Slashdot Mirror
Experian, Ford, and Identity Theft
corebreech writes "The mighty New York Times (I think they might want you to register) is reporting that hackers posing as Ford employees have managed to pilfer some 13,000 credit reports (Quality is Job 1.) Supposedly the info isn't restricted to merely credit card numbers, but rather includes such delectable delights as address, SSN, bank account info and creditworthiness. Glad I take the subway." The original story was from the Boston Globe.
No need to give them your email address!
In the land of the great lawsuit, which is America at the turn of the millenium, I'd be more than happy to have Ford leak my info. In a flash I'd have a family member sell of my identity to someone (or have a good friend assume my identity) and rock my credit record for all it's worth.
Then I'd just sue Ford for lossing my info. They've already admited to doing it, so there's pretty much no burden of proof. Corporate neglegence should be pretty easy to prove.
That sound you hear is lawyers sharpening their claws.
www.ftc.gov/bcp/conline/pubs/credit/fcra.htm here's an FTC FAQ on credit reports.
Experian , Transunion and Equifax are the big 3 for reports.
From the original Boston Globe story (couldn't be bothered to register at NYT) :
Van Leeuwen of Ford said he thought the company had done everything it could to help the individuals affected by the security breach, and didn't plan to offer them any financial assistance.
Surely Ford have broken some law here ? In the U.K. there is something called the Data Protection Act, c'mon the U.S. has got to have some equivalent legislation.. They're not blaming it on hackers, they admit they don't know how the access code or whatever was taken !
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
Read the article again. They didn't just steal the personal financial information of Ford owners.
They just pretended to be Ford so that they could access the credit reports of thousands of people. Subway-riders included.
The group that handles most of the credit processing for Ford Motor Company is The Associates. At least it was a few years ago. They were recently purchased by Citigroup. They also do home loans etc, and incidentally, are having some controversy regarding discrimination in loan practices (redlining). At any rate, security there was never what it should have been. There were quite a few systems around the various building where anyone could just walk up and access that kind of information. You could cross-reference by address also, or last name. What was worse, you didn't need a password, because it was embedded in the software. Some of my co-workers would occasionally run reports for their family and friends. All in all, I can't say I'm too surprised by this.
-- -- Warning. Do not stare directly at the sun.
Sig: What Happened To The Censorware Project (censorware.org)
I'm sure that if there was a national ID card system they would have been caught immediately.
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
It seems to make sense (well, to me at least) that the corporations charged with the information of your identity should be forced to have this identity insurance. Sure people could get it, so if they gave up their identities by accident (people going through their trash) they would be covered.
However, corporations like Ford saying "oops, sorry! but i'm not paying for our mistake" is unacceptable. They should be required by law to have identity theft insurance, and reimburse those who's identity has been stolen through the identity insurance.
Ford Really Sucks
These credit bureaus have too much centralized data on citizens. They are a one stop shop for crooks, be they crackers or whatever.
Curb CO2 emissions: Kill yourself today!
Blaming Ford is like being accused of murder when somebody steals your credit card, buys a gun with it and kills somebody else.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
This is exactly why I hate the way so many companies require you give them so much personal info. I can understand why a car dealer would need it, but what about Blockbuster who wants you to give your SSN to some pimple faced teenager behind the counter. I don't think so.
Sigs are out of style, so I'm not going to use one...oh wait..
While the "crackers" (who did nothing more than use a leaked password), should be held accountable, so should FORD and its executives
I hope each and every victim files a separate multi-million dollar lawsuit. I'd bet that juries would be very sympathetic to these cases.
--
Ask the Ya-Hoot Oracle Anything!
It used to be:
Found On Roadside, Dead
Now I guess it has to be:
Fumble Our Records, Daily
Freak Out, Records Damaged!
Find Our Reports, Dammit!
Faked Our Reliability Data
Ah well. Never reply when hungover.
AMCGLTD.COM. Where cats, science fictio
You might want to start with the fact that it took these guys 10 months just to figure out they had a problem and another 2 months to get around to telling anybody about it. Then you might go on to point out that anybody who lets anyone automatically deduct money from their credit account needs to have their head examined. And you might conclude with a suggestion that companies that put their customers at risk shouldn't have to be sued by those customers to receive satisfaction. They should automatically be held responsible for their lapses.
