG in the server junk files either. Something else to consider, according to a numpty on Legal Beagles CAG has 350,000 registered users and the emails would have been sent in batches and some didn't get done or through.

My issue with CAG is the way they acted or rather lack of action, especially because they should be practicing what they preach. The fact that this has escalated is due to the considerable level over protection of an indefensible problem. Instead of apologising and looking for a solution I was given the brush off. Something that would not be accepted anywhere else, especially by members of CAG, LB and MSE.

There is far too much complacency in relation to hacks and attacks. There are far too many people who say "so what", "fact of life" "Goes with the territory". Because they are only thinking of themselves and not those who are not as computer savvy. There is also a massive streak of hypocrisy by these people who become outraged when something like this happens due to a hack at their local authority, DWP, Bank or NHS. They will bleat and squeal like farmyard animals when it happens. Oh but when the problem is at their door, they act like cowboy traders who have been cornered and every minor criticism is received like they were being poked with a cattle prod. Thing is that CAG has been silent and are letting the misguided supporters do their dirty work on other sites. Behaviour by some that brings those other sites into question. Something CAG would be complaining and campaigning about should it happen on their doorstep


Back to why I am sticking to my guns and will dig in further. How many people out there need help and who are barely computer literate, especially vulnerable ones who have just got to grips with the internet and who need help. They put a lot of trust into sites like this and when they don't live up to the high standards which they hold others, it makes a mockery of what they stand for and do

So even though you felt the need to complain yourself somehow your change in tac seems a tad disingenuous. Like so many bad companies their workers or supporters are closing ranks and it is a sad indictment of what happens when things go wrong

Mr_MD

keyser666 wrote: »

Oh wow, nice card. so I am intellectually challenged now with no concept of your situation, how is that possible when I dont know your situation? How do you kow I am not disabled and do have concept of this?

Just for you I will rephrase my comment, you are wasting your time, do something more constructive

You don't know my situation because you didn't think to ask, you didn't think when you wrote that comment or the following comment. My point your not thinking or reading everything through. Something that many trolls do

keyser666

Mr_MD wrote: »

If you believe that the ICO will act on what you consider a tiny problem, it can't be so tiny. In Fact the ICO are at the bottom of my list of importance as I thought CAG would take positive action. After all it is a tactic they as well as many other sites recommend. However, some at LB felt that I needed encouragement as do you

One problem and a significant one, is that they probably sent the email to active users at the time or there was a traffic issue at the server. You may be right regarding being treated as spam being filtered at my providers site. What's more my old CAG email address was on the safe list, hence receiving the virus emails, in my inbox. However, in saying that I can't find anything from CAG in the server junk files either. Something else to consider, according to a numpty on Legal Beagles CAG has 350,000 registered users and the emails would have been sent in batches and some didn't get done or through.

My issue with CAG is the way they acted or rather lack of action, especially because they should be practicing what they preach. The fact that this has escalated is due to the considerable level over protection of an indefensible problem. Instead of apologising and looking for a solution I was given the brush off. Something that would not be accepted anywhere else, especially by members of CAG, LB and MSE.

There is far too much complacency in relation to hacks and attacks. There are far too many people who say "so what", "fact of life" "Goes with the territory". Because they are only thinking of themselves and not those who are not as computer savvy. There is also a massive streak of hypocrisy by these people who become outraged when something like this happens due to a hack at their local authority, DWP, Bank or NHS. They will bleat and squeal like farmyard animals when it happens. Oh but when the problem is at their door, they act like cowboy traders who have been cornered and every minor criticism is received like they were being poked with a cattle prod. Thing is that CAG has been silent and are letting the misguided supporters do their dirty work on other sites. Behaviour by some that brings those other sites into question. Something CAG would be complaining and campaigning about should it happen on their doorstep


Back to why I am sticking to my guns and will dig in further. How many people out there need help and who are barely computer literate, especially vulnerable ones who have just got to grips with the internet and who need help. They put a lot of trust into sites like this and when they don't live up to the high standards which they hold others, it makes a mockery of what they stand for and do

So even though you felt the need to complain yourself somehow your change in tac seems a tad disingenuous. Like so many bad companies their workers or supporters are closing ranks and it is a sad indictment of what happens when things go wrong

You make a whole heap of assumptions. It was very clear in the moderators response that they have unnapproved your post while it is looked at by the admin team and in the emails they said they were referring it to the sites admin team yet you went on and on. Think they done with it fine.

