Slashdot Mirror

← Back to Stories (view on slashdot.org)

100,000 More Social Security Numbers Exposed

Posted by Zonk on from the that-why-we-use-these-password-things dept.

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."

27 of 325 comments (clear)

  1. Credit report monitoring by BWJones · · Score: 4, Insightful

    These guys (and everybody who violates the privacy laws like them) should be required to pay for in depth fraud monitoring and credit report monitoring. If you are going to warehouse our data especially without our knowledge, then they should pay for their own screwups.

    --
    Visit Jonesblog and say hello.
    1. Re:Credit report monitoring by Anonymous Coward · · Score: 5, Insightful
      required to pay for in depth fraud monitoring and credit report monitoring.

      Why stop there... if my identity is stolen through the theft of their ideas; and someone cleans out my accounts the LAST thing I'm going to care about is them paying for "monitoring".

      I want them to pay for the damages they caused by essentially being an accomplice to the thieves.

    2. Re:Credit report monitoring by BWJones · · Score: 4, Insightful

      There is no way that any company could conceivably recompense all 100,000 victims.

      You can't cover your ass if you screw up big time? It's simple......you......should.....NOT......be.....al lowed.....to......keep.......records on vast numbers of human beings with lives and financial histories to protect.

      --
      Visit Jonesblog and say hello.
  2. Uh oh... by Faust7 · · Score: 4, Funny

    Man, I hope Jon Stewart's wasn't in there!

    Oh wait...

    --
    The coolest voice ever.
    1. Re:Uh oh... by kill-hup · · Score: 4, Funny

      I'll bet Ted Hitler was watching and knows what it is ;)

      --
      Sinepaw.org: Grape Winos
    2. Re:Uh oh... by GillBates0 · · Score: 4, Insightful
      Good one :)

      I liked the way how he subtly hinted at the folly of using identifiers as passwords. An identifier is supposed to be public (akin to a login)... but it is increasingly being treated as a password....something which it was never designed to be.

      I have the same problem with credit card numbers too. They aren't supposed to be secret - a variety of persons have an opportunity to read/record/duplicate them every time you use it at a restaurant/merchant/online/etc. There should be some other "secret" mechanism to (the written signature is overrated, outdated and ineffective) Some debit cards do require a PIN (unfortunately not always), which is the proper way to go about it (assuming the swiping mechanism, keypad etc are not rigged).

      If enough news outlets spread awareness about this issue and enough people stop treating their SSN's as a secret or atleast protest against businesses using them as an authentication mechanism, maybe we could have a better system.

      --
      An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  3. Define "breach" by chill · · Score: 4, Insightful

    Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Define "breach" by Ironsides · · Score: 5, Informative

      Well, since their security consisted of "So long as no one increments their unique number we assigned them by 1 in the browser location bar", I'd say that they were pretty much dumb idiots. Sloppy doesn't begin to cover this.

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
    2. Re:Define "breach" by jonbrewer · · Score: 3, Insightful

      Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

      It means they were sloppy. People play with URL strings all the time.

      It's trivial, especially so in ColdFusion, to make sure that the browser you authenticated is the only one you'll serve a particular document to. PayMaxx and their developer were negligent here without question.

  4. Terrifying quote ... by gstoddart · · Score: 4, Insightful
    "we already cooperate with a significantly experienced testing agency and have been tested several times for security issues."


    That they weren't even willing to listen when someone pointed this out to them is appaling.

    I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.

    --
    Lost at C:>. Found at C.
  5. But will this matter... by popo · · Score: 4, Funny

    ...if President W does away with Social Security?

    --
    ------ The best brain training is now totally free : )
    1. Re:But will this matter... by popo · · Score: 4, Insightful

      YOU ARE A SUCKER.

      S.U.C.K.E.R.

      First off: By his own acknowledgement, a self-directed system of investment does nothing to resolve the financial problems facing social security.

      Secondly: The problems facing social security are a direct result of decreases to taxes which require decreases in social spending.

      Thirdly: Social Security is SUPPOSED to be money you can't fuck up. Its supposed to be money that isn't at risk. That's the definition of the word "SECURITY" you dumbass. If you turn it into "Risk Capital" you've got no security at all.

      Do you also like the idea of homeless old people? Because if you get rid of social security that's EXACTLY what we'll have again. (Yes, its what we had before Social Security).

