100,000 More Social Security Numbers Exposed
ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."
Why stop there... If my identity is stolen through the theft of their ideas and someone cleans out my accounts, the LAST thing I'm going to care about is them paying for "monitoring".
I want them to pay for the damages they caused by essentially being an accomplice to the thieves.
You know, the more of this I see, the more annoyed I become.
We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.
Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.
Seriously... are we burying our heads in the sand and attacking the wrong thing here?
--AC
An upside to being unemployed.
Religion is a gateway psychosis. -- Dave Foley
"No system in the world is 100 percent secure from a sophisticated and determined hacker"
I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.
I think they are lucky to not have been visited by some real "sophisticated hackers"...
Sinepaw.org: Grape Winos
From the article:
"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com
And...
Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.
Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.
Sophisticated and determined my ass!!
Weaselmancer
Ridiculous.
Well, since their security consisted of "So long as no one increments their unique number we assigned them by 1 in the browser location bar", I'd say that they were pretty much dumb idiots. Sloppy doesn't begin to cover this.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
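The flaw discussed in the comments above, a W-2 link whose sequential ID is the only thing separating one customer's form from the next, comes down to a missing ownership check on the server. The following is an added example, not PayMaxx's code and not from any commenter; the class, method and user names are assumptions and the records are constructed.

```python
import secrets

class Forbidden(Exception):
    """The logged-in user does not own the requested form (or it does not exist)."""

class W2Store:
    def __init__(self):
        self._forms = {}       # form id -> (owner, document)
        self._next_seq = 1001  # sequential counter, as in the design the article describes

    def add_sequential(self, owner, document):
        form_id = str(self._next_seq)
        self._next_seq += 1
        self._forms[form_id] = (owner, document)
        return form_id

    def add_random(self, owner, document):
        form_id = secrets.token_urlsafe(16)  # 128 random bits: neighbours cannot be derived
        self._forms[form_id] = (owner, document)
        return form_id

    def fetch_flawed(self, form_id):
        # The ID in the link is the only "credential": whoever presents it gets the form.
        return self._forms[form_id][1]

    def fetch_checked(self, session_user, form_id):
        entry = self._forms.get(form_id)
        # One error for "missing" and "not yours", so responses do not reveal which IDs exist.
        if entry is None or entry[0] != session_user:
            raise Forbidden(form_id)
        return entry[1]

def demo():
    store = W2Store()
    alice_id = store.add_sequential("alice", "W-2 alice (constructed)")
    bob_id = store.add_sequential("bob", "W-2 bob (constructed)")
    out = {"flawed": store.fetch_flawed(bob_id)}  # alice's session, bob's ID: served anyway
    try:
        store.fetch_checked("alice", bob_id)
        out["checked"] = "served"
    except Forbidden:
        out["checked"] = "denied"  # same request, refused by the ownership check
    out["own"] = store.fetch_checked("alice", alice_id)
    out["random_id_len"] = len(store.add_random("alice", "W-2 alice 2 (constructed)"))
    return out

if __name__ == "__main__":
    print(demo())
```

The ownership check is what closes the hole; random identifiers only make IDs harder to guess and are worth having in addition, not instead.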
State and local governments, businesses, and eventually the military decided that since everyone had a unique SS number, they could save themselves some money and effort by simply requiring everyone to use their SS number as an ID number.
This is an incredibly STOOPID idea that 2600 magazine has been preaching against for many years now.
In short, I'm sorry, but you are mistaken in blaming this on the government.
We have always been at war with Eurasia!