Dread to think if something like that happened on here, you would no doubt hammer a board guide and then one of the MSE team and then probably doorstep Martin as he left the ITV Studios, all because you received a few emails.

jwruk

OP reminds me of someone who used to post on ADSL guide - used to complain to the MD of whichever ISP he was using that month complaining that he was getting the gazillion gigabit download speed that they advertised, and then used a card whenever someone questioned his posts.

Mr_MD

keyser666 wrote: »

You make a whole heap of assumptions. It was very clear in the moderators response that they have unnapproved your post while it is looked at by the admin team and in the emails they said they were referring it to the sites admin team yet you went on and on. Think they done with it fine.

Dread to think if something like that happened on here, you would no doubt hammer a board guide and then one of the MSE team and then probably doorstep Martin as he left the ITV Studios, all because you received a few emails.

Concise misrepresentation and missing the point entirely. Too focused on the criticism and locking into defence mode rather than even approaching or thinking of a solution to protect those who don't have the ability or knowledge to do it themselves. Has this been a construction thread on how to deal with it? No. CAG made the same mistakes that companies make and were caught on the hop. Were notifications sent and solutions offered to all members, No.


Assumptions regarding pulling the thread, then why hasn't it been pulled from here or LB. Was there a Hack, Yes they had admitted it. Was the thread received and treated poorly? Yes it was. Was the actions and attitude of the moderator conducive with the moral and professional standards to which they hold others. Definitely not. What would they have recommended should a similar situation occur somewhere else. Write a complaint and if you don't get a suitable response, take it to the next level

Your argument has no point or in fact real relevance. Why should CAG, MSE or anyone else be treated differently when something goes wrong. This is a situation when it is the supporters who cause more damage than critic. All 3 sites have shown the exact attitude and behaviour that they would deplore and heavily criticise should it happen elsewhere. Hypocrites or Victims was the question and some members and supporters are making them look like hypocrites when they were a victim of an attack.


Am I playing devil's advocate? yes, Because if one of these overbloated corporate thieves that we all deplore would do far worse with a lot of misguided loyal staff and instead of waving a flag of allegiance they would all be anonymous and be showing the same ferveur as you or worse.

The biggest mistake is how this has gone from a frankly everyday problem and a cautionary issue into a panic riddled, face saving exercise by the wrong people. Farcical it is and I have definitely hit a number of nerves and they are a bunch of keystone cops with uzis stuck on auto. It would be amusing if it were not such a dangerous issue relating to privacy and security.


The most damning thing is the displaying of the denial and defensive mentality which the sites are vehemently opposed

Mr_MD

jwruk wrote: »

OP reminds me of someone who used to post on ADSL guide - used to complain to the MD of whichever ISP he was using that month complaining that he was getting the gazillion gigabit download speed that they advertised, and then used a card whenever someone questioned his posts.

They made a snotty thoughtless comment that was inappropriate. I could have got snotty and reported it as offensive but I didn't.

Now because you can't think of a suitable response, you are throwing it back into the mix. It shows that you too are at a loss of logical argument but your response is far more offensive as it is considered.

By the way wasn't it this site who was at the forefront of misleading ADSL speed advertisements and I bet you were actually one of those who complained

This is what happens on forums when home truths are not welcome. Petty, pathetic and useless comments.

jwruk

Mr_MD wrote: »

They made a snotty thoughtless comment that was inappropriate. I could have got snotty and reported it as offensive but I didn't.

Your tone was (and is) very snotty IMHO.

Mr_MD wrote: »

Now because you can't think of a suitable response, you are throwing it back into the mix. It shows that you too are at a loss of logical argument but your response is far more offensive as it is considered.

I tried a suitable AND logical response but you appear to have chosen to ignore my suggestion of a problem locally or a MITM issue.