This all comes down to something I've been painfully aware of for most of my life, though it doesn't seem to be terribly obvious to those who need to recognize it. Which is the very essence of the problem itself: The guys at the top don't know what's going on at the bottom. They have their little meetings where they talk to the guys just under them in the corporate hierachy who in turn have had their little meetings with the folks under them and so on and so forth until you get to the bottom where the first line supervisors are more concerned with protecting their own butts than communicating anything of importance to their own supervisors. The former head of the company where I work once called this an "inversion layer," implying that there was some particular point where communications break down. This is how it looks, but it's not how it is. The lack of communications results from the fact that each individual level of organization in a company is not totally transparent to the level above it. It is simply the accumulation of many layers of less than complete transparency that results in the appearance of this mythical inversion layer. The real problem is too many levels of management and more precisely the whole multi-layered managerial system itself, where the guys at the top really don't won't to "dirty their hands" looking at anything more than one level below them. Not only is it impossible for them to know what's happening using the current organizational model, they don't really want to do anything that would allow them to know.
If they did know, they would have to take responsibility. And nobody sitting behind an expensive desk making obscene amounts of money for having little meetings about his "vision" of the future wants to have to worry about being responsible.
Hic iacet Arthurus, rex quondam rexque futurus.
"Oh, and one last thing - never give anyone your social security number. Or your mother's maiden name
"
Are they not necessary to open a bank account in america? or to get a credit card? or a hotel room or a train ticket? or to file a tax return on the internet?
I can't wait to see the governments' look of surprise when people start using cash again for serious things. "Airline ticket by cash? Right, bodily-search for you, boy. We'll not have anyone who doesn't trust the Credit Corporation"
Text of Article below, for those without accounts:
Hackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports -- a virtual one-stop shop for fraud and identity theft -- with data on consumers in affluent neighborhoods across the country.
The company said in a letter to the victims that computer intruders used an authorization code from Ford Credit to get the credit reports from Experian, one of three major reporting agencies.
Advertisement
"I've never seen anything of this size," a spokesman for Experian, Donald Girard, said. "Privacy is the hallmark of our business. We're extraordinarily concerned about the privacy issue here, and the trust factor."
The inquiries gave the intruders access to each victim's personal and financial information, including address, Social Security number, bank and credit card accounts and ratings of creditworthiness, which can be used to identify the best targets.
"This is not just a credit card number; this is the whole kazoo," said Richard Power, the editorial director for the Computer Security Institute, an industry trade group. A criminal could use the data to make credit card charges or even open bank and credit card accounts in the victim's name.
Thefts of credit records, Mr. Power said, are far more common than is reported. "The unique thing about this one," he said, "is that it has surfaced." The theft was first reported yesterday by The Boston Globe and The Detroit News.
Statistics on identity theft are hard to come by, with estimates ranging as high as 700,000 cases a year. Betsy Broder, the assistant director for planning and information of the Federal Trade Commission, said the commission received 86,000 complaints of identity theft last year.
Representatives of Ford Credit said they did not know how the hackers acquired the code, which was used by the company's office in Grand Rapids, Mich. The intruders focused on addresses in affluent neighborhoods, often in numeric sequence, said Rich Van Leeuwen, executive vice president at Ford Credit.
The company said it had sent letters via certified mail to all 13,000 people, urging them to contact Experian and the two other credit reporting giants, Equifax and TransUnion, and to report any evidence of abuse to the F.B.I.
The company has also worked with Experian to set up a phone line to let victims get their credit reports and help them resolve discrepancies.
Neither Ford Credit nor Experian has determined how many people have reported fraudulent charges or other problems. Mr. Girard said that Experian had received 2,700 calls since the letters started going out this month. Although the unauthorized inquiries began in April 2001, Ford first heard about the problem in February, Mr. Van Leeuwen said. Only 400 of the 13,000 victims were customers of Ford Credit, he said.
Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said that she could not comment, except to say, "We're on the case."
Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."
