100,000 More Social Security Numbers Exposed
ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."
These guys (and everybody who violates the privacy laws like them) should be required to pay for in depth fraud monitoring and credit report monitoring. If you are going to warehouse our data especially without our knowledge, then they should pay for their own screwups.
Visit Jonesblog and say hello.
Man, I hope Jon Stewart's wasn't in there!
Oh wait...
The coolest voice ever.
Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw," or does it mean "we were sloppy"?
-Charles
Learning HOW to think is more important than learning WHAT to think.
That they weren't even willing to listen when someone pointed this out to them is appalling.
I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.
Lost at C:>. Found at C.
With guardians like this, pretty soon the whole XXX-XX-XXXX range will be p0wn3d!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Usually financial companies like this feel it's a waste to pay a good, experienced sysadmin to keep their shit secure. It's only recently that all companies have started adopting IT as part of their business model.
------ The best brain training is now totally free : )
You know, the more of this I see, the more annoyed I become.
We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.
Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.
Seriously... are we burying our heads in the sand and attacking the wrong thing here?
--AC
An upside to being unemployed.
Religion is a gateway psychosis. -- Dave Foley
just by going thru your trashcan. By the way, you really should ask for a raise.
Rocky Raccoon.
p.s., please stop dumping the bathroom trash can in with the kitchen's. Thanks.
324-12-1125
I guess it's a good thing that I can get free credit reports from each of the nationwide consumer credit reporting companies starting March 1st.
"No system in the world is 100 percent secure from a sophisticated and determined hacker"
I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.
I think they are lucky to not have been visited by some real "sophisticated hackers"...
Sinepaw.org: Grape Winos
There is a more in-depth article about this at the Boston Globe.
First ChoicePoint, now this? How long until a major government database like one from the IRS gets hacked and information on almost every US citizen is available? Scary thought.
- Cary
--Fairfax Underground: Where Fairfax County comes out to play
(just to freak out the Christians of course)
These companies don't get paid to be secure, and in the related Choicepoint case, Choicepoint only makes money by selling your data.
:-)
The more people they sell to, the more money they make.
In this case, keeping your data secure costs money, so it just doesn't pay.
Oh, you think they should care about you? For a price, maybe they will...
There is not nearly enough love in the world, but there is far too much trust.
I'm thinking that it's time to write to my state and federal congressmen to get California's Security Breach Information Act (S.B. 1386) amended into state or national law. That way when this shit happens I can find out if any of my info is at risk.
When will these idiot companies start taking security seriously instead of being idiots about it? Time to take a page out of the "If I were an Evil Overlord List": One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation. and My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords. Source
On a side note, all this stuff just keeps reminding me about the No Networked Systems requirement in BattleStar Galactica.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Do you think it's bad that PayMaxx shows people's personal information on the web? Of course it is. But how about if you get it legally from the IRS instead?
Have fun: Join D.N.A. (National Dyslexics Association)
From the article:
"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com
And...
Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.
Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.
Sophisticated and determined my ass!!
Weaselmancer
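As an added illustration (not code from the article, from PayMaxx, or from any poster here), the lookup the quoted passage describes sits beside a hardened version: the record must belong to the authenticated session, and download links use random, unguessable tokens instead of a sequential id. The store, record fields and function names are constructed for this example.

```python
import secrets

# Constructed sample store: W-2 records keyed by a sequential document id,
# the same kind of id the article says appeared in the download link.
W2_STORE = {
    1001: {"owner": "alice", "ssn": "XXX-XX-0001", "wages": 52000},
    1002: {"owner": "bob",   "ssn": "XXX-XX-0002", "wages": 61000},
    1003: {"owner": "carol", "ssn": "XXX-XX-0003", "wages": 47500},
}

# Capability-style links: random token -> (owner, doc_id). Hypothetical
# in-memory table standing in for a database column.
DOWNLOAD_TOKENS = {}


def fetch_w2_insecure(doc_id):
    """The flaw described in the article: the id from the URL is the only
    thing consulted, so doc_id + 1 returns the next customer's form."""
    return W2_STORE.get(doc_id)


def fetch_w2(session_user, doc_id):
    """Hardened lookup: the record must belong to the authenticated user.
    'Missing' and 'not yours' both return None so the response does not
    confirm which ids exist."""
    rec = W2_STORE.get(doc_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def issue_download_link(session_user, doc_id):
    """Return an unguessable token for a document the user owns, else None.
    A 32-byte random token cannot be walked the way a sequential id can."""
    if fetch_w2(session_user, doc_id) is None:
        return None
    token = secrets.token_urlsafe(32)
    DOWNLOAD_TOKENS[token] = (session_user, doc_id)
    return token


def redeem_download_link(session_user, token):
    """Resolve a token, re-checking ownership so a leaked link still needs
    the owner's own session to be useful."""
    entry = DOWNLOAD_TOKENS.get(token)
    if entry is None or entry[0] != session_user:
        return None
    return fetch_w2(session_user, entry[1])
```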
ridiculous.
The moment you decide to require ALL of those things to be validated some dumbass will put them all in a database record side by side unencrypted with no password protection. The end user will be forced to endure more hoop jumping but the sum total of added security would be quickly nullified by the morons of the IT world. It only takes one village idiot to ruin things.
Build it, Drive it, Improve it! Hybridz.org
you think that's much better? a fingerprint scan is just another piece of digital information that they'd have to store...
and they'd probably sell that information as well, so other services can verify your fingerprint too...
so, we're back at square one.
No kidding. Hey, let's put Carnivore to good use for once - let's put this into terms that will send a red flag up over Washington:
Think about the following, in terms of being a terrorist, or just someone who wants to gain illegal entry into a country unnoticed:
With a W-2 (which is a statement of income for last year, I presume, like a T4 in Canada where I live) you now have:
- A valid name of a US Citizen
- That citizen's SSN
- their place of employment, complete with job title
- last year's earnings, which should allow you to look the part if you decide to impersonate them
- their home address
All of this put together would allow for the easy forging of identity papers. Yup, it could allow a terrorist unfettered entry into the US with a great degree of anonymity and secrecy.
Hi, Mr. Rumsfeld - feeling OK now?
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Did you get any of the names and numbers? Where do I buy them??
In Soviet Russia, asses suck this joke.
Why stop there... if my identity is stolen through the theft of their ideas;
The fact that this (very real) failure by PayMaxx to protect their customers' privacy escalated into the potential for identity theft is the fault of the government, not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.
Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to be public and private at once, this is bound for failure.
For years, the "solution" to this problem has been to avoid giving out your SSN unless absolutely necessary. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necessary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If a computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!
The government needs to step up and institute a new secure way to authenticate people, as well as begin a campaign to inform the public that SSNs are not suitable for authentication by any organization. We cannot expect to have any security of identity if everyone in the country authenticates our identity in a fundamentally flawed manner.
and ChoicePoint: http://informationweek.com/story/showArticle.jhtml?articleID=60403673/
News article about how Congress wants the California law to be amended and spread over all the states; should fix this nicely. Hmm, any complaints?
If you check the Boston.com article that's been posted by another user, you'll see that "Think Computer" was demanding payment to tell them about this bug. This sounds a little bit like extortion, don't you think? What gets even more interesting is that I recognized this guy from an earlier story on Slashdot. He wrote a rambling, alarmist "whitepaper" about how insecure WiFi was in the Boston subway. Furthermore, searching Massachusetts business filings doesn't show that any "Think Computer" corporate entity exists.
I believe that this is just some young kid who desperately wants to be seen as some sort of security expert. His techniques are highly unprofessional and insulting to those of us in the industry who do, in fact, have a clue as to how IT consulting works.
Entrepreneur : (noun), French for "unemployed"
This identity theft is an impending train wreck on the Social Security Number.
I think it's time to adopt something like the Swedish model of smartcards for a national ID.
No smartcard is worth its salt without a personal user-definable PIN number.
And forget this Bio-authentication crap. Bio-authentication is never revokable once stolen.
You're misguided. FOIA has nothing to do with personal information. FOIA has entirely everything to do with taxpayer-supported (FEDERAL) projects, as a means to let the taxpayers know what is going on with the government they fund and support and pay for. Corporations don't have "Freedom" over personal information, and in fact there are strict privacy acts that enforce rules upon them to protect such.
Byron Miller for Congress.
The old scheme of authenticating people using readily and widely copied information is a recipe for identity theft. If someone stores data on you, that data should be only sufficient for verification and insufficient for the opening of new lines of credit. Some form of encryption/hash should be used that lets someone verify that you are you, but does not let them take that info and reuse/abuse it for their own purposes. Moreover, in an ideal world, each copy of "your information" should be uniquely associated with the collector of that information. That way breaches would be readily traceable back to the leaky database.
Two wrongs don't make a right, but three lefts do.
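The two ideas above (one public identifier plus one private secret, and a copy of your information that is bound to the collector who holds it) can be shown in working form. This is an added example, not code from any poster: each collector gets its own HMAC-derived key, authentication is a challenge-response that never sends the key itself, and a key found in the wild can be matched back to the collector it was issued to. The master secret, collector names and nonces are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed example. The user holds one master secret that never leaves
# their side; each collector receives a key derived for it alone.


def derive_collector_key(master_secret, collector):
    """Per-collector secret: HMAC-SHA256(master, collector name).
    The copy held by 'bank-a' says nothing about the copy held by
    'payroll-b', so one leaked database does not unlock the others."""
    return hmac.new(master_secret, collector.encode(), hashlib.sha256).digest()


def new_challenge():
    """Fresh nonce issued by the collector for each authentication."""
    return secrets.token_bytes(16)


def respond(collector_key, nonce):
    """User side: prove possession of the per-collector key without
    sending it. The identifier (account name, SSN) can stay public; only
    this response depends on the secret."""
    return hmac.new(collector_key, nonce, hashlib.sha256).hexdigest()


def verify(stored_key, nonce, response):
    """Collector side: recompute and compare in constant time."""
    expected = hmac.new(stored_key, nonce, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def trace_leak(master_secret, leaked_key, collectors):
    """Because every copy is bound to its collector, a key found in the
    wild can be matched back to the database it leaked from (or None)."""
    for name in collectors:
        candidate = derive_collector_key(master_secret, name)
        if hmac.compare_digest(candidate, leaked_key):
            return name
    return None
```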
I agree, and indeed I would go further and say that such companies should face criminal charges as well as lawsuit liability. They are essentially accomplices to the crime, as other posters mentioned. A company that keeps such records inappropriately and lets them get into the wrong hands should lose its corporate charter. I don't want to see this company pulling the same shit ten years from now with a different technology. We need real information privacy laws with teeth.
Of course while Bush speaks of "privatization" he means NOTHING of the sort. My take is the government will put out a list of "acceptable" companies and or mutual funds to invest in.
I bet Enron is on the list.
Learn to love Alaska
This is not really a new problem. Technology has just changed the way we deal with it. Before all of this computerization, if someone wanted to know about you, they had to ask you questions. The dialog might go like this:
Nowadays, you are not involved in any of this process. All of your personal information is flowing around behind the scenes between companies that trust each other, but *NOT* you. However, the amount of personal information is increasing to the point that the resulting questions might be more like this:
The catch is "our records" really is "your records" that they have collected without mentioning to you.
Solution: We need a legal principle that it is *YOUR* data and it is *YOUR* right to decide who knows it and what is done with it. (This is actually implicit in the Fifth and Sixth Amendments of the Bill of Rights.) We also need a technical principle that *YOUR* data should be stored on *YOUR* own computer. (This is the old "Possession is nine points of the law.")
How it works: If someone wants to record information about you, they should contact *YOUR* computer and store it there. They can include whatever signature they like to ensure that you can't tamper with the content. They can include a binding request that you back up the data. However, if they want to see that information later, they must ask *your* computer to provide it, and *your* computer will only provide the information if *YOU* agree. (Actually, this means you would define privacy policies for your computer to enforce, including such things as "double-check with me anytime someone claims I owe them more than $10", etc.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Using an SSN as an ID is just fine. As the grandparent comment points out, however, the issue is in authentication. In theory, if I have your SSN, I should be able to do no more than refer to you. Sure, I might be able to get information about you with that information. What should never be allowed to happen is to pretend to be you. But if I walk into a bank and produce some faked ID and give your SSN, I can open an account in your name (with my fake of your signature on the signature card) and put in $250. Then when the checks arrive, I can write a whole bunch at once all over town, for small amounts ($100 here, $200 there) totalling thousands, and disappear with the goods, leaving you to clean up the mess in some town 1000 miles away from where you really live that you've never even been to. The fact that the bank ass-u-me-s I was really you is the flaw in the system.
There should at least be a law that says if you deny being the person who opened the above account, then that bank must produce proof that you (and not someone with your info) actually opened the account and passed the bad checks ... or drop the matter with respect to affecting you. Such a law should cover all businesses that use SSNs in any way, shape, or form. Of course, then banks will have to cover their ass and require fingerprints and photos to open an account.
A 25 year minimum mandatory prison sentence for conviction of identity infringement would help put a stop to this.
Then we still need to deal with the sloppy businesses that let identity infringers do this. Triple corrective costs, plus legal expenses, plus punitive to a million dollars, would send a clear message to such businesses ... as clean as driving an ice pick in their eyes.
now we need to go OSS in diesel cars