Mr_MD wrote: »

By the way wasn't it this site who was at the forefront of misleading ADSL speed advertisements and I bet you were actually one of those who complained

Nope, never had an issue with my ADSL speed thanks. I fully understand what 'up to' indicates and I'm more than satisfied with 10meg on an 'upto' 20meg line.

Mr_MD wrote: »

This is what happens on forums when home truths are not welcome. Petty, pathetic and useless comments.

And this is what happens when an OP objects to home truths, they complain that everyone else is being petty/pathetic/useless.

I'm almost tempted to suggests toys & pram but that would be petty of me.

keyser666

Mr_MD wrote: »

Concise misrepresentation and missing the point entirely. Too focused on the criticism and locking into defence mode rather than even approaching or thinking of a solution to protect those who don't have the ability or knowledge to do it themselves. Has this been a construction thread on how to deal with it? No. CAG made the same mistakes that companies make and were caught on the hop. Were notifications sent and solutions offered to all members, No.


Assumptions regarding pulling the thread, then why hasn't it been pulled from here or LB. Was there a Hack, Yes they had admitted it. Was the thread received and treated poorly? Yes it was. Was the actions and attitude of the moderator conducive with the moral and professional standards to which they hold others. Definitely not. What would they have recommended should a similar situation occur somewhere else. Write a complaint and if you don't get a suitable response, take it to the next level

Your argument has no point or in fact real relevance. Why should CAG, MSE or anyone else be treated differently when something goes wrong. This is a situation when it is the supporters who cause more damage than critic. All 3 sites have shown the exact attitude and behaviour that they would deplore and heavily criticise should it happen elsewhere. Hypocrites or Victims was the question and some members and supporters are making them look like hypocrites when they were a victim of an attack.


Am I playing devil's advocate? yes, Because if one of these overbloated corporate thieves that we all deplore would do far worse with a lot of misguided loyal staff and instead of waving a flag of allegiance they would all be anonymous and be showing the same ferveur as you or worse.

The biggest mistake is how this has gone from a frankly everyday problem and a cautionary issue into a panic riddled, face saving exercise by the wrong people. Farcical it is and I have definitely hit a number of nerves and they are a bunch of keystone cops with uzis stuck on auto. It would be amusing if it were not such a dangerous issue relating to privacy and security.


The most damning thing is the displaying of the denial and defensive mentality which the sites are vehemently opposed

Oh get a grip will you. I work in IT and have done for 20 years and am a enterprise architect, I moderate and admin on several forums, I would hazard a small guess that I am far more qualified than yourself to know what are and are not security breaches.

Now lets dissect what you have said eh?

You have had 4 emails to your unique email address that was only used for CAG. These contained virus'. First and foremost why would you open an attachment from an email whereby you are not expecting said email? There are enough warnings not to do this and anyone with common sense would not do this. Clearly upon opening it you were informed that it was a virus, so your protection worked so what is the issue? You have your safeguards in place and they worked. I assume you are not using a client to access these mails as the extensions normally used for virus' are removed by the client so assume you are probably accessing them via webmail or a CPanel.

CAG were not caught on the hop, the issue was due to a VB vulnerability that not even VB were aware of, so much so they had to rush out a patch when they were made aware, CAG were not the only ones this occurred to. The only information gleaned from the DB was email addresses, nothing else, nothing else was compromised, no passwords nothing, so a relatively small breach IMHO. They have acknowledged this breach and any questions you may have could have been posted on the relative thread they have for it which wa pointed out to you.

The company calling and portraying themselves as Reclaim the Right Ltd are nothing to do with CAG, this is has no bearing, there is nothing to stop any scammer representing themselves as any company, utilities, banks even MSE.

There is no need for people to buy domain names and sub domains just for an email address as this will not prevent spam or phishing emails at all, common sense is key here with reasonable protection for your devices.