Mother's maiden names are similarly public records. In practice they have been harder to track down in the past, but wiht various records including those of the Mormon church coming on-line that information is not fully accessible as well. See first paragraph for implications.
sPh
Look mate, if anybody is victimized here it's those 13000 er! customers while you guys obviously didn't protect their data adequately.
No need to thank me
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
As a result. these script kiddies^w^w^w Ford was able to get identity theft kits on a truckload of (mostly) rich people just based on their home addresses.
If anything is going to put a big "oomph" behind online privacy initiatives in the states, I think that this may be it.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I don't think that Ford did anything illegal. If anybody did anything illegal it would be the credit reporting companies that allow any company or group with enough money to generate identity theft kits with just a victim^w customer's home address.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Repeat after me: this is not hacking.
Repeat after me: this is not hacking.
Repeat after me: this is not hacking.
This kind of activity is cracking, theft, robbery, a crime; but it is most definitely not hacking.
Looks like although quality is job 1, Security is job 3.74rc3 :)
Seriously though a big company has more to worry about from people you thought were employees than from any computer system breach.
Social Security Numbers are public records. They are not, and never were intended to be, secret.
What they may have been intended for, and what innumerable private companies use them for, may not be the same thing.
SSNs seem to be the stock in trade as unique IDs. I know my old bank's automated phone service would ID you with a) your account number (found on any check you've every given out), your SSN, and a private pin which defaulted to the last four of your SSN. With that you could do just about anything, including transfer funds.
Did I mention that is was my OLD bank. 8) It also took them about a year and a half to catch on that someone else was writing and signing my checks, but that's wandering off topic. (It was my wife, so I knew about it, otherwise I would of caught it.)
Because it's a ready made unique identifier, that people will most likely remember, businesses love to use it. I think that you don't have to give it our if it doesn't involves taxes (like interest bearing accounts, jobs, etc), but that doesn't stop companies from asking you - you need to police it, they will try and get away with as much as they can.
It seems pitifully simple to steal an identity today.
=Blue (23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
ANYONE can get a credit report on anyone else. you just have to pay for it... Credit reporting companies are not secure by any means and their database is regulary full of gross inaccuracies. On average your credit report is only 50% accurate.. this is figured from across the board and figured by the number of errors on people's credit reports.
It blows my mind that any company would take a credit report as anything but mild information that is suspect. It is really easy to wipe your credit report clean, and to seed it with "good credit reporting"... hell there are companies that will for $9.95 a month post a good payment history every month to your credit report (They report that they lent you $1000.00 and you are paying it on time and are a perfect client.... after 6 months pay them $19.95 to close the account and they report you paid it off and you are A+)
Credit reports are wildly inaccurate.. other than the SSN (of which I have 2 credit reports I found out.. they mis-typed my SSN once and attached it to my Drivers License number.. Again that entire credit history was deleted because the SSN was not mine.)
Do not look at laser with remaining good eye.
I was the victim of ID theft. You do not want this to happen to you. Ever. It involves filing police reports, calling every company that showed up on your credit reports and providing all kinds of info to their fraud departments. It took me over a year and a half of phone calls, faxes and emails to straighten everything out. I'm still getting calls from creditors about unpaid credit cards and such that clearly aren't mine.
I think it's obvious that if the only thing between theives and your identity is your mom's maiden name, your address, and your SS number, that it's been made pretty freakin' easy for them.(Granted it's not quite that simple, but it's damn close)
One thing that struck me throughout the entire process of cleaning up my credit reports was that I was doing the cleaning up. Here are 3 companies that basically control whether you can ever buy a house, and when they screw up and allow someone to assume your identity using their services, it's the victim that's left picking up the pieces.
Call this telephone number. This number is maintained by the three credit reporting agencies and it allows you to "opt-out" of certain marketing games; basically, this means the three credit reporting agencies will no longer be allowed to give your credit report to marketers, but only to people with whom you actually have business.
Ford is a legitimate business; if you don't "opt-out," they can get a credit report on you. I opted out and I've never done business with Ford, so this story doesn't affect me.
Another nice thing about using this number to "opt-out": I no longer receive any junk mail. No more pre-approved credit cards, no more free offers, no more anything. I now look forward to checking my mail every day, as it only contains only bills and personal correspondence. I also say "put me on your do-not-call list" to telemarketers and I don't watch TV, so live in an almost completely ad-free world. It's a very nice world and I invite you in.
