100,000 More Social Security Numbers Exposed
ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."
These guys (and everybody who violates the privacy laws like them) should be required to pay for in-depth fraud monitoring and credit report monitoring. If you are going to warehouse our data, especially without our knowledge, then you should pay for your own screwups.
Visit Jonesblog and say hello.
Man, I hope Jon Stewart's wasn't in there!
Oh wait...
The coolest voice ever.
Don't put it on the web unless you can secure it. Period
Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw", or does it mean "we were sloppy"?
-Charles
Learning HOW to think is more important than learning WHAT to think.
That they weren't even willing to listen when someone pointed this out to them is appalling.
I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.
Lost at C:>. Found at C.
With guardians like this, pretty soon the whole XXX-XX-XXXX range will be p0wn3d!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Usually financial companies like this feel it's a waste to pay a good experienced sysadmin to keep their shit secure. It's only recently that all companies have started adopting IT as part of their business model.
------ The best brain training is now totally free : )
You know, the more of this I see, the more annoyed I become.
We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.
Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.
Seriously... are we burying our heads in the sand and attacking the wrong thing here?
--AC
I hate to say it, but I think it's time the Government steps in. This sort of thing simply cannot be allowed to continue. These data warehousing companies must be held to account.
____
~ |rip/\/\aster /\/\onkey
omg, this is getting bad... now salaries are out there...
"begin humiliation sequence..."
An upside to being unemployed.
Religion is a gateway psychosis. -- Dave Foley
What is it with corporations today? When a customer points out that you are making a horrible mistake there is only one option.
Acknowledge it, say that you're sorry, and fix it!
Everyone makes mistakes - the question is what you do to make things right.
"Nah, let's insult the customer, ignore them, and hope that problem will just go away. Surely no-one else will ever notice."
"Hey - what's that lawyer doing here?"
Three Squirrels
just by going thru your trashcan. By the way, you really should ask for a raise.
Rocky Raccoon.
p.s., please stop dumping the bathroom trash can in with the kitchen's. Thanks.
324-12-1125
You wally, when you posted this your username was exposed!
I guess it's a good thing that I can get free credit reports from each of the nationwide consumer credit reporting companies starting March 1st.
These companies should be held accountable for their gross negligence.
"No system in the world is 100 percent secure from a sophisticated and determined hacker"
I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.
I think they are lucky to not have been visited by some real "sophisticated hackers"...
Sinepaw.org: Grape Winos
This is exactly why it's mandatory for universities to change their systems to use a separate school ID and not the SSN.
fuvoo: watch something
Looks like social security is really in trouble. Let's rename SSN to Social Insecurity Number (SIN).
These guys should be fined to Hell for that. If the government lets this go without any punishment, it will just keep happening.
All I can say is thank God that I've been unemployed since the dot-com crash!
FP
There is a more in-depth article about this at the Boston Globe.
First ChoicePoint now this? How long until a major government database like one from the IRS gets hacked and information on almost every US citizen is available? Scary thought.
- Cary
--Fairfax Underground: Where Fairfax County comes out to play
Does PayMaxx do business in California? If so, it too may be subject to criminal liability for failing to protect individuals' information.
sulli
RTFJ.
Anyone else think that Slashdot is starting to look like the 'News' section from the Uplink game..?
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Get your free MacMini
(just to freak out the Christians of course)
when you can just unplug the darn thing?
--
sig not ready
Abort, Retry, Fail
All credit applications should require a fingerprint or retinal scan observed by a qualified individual.
You can still steal my identity, but if you have to use one of my fingers or eyes chances are I'll know about it.
These companies don't get paid to be secure, and in the related Choicepoint case, Choicepoint only makes money by selling your data.
:-)
The more people they sell to, the more money they make.
In this case, keeping your data secure costs money, so it just doesn't pay.
Oh, you think they should care about you? For a price, maybe they will...
There is not nearly enough love in the world, but there is far too much trust.
To the maxxxxxxxxxxxxxxxxxxxx!
I'm thinking that it's time to write to my state and federal congressmen to get California's Security Breach Information Act (S.B. 1386) amended into state or national law. That way when this shit happens I can find out if any of my info is at risk.
When will these idiot companies start taking security seriously instead of being idiots about it? Time to take a page out of the "If I were an Evil Overlord List": One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation. and My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords. Source
On a side note, all this stuff just keeps reminding me about the No Networked Systems requirement in BattleStar Galactica.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Do you think it's bad that PayMaxx shows people's personal information on the web? Of course it is. But how about if you get it legally from the IRS instead?
Have fun: Join D.N.A. (National Dyslexics Association)
and it's been more than four years of constant and unending failures, that just keep getting bigger and bigger and bigger.
Next they'll tattoo us with barcodes and require we use fingerprints to buy coffee - oh, wait, they already DO!
Dang, when will this failed regime END!?!
-- Tigger warning: This post may contain tiggers! --
Who thinks the first call was to the lawyers and not to the programmers?
I'm not a Troll, it's reverse psychology.
From the article:
"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com
And...
Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.
Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.
Sophisticated and determined my ass!!
Weaselmancer
ridiculous.
Remember how cool those collapsing credit card company buildings looked at the end of Fight Club? Well, the personal info copyright violators have flipped the script on us. They're profiting mightily, while trashing our identities. Time to fight the power.
--
make install -not war
The moment you decide to require ALL of those things to be validated some dumbass will put them all in a database record side by side unencrypted with no password protection. The end user will be forced to endure more hoop jumping but the sum total of added security would be quickly nullified by the morons of the IT world. It only takes one village idiot to ruin things.
Build it, Drive it, Improve it! Hybridz.org
Why not just create a national id that is not sensitive?
Everyone is just piggybacking off of the social security administration.
At least they could have created a password to use with your SSN, so no one else can use it without the password instead of just knowing it.
If you check back on all the screw-ups and cracked systems, you will find that they all run Windows. While the screw-ups can be sued just for screwing up, the fact that they run an insecure OS is another sign of total ineptness and easy to prove in a court.
It would be useful to see class action suits go against these companies as being run by inepts. In fact, I wonder if it is possible to hold the CIO personally responsible.
Once a few lose their homes or are thrown in jail, the bribes will no longer matter and real security will start to happen.
No wonder why online trust is failing.
http://uptime.netcraft.com/up/graph/?host=www.paymaxx.com
It's time to make this company Paymaxx! Mistakes like this are simply unacceptable and should be treated as crime IMO.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
I mean it's on the main page
Quidquid latine dictum sit, altum viditur
He didn't dump the RAW contents of the database tables, he didn't steal the disks. Encryption would've done absolutely ZIP to fix this issue. He was using a legit login and interface to view the data; had encryption existed (and it may have actually), then the account he was using would've dutifully decrypted the data and displayed it. A security genius you are not...
Build it, Drive it, Improve it! Hybridz.org
Stewart married long-time girlfriend Tracey McShane in 2000, at which time they both legally changed their last names to "Stewart." The couple had their first child, Nathan Thomas, on July 3, 2004.
no wonder nobody trusts the internet...
Did you get any of the names and numbers? Where do I buy them??
In Soviet Russia, asses suck this joke.
Why stop there... if my identity is stolen through the theft of their ideas;
The fact that this (very real) failure by PayMaxx to protect their customers' privacy escalated into the potential for identity theft is the fault of the government, not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.
Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to be public and private at once, this is bound for failure.
For years, the "solution" to this problem has been to avoid giving out your SSN unless at all necessary. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necessary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If a computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!
The government needs to step up and institute a new secure way to authenticate people, as well as begin a campaign to inform the public that SSNs are not suitable for authentication, by any organization. We cannot expect to have any security of identity if everyone in the country authenticates our identity using a fundamentally flawed manner.
This is nothing. Insiders are still the biggest threat. A few years back some people were found in possession of complete sets of CDs containing DMV information from all drivers in a state (I forget which: Oregon or Washington); that sort of thing was most likely an inside job.
A feeling of having made the same mistake before: Deja Foobar
...the US changes over to SIN numbers. Canada's had 'em for years :P
Actually, you can only legally get YOUR or your husband/wife's tax return from the IRS.
You can ILLEGALLY get someone else's return by lying on the form.
and ChoicePoint http://informationweek.com/story/showArticle.jhtml?articleID=60403673/
News article about how Congress wants the California law to be amended and spread over all the states; should fix this nicely. Hmm, any complaints?
If you check the Boston.com article that's been posted by another user, you'll see that "Think Computer" was demanding payment to tell them about this bug. This sounds a little bit like extortion, don't you think? What gets even more interesting is that I recognized this guy from an earlier story on Slashdot. He wrote a rambling, alarmist "whitepaper" about how insecure WiFi was in the Boston subway. Furthermore, searching Massachusetts business filings doesn't show that any "Think Computer" corporate entity exists.
I believe that this is just some young kid who desperately wants to be seen as some sort of security expert. His techniques are highly unprofessional and insulting to those of us in the industry who do, in fact, have a clue as to how IT consulting works.
Entrepreneur : (noun), French for "unemployed"
You can't just get this same info from the IRS under FOIA. Look at the exemptions.....
How about this: post yours, and I will tell you if it's on the list.
That's a really bad summary.
I have a feeling that this crap is just the tip of the iceberg. Maybe we should all just throw away our identification and go by the honor system. Imagine that, a modern technological society that doesn't have a number for everybody.
This identity theft is an impending train wreck on the Social Security Number.
I think it's time to adopt something like the Swedish model of smartcards for a national ID.
No smartcard is worth its salt without a personal user-definable PIN number.
And forget this bio-authentication crap. Bio-authentication is never revocable once stolen.
That would probably freak out the Jews, too.
Give a man fire, and you warm him for the night. Set a man on fire, and you warm him for the rest of his life.
I declare that I am either the taxpayer whose name is shown on line 1a or 2a, or a person authorized to obtain the tax return requested. If the request applies to a joint return, either husband or wife must sign. If signed by a corporate officer, partner, guardian, tax matters partner, executor, receiver, administrator, trustee, or party other than the taxpayer, I certify that I have the authority to execute Form 4506 on behalf of the taxpayer.
Of course, you can obtain it by fraud. It would be easier to just break into the person's house. IRS personnel have also been caught with unauthorized access. But it's certainly not "public records."
You're misguided. FOIA has nothing to do with personal information. FOIA has entirely everything to do with taxpayer-supported (FEDERAL) projects, as a means to let the taxpayers know what is going on with the government they fund and support and pay for. Corporations don't have "Freedom" over personal information, and in fact there are strict privacy acts that enforce rules upon them to protect such.
Byron Miller for Congress.
The old scheme of authenticating people using readily and widely copied information is a recipe for identity theft. If someone stores data on you, that data should be only sufficient for verification and insufficient for the opening of new lines of credit. Some form of encryption/hash should be used that lets someone verify that you are you, but does not let them take that info and reuse/abuse it for their own purposes. Moreover, in an ideal world, each copy of "your information" should be uniquely associated with the collector of that information. That way breaches would be readily traceable back to the leaky database.
Two wrongs don't make a right, but three lefts do.
Put a celebrity in the Homeland Security Department; then something might get done, because only they can attract enough attention to all the flaws of having computers with information connected to the net.
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
Blake is right again! It will be interesting to see how many silly ideas get posted - and then shot down - by the end of this thread :-)
Build it, Drive it, Improve it! Hybridz.org
Instead of the SSN as a unique identifier (a use for which it was never designed), how about the government institutes a new identity number based on asymmetric key encryption (a la PGP).
Crypto guys out there, please let me know if this is a viable idea at all, or if all I've done is push the problem back one level.
____
~ |rip/\/\aster /\/\onkey
For us non-Americans here, will someone please explain how companies like this and choicepoint get people's Social Security Numbers and what these companies do with these Social Security Numbers?
Where do I sign up to have my SS# stolen?
bluespaceradio.com - New Wave, Indie and Alternative
I don't see much difference between these guys and a stalker, except these guys are stalking everybody.
I wonder if it would be possible to take out a restraining order against them.
Or we could adopt the Canadian Electronic Privacy Act regulations in the USA ... same thing, but TOUGHER.
-- Tigger warning: This post may contain tiggers! --
Since my first computer class, that binary systems will never be completely secure.
There's some myth that is out there, that it's possible to secure our data.
The truth is that everything is down to a question of bits. Either it's a 1 or a 0.
And so it's not really out of the realm of possibility to find and break encryption.
And anyone who suggests otherwise is trying to sell you a Yugo.
Is it 5:30 yet?
When people ask me for a social security number and I decline, they generally stare at me like I am unsound.
With identity theft and unsound business security so widespread, what more reason does one need to withhold the SS number, assuming one even exists? Did anybody read about the Verizon hack last week that resulted in their clients' voice mails, photos, private phone lists, etc., being exposed?
Maybe we should enter contracts with companies that are requesting/demanding SS numbers before doing business with them. Said contract would stipulate that they owe a sum certain that is due immediately in the event that my personal details become exposed through security breaches, employee misconduct, etc.
Of course they could opt out if they decide they do not need the SS number after all. There is no reason they should carry that liability if they limit the amount of personal data they collect to a level that does not put me at risk of becoming an identity theft victim.
If they ask why we want them to enter such a contract, then cite the above story and other similar stories as our reason.
Sometimes when people ask for the number and I decline and they wonder why on earth I would keep such information private. My response, depending on my mood, varies. If I am in a funny mood I sometimes say:
"Assuming that I do have a retirement plan, why would I provide that to you? What does a private retirement plan have to do with your business? Will you give me your banking and retirement plan accounts? How about your credit card numbers? What is your mother's maiden name and your birth date?"
In some situations they will try to convince you that it has something to do with a government requirement.
In which case, I might respond that since it was the government who created both the number and any alleged requirement, they surely already have the number on file and can look it up themselves. So, call them up - if you are required to get the number then they will have to give it to you.
Let them chew on that a while.
Bank of America just misplaced the SSNs of 1.2 million federal employees: Data on 1.2 million federal charge card holders goes missing
From the linked PDF, this thing ran on Windows using some VB scripts.
...I think they are lucky to not have been visited by some real "sophisticated hackers"...
With the attention they've paid to the security they've done up until now, how would anyone know if they haven't?
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
I agree, and indeed I would go further and say that such companies should face criminal charges as well as lawsuit liability. They are essentially accomplices to the crime, as other posters mentioned. A company that keeps such records inappropriately and lets them get into the wrong hands should lose its corporate charter. I don't want to see this company pulling the same shit ten years from now with a different technology. We need real information privacy laws with teeth.
Oklahoma used to use your SSN as your driver's license number! So every time you showed your ID, you gave away your SSN! I went straight to the tag agency and changed my DL number to Pi (OK 031415926). They made me put a 0 in front, so I couldn't match someone's SSN by accident.
They've since smartened up, but I got to keep Pi.
I don't understand the SSN as secret identification role anyway. There's nothing secret about a number you have to give to every state and federal agency who asks.
-troy
At least they didn't deny it like the scum bags at ChoicePoint
Let me say I think BUSH is an ASSHAT.
That being said, there is NO social security trust fund. The social security surpluses were mandated by law to be invested in government bonds.
So what you say?
Government bonds are how we have financed our national debt, and our daily deficit. The problem becomes that in 2018 or thereabouts the money being paid in to SS will be less than the money being paid out. At that point the government will have to start redeeming the bonds to pay the difference.
Here is the catch. They pay off the bond by issuing new bonds and printing more money, which creates inflation. SS payments are protected against inflation however, so you will get a situation where SS creates inflationary pressure, in a positive feedback loop.
Frankly I'd be happy to let them keep the money they have taken if I could just opt the hell out from now on.
Of course while Bush speaks of "privatization" he means NOTHING of the sort. My take is the government will put out a list of "acceptable" companies and or mutual funds to invest in. This makes said corporations more insulated from stockholder complaints. Don't like the fortune 500 companies records on human rights? Tough! They will be the only government approved investment choices and as such won't care.
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
"The system runs on a Windows-based server and a combination of scripting languages, including ColdFusion, sold by Macromedia, Inc., and Microsoft VBScript, which is coincidentally a favorite of virus authors."
'Nuff said.
...I couldn't help but think about three things:
1. Illegal immigrants are working using other people's SS#s, because having an SS# is a requirement to work -- and various agencies look away, because (thanks to withholding) they collect -additional revenue- this way.
2. Illegal immigrants can't be issued real SS#s, claim people in the article, because it would make them eligible for SS benefits in the future.
3. We have an impending shortage of SS funds (supposedly), since there will be fewer workers supporting the older retirees soon.
Well, wouldn't it make sense to issue input-only SS#s to illegal immigrants? Let 'em work, let 'em pay into Social Security (which they do with the stolen SS#s already) -- but don't let 'em take SS benefits later.
The illegal immigrants would be better off (they don't have SS benefits now, but they lose jobs if their fraud is found out, so this will allow them to keep their jobs), and so would the retirees (more money going into SS now, the same amount being taken out later).
I'm just sayin'.
Imagine coming face to face with your ID thief and you both have the same number tattooed on your forehead.
I crossed my fingers and clicked on that link, thinking, maybe , maybe this time, my ship has come in! 100,000 good email addresses and a cut of all the uh... references, that is it, references. Looks like I'll be back at work again next week instead.
This is not really a new problem. Technology has just changed the way we deal with it. Before all of this computerization, if someone wanted to know about you, they had to ask you questions. The dialog might go like this:
Nowadays, you are not involved in any of this process. All of your personal information is flowing around behind the scenes between companies that trust each other, but *NOT* you. However, the amount of personal information is increasing to the point that the resulting questions might be more like this:
The catch is "our records" really is "your records" that they have collected without mentioning to you.
Solution: We need a legal principle that it is *YOUR* data and it is *YOUR* right to decide who knows it and what is done with it. (This is actually implicit in the Fifth and Sixth Amendments of the Bill of Rights.) We also need a technical principle that *YOUR* data should be stored on *YOUR* own computer. (This is the old "Possession is nine points of the law.")
How it works: If someone wants to record information about you, they should contact *YOUR* computer and store it there. They can include whatever signature they like to insure that you can't tamper with the content. They can include a binding request that you back up the data. However, if they want to see that information later, they must ask *your* computer to provide it, and *your* computer will only provide the information if *YOU* agree. (Actually, this means you would define privacy policies for your computer to enforce, including such things as "doublecheck with me anytime someone claims I owe them more than $10", etc.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
the gov. will be bankrupted.
I prefer the "u" in honour as it seems to be missing these days.
MAYBE, just MAYBE this will lead to a ban on using your Social Security Number as identification to anyone other than the banks, employers, or anyone with whom you have financial dealings. A school doesn't need to use SSNs on their IDs; states don't need to use SSNs as a driver's license number.
NO ONE needs to use my SSN on anything for verification or that I can carry around except for my Social Security Card, which I only use for work.
moo.
The problem is that in the US your SSN acts as your secret password. If I know your SSN I can get a driver's license (ID card) in your name and I can open any kind of credit/bank/whatever account in your name with no checks at all. I even checked into putting a password on my bank account and was told they couldn't do it and that my social security number would have to be good enough for security.
he broadcast it for the whole world on Comedy Central's Daily Show last night, so that's my new SSN.
Man, do I have great credit!
-- Tigger warning: This post may contain tiggers! --
I would rather see a ban on the use of your SSN as a password. Someone who knows your SSN shouldn't be able to do anything more than they would if they only knew your name. The problem is that your SSN is used as both your username and password and any sysadmin can tell you just how bad that is.
He uses the Mug Power Social instead.
...
That way no one can steal his identity
-- Tigger warning: This post may contain tiggers! --
This is a little off topic (mod it so if you wish), but how long will the 9-digit SSN hold out?
9 digits will give you 999,999,999 combinations, or 1,000,000,000 if you count 000-00-0000 as a valid SSN. What happens when we reach 1 billion people? Right now we have 293,027,571 (estimate by CIA for July of 2004). But this could expand quite quickly. Will we have to overhaul the number system? Or start adding letters?
-William
God is everything science has yet to explain.
My dad is on Social Security retirement. A few months back someone changed his bank routing number at SS. His direct deposit went to some bank in NJ. Since the money was withdrawn right away there was nothing that SS would do about it. My dad lost his whole check and nobody would do anything about it. The problem was clearly at SS for allowing someone to change his info.
My dad now has a password protecting his account at Social Security so that nobody can make changes to it. It's a shame that he had to go a whole month with no money. It's a bigger shame that SS would not do anything about it.
Beware of your credit and money. The instant something goes wrong, get on the phone.
The above is not worth reading.
Binary systems can be just as secure as any other system. Encryption that would take longer than the lifetime of the universe to break is also considered secure, and is usually used instead of a one-time pad.
...that when you are writing a web site or web service that is going to pass information based on some sort of identifier, that identifier should be cryptic enough that it will be hard to guess other valid identifiers.
If you don't know what that means (for you Microsofties)... that means you should be using a GUID or something just as random or hard-to-guess identifier, like a SHA-1 hash, as an identifier for records that your web client will pass back to the web server.
So in this case, PayMaxx could have used a GUID or SHA-1 hash or even some big random unique number for enumerating its W-2s and then tie the enumerator to the actual payroll ID with an indexed lookup table to prevent just the sort of "data snooping" that happened here.
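The sequential-ID bug quoted from the article above and the lookup-table fix this comment proposes, side by side, as an added example (not code from PayMaxx or from any poster). It assumes a Python web backend with an in-memory dict standing in for the database, and it uses random tokens rather than a SHA-1 of the payroll ID, because a hash of a predictable number is itself predictable once the ID scheme is known:

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class W2Record:
    payroll_id: int
    owner: str        # login name of the employee the form belongs to
    ssn_last4: str    # constructed sample data, not real SSNs
    wages: float


# Constructed sample payroll table keyed by the sequential payroll ID.
PAYROLL = {
    1001: W2Record(1001, "alice", "1111", 52000.0),
    1002: W2Record(1002, "bob", "2222", 61000.0),
}


def fetch_w2_insecure(payroll_id: int) -> Optional[W2Record]:
    """Vulnerable pattern: the URL carries the bare payroll ID and the
    handler returns whatever that ID points at, with no ownership check.
    Any logged-in user who alters the number gets someone else's form."""
    return PAYROLL.get(payroll_id)


# Hardened pattern: an opaque, unguessable token is the only identifier
# the client ever sees; the token -> payroll ID mapping stays server-side.
TOKEN_TABLE = {}  # token (str) -> payroll_id (int)


def issue_w2_token(payroll_id: int) -> str:
    """Mint a fresh 256-bit random token for a W-2 and record the mapping.
    Tokens are not derived from the payroll ID, so knowing one ID (or one
    token) says nothing about any other record."""
    if payroll_id not in PAYROLL:
        raise KeyError(f"unknown payroll id {payroll_id}")
    token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe base64
    TOKEN_TABLE[token] = payroll_id
    return token


def fetch_w2_secure(session_user: str, token: str) -> Optional[W2Record]:
    """Resolve a token through the lookup table and then still enforce
    that the requesting session owns the record. The unguessable token
    defeats enumeration; the ownership check covers a leaked or shared
    link. Both failure modes return None so the response does not reveal
    whether a token exists."""
    payroll_id = TOKEN_TABLE.get(token)
    if payroll_id is None:
        return None
    record = PAYROLL[payroll_id]
    if record.owner != session_user:
        return None
    return record


if __name__ == "__main__":
    tok = issue_w2_token(1001)
    print("alice via token:", fetch_w2_secure("alice", tok))
    print("bob with alice's token:", fetch_w2_secure("bob", tok))
    print("insecure lookup of a neighbouring ID:", fetch_w2_insecure(1002))
```

The token is stored only in the server-side table and sent to the employee in the notification link; the 32-byte size is a choice for this example, and any value large enough to make guessing infeasible works the same way.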
Instead we have a system which is more like a managed retirement account. People don't have to pay SS tax on any of their income over $90,000. The amount of benefits you get is proportional to what you put in. You get benefits whether you really need it compared to your other income or not. It's silly. If we really want a "Social" program we should treat it as such. All income and wages should be SS taxable. That alone could extend the system another 75 years with no other changes!! In addition, if we make some common-sense limits on who exactly can collect benefits, the system could probably be extended indefinitely.
The sending of this message pretty much inconveniences everyone involved.
Here's a bit of history for anyone interested. Roman Emperor Domitian took control of the (physical) marketplace in Ephesus in order to tax it. Ephesus was an important city straddling several trade routes so the taxes there were really important. No one could buy or sell in the marketplace unless he burned incense to the emperor as a god. When you had burned the incense they put a blob of wax on your hand or forehead to show that you had "paid". Unless you could achieve self-sufficiency apart from the market, you had to pay to survive, sorta like how we have to pay Social Security to survive today.
Judaism was a sanctioned religion in the Empire so they didn't have to worship the Emperor. But Christianity was not sanctioned. So when upright Roman citizens saw a Christian refuse to burn incense, they said things like "Why are you rebelling against the government? Why won't you pay your due so that the nation can prosper? Do you have something to hide? Do you hate our country?" Sound familiar?
During the rule of Domitian millions of Ephesians died (yes, millions, the city was huge). That is why it is a big deal to Christian ministers today. To fact check you really have to read Suetonius and Pliny the Younger et al. For some reason modern commentaries try to make like he was a good guy, but then have trouble explaining why everyone wanted to kill him but didn't care who replaced him. Apparently the authors who knew him were all mistaken and he was just really misunderstood.
Your social security number doesn't happen to end with "AND 1=1", does it?
Don't blame me, I voted for Baltar.
is that people in the USA are afraid of having real identification papers. By not having papers, it's easy to steal your 'identity', because it's based on knowledge of a number, which you are forced to tell to everyone. It's like if a bank account were available to anyone who knew the number id for it.
Basically, if everyone were asked to have a passport-like id, it'd be much, much safer, since you'd be required to have that id (difficult to fake) and look like the one in it (any facedancers here?). 'identity theft' is not a recognizable phrase in my country, most people would imagine a James Bond stunt when hearing the phrase.
Too bad you're so paranoid.
Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable.
Was he in a violation of the DMCA when he "tried to find out" if another person's W-2 was readable?
This is the FOURTH TIME this week!!! I am so sick of this, those illegal citizens are lucky!
Your skill in reading has increased by one point!
Just a few weeks ago it was reported, but not covered by the media, that Scottrade (a stock broker with over 1.4 million accounts) had a vulnerability that revealed personal information about customers, their trading habits, and worst of all... allowed an anonymous third party to make actual stock transactions using other people's money.
See http://lists.insecure.org/lists/bugtraq/2005/Feb/0252.html
and
http://seclists.org/lists/bugtraq/2005/Feb/0254.h
573-06-6811
.cig
It's interesting how everyone is so quick to assume this was a major act of negligence on the part of the company in question. PayMaxx, ChoicePoint, whoever's next. As a network security consultant, I'd like to point something out: No network is 100% secure. According to the 2004 FBI/CSI Computer Crime and Security Survey, 53% of polled corporations, government agencies, financial institutions, medical institutions, and universities detected computer security breaches within the last twelve months. If we're naive enough to think PayMaxx and ChoicePoint are the only companies who have let millions of SSNs slip we're dead wrong. Oakland University was utterly hacked three months ago. Shortly after, a research server at UC Berkeley was hacked and lost a few more million SSNs. Network security is not some simple line item that an organization can pay to show "due diligence". No matter how many firewalls, high-end intrusion prevention systems, and encryption ciphers people deploy on their networks one thing holds true: prevention eventually fails, & the best you can do is 1) try to prevent it, 2) be prepared to deal with it when it happens. As the network security saying goes, "It's no longer a question of if you'll get hacked. It's when."
From Form 4506-T, which is a request for a transcript of a tax return:
----
CAUTION: Lines 6 and 7 must be completed if the third party requires you to complete Form 4506-T. Do not sign Form 4506-T if the third
party requests that you sign Form 4506-T and lines 6 and 7 are blank.
----
Lines 6 & 7 describe what information and for what years the IRS should provide to the requestor or third party. This form must be signed by the taxpayer.
You have control over all of your information that you send to the IRS. They have a duty to keep it to themselves, and they even advise you that it's a good idea to not release this information indiscriminately.
They tell you that in bureaucratese, but they do tell you.
Not A Sig
Maybe some accountant gone cracker will do my taxes for me.
"Simple words such as 'better' or 'faster' are best used by simpletons. Life [...] is more complicated." - TMC
Not good enough!
Fraud detection and monitoring services are cheap and inadequate. My personal data is worth a lot more to me than the fraud that can be committed with it.
I don't want strangers to be in possession of my Social Security Number, because I'm stuck with that number for the rest of my life - and a couple of years of someone watching my credit report for me, does not make up for the damage that the disclosure might do decades from now - or even after my death. (Defrauding the estate of a dead person is unsportingly easy, since no one but the dead guy really knows what his financial obligations were.)
If my personal information is disclosed, then things like my home address and annual income are revealed - telling potential burglars who has the expensive stuff, and where to steal it from. Credit report monitoring and fraud detection do not cover my risks or losses, here, either. If the number of people in my family is released, then they know how many kids I have - perhaps even their ages - and they now know who to kidnap and hold for ransom - or just sell into slavery or the child pornography trade. None of these things are covered by a couple of hundred bucks spent on watching my credit report for abnormalities.
The core of the problem, here, is (and I said this in the GMail thread, but apparently no one listened) that information security policies are designed to protect the companies that create them - not the customers of those companies, nor their employees, nor the public at-large. As long as these companies can place nice low values on the losses that they experience, when they disclose information that YOU value much more highly than they apparently do, they will continue to protect this information inadequately, by the standards of the victims.
Frankly, if they had to be accountable for damages as assessed by the victim, they would almost certainly do one of the following:
To guarantee that we do not experience the latter option, we really need to make credit and information-reporting agencies pay a tax for the right to run such services, and use the money to fund a consumer-oversight agency, that audits them relentlessly, and often. Assuming, of course, that we can trust such an agency not to be influenced by the organizations that it oversees. That's not a given; the FCC and various state Public Utility Commissions are a prime example of this type of failure.
In any event; my personal information is a great deal more valuable than the cost of a fraud detection or credit monitoring service. Having them pay only that much, for revealing it, is not good enough!
The Wiley CyberKitty
just admitted to losing 1.2 million Federal accounts on tape. Story on CNN.
Based on the nature of PayMaxx's press release in the news.com story and the method by which ThinkComp explored the nature of the vulnerabilities, my cynical side says PayMaxx will try to get ThinkComp prosecuted for "hacking". Perhaps PayMaxx will also try to throw extortion attempts in there as well. And they'll use the prosecution as an excuse for delaying the notification of CA customers.
Using an SSN as an ID is just fine. As the grandparent comment points out, however, the issue is in authentication. In theory, if I have your SSN, I should be able to do no more than refer to you. Sure, I might be able to get information about you with that information. What should never be allowed to happen is to pretend to be you. But if I walk into a bank and produce some faked ID and give your SSN I can open an account in your name (with my fake of your signature on the signature card) and put in $250. Then when the checks arrive, I can write a whole bunch at once all over town, for small amounts ($100 here, $200 there) totalling thousands, and disappear with the goods, leaving you to clean up the mess in some town 1000 miles away from where you really live that you've never even been to. The fact that the bank ass-u-me-s I was really you is the flaw in the system.
There should at least be a law that says if you deny being the person who opened the above account, then that bank must produce proof that you (and not someone with your info) actually opened the account and passed the bad checks ... or drop the matter with respect to affecting you. Such a law should cover all businesses that use SSNs in any way, shape, or form. Of course, then banks will have to cover their ass and require fingerprints and photos to open an account.
A 25 year minimum mandatory prison sentence for conviction of identity infringement would help put a stop to this.
Then we still need to deal with the sloppy businesses that let identity infringers do this. Triple corrective costs, plus legal expenses, plus punitive to a million dollars, would send a clear message to such businesses ... as clean as driving an ice pick in their eyes.
now we need to go OSS in diesel cars
Igor you imbecile! That has only half the base pairs we need! That's not good enough!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Why are all these companies even allowed to maintain databases on us? I know it's for credit and such, but is it the freakin' end of the world if creditors can't see your entire (but flawed & incomplete) credit history? I don't know of anyone that has any trouble getting credit, in fact the worse your credit is the more offers you seem to get.
So what if they give you a credit card and you're a deadbeat? If you read the fine print most credit cards have horrible consequences if you miss a payment, your interest rate skyrockets and you pay a big penalty.
This is *my* SSN, *my* bank accounts, *my* financial information. I want to be notified if and when anyone wants access to that information.
I was once able to do the same thing at Royal Bank Action Direct: changing the account number in the URL would allow you to view the investment holdings for that account number. God knows what else you could have done - I'm no hacker. This flaw seems to have disappeared since.
Shutup already about the stolen SSNs... you are scaring the IT Managers.
Christ, how scary that such a suggestion (which is the literal truth of my banking relationship for the last decade) was perceived as A JOKE. WOW. You know, some countries have serious fscking privacy laws and the result is they take security equally as fscking seriously. It may sound like a joke in the United States, but I can assure you, in certain places it is absolutely standard practice and has been for a very long time. Sheesh... "Funny." Now THAT'S funny... Wow...
99.5% of the time, you should trust the compiler. After all, if you are better at optimising than the compiler, you should be writing the compiler. And people who can write optimising compilers are in the other 0.5%. I'm pretty sure you know which side you're on... I know I'm in the 99.5%, and I have no damn intention to go up against people who write these things for a living.
Karma: It's all a bunch of tree-huggin' hippy crap!
I stumbled across this while meta-moderating btw, and it's the kind of thing I mod up when I get points. It's got none at time of writing, but I like the point being made - we need something to make identity theft harder to pull off, such as a password to go with the id, that is kept from the 3rd party who've requested proof of your id, but used by the government to inform said 3rd party you are who you say you are.
Though I remember reading something here once about security not existing in nature..
Have fun. Or failing that, be miserable with style.