Now to your post being unapproved, it has not been yanked as you say. Coniff is a moderator over there and as such would have been told to unapprove posts that require admin input and referred to them. That is simply what they have done as their role as a moderator, nothing more nothing less. They stated you would get a repsonse to your concerns but you wanted to carry on badgering and get all uppity over it. The email timeline is over a serious of a few hours, give them a fricking chance to come back to you and respond to your complaint. Admins are not always on fora, how long would you expect a resolution to a complaint made to say Tesco or a utility company? not 4-5 hours. So why different here? Complaints need to be examined, investigated and resolved, that takes time, something you have not given here.

as for your emails, you have come across totally snotty, and if anything you were rude and offensive. Making unfounded accusations and exacerbating an issue that need not be. Stating that they were making an unsuitable and inflammatory retort is exactly what you were doing and no-one else. You then go on and personally attack them, I suppose this is acceptable though because I remember you are disabled and that excuses you somewhat.

I do hope that you do make a complaint to the ICO because I cannot wait for what their response will be however I dont hold out much hope that you will post that here. Oh by the way the fact your posts remain on here and LB is nothing to do with CAG, totally seperate entities and totally insignificant

Paul_Varjak

Mr_MD wrote: »

If you believe that the ICO will act on what you consider a tiny problem, it can't be so tiny.

You are so wound up you are not thinking properly. Read my post again. I expect the ICO to take action on MY problem as fraudsters now have copies of passports and other valuable documents. The whole operation is a fraud.

CAG is NOT a fraud. It is unfortunate that your email details were stolen but you still have no definitive proof that was from the CAG hack or not. So, it is unwise to get on your high horse with wild accusations that CAG do not care or it was an 'inside job'.

You do seem to have been very unfortunate in that you claim your details have been hacked on several sites. So many sites in fact that I really have to wonder if the problem lies with you rather than the sites you use.

From the LB forum I note you use SIP with call filtering. I use SIP for all my calls - incoming and outgoing and have never had a single marketing call on any of my many SIP numbers even though they are registered on numerous websites. So I have never had to use any filtering whatsoever, even though I can. My landline number only gets such calls once in a blue moon.

If you have the skills, you can actually make SIP work for you and 'unmask' hidden caller IDs. So, if you really need to find who those people are that are calling you, watch Kevin Mitnick on Youtube.

You are really making a mountain out of a molehill. Just make your complaint to the ICO and come back when they give you an answer. I am sure we will all be interested in what they say.

Mr_MD

Paul_Varjak wrote: »

You are so wound up you are not thinking properly. Read my post again. I expect the ICO to take action on MY problem as fraudsters now have copies of passports and other valuable documents. The whole operation is a fraud.

CAG is NOT a fraud. It is unfortunate that your email details were stolen but you still have no definitive proof that was from the CAG hack or not. So, it is unwise to get on your high horse with wild accusations that CAG do not care or it was an 'inside job'.

You do seem to have been very unfortunate in that you claim your details have been hacked on several sites. So many sites in fact that I really have to wonder if the problem lies with you rather than the sites you use.

From the LB forum I note you use SIP with call filtering. I use SIP for all my calls - incoming and outgoing and have never had a single marketing call on any of my many SIP numbers even though they are registered on numerous websites. So I have never had to use any filtering whatsoever, even though I can. My landline number only gets such calls once in a blue moon.

If you have the skills, you can actually make SIP work for you and 'unmask' hidden caller IDs. So, if you really need to find who those people are that are calling you, watch Kevin Mitnick on Youtube.

You are really making a mountain out of a molehill. Just make your complaint to the ICO and come back when they give you an answer. I am sure we will all be interested in what they say.

I never said that CAG was a fraud. I said that they were subject to scammers when they used the same name.

Like you I have over a 200 email addresses which I have issued to specific people. Upon checking only 6 have been leaked or stolen by hacking or someone walking off with a DB after loading it onto their phone, MP3 player or USB key

Let me make it clear yet again on a specific example. I tracked the use of a email address from one company to another. I then investigated a number of key staff who had left that financial institution around the time when the 1st instance happened. I narrowed it down from 5 people to 1 a former marketing manager and every time he moved over a period of a couple of years I received unsolicited emails from those firms.

Another instance was when I received a substantial payment from another financial firm a day later I had a telephone call from a scammer using that unique email address as a contact. They were calling from a Barcelona number and claimed to be a Currency Trading Company based in Switzerland. Due to this specific event I had to take drastic steps from changing bank account numbers and debit cards to telephone numbers all of which that financial institution had on record.