"A criminal could use the data to ... open bank ... accounts in the victim's name."
:-)
Really? So, if I could find the account with my name on it, I could close it out and take the cash? Sounds like an item for News of the Weird's Least Competent Criminals category.
This is negligence in Fords part and they should be held accounatble. They should pay ALL legal fees to clear up this mess. What has ever happened to resposibility?
But then again I hate Ford due to past experiance with a LEMON...the AREOSTAR. What a peice of sh1t. The first year the van spent 6 months at the dealership due to transmission and engine problems. Did they take responsibility? No!
Yes the second part is a little offtopic but the attitude of the company is on topic. They refuse to take responsibility. Why do we accept this? Because legally it would cost too much to fight back and I think that is what is wrong with our society today.
/END OF RANT
DRM? No thanks, I'll just get it somewhere else...
I'm on a planet where even trolls are given the benefit of doubt. Give the benefit of doubt to the place with which you do business by at least *trying* to get around the requirement of the SSN. You'd be surprised at how willing people are to use some other identifier (most places take driver's license number).
My standard script:
"I'd rather not provide my SSN, I have deeep, personal beliefs against doing so. I'd be happy to provide alternate identification, such as my driver's license or my passport."
Sometimes this works, sometimes this does not.
If it does not work, ask to speak to the supervisor. Repeat spiel.
If you are calm and considerate and polite, they're not going to refuse you. Don't fill out the part that asks for your SSN, or make a big mark through it, or put it "REFUSED". This works. Really.
Tell me about it. I've had crap from Experian too.
What really sucks is some of the algorithms they use to determine your credit references. This includes the credit references of people who live / lived in the same house as you - even flat mates who you hardly knew - even flat mates who _moved in after you moved out_.
I don't know whether it's commendable or not, but they actually named the people who'd lived at the addresses I'd lived at in my copy of my credit report. Weird.
So, yeah, credit reference agencies suck. They are the bad guys. I've never defaulted on a payment in my life, and I got turned down for credit cards because I'd lived at the same address as people with debts. It's just weird.
-----
Give me a brake!!!! It IS FORDS responsibility!!! This has gone on for over a year before they found out. Do the passwords not change on a regular basis? If not then this will ahppen again and both these companies should be held responsible.
Class action anyone?
DRM? No thanks, I'll just get it somewhere else...
Wow. So some crackers got information that any normal business/corporation can already get about consumers. Credit reports.
Why does the editor lump credit reports with credit card numbers? Not the same thing.
This is not some crackers who broke into ford and stole customer data!
It is some guys who posed as ford employees in order to get credit reports from the nation's largest credit bureau. (Hint: Many, many businesses can get this information).
OH NO! Some kids got the same info your bank, car company, and just about any other place can get about you! Heaven forbid!
Hello! That's the kind of info credit bureaus keep and hand out to the highest bidder. It's not like these kids ripped you off.
It's also not like your SSN is a private, secret number. Anyone who treats it as such is being dumb.
Back Story: I am the IT administrator for a midwestern dealership that sells German luxury cars. I am the first person at this dealership to be a dedicated IT person, and I've only been here for a few months. Approximately 20% of dealers nationwide have dedicated IT staff, and even then, it's usually the multi-location/multi-franchise operations, with one IT admin spread across an entire metro area. This isn't overly significant, until you realize that the average level of technological competence at the dealer level is just barely above room temperature. A handful of companies, such as ADP, EDS, Reynolds & Reynolds, and UCS, have figured out how to exploit this particular niche market.
Dealer Management Systems are BIG bucks. What you do is you put together a package of desktop systems (originally, green-screen dumb terminals, but more recently, PCs), a server (Usually Unix-based - Reynolds & Reynolds uses Irix on their older systems and Linux on their newer ones), software that does soup to nuts, and a network to tie the whole thing together. They sell this to a dealership, and then lock them into a support and maintenance contract. Changes, updates, etcetera all cost large sums of money (we spent 6 figures with our vendor last year). They'll also sell you preprinted forms and everything that work with their software - checks, service orders, coupons, you name it.
