100,000 More Social Security Numbers Exposed
ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."
You know, the more of this I see, the more annoyed I become.
We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.
Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.
Seriously... are we burying our heads in the sand and attacking the wrong thing here?
--AC
I'm thinking that it's time to write to my state and federal congressmen to get California's Security Breach Information Act (S.B. 1386) amended into state or national law. That way when this shit happens I can find out if any of my info is at risk.
When will these idiot companies start taking security seriously instead of being idiots about it? Time to take a page out of the "If I were an Evil Overlord List": One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation. and My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords. Source
On a side note, all this stuff just keeps reminding me about the No Networked Systems requirement in BattleStar Galactica.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
From the article:
"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com
And...
Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.
Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.
Sophisticated and determined my ass!!
Weaselmancer
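The flaw the article describes is a direct object reference: the W-2 download link carried a record ID, and the server never checked that the logged-in customer owned that record, so sequential IDs let one customer read the next. Below is an added example (not PayMaxx's code, not from the article) that puts the vulnerable handler beside a hardened one with a server-side ownership check and unguessable link tokens, and adds a small log check that flags a client walking consecutive IDs. All names, records and log lines are constructed for illustration.

```python
"""
Added example, not from the article or PayMaxx: the authorization failure
described above (a download link whose ID can be incremented to reach another
customer's W-2), a hardened handler, and a detection pass over access logs.
Records, owners and log lines are constructed for illustration.
"""
import re
import secrets
from collections import defaultdict

# Constructed sample records keyed by sequential numeric IDs, as in the story.
W2_RECORDS = {
    1001: {"owner": "alice", "ssn": "***-**-1234", "wages": 52000},
    1002: {"owner": "bob", "ssn": "***-**-5678", "wages": 61000},
    1003: {"owner": "carol", "ssn": "***-**-9012", "wages": 47000},
}


def fetch_w2_vulnerable(requester, record_id):
    """Insecure direct object reference: knowing the ID is enough to read it.
    The requester's identity is accepted but never consulted."""
    return W2_RECORDS.get(record_id)


def fetch_w2_hardened(requester, record_id):
    """Ownership check on the server: the session identity, not the URL, decides."""
    record = W2_RECORDS.get(record_id)
    if record is None or record["owner"] != requester:
        return None  # deny uniformly; do not reveal whether the ID exists
    return record


# Unguessable download tokens (hypothetical design). These remove sequential
# enumeration as a reconnaissance step, but the ownership check still runs:
# a random link is not a substitute for authorization.
TOKEN_TO_ID = {}


def issue_download_token(record_id):
    token = secrets.token_urlsafe(32)
    TOKEN_TO_ID[token] = record_id
    return token


def fetch_w2_by_token(requester, token):
    record_id = TOKEN_TO_ID.get(token)
    if record_id is None:
        return None
    return fetch_w2_hardened(requester, record_id)


# Constructed access-log excerpt: one client walking IDs 1001..1004 in order,
# another fetching a single record.
LOG_LINES = """\
10.0.0.5 - - [20/Feb/2005:10:01:02] "GET /w2?id=1001 HTTP/1.1" 200
10.0.0.5 - - [20/Feb/2005:10:01:03] "GET /w2?id=1002 HTTP/1.1" 200
10.0.0.5 - - [20/Feb/2005:10:01:04] "GET /w2?id=1003 HTTP/1.1" 200
10.0.0.5 - - [20/Feb/2005:10:01:05] "GET /w2?id=1004 HTTP/1.1" 200
10.0.0.9 - - [20/Feb/2005:10:02:00] "GET /w2?id=1002 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) .*"GET /w2\?id=(\d+) ')


def detect_enumeration(log_text, min_run=3):
    """Return [(client, longest_consecutive_run)] for clients whose requested
    IDs form a consecutive run of at least min_run. Runs are evaluated in log
    order per client, so a legitimate user fetching one form is not flagged."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged.append((client, longest))
    return flagged


if __name__ == "__main__":
    print("vulnerable, alice asks for bob's form:", fetch_w2_vulnerable("alice", 1002))
    print("hardened, same request:", fetch_w2_hardened("alice", 1002))
    print("enumeration suspects:", detect_enumeration(LOG_LINES))
```

The ownership check is the actual fix; the token layer only makes the link unguessable and is shown because "randomized IDs" is the remedy the article itself mentions. The log check is a cheap after-the-fact signal: a single client requesting many consecutive record IDs is exactly the pattern the comment above describes.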
Ridiculous.
If you check back on all the screw-ups, and cracked systems, you will find that they all run windows. While the screw-ups can be sued just for screwing-up, the fact that they run an insecure OS is another sign of total ineptness and easy to prove in a court.
It would be useful to see class action suits go against these companies as being run by inepts. In fact, I wonder if it is possible to hold the CIO personally responsible.
Once a few lose their homes or are thrown in jail, the bribes will no longer matter and real security will start to happen.
Actually, you can only legally get YOUR or your husband/wife's tax return from the IRS.
You can ILLEGALLY get someone else's return by lying on the form.
I have a feeling that this crap is just the tip of the iceberg. Maybe we should all just throw away our identification and go by the honor system. Imagine that, a modern technological society that doesn't have a number for everybody.
Well yes, but let's talk about how we got here (no defense mind you, just how)...
In the early 70s I worked in a data center at a largish community college. We were using SSNs for student IDs. Wrong ? Yes. Easy ? Yes. But in those days, we had no online access. Everything was done on punch cards and printouts. IIRC, grades were posted on a bulletin board with just SSN and your class grade (no names). So as time passes, new hardware flows down the pipe, new software is written and no one thought about it all that much. I left before the terminals showed up, so I'm not sure how long it took them before the light finally went on.
Think of this in the context of Y2K and date fields... what was once a simple programming objective has been made extremely complex by the internet, scammers, spammers and such. Time passes and things get more complicated. Some developers think outside the box and some don't (they just look forward to retirement).
This msg is brought to you by the letter 'W'.. for Worthless Wuss
Administrators don't like this because it potentially ends the cycle of performance-is-down-more-money-please, which allowed them to bloat their salaries. Teachers' unions don't like this because, frankly, not every teacher is a good teacher, and while good teachers are easier to find, it's because they shine so brightly. Bad teachers, on the other hand, have the most to lose from this, and will fight it the most vehemently, and be the most vocal, and can shout down the good teachers when it comes to union positions. Not to mention, the good teachers do not necessarily have the time to focus on taking office within a union.
Oh, and with regard to Grandparent's comments on vouchers. I'd like to mention that those school districts and counties in suburban (and not necessarily upper-class) Oregon that have embraced vouchers and charter schools have done well and helped lower income students. Administrators and the teachers' unions don't like this for the obvious reasons: it's money out of their pockets. However, from what I have heard, parents in my community and other local communities who have been able to get their children onto a voucher program or into charter schools have said their children got a better education and enjoyed going to school more than they did in public schools.
If I've learned one thing from all my experiences in public schools, it's that administrators and teachers' unions have no problem with spreading their own brand of FUD, and members of the teaching community are not immune to groupthink. However, due to the school administrators' and teachers' union's positions, people are not as likely to question those positions.
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.