To let you know how much I dislike my details being leaked. A scam firm called me again and again , so I extracted as much info as possible. I got phone numbers and a name and they did the worst thing of all set up a website. They claimed to be a Swedish Firm with US and Swedish registration and placed false credentials on the site, They had numbers in London and Stockholm. So I looked up the Swedish address, it was non existent and I had the Swedish post office email a confirmation. I tracked the site to a Malaysian server, and checked out the domain ownership. It was registered to a German office services address and German prepaid mobile phone. The telephone numbers were SIP ones through a Belgium provider. To do the final check I called the London number and got the guy on the phone, I cut the call short and said I would phone back. I did straight away but on the Swedish number. Guess who answered! I confronted them with what I had and told them not to call again. I then sent all the info to the COLP and FSA using a specially set up free email address. Within a week a warning was issued on the FSA site. Now this is the interesting thing. That email address only gets emails from financial scammers.

My Paypal email address was leaked and when I contacted PayPal they admitted that it had erroneously been given to a "Partner" and they apologised.

The rest were subjects of hacks or internal issues, either way they were at fault because I only found out when I received dodgy and spam emails instead of them contacting me. However when they were contacted I got an instant apology without argument or abject stupidity.

If my white list had been got at all of my email addresses would have been hit. If it were a MITM problem over 80% would have been hit. Only 6 in 5 years have had problems so it isn't at my end All have been proven or have stuck their hands up except for CAG

The difference with CAG is that they acted badly to a complaint. I sent a message to them and got no reply at which point I made the post and they still haven't replied. All they have done is to stop me from gaining access to my profile to take off personal info and you think I am being unreasonable?

In relation to my phone system, I have ID and instant blacklist facility and at one point had a scammer redirect with a suitable welcoming loop message which was funny at first until a hospital called. Now I bar anonymous calls and for some reason some official offices use anonymous numbers. However, scammers are using SIP generated numbers and when you trace them they are from a non UK provider. Now they are moving legit call centres with proper numbers to get through. It really pees me off when you hear the phrase, you called us 6 months ago. But the problem with the telephone number is that you have one or 2, you can't give everyone a different number. The thing with SIP is it depends how the call arrives at the server and if it is routed through BT landline you can't uncover the anonymous number.

Of course I am annoyed about this and I admit that some toys have been thrown and I'm not the only one. I have spent a lot of money to minimise risks, but you are forgetting those who don't have a clue with expired security software and are absolute novices on the internet. These novices and technophobes who may have a Amazon account and have missed a DHL delivery and open these emails by mistake.

Hacks do happen and staff do nick or lose data on USB keys in car parks (DWP Atos). The hack is is an inconvenience for all but it's how companies handle this and any criticism that follows will reveal their true character and integrity and in this case the extent of their hypocrisy.

CAG , specifically Marc Gander has admitted on their site that they were hacked and if you read what Conniff stated, their email address was hit too. There is your definitive proof of the hack but you failed to notice it.


CAG have royally screwed up on this, especially the way in which that have treated the access to my account without any communication, that's why I feel that sticking up for them is a TAD misguided and I will stick to my guns.

It seems that for some reason you are doubting beyond reason and I could say that your troubles were brought upon yourself due to your own negligence so suck it up but I have to take your word for it. I for one always put a watermark with the relative authority or companies name across the copy. I always hold my breath when giving it out and send it by recorded delivery with a request to destroy and confirmation after use. Even then you can never be sure.

One more tale of caution when it comes to how your ID is used. I know someone who sends money to family by Western Union. They were hit twice with an already collected response when it was to be picked up. Thing is the recipient office had a scam going on between 2 outlets. When the person went in to collect, The agent would take the documents, including Passport and out back. They called the other outlet with the details of the transfer and the passport number. The person at the other end entered in the system and pocketed the money. They would then go back to the person the money was for, hand back the passport and info and say that it hadn't arrived or the number was wrong. Off they would go to check the details and when they came back they were told it has already been collected, on the other side of the country.

In this case Western Union acted quickly and handed over the cash after a short investigation. I have to add this was not in the UK