Experian is pushing the ASP model, because it means that a dealer doesn't have to worry about a server in a closet, swapping backup tapes, and so forth. As part of the hook, Experian is promoting its vast mine of data as a major benefit. As one of the Big Three credit bureaus, they have detailed financial, credit, and personal data on jsut about everyone in the country. They also have a database of (according to them) 335 million vehicles. This is great for doing history checks and such, but it can get very scary very quickly.
Picture this. You want to find out who lives within 15 miles of your dealership and makes enough money to afford your luxury automobiles (when it's luxury, it's more than just a car, it's an automobile). "No problem", says Experian, "we've got all that right here!". They can also tell you if they're credit-worthy, what they drive, and which of your competitors they bought their current vehicle from, and what it's worth as a trade-in. It goes downhill from there. None of the other companies operating credit bureaus have a division catering directly to the automotive business like this.
Let's face it, your personal data isn't personal anymore, it's an asset, and it belongs to companies like Experian.
I had my wallet with my life in it stolen about 7 months ago.. my health insurance company is brilliant enough to assign us ID's that are our social security numbers.. I was so paranoid about identity theft, but after talking to a lot of people, I found it's very easy to make it much more difficult for someone to steal your identity. The best thing to do is call all the major credit beareaus, such as Experian, Equifax and there are a few others, and tell them to "red flag" your account. When you "red flag" your account, then any place opening a new account that effects your credit will have to speak personally with you and verify that your account is flagged for whatever reason you specified when you flagged the account. Since I did this, I have received 3 phone calls from major credit card companies asking me to verify my recent credit card application. I don't think this will totally protect you, but it will definatley make it much harder for someone to steal your life.
-- pX
Besides, nobody takes trains anymore...the rail system is pretty much only used for cargo. (Amtrak discontinued service here years ago.)
20 January 2017: the End of an Error.
Is it me, or are people too lazy to put in a bunch of fake info to register? I mean, coming up with a fake name & a fake address is not *that* hard. Plus, it helps point out the folly of asking for so much personal info anyway.
% ftp reports.experian.com
Connected to ilovedancing.org.
220 ProFTPD 1.2.0rc3 Server (ProFTPD Default Installation) [reports.experian.com]
User (reports.experian.com:(none)): ford
331 Password required for ford.
Password: 12345
230 User ford logged in.
ftp> prompt
Interactive mode Off.
ftp> mget *
Don't pass that around!
"You have the option of insanity. I do not. And that makes me crazy!" - Brian to Angela, My So-Called Life
I was also a victim of identity theft. Someone with the same first and last names as me, living in another state, began forwarding my home mail to his address. Then he began contacting my online brokerage directly and changing my account address to HIS address! I immediately changed my address information back, but he changed it again.. EIGHT TIMES! My online brokerage did not care. The postal inspector in my state did not care. The postal inspector in his state did not care. The local police in my state did not care. The local police in his state did not care. The FBI did not care. He was committing inter-state mail fraud, threatening my brokerage accounts, and repeatedly giving us his REAL HOME ADDRESS but still no law enforcement agency cared. The postal inspector in my state even had his handwriting and fingerprints on the change-of-address postcard he mailed, but the postal inspector did not care.
One year later, he tried to apply for credit card using my SSN. Because I had put a warning on my credit report accounts (at my hassle and cost), the credit card company called to warn me. Finally, the police were interested. They nabbed him the next day. After not showing up in court once, he eventually was sentenced to three months in jail. I later found hundreds of dollars of HIS debts on my credit report. I called the police again, but they did not care. They said that since he already spent three months in jail, he has done his time. Nevermind that he went to jail for the credit card fraud, a separate instance of a different crime!
After these two stressful years, this "gub'mint-fearing liberal hippy" has lost any shadow of confidence that our impotent law enforcement can protect the innocent from the criminal. Or that they even care to try.
cpeterso
I filled this out last summer. Not only does it cut down the junk mail and telemarketing calls (I've had three calls since August, and can check my mailbox for bills once a week), but the reporting agency letters request that many casual inquiry requests not be honored.
If you request your credit report, you can deny access to specific companies (I banned Providian many years ago).
What part of "gestalt" don't you understand?
Yes, I am my own "asshole modgeek".