Slashdot Mirror

← Back to Stories (view on slashdot.org)

100,000 More Social Security Numbers Exposed

Posted by Zonk on from the that-why-we-use-these-password-things dept.

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."

19 of 325 comments (clear)

  1. Credit report monitoring by BWJones · · Score: 4, Insightful

    These guys (and everybody who violates the privacy laws like them) should be required to pay for in depth fraud monitoring and credit report monitoring. If you are going to warehouse our data especially without our knowledge, then they should pay for their own screwups.

    --
    Visit Jonesblog and say hello.
    1. Re:Credit report monitoring by Anonymous Coward · · Score: 5, Insightful
      required to pay for in depth fraud monitoring and credit report monitoring.

      Why stop there... if my identity is stolen through the theft of their ideas; and someone cleans out my accounts the LAST thing I'm going to care about is them paying for "monitoring".

      I want them to pay for the damages they caused by essentially being an accomplice to the thieves.

    2. Re:Credit report monitoring by BWJones · · Score: 4, Insightful

      There is no way that any company could conceivably recompense all 100,000 victims.

      You can't cover your ass if you screw up big time? It's simple......you......should.....NOT......be.....al lowed.....to......keep.......records on vast numbers of human beings with lives and financial histories to protect.

      --
      Visit Jonesblog and say hello.
  2. Uh oh... by Faust7 · · Score: 4, Funny

    Man, I hope Jon Stewart's wasn't in there!

    Oh wait...

    --
    The coolest voice ever.
    1. Re:Uh oh... by kill-hup · · Score: 4, Funny

      I'll bet Ted Hitler was watching and knows what it is ;)

      --
      Sinepaw.org: Grape Winos
    2. Re:Uh oh... by GillBates0 · · Score: 4, Insightful
      Good one :)

      I liked the way how he subtly hinted at the folly of using identifiers as passwords. An identifier is supposed to be public (akin to a login)... but it is increasingly being treated as a password....something which it was never designed to be.

      I have the same problem with credit card numbers too. They aren't supposed to be secret - a variety of persons have an opportunity to read/record/duplicate them every time you use it at a restaurant/merchant/online/etc. There should be some other "secret" mechanism to (the written signature is overrated, outdated and ineffective) Some debit cards do require a PIN (unfortunately not always), which is the proper way to go about it (assuming the swiping mechanism, keypad etc are not rigged).

      If enough news outlets spread awareness about this issue and enough people stop treating their SSN's as a secret or atleast protest against businesses using them as an authentication mechanism, maybe we could have a better system.

      --
      An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  3. Define "breach" by chill · · Score: 4, Insightful

    Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Define "breach" by Ironsides · · Score: 5, Informative

      Well, since their security consisted of "So long as no one increments their unique number we assigned them by 1 in the browser location bar", I'd say that they were pretty much dumb idiots. Sloppy doesn't begin to cover this.

      --
      Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
  4. Terrifying quote ... by gstoddart · · Score: 4, Insightful
    "we already cooperate with a significantly experienced testing agency and have been tested several times for security issues."


    That they weren't even willing to listen when someone pointed this out to them is appaling.

    I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.

    --
    Lost at C:>. Found at C.
  5. But will this matter... by popo · · Score: 4, Funny

    ...if President W does away with Social Security?

    --
    ------ The best brain training is now totally free : )
    1. Re:But will this matter... by popo · · Score: 4, Insightful

      YOU ARE A SUCKER.

      S.U.C.K.E.R.

      First off: By his own acknowledgement, a self-directed system of investment does nothing to resolve the financial problems facing social security.

      Secondly: The problems facing social security are a direct result of decreases to taxes which require decreases in social spending.

      Thirdly: Social Security is SUPPOSED to be money you can't fuck up. Its supposed to be money that isn't at risk. That's the definition of the word "SECURITY" you dumbass. If you turn it into "Risk Capital" you've got no security at all.

      Do you also like the idea of homeless old people? Because if you get rid of social security that's EXACTLY what we'll have again. (Yes, its what we had before Social Security).