      Once again the administration has fooled the gullible American public into believing that a correlation exists between his policy and some impending problem. World Trade Center get attacked? Let's invade Iraq. (total non sequitor). Social Security in Financial Jeopardy? Let's create private accounts. (and another non sequitor)

      Want to control how your money is invested? Open a friggin e*trade account. Want to synthesize a bull market so you and your banker buddies can get rich? Flood the market with the biggest private investment in the history of the world.

      I call bullshit. And so should you.

      When will you dumbasses learn.

      --
      ------ The best brain training is now totally free : )
  6. As this becomes commonplace... by Anonymous Coward · · Score: 5, Interesting

    You know, the more of this I see, the more annoyed I become.

    We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.

    Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

    Seriously... are we burying our heads in the sand and attacking the wrong thing here?

    --AC

  7. Finally by Monkelectric · · Score: 5, Funny

    An upside to being unemployed.

    --

    Religion is a gateway psychosis. -- Dave Foley

  8. Hell, I already knew all that. info by Anonymous Coward · · Score: 3, Funny

    just by going thru your trashcan. By the way, you really should ask for a raise.

    Rocky Raccoon.

    p.s., please stop dumping the bathroom trash can in with the kitchen's. Thanks.

  9. Sophisticated? by kill-hup · · Score: 5, Insightful

    "No system in the world is 100 percent secure from a sophisticated and determined hacker"

    I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.

    I think they are lucky to not have been visited by some real "sophisticated hackers"...

    --
    Sinepaw.org: Grape Winos
  10. Alternate link by caryw · · Score: 3, Informative

    There is a more in-depth article about this at the Boston Globe.
    First ChoicePoint now this? How long until a major government database like one from the IRS gets hacked and information on almost every US citizen is available? Scary thought.
    - Cary
    --Fairfax Underground: Where Fairfax County comes out to play

  11. Yeah, it's insecure. So? by dmccarty · · Score: 3, Insightful
    There's a common misconception here in the US that "my" social security number and "my" income data is personal information that belongs to me only. Breaking news: it's not. Once you file your taxes, buy stock, etc. these become public records. And public records, thanks to the FOIA (Freedom of Information Act), are documents that can be accessed by the public at large.

    Do you think it's bad that PayMaxx shows people's personal information on the web? Of course it is. But how about if you get it legally from the IRS instead?

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  12. Sophisticated and determined??? by Weaselmancer · · Score: 5, Interesting

    From the article:

    "No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com

    And...

    Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

    Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.

    Sophisticated and determined my ass!!

    --
    Weaselmancer
    rediculous.
  13. Not to worry! by BLKMGK · · Score: 4, Insightful

    The moment you decide to require ALL of those things to be validated some dumbass will put them all in a database record side by side unencrypted with no password protection. The end user will be forced to endure more hoop jumping but the sum total of added security would be quickly nullified by the morons of the IT world. It only takes one village idiot to ruin things.

    --
    Build it, Drive it, Improve it! Hybridz.org
  14. Re:Socials? by Soko · · Score: 4, Insightful

    No kidding. Hey, let's put Carnivore to good use for once - let's put this into terms that will send a red flag up over Washington:

    Think about the following, in terms of being a terrorist, or just someone who wants to gain illegal entry into a country un-noticed:

    With a W-2 (which is a statement of income for last year, I presume, like a T4 in Canada where I live) you now have:

    - A valid name of a US Citizen
    - That citizen's SSN
    - thier place of employment complete with job title
    - last years earnings, which should allow you to look the part if you decide to impersonate them
    - thier home address

    All of this put together would allow for the easy forging of identiy papers. Yup, it could allow a terrorist un-fettered entry into the US with a great degree of anonymity and secrecy.

    Hi, Mr. Rumsfeld - feeling OK now?

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  15. Re:Free credit reports... by borawjm · · Score: 3, Informative

    I believe they are doing it in phases.

    From ftc.gov...
    Free reports will be phased in during a nine-month period, rolling from the West Coast to the East beginning December 1, 2004. Beginning September 1, 2005, free reports will be accessible to all Americans, regardless of where they live.

    Consumers in the Western states -- Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming -- can order their free reports beginning December 1, 2004.

    Consumers in the Midwestern states -- Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin -- can order their free reports beginning March 1, 2005.

    Consumers in the Southern states -- Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas -- can order their free reports beginning June 1, 2005.

    Consumers in the Eastern states -- Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia -- the District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, 2005

  16. Use of SSN fundamentally flawed. by pavon · · Score: 4, Insightful

    Why stop there... if my identity is stolen through the theft of their ideas;

    The fact that this (very real) failure by PayMaxx to protect thier customer's privacy escalated into the potential for identity theft is the fault of the government not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.

    Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to public and private at once, this is bound for failure.

    For years, the "solution" to this problem has been to avoid giving-out your SSN unless at all necisarry. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necissary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If an computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!

    The government needs to step up and institute a new secure way to authenticate people, as well as begin a campain to inform the public that SSN are not suitable for authentication, by any organization. We cannot expect to have any security of identity if everyone in the country autenticates our identity using a fundementally flawed manner.

    1. Re:Use of SSN fundamentally flawed. by CyberLord+Seven · · Score: 5, Insightful
      Social Security numbers were never intended to be identity numbers by the Federal Government.

      State and local governments, businesses, and eventually the military decided that since everyone had a unique SS number, they could save themselves some money and effort by simply requiring everyone to use their SS number as an ID number.

      This is an incredibly STOOPID idea that 2600 magazine has been preaching against for many years now.

      In short, I'm sorry, but you are mistaken in blaming this on the government.

      --
      We have always been at war with Eurasia!
    2. Re:Use of SSN fundamentally flawed. by sjames · · Score: 3, Insightful

      There are many who are responsable. However, PayMaxx KNOWS WELL the problems they create by leaking SSN and other data. You'd have to live under a rock to NOT KNOW it's a serious problem that can cost someone thousands of dollars and hundreds of hours. The problem was repeatedly brought to their attention and they willfully ignored it.

      They are not alone in their negligence, but they sure seem to be leading the pack at the moment.

      The real solution would be for the courts to acknowledge the facts of the matter. That is, SSN proves nothing, and DL proves little or nothing.

      Given that, credit cards, etc have literally NO idea who they are lending money to. Given that, before making any disparaging remarks on someone's credit reports, or make a single harassing phone call, they had better have a photo of the person with the signed credit application in hand, and they'd better make sure it matches the appearance of the person they're pestering. If not, they may be guilty of harassment and and libel and should be treated accordingly.

  17. Dump SSN for authentication by G4from128k · · Score: 3, Insightful

    The old scheme of authenticating people using readily and widely copied information is a recipe for identity theft. If someone stores data on you, that data should be only sufficient for verification and insufficient for the opening of new lines of credit. Some form of encryption/hash should be used that lets someone verify that you are you, but does not let them take that info and reuse/abuse it for their own purposes. Moreover, in an ideal world, each copy of "your information' should be uniquely associated with the collector of that information. That way breaches would be readily traceable back to the leaky database.

    --
    Two wrongs don't make a right, but three lefts do.
  18. Why does someone HE have YOUR information? by shanen · · Score: 3, Insightful
    The fundamental problem here is that these companies are selling something that belongs to you, *YOUR* personal information. Who suffers if they screw up and let the wrong people get it? How many guesses do you need? Hint: It isn't them.

    This is not really a new problem. Technology has just changed the way we deal with it. Before all of this computerization, if someone wanted to know about you, they had to ask you questions. The dialog might go like this:

    "What is your salary?"
    "Why do you want to know?"
    "Well, if you want to borrow money from our bank, then you must provide us with the certain information and evidence."
    "Okay. In that case I am willing to tell you..."

    Nowadays, you are not involved in any of this process. All of your personal information is flowing around behind the scenes between companies that trust each other, but *NOT* you. However, the amount of personal information is increasing to the point that the resulting questions might be more like this:

    "From checking our records, we see that you had dinner in El Torito on the night of February 22nd. Did you know that a suspected terrorist was dining with you? Were you really there for a secret rendezvous? We also see that on the previous Saturday..."

    The catch is "our records" really is "your records" that they have collected without mentioning to you.

    Solution: We need a legal principle that it is *YOUR* data and it is *YOUR* right to decide who knows it and what is done with it. (This is actually implicit in the Fifth and Sixth Amendments of the Bill of Rights.) We also need a technical principle that *YOUR* data should be stored on *YOUR* own computer. (This is the old "Possession is nine points of the law.")

    How it works: If someone wants to record information about you, they should contact *YOUR* computer and store it there. They can include whatever signature they like to insure that you can't tamper with the content. They can include a binding request that you back up the data. However, if they want to see that information later, they must ask *your* computer to provide it, and *your* computer will only provide the information if *YOU* agree. (Actually, this means you would define privacy policies for your computer to enforce, including such things as "doublecheck with me anytime someone claims I owe them more than $10", etc.)

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.