      Once again the administration has fooled the gullible American public into believing that a correlation exists between his policy and some impending problem. World Trade Center get attacked? Let's invade Iraq. (total non sequitor). Social Security in Financial Jeopardy? Let's create private accounts. (and another non sequitor)

      Want to control how your money is invested? Open a friggin e*trade account. Want to synthesize a bull market so you and your banker buddies can get rich? Flood the market with the biggest private investment in the history of the world.

      I call bullshit. And so should you.

      When will you dumbasses learn.

      --
      ------ The best brain training is now totally free : )
  6. As this becomes commonplace... by Anonymous Coward · · Score: 5, Interesting

    You know, the more of this I see, the more annoyed I become.

    We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.

    Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

    Seriously... are we burying our heads in the sand and attacking the wrong thing here?

    --AC

  7. Finally by Monkelectric · · Score: 5, Funny

    An upside to being unemployed.

    --

    Religion is a gateway psychosis. -- Dave Foley

  8. Sophisticated? by kill-hup · · Score: 5, Insightful

    "No system in the world is 100 percent secure from a sophisticated and determined hacker"

    I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.

    I think they are lucky to not have been visited by some real "sophisticated hackers"...

    --
    Sinepaw.org: Grape Winos
  9. Sophisticated and determined??? by Weaselmancer · · Score: 5, Interesting

    From the article:

    "No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com

    And...

    Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

    Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.

    Sophisticated and determined my ass!!

    --
    Weaselmancer
    rediculous.
  10. Not to worry! by BLKMGK · · Score: 4, Insightful

    The moment you decide to require ALL of those things to be validated some dumbass will put them all in a database record side by side unencrypted with no password protection. The end user will be forced to endure more hoop jumping but the sum total of added security would be quickly nullified by the morons of the IT world. It only takes one village idiot to ruin things.

    --
    Build it, Drive it, Improve it! Hybridz.org
  11. Re:Socials? by Soko · · Score: 4, Insightful

    No kidding. Hey, let's put Carnivore to good use for once - let's put this into terms that will send a red flag up over Washington:

    Think about the following, in terms of being a terrorist, or just someone who wants to gain illegal entry into a country un-noticed:

    With a W-2 (which is a statement of income for last year, I presume, like a T4 in Canada where I live) you now have:

    - A valid name of a US Citizen
    - That citizen's SSN
    - thier place of employment complete with job title
    - last years earnings, which should allow you to look the part if you decide to impersonate them
    - thier home address

    All of this put together would allow for the easy forging of identiy papers. Yup, it could allow a terrorist un-fettered entry into the US with a great degree of anonymity and secrecy.

    Hi, Mr. Rumsfeld - feeling OK now?

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  12. Use of SSN fundamentally flawed. by pavon · · Score: 4, Insightful

    Why stop there... if my identity is stolen through the theft of their ideas;

    The fact that this (very real) failure by PayMaxx to protect thier customer's privacy escalated into the potential for identity theft is the fault of the government not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.

    Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to public and private at once, this is bound for failure.

    For years, the "solution" to this problem has been to avoid giving-out your SSN unless at all necisarry. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necissary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If an computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!

    The government needs to step up and institute a new secure way to authenticate people, as well as begin a campain to inform the public that SSN are not suitable for authentication, by any organization. We cannot expect to have any security of identity if everyone in the country autenticates our identity using a fundementally flawed manner.

    1. Re:Use of SSN fundamentally flawed. by CyberLord+Seven · · Score: 5, Insightful
      Social Security numbers were never intended to be identity numbers by the Federal Government.

      State and local governments, businesses, and eventually the military decided that since everyone had a unique SS number, they could save themselves some money and effort by simply requiring everyone to use their SS number as an ID number.

      This is an incredibly STOOPID idea that 2600 magazine has been preaching against for many years now.

      In short, I'm sorry, but you are mistaken in blaming this on the government.

      --
      We have always been at war with Eurasia!