Over Half a Million Bank Accounts Breached
Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
Oftentimes, I'll complain about Slashdot dupes. Why can't this be one of those times?
Isn't there a US equivalent of the Data Protection Act?
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
A few holes, especially principle eight, but overall it does what it's supposed to.
Checks bank account...
shit!
I'm sure the answer will be higher fees though, so in the long run the banks will be fine.
Oh.... I'm screwed.
Fortunately, my account should be safe. I got an email from Bank of America telling me about their problem, and I filled out their form to resecure my account. Such a great company to take care of their customers like that!
I read about this a month ago, in a letter from Bank of America.
No, really...
Good thing I've opted out of having my bank share information with other parties. Opting out of information sharing is a wise thing for everyone to do.
This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.
I'm glad to know that about 1 in 10 people were notified
I have a feeling that most people's social security numbers have been harvested by people who shouldn't have them
Some people believe 1-1=3 and for the sake of being politically correct, we should respect their differences
OMG I have to go and check my bank account fast. I feel so violated! So much for privacy. Bet they were running Windows :angry:.
Time to switch banks.
Crap. I use them.
Man, with inside hack jobs it does not matter what you are running or what you do, somehow you can still end up getting screwed.
Yikes!!!
ACK
"The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency."
-----BEGIN PGP SIGNATURE-----
12345
-----END PGP SIGNATURE-----
Funny how selling bank account information illegally makes money that you'll just have to put back into the bank. Or maybe not.
Mr. America walk on by your schools that do not teach Mr. America walk on by the minds that won't be reached
Our banks are supposed to be some of the most secure institutions available to us. I wonder if they will reverse the charge on my credit card if I claim I didn't make it and it was caused by my personal information being breached...
Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.
/snip/
The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.
Hmmm... working for a bank and a "collection agency". Sounds like a conflict of interest banks might want to look out for and possibly stipulate that working for a collection agency is not permitted while working for a financial institution.
I got an email the other day asking for my card numbers, pin numbers, social security number, etc. so that they could verify that my information had not been compromised.
I'm sure glad I took the time to fill all of that out.
The data-theft ring may have perpetrated the nation's largest ever banking security breach, a Hackensack, N.J., police statement quoted a Treasury Department representative as saying.
I only hope that Hackensack don't lack the knack to track this crack attack.
So, the people at the banks will face charges, as will Lembo, the "mastermind".
But, what about the 40 collection agencies and law firms? Will they face civil charges? Criminal charges? Both? Surely they knew they were up to no good, and they were the ones funding the information theft in the first place -- all so that they could illegally harass debtors.
Will the Feds follow the money?
Support a few technologists in Washington.
...do the police intend to track down the information to and "reclaim" it from the collection agencies, advertisers, etc.?
If an individual or group intentionally leaked or sold this information it is most certainly a crime. Laws are a punishment, not an absolute way to prevent crimes. If the perpetrator is convinced they can get away with this and profit from it, then they are not going to be worried about the fine print of the numerous laws they are breaking.
I guess the hackers (or crackers if you'd rather) dared to dream?
of course?!?!
Bank of America (up $0.10 to $46.67, Research), the nation's No. 2 bank, has notified 60,000 customers of the problem. Wachovia (Research) has notified 48,000 customers.
"Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said.
It doesn't matter what laws you enact. If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees. Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones. When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.
I'm a big tall mofo.
Are you also worried there won't be enough tellers for you after you wait in line for an hour to withdraw five dollars for lunch?
There are several thousand smaller banks in the United States and many smaller banks have lower fees than those giants and a customer actually means something to those banks.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
(Those from the UK may recall the curious scandal of "Phantom Withdrawals" from ATM machines, where mysterious, large withdrawals were taking place, even though nobody was apparently present to make those withdrawals. It was unimaginably difficult to prove the victim was a victim, and even then it was next to impossible to get the bank to repay the money.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Why is there no link to Bank Of America in the summary?
I sure am glad that I did *some* time in the service. One would hope that this type of thing wouldn't happen with a bank that serves the armed forces.
"BitTorrent is responsible for this terrible identity theft.
We have information that the same individuals who leaked Mr. Lucas' new Star Wars movie, is also responsible for this round of identity theft.
Mr. and Mrs. BitTorrent have failed to respond to our communications, thereby proving their guilt in this matter."
--MPAA Spokesperson
Jail teh BitTorrent!!!
/me scans article ... wachovia, pennsylvania ... shit.
Wachovia says that they sent out letters to everyone they know to be affected. My mail service is spotty at times, so I gave them a call. 1-800-WACHOVIA (1-800-922-4684). Just keep pressing 0 till you get an operator. Their customer service workers were able to tell me over the phone if my account was compromised. It's not. w00t! Took them about five minutes, but I think everyone should double check.
Luckily, I don't use banks. I keep all my money in a thermos under a combination lock. I then tether the combination to a string in a mylar bag and swallow it, tying it off on a rigged bicuspid that will send a charge to the bag signaling an incendiary device which will destroy the note unless the tooth is first properly removed. But the bicuspid is fake -- threaded backwards with a one-way screw head. Of course, an anal probe might easily bypass the oral security, but I recently had my sphincter sewn shut and I only consume nutrient drinks which, by chance, I keep in the thermos....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
My bank offers:
1. Higher interest rates
2. Interest-bearing checking accounts
3. No fees ever
4. Free online billpay
5. ATM fee refunds (since they don't have their own ATMs)
6. Postage paid envelopes for deposits
7. 24/7 Customer Service with almost 0 hold time
8. No BS
I switched to an internet bank a long time ago and I'll never look back. But I'm not going to tell you what the bank is because I don't want it to turn into a "big bank". Go find your own.
[figz@figz figz]$ kill -9 `ps -ef | awk '$1=="figz" { print $2 }'`
And by "breading grown" I assume you mean "breeding ground"
Everyone involved in this should be in jail Now! Ten years apiece is a good start.
And I don't mean Club Fed either.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Holders of mass amounts of critical info need to learn that if they lose it, or mismanage it, they will be held liable for hundreds of millions of dollars in civil penalties, and years in prison for the most egregious cases of negligence.
I use a small, regional Credit Union. I had nothing but trouble when I was with Bank of America and Sun Trust (system outages, errors in reporting, etc.) and now this. I think using smaller credit unions or regional banks, while limiting in some cases, is better, because they don't get so big that they forget who their customers really are.
I'm not a troll, but I play one on Slashdot.
Let's make up a "Troll" moderation so that people who post off-topic tripe to rant about inflammatory political issues can be modded down.
On second thought, let's just mod them Informative.
It has two purposes - the first purpose is to have financial institutions adopt measures to protect consumer data. The second purpose is to add a great deal of paperwork and extra compliance steps that bank staff must accomplish without adding any extra safety to the information.
I believe that in health care, HIPPA or HIPAA (whichever one it was!) accomplished much the same thing.
How much are these guys getting?
Like, can I sell my personal information before someone else does?
How could they! Somebody must think of the children.
I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
This is similar to the Choicepoint breach where account information was sold to an illegitimate company posing as a real customer. The main difference here is that there were "inside guys" who knew the selling of the data was to a bogus firm. What I find most interesting is that the main clients that the perpetrator (Orazio Lembo) sold to were.. wait for it... law firms and collection agencies! Talk about a vicious hive of scum and villainy.
I say it will only get worse because the Sarbanes-Oxley Act is coming into effect which requires companies to put into place access controls to monitor/audit who has access to what information (among other things). The SOX, in conjunction with the Gramm-Leach-Bliley Act are forcing corporations to get their financial house in order in such a way that this type of malfeasance is getting much harder to hide. Expect to see more of the same for quite some time.
While I think it's nice that these laws are having their desired effect I still envy those wacky europeans and their data protection laws.
Amoeba
Do not taunt Happy-Fun Ball
I have an account with Wachovia. About 6 months ago, I started putting rather significant sums in it. Enough that were the account to get robbed, I'd be seriously upset. What concerned me at the time was that I had used my check card for online transactions, though.
The thought that someone could wipe me out financially by cracking an online system got me worried enough that I opened a checking account at a local bank where I now keep a majority of my funds. I move enough into the Wachovia account for paying bills and stuff that are connected to it, but there's never enough in there to completely wipe me out anymore.
And obviously, with the new bank, I won't be using the check card online. It looks like mine wasn't affected and it doesn't look like the account info was being used for robbery, but I still feel more secure with the new account.
I was just told that because I live in California and opened my account in this state, my account information should not be affected by a breach in New Jersey, where the incident occurred. Can anyone corroborate this?
Stay sentient. Don't drink bad milk.
Will the Feds follow the money? The Feds *are* the money, so in short, 'No.' (note: I'm well aware that the Federal Reserve is neither)
Companies are required to put "technical and organisational measures" in place to protect data.
If you can read legalese. The principles:
http://www.opsi.gov.uk/acts/acts1998/80029--l.htm
Course, I'm not entirely sure how big the teeth are.
This is ridiculous, there is another story of 500,000+ people's data being stolen. How many have to happen before my institution is affected.
Tell it to Chief Thundercloud.
Customer Protection
Guard yourself against fraud and identity theft. Wachovia provides the highest levels of protection and stands ready to assist you should you become a victim.
Irony, anyone?
And this is why I keep all my money in a credit union. CU's are generally too small for this sort of thing to happen, and you get better rates with them as well (generally speaking).
Viral software licensing is not freedom, it is in fact GNU/Socialism.
"That information was then sold to his clients, which included more than 40 law firms and collection agencies."
I don't know whether the 40 law firms and collection agencies are criminally liable but if they ain't, they oughta be. An example should be made of them. Yes, those taking the data bear the brunt of the blame but the ones purchasing it have some culpability too.
Wansu, th' chinese sailor
Over 5 million. 5 million persons that had their personal information compromised in some form in the year 2005 alone. The Privacy Rights Clearinghouse is going to have a field day with this on their website.
Tell you what, they can have my info...
Someone stealing my identity might actually improve my credit
Of course, because personal data cannot be deliberately illegally copied using other operating systems, right?
Backup not found: (A)bort (R)etry (P)anic
You spend so much time worrying about how people steal your information from your mailbox, but when it comes down to it most of the fraud is probably being perpetrated in back rooms like this one. Can't wait to see how this one plays out.
Bytes - IT Community
Actually, a lot of UK companies don't realise this yet either.
But the DPA requires:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
These things are less effective than 'Orders of Protection' from someone who's determined to cop your sh*t.
Securing your sh*t is the only viable alternative. But its an uphill battle with all the idiots out there trying to sell it.
Bah.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Feds said that was part of Phase 2.
"Lomia said the law firms that allegedly sought Lembo's services are part of "phase two" of the investigation."
Some states allow citizens to block use of their credit report. Thus, even if someone steals your SSN, your birth certificate, and your drivers license, they're unable to obtain any new credit in your name, because no one is going to give credit without first getting a credit report.
Sure, it doesn't solve all problems with ID theft, but it certainly helps.
If someone says he and his monkey have nothing to hide, they almost certainly do.
I just called BoA, and they told me that the incident was "mostly contained to accounts in the Northeast".
Anyone receive conflicting information from them on this?
Terrorists can attack freedom, but only Congress can destroy it.
Is there some place on the .net where a person can get an overview on what company owns what other companies? I know that First USA was taken over by Bank One and then by Chase in like less than a year. They could all be owned by one of the affected banks for all I know!
How can anybody reasonably know these things? Is there a www.CorporateTree.com or something?
Then, you have those logs checked by another person, not at that location. Was there a legitimate reason for the access (withdrawl/deposit)? Was that access initiated by the customer?
The people monitoring the logs will not have access to the personal information of the accounts.
Now, if the logs are checked on a random basis (Joe is NOT the only person who checks all of Seattle's logs) then that activity is much easier to spot.The key is to build a system where individuals are NOT allowed unchecked access to personal information.
The reason we don't have systems like that is because there isn't any financial incentive to implement them.
The US does NOT have the same privacy laws that other countries have so this kind of activity is MUCH easier to get away with.
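The comment above (together with its opening line further down the thread, "It shouldn't be that hard to have every employee's access to every account logged") sketches a control: log every employee lookup, have the logs reviewed by a randomly chosen person at another location who does not see the account holders' personal data, and ask for each lookup whether the customer initiated it. Below is an added toy implementation of that review, written for this page; it is not code from the thread, from Slashdot, or from any of the banks named. The log lines, the 10-minute justification window, the pseudonym key and the threshold of three unjustified lookups are all constructed assumptions. The pattern it flags is the one described in the article excerpts: an insider running a list of names against the depositor database with no customer transaction behind any of the lookups.

```python
"""Toy insider-lookup audit (added example, not the thread's or any bank's code).

Every employee lookup of an account is logged. A reviewer elsewhere sees only a
keyed pseudonym of the account, never the account number or holder, and is shown
lookups that have no customer-initiated event near them in time. Employees with
many such lookups are surfaced for follow-up.
"""
import hashlib
import hmac
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Held by the audit system only; reviewers never receive it (assumption).
PSEUDONYM_KEY = b"audit-system-key-not-shared-with-reviewers"

# A lookup counts as justified if a customer-initiated event on the same
# account falls within this window (assumption: 10 minutes either side).
WINDOW = timedelta(minutes=10)

# Constructed sample data; account numbers and employees are fictional.
ACCESS_LOG = [
    # (employee, branch, account, time of lookup)
    ("emp17", "hackensack", "ACCT-0001", "2005-05-23T09:01:00"),
    ("emp17", "hackensack", "ACCT-0002", "2005-05-23T09:01:20"),
    ("emp17", "hackensack", "ACCT-0003", "2005-05-23T09:01:45"),
    ("emp17", "hackensack", "ACCT-0004", "2005-05-23T09:02:10"),
    ("emp42", "seattle",    "ACCT-0007", "2005-05-23T10:15:00"),
    ("emp42", "seattle",    "ACCT-0008", "2005-05-23T11:40:00"),
]

# Customer-initiated events: teller/ATM transactions, customer calls.
CUSTOMER_EVENTS = [
    # (account, time, channel)
    ("ACCT-0007", "2005-05-23T10:14:30", "teller_withdrawal"),  # justifies emp42's first lookup
    ("ACCT-0003", "2005-05-23T14:00:00", "atm_deposit"),        # hours after emp17's lookup: no justification
]

# Reviewer pool: (reviewer, branch). Constructed.
REVIEWERS = [("rev_a", "hackensack"), ("rev_b", "seattle"), ("rev_c", "seattle")]


def pseudonym(account_id: str) -> str:
    """Keyed, stable pseudonym: a reviewer can tell two lookups hit the same
    account but cannot recover the account number without PSEUDONYM_KEY."""
    return hmac.new(PSEUDONYM_KEY, account_id.encode(), hashlib.sha256).hexdigest()[:12]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def justified(account_id, when, events=CUSTOMER_EVENTS, window=WINDOW) -> bool:
    """True if the customer did something on this account close to the lookup."""
    t = _ts(when)
    return any(acct == account_id and abs(_ts(et) - t) <= window
               for acct, et, _channel in events)


def unjustified_lookups(access_log=ACCESS_LOG, events=CUSTOMER_EVENTS, window=WINDOW):
    """Reviewer-facing records: (employee, branch, pseudonymised account, time).
    Only lookups with no nearby customer-initiated event are returned."""
    return [(emp, branch, pseudonym(acct), when)
            for emp, branch, acct, when in access_log
            if not justified(acct, when, events, window)]


def suspicious_employees(access_log=ACCESS_LOG, events=CUSTOMER_EVENTS, threshold=3):
    """Employees whose count of unjustified lookups reaches the threshold.
    A burst of lookups with no transactions behind them is the list-scanning
    pattern the insiders in this case are alleged to have run."""
    counts = defaultdict(int)
    for emp, _branch, _pseudo, _when in unjustified_lookups(access_log, events):
        counts[emp] += 1
    return {emp: n for emp, n in counts.items() if n >= threshold}


def assign_reviewer(employee_branch, reviewers=REVIEWERS, rng=None):
    """Pick a random reviewer from another location, so no single person is
    'the one who checks Seattle' and a local colleague cannot sign off."""
    rng = rng or random.Random()
    eligible = [r for r, b in reviewers if b != employee_branch]
    if not eligible:
        raise ValueError("no reviewer outside the employee's own branch")
    return rng.choice(eligible)


def demo_reviewer(seed=1):
    """Deterministic demonstration of assign_reviewer for a Hackensack employee."""
    return assign_reviewer("hackensack", REVIEWERS, random.Random(seed))


if __name__ == "__main__":
    for rec in unjustified_lookups():
        print("unjustified lookup:", rec)
    print("flagged employees:", suspicious_employees())
    print("reviewer for hackensack logs:", demo_reviewer())
```

Run it and emp17's four back-to-back lookups come out as unjustified while emp42's lookup 30 seconds after a teller withdrawal does not; only the pseudonyms reach the reviewer. Rotating the key per review period would stop a reviewer from correlating across periods, at the cost of losing "same account again" visibility, which is the usual trade-off with this design.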
This had nothing to do with technology...some hire ups at the bank stole the data and sold it off to a very high bidder. It doesnt matter what operating system you have...that data was going out.
I don't like Bush's policies either, but let's not just make things up, ok? First, not all class action suits are "forced" to federal court, only very large suits.
Second, they're moved to federal court not because federal courts are more business-friendly, but because of procedural differences in state court vs federal court. State courts tend to be more relaxed in due process procedures, and award ridiculous damages that are confiscated by private law firms. The ease with which a class action suit can be won in a small jurisdiction for enormous rewards has caused capitalistic law firms to seek out groups of marginally damaged people and organize them for a suit. This has caused a tenfold increase in class action lawsuits over the last decade.
Meanwhile, plaintiffs from multiple states with complaints against the same defendant could not organize on a federal level and file in federal court, due to procedural restrictions that prevented class action suits from being moved out of state. Thus you had the dangerous situation of one state's courts determining a case that would have national precedent ramifications, and this seriously violates the principles of federalism. For a guy who bitched in his post about removing checks and balances, you're also complaining about legislation that was intended to prevent one state from determining national policy via state courts that are cherry-picked by millionaire attorneys.
The legislation in question removed some of the roadblocks to moving large cases with multistate plaintiffs to federal court by granting original jurisdiction of a case to the District Courts instead of the state courts for large suits in which there are multistate plaintiffs.
You then characterize all this in your tired anti-Bush ranting as some pro-business move that Bush enacted for his cronies. First, that's not how a bill becomes a law, and you ought to know that by now. Presidents do not sponsor legislation in committee, nor vote on them in congress. They sign them.
There are a shitload of legitimate things to criticize President Bush about, but I'm tired of this hate-filled ranting that's misinformed. It's really hard to push for social evolution and progress when most of the people on your side are ignorant and more concerned with politics than anything else.
Oops, I forgot our legislature is too busy removing checks and balances (Senate) and debating corrupt members (House) to get anything else done.
I'm not sure what you're talking about here, so I can't really respond to you. The only major battle I know of in the Senate is over appellate court nominations, and I haven't read anything yet about changes to how nominations are handled.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Banks are evil. Use Credit Unions.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Has anyone here received these notifications? What do they look like? Is it a separate envelope saying, "Your data may have been compromised, follow these procedures, shred these documents, take these precautions in the future. Please." Or is it a single line at the bottom of your monthly bank statement?
[o]_O
You'd have to wipe out all of their hard drives and tapes.
But that would, effectively, destroy their business.
Not that I, personally, have a problem with destroying their businesses, but I see long running court cases over it.
I use a "big bank", but as far as I can tell, they make no money off me.
Everything I do with them is "free" - free checking, atm use, etc.
Whenever I have excess money in the bank, it gets swept into an online bank account that pays decent interest, or I send it off to my brokerage account where I gamble it away on bad stock picks ;-)
I buy my checks from random cheapo check printers.
As far as I can tell, I get the benefit of the big bank (lots of atms, grocery store locations, etc) and if anything should happen to my account, security-wise, it's their problem, not mine.
This issue is a bit more complicated than you think.
that I should start responding to all those "Wachovia Bank Confidential Information" emails?
I have an account with one of those banks. And they've been rather good; their phone service is excellent, their web system is better than average...
Bah. So what happens now? I wait for the junk mail to start pouring in? This is... infuriating. Is there someone I can throw tomatoes at?
--grendel drago
Laws do not persuade just because they threaten. --Seneca
It's very important to note that their actual accounts were not compromised, only personal data and account numbers. While - yes, this is horrible, it's more of an "You asshole" issue than an "Shit, I better make sure all my money is there" issue.
Doesn't seem like the markets find this too interesting:
Bank of America (BAC): 46.61, +0.04 (+0.09%)
Wachovia (WB): 52.24, -0.18 (-0.34%)
Commerce Bancorp (CBH): 29.06, +0.44 (+1.54%)
PNC Financial Services (PNC): 55.26, -0.15 (-0.27%)
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
A while back I got a call at around 4:30 P.M. from a credit card company requesting that I verify I had applied for a Home Depot card via one of those "just sign the line below" forms. I hadn't, so I immediately began the tedious process of requesting credit reports and contacting my bank to check up on unusual activity.
Later, at about 7:00 P.M. the same night, I got an pre-recorded call requesting that I call an 800 number and reference a specific "case code". I wrote down the telephone number and the code, and the next day spent a few minutes on Google shagging down the number. Turns out it was for a law firm in Utah that specialises in handling collection cases (unfortunately, I cannot remember their name). I remember thinking, a) "I don't owe anyone any money" and b) "how in the hell did they get my number?".
Now, I guess I know.
The story ended well for me - there were attempts to steal my identity, but they were all apparently stopped. I never did call the collection firm, so I have no idea what they may have wanted to chat about - seems to me if it was important, they would have used a human instead of a tape. The links I followed from Google were mostly to blogs and forum entries relating to how other folks had received similar calls from this agency, and upon returning them had been informed by the collection agency that they owed some form of money to a bank/credit card company they were representing. The kicker was that they also tried to add an additional fee (some as high as $275 US), payable to the collection agency alone. Other links mentioned how this same company had been banned from business in a lot of states for trying to add this extra fee, and, in essence, refusing to clear the original debt until their extra fee had been paid.
I'm not tense. I'm just terribly, terribly, alert.
I'm glad I do no business with them.
I'm sending out the RIAA to punish the BofA for copyright infringement.
My old bank fired me for reporting that all daily loan applications including first and last names, social security for borrower and co-borrower and full addresses were wide open on an unsecured Windows fileshare with Everyone/Full Control access. All 50,000+ bank employees plus contractors with any Windows domain login had full access to view all daily loan applications. These poor people weren't even our customers yet.

I knew my manager would do nothing about it, so I started with a standard IT helpdesk call. At least then my report would be logged. Nothing happened. I then tried several other channels and after a few days, I found the "dept in charge of keeping us off CNN". They immediately secured it and were very thankful of my report.

Since I had also noticed many other unsecured servers in my time there, like daily intra-bank mortgage trade activity and others, I proceeded to report over 15 servers to this group. They fixed everything I reported and were thankful. They advised me not to scan their network because that would be considered hacking, but if I came across unsecured servers over the course of my normal work, I should report it.

All was fine until some other managers got back to my manager asking who was the busy-body in his department causing them this extra security work? At bonus review time, my manager all of a sudden gave me poor ratings, disqualifying me from my $6000 bonus. He had given me an out-of-cycle raise just 5 months earlier for good performance. Go figure.

After no raise and no bonus, I was pretty ticked and started escalating the issue with his manager and the nice security group. No response. I then put in for a transfer. My manager then writes me up for a written performance issue, listing security as one of the issues, and made my transfer ineligible for 90 more days. I continued to escalate but a few weeks later, he fired me for not addressing the "performance" issues.

I've thought about finding a lawyer, but I'm much happier with my new employer now and try to just let it go.

Ray
"Band of America"?
I can assure you, the best way to get rid of dragons is to have one of your own.
You would trust any email with a link to go log in to your account? Man, I'm amazed you have any money left to check on!
Next, I'll walk outside and see my car covered in bird poop.
I work for a bank in New Jersey (that wasn't compromised). We received information about this a while ago. As I recall, bank employees were paid to provide information about specific individuals sought by collection agencies, which they would find by scanning lists furnished by these agencies and checking to see if the individuals were depositors with the bank. If you're not being sought by a collection agency, the odds are low that your information was compromised.
Bank of America only recently started operating in New Jersey, with the acquisition of Fleet. So I would assume that former depositors of Fleet as well as those who've opened accounts at area branches since the acquisition are vulnerable (as well as depositors at the other affected banks, obviously), but probably not Bank of America customers in other parts of the country.
After all, problems will be found without any problem and fixed in a timely manner.
....
Um, why does my bank statement have a check for $6,587.21 to LEET Enterprises on it?
-- Tigger warning: This post may contain tiggers! --
Quis custodiet ipsos custodes? -- apparently a blind drunkard that's easily bribed.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Suppose the officers and directors of a corporation were to be held criminally liable whenever personal data in the custody of that corporation is used to harm the person or steal his money.
That law, by itself, will not stop data theft. But, it will give the officers and directors an incentive. A few dozen corporate officers and directors will go to jail for 20 years each. Then, immediately, all other corporations will do whatever is necessary to prevent data theft.
About a block from my house there's a small bank. It had a recognizable name, but not a major one. The building was small and it was run by locals. I had a small account in there to save up for college spending.
Anyway, about 2 years after I opened my account there was a small scandal. One of the owners was caught skimming funds from a number of accounts; not wiping them out per se, but $100 here, $50, $300 there (depending on how big the account was).
So, there's no guarantee. However, what you're doing should provide some comfort, as if someone got to your check card or whatever you wouldn't lose everything.
Checks your bank account... SHIT! I paid good money for this stolen personal information, and they're all deadbeats!
At some level, though, it becomes just a cost/benefit calculation. The kind of security you describe sounds like it would be expensive to implement. Companies might well decide to stick with the tried and true approach of not implementing such a scheme, taking whatever fines they get when a leak occurs, and arranging {fines|lawsuits|jail} for the employees responsible. While not perfect, this approach may well be almost as effective and cheaper in the long run.
"It's not about selling sixty-thousand members' personal information. It's about selling one members' personal information, and then repeating the process 60,000 times."
In a separate case with the potential for identity theft, a laptop containing the names and
Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado, said company spokeswoman Linda Laughlin.
The car was parked in the analyst's home garage and the computer was password-protected, she said. MCI would not comment on whether the data was encrypted.
The Yahoo article mentions this, although the Slashdot article doesn't.
I bring this up because this case at least seems like a computer security issue, as opposed to a human nature issue.
If the laptop data wasn't encrypted, all you need to do is mount its hard drive on another computer. That is hardly an arcane or technical procedure, and the article should mention how easy that is.
Personally, I think laptops are mostly good for watching funny flash videos with your friends in trendy coffee shops. You should never put important data on a laptop, and then lug it around.
Hopefully I didn't put any [] around my words.
I work at a school for the blind in Spartanburg, SC, and I just stopped in to see why I've received so many complaint calls about this site today. I see what the problem is now. Blind users are told to go screw themselves by the people that run this site. The state of SC has been looking for a high-profile web site to take to court over the ADA, and I've found the site I'm going to recommend. I hope you get nailed to the wall for this. It is not only illegal, but it is wrong.
Nope. It shouldn't be that hard to have every employee's access to every account logged.
I worked at a large financial institution (life insurance, in a branch of a bank. Hell, what I'm saying is 100% accurate so let me say that I'm talking about RBC Insurance - Life, whose offices are in Mississauga, Ontario) a while back, and had full access to hundreds of thousands of customers' data, including specially separated "high net worth" clients. I looked around and realized that on any of the developer PCs (where the user was admin. Actually these morons set DOMAIN\Users as admins, which meant that there was no PC to PC security and any hack could occur by co-opting a coworker) a USB key or PDA could siphon off everything.
Realizing how insanely loose the controls were, I proposed initiative after initiative to tighten up the system, and to add some sort of read logging, but I learned firsthand that financial institutions, presuming this one was par for the course, are 95% politics, and 5% actual concern about customers. The only way any sort of checks and balances were going to be implemented is if it properly gave a handjob to every useless mid-level manager planning their next Machiavellian maneuver (and successfully ensured that I didn't look good out of it, as a shop like RBC is configured in such a way that only the mediocre persist. If you look good, the next time a management churn occurs some clueless twit will purge the clueful). It really was eye opening, and the status quo was maintained and everyone acted like nothing was wrong.
Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to make it more fun they churn their management around with no logic or thought. Remarkable stuff.
I agree with a lot of what you said. However, you will never have perfect security and to hold companies to a standard of perfection is unrealistic and unfair.
Nope. It shouldn't be that hard to have every employee's access to every account logged.
OK, what about an employee that installs a hardware keystroke logger onto a shared computer and runs the illegal reports under other employees' accounts? For every point you bring up, there is going to be a way around it. Admittedly, for every way around something, there's going to be a more secure counter measure. Which there is a way around. Which there is a counter measure for. (repeat forever)
Hold companies to a reasonable level of security, sure. Don't expect perfection from an imperfect system in an imperfect world, though.
I'm a big tall mofo.
Most major Luxembourgish banks use a system where, in addition to your password, you have to enter 3 digits whose positions are chosen randomly from a card of 16. That way, even if a thief snoops the transaction, he's only got 3 digits from the card, and he will need to retry very often until those 3 come up again.
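The challenge/response scheme the comment describes, as an added example (not the poster's or any bank's code): a 16-digit card, a server-side challenge of 3 random positions, a constant-time check of the reply, and the two numbers a defender wants, the chance that one captured reply answers a fresh challenge and how many card positions each observed login exposes. Using Python's secrets module for the card and challenge is an assumption; the card in the test is constructed.

```python
"""Partial-card authentication: 3 random positions out of a 16-digit card."""
import hmac
import secrets
from math import comb

CARD_LEN = 16        # digits printed on the card (assumption: 16, as in the post)
CHALLENGE_LEN = 3    # digits asked for per login


def issue_card(rng=secrets) -> str:
    """Generate a fresh card from a CSPRNG; one card per customer."""
    return "".join(str(rng.randbelow(10)) for _ in range(CARD_LEN))


def issue_challenge(rng=secrets) -> tuple:
    """Pick CHALLENGE_LEN distinct positions, 1-based as printed, sorted."""
    positions = set()
    while len(positions) < CHALLENGE_LEN:
        positions.add(rng.randbelow(CARD_LEN) + 1)
    return tuple(sorted(positions))


def expected_response(card: str, positions: tuple) -> str:
    """The digits the customer should type for this challenge."""
    return "".join(card[p - 1] for p in positions)


def verify(card: str, positions: tuple, response: str) -> bool:
    """Constant-time comparison so timing does not reveal which digit is wrong."""
    return hmac.compare_digest(expected_response(card, positions), response)


def replay_success_probability() -> float:
    """Chance that a single snooped (positions, digits) pair matches the
    next challenge: the server must draw exactly the same 3 positions."""
    return 1 / comb(CARD_LEN, CHALLENGE_LEN)   # 1/560 for 16 choose 3


def blind_guess_probability() -> float:
    """Chance of answering a fresh challenge with no card knowledge at all;
    this is why attempt limits matter as much as the card itself."""
    return 10 ** -CHALLENGE_LEN


def positions_exposed(observed_challenges) -> int:
    """How many distinct card positions a snooper has seen after observing
    the given challenges; each login reveals up to CHALLENGE_LEN more, which
    bounds how long one card should stay in service."""
    seen = set()
    for positions in observed_challenges:
        seen.update(positions)
    return len(seen)


if __name__ == "__main__":
    card = issue_card()
    challenge = issue_challenge()
    print("challenge positions:", challenge)
    print("verified:", verify(card, challenge, expected_response(card, challenge)))
    print("replay odds: 1 in", comb(CARD_LEN, CHALLENGE_LEN))
```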
Ha! I also worked at RBC in a different division until the purge a quarter year ago. I'll definitely agree with what you said about incompetence.
For those who don't know, RBC did a purge where they cut 1800 or so employees in late 2004 and early 2005. They hilariously immediately put want ads out for almost all of the positions.
Here's the funny part...every employee that they cut, at least those that I saw (which was a large number), were white, Canadian born non-managers. Basically it was, or such is my impression, a Great White Purge. This allowed them to both restock with low paid immigrants that will dance and act grateful for every dime thrown their way, as well as improving their so-called "diversity" to help disguise the fact that mid- to upper-management is almost entirely classic white males.
RBC is a shithole. They paid a nice severance though.
Oh I should clarify one thing...white born-Canadians were actually already fairly rare in non-management positions at RBC before the purge, so the fact that the purge hit that group the most was really revealing.
Perhaps once everyone has had their identity stolen, the value of a stolen identity will be zero. Just be sure to take steps to prove you are who you say you are now (get a copy of your birth cert notarized, get a concealed handgun permit for the background check, etc.)
Where have you been?
Senate
House
Do you live in the USA?
The reason we don't have systems like that is because there isn't any financial incentive to implement them.
The reason we don't have this is because, in the USA, the crooks are writing our laws.
Avoid Missing Ball for High Score
I've often wondered what the point of encrypting customer information is if it's part of an online system.
I've often heard the suggestion that websites should encrypt their user database, which is great except for the fact that (sparing hardware encryption devices) they must also store the key. Hence anyone that steals the data can help themselves to the key too.
Surely it's much better to keep the information on a secure backend system and have a closed interface for webservers to talk to it?
I've heard very similar stories from Wells Fargo stateside. No data security, no personal record security. It's a lawsuit timebomb.
PAY someone to do access security? ROFLTIPMP! Not until there are massive fines for data breaches is anything like that going to happen. And with this administration in office you can forget that.
I'm surprised Bush doesn't figure out some way to reward them for having your identity stolen. As it is there's absolutely no down side for Chase, except some minor embarrassment. The credit monitoring is a largely symbolic effort aimed at trying to keep their customers from stomping off in disgust.
lol. Nice pipe dream, though.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
05/12/2005
Commerce Bank Launches Summer Reading Program with Readings in Four States
05/05/2005
Commerce Bank Launches Online Banking Site and Service Entirely in Spanish
04/19/2005
Commerce Bank Appoints Eric Pietras to Lead Government Contractor Lending Team
04/14/2005
Commerce Bank Supports Majority of Local March of Dimes' WalkAmericas
04/13/2005
Commerce Bancorp Net Income Up 24%
Not a damn thing about their (our - potentially MY) data breach. Oh, but they sure rake in the cash!
I'd like to see us have the ability to remove our data from places like ChoicePoint and Lexus/Nexus. It should be, after all, MY data and therefore MY property. Until there is sufficient penalty for this type of carelessness I want my private data to remain private!
The way I see it, many of the companies that collect personal information (banks, radioshack, etc) see little or no value in the information they are protecting; its only value to them is in reselling it (e.g., like a pawn shop). As an old tired example, why does radioshack need a phone number when you buy a battery?
IMHO, the goal should be to make economics work for us. The cost of them collecting and securing it should balance the value they get from selling it. Then if the expected return on investment is zero, why would they even bother to collect it? They do it right now only because it costs them little to collect it and they can resell it for more.
One way to get this is to assign big penalties to losing control of the info so that the expected cost is high. Another way is to just bill them up front (e.g., tax companies for collecting the information). I'm guessing that in the end, some combination of things would be optimal.
Another thing to look at is to licence people (not companies) to handle information. For example, it takes a registered notary public (not a flunky that the bank assigns) to witness signatures on major business transactions. Why can a company assign some skript kitty to process social security numbers? Why should a bank VP have any access at all? Getting notary public certification is trivial for anyone with half a brain, but they make it very clear that your butt is on the line, not the company's butt, so most of them take it pretty seriously. Something about a few hours studying for a test and a name on a license and some personal responsibility makes most folks take their jobs less like a joke (although you occasionally get the rogue CPA or notary, it isn't very common)... Maybe it's time for a certified public information collection certificate or something like that...
Anyhow, that's just food for thought...
You know they used to HANG horse-thieves. How about we bring that back?
They will be apeshit over security for a while...
To see if your account has been compromised, please visit youraccount.ru/free_report.html.asp and type in your name and account number.
I heard that in Austria, phonebooks have a 'bogus record' inside them. Well, maybe banks should create such bogus records and give them to Choicepoint and Co. to at least find out where such leaks are? Kind of a 'Honeypot account project'.
Allegedly the affected customers have been notified by their banks. This leads to a question I have - with phishing being so common, when anyone receives an e-mail from their bank, do they believe it's really from their bank anymore? Especially when it says it's about an alleged compromise of their account?
One of the worst things about spammers is that they generate a "boy who cried wolf" problem for people sending legitimate e-mails.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
In criminal law, if the police acquire certain evidence illegally (e.g. w/o a search warrant), then that evidence and anything that follows from that evidence can't be used in a court case against them.
;^)
If we extended this principle to debt collection and say if the collection agencies did something illegal in the process of collecting a debt, then the debt (or at least some part of it) would be void, wouldn't that be something to think about...
Nah, that would be too easy...
Then you're not paying attention. Don't bother responding, though, I suspect your opinion will be ill-informed.
I don't need large brains to have a good time.
My credit sucks, so if anyone is dumb enough to steal mine, they'll end up wasting their time.
Mwahaha
Don't bother responding, though, I suspect your opinion will be ill-informed.
This has all the markings of a great sig.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
You didn't read the article, did you? Of course not - otherwise you wouldn't have posted a stupid comment.
Here is perfectly good example of why RealID (tm) is a bad idea. Security is only as good as the people behind it. In case you don't know what RealID is, you'll know soon enough. It passed as part of an emergency war-funding bill. Your driver's license will be the new national ID card. Enjoy. Posting as an AC, because I'm just afraid of my ID being stolen.
No, nor did they promise the bank president wouldn't take all of my money to buy coke, hookers, and a ticket to Fiji.
In the law there are such things as due diligence, and negligence. Some of these organizations need to get hit with a massive lawsuit in order for the message to be sent loud and clear.
The reason we don't have systems like that is because there isn't any financial incentive to implement them.
When it costs them several hundred million in federal fines, then they will fix the problem.
Somewhere, somebody has to have the root password.
No matter how secure you build your system, you are still trusting the root user.
The filibuster has nothing to do with the nominating process. The filibuster is not in the constitution. It is simply a gentleman's agreement in the Senate. When one party abuses such an agreement, they should expect it to be abandoned.
The reason we don't have this is because, in the USA, the crooks are writing our laws.
As opposed to the rest of the world, where the laws are written by crooks in Parliament, juntas, dictatorships, and caliphates. Don't think the U.S. has a monopoly on crooked politicians. In fact, the term "crooked politician" is effectively redundant all by itself, just like "crooked lawyer."
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
No shit. I'm sure it doesn't help now that the damage has already been done, but I finally closed my BofA account. I was a Fleet customer who was dragged through the mud during their merger, and after being on the fence about closing my account this definitely shoved me off.
Good thing I don't have any money!
~Impr3ssion
Normally, the break-ins involve Windows (in fact, Windows has some 40% of https space, yet has more than 95% of the thefts). But here Windows is only 1 out of the 4. Solaris accounts for the other 3.
That assumes that they really are on these sites. With the big break-in that occurred with Visa/MC/Discover about 1-2 years ago, it took awhile, but they found a Nebraska clearing house running Windows had been broken into, not the CC sites.
I prefer the "u" in honour as it seems to be missing these days.
Have you ever considered blowing the whistle on their lax security? Really -- contact some media outlets, try to contact large stockholders etc. It's the best thing you could do for the people whose data is held there. You'd be doing a service to society at large.
ERROR 144 - REBOOT ?
It's too bad that whistle-blower protection laws are still a joke in Canada. They were in the US too, until recently (i.e. Enron).
Yeah, because the party that currently controls the three branches of the US government is super-duper concerned with federalism.
May it please the court :
Both voter approved initiatives. Both under attack by that bastion of Federalism, the 21st century GOP nanny-state. This is just a small, off the cuff sampling of Bush & Friends egregious usurpation, er, attention to the rights of states.
HIPAA definitely has teeth, and there have already been successful civil and criminal prosecutions for violations. I'm not sure what you mean about the lack of an "enforcement mechanism"; if your protected health information is illegally disclosed (damages or no damages), you have the right to bring suit against the person or persons responsible. Depending on the violation, there may also be applicable federal criminal charges. None of that requires the designation of special "enforcement mechanisms" aside from the existing federal court infrastructure.
And HIPAA does not, AFAIK, require you to periodically show compliance; federal officials can spot audit you if you work with PHI, but there are no regular reports or paperwork to be sent in (of which I'm aware; when I worked in health insurance I had a lot of dealings with our HIPAA people, but of a different sort).
I don't know anything about this, but I have to point out the entire point of class action lawsuits is for groups of 'marginally damaged people' to come together and sue a company that insists on continuing to damage people in small ways.
If the company harmed them in large ways, they'd just sue individually! But no one's going to sue the phone company for their continual theft of two dollars a month or whatever.
Solution: A class action suit, where a large group of people can get together and sue for several hundred thousand.
Now, I'll be the first to admit that the amount lawyers get out of class action suits is absurd, and maybe Federal jurisdiction is the solution. But the fact you think it's somehow bad that, recently, large groups of slightly harmed people have started suing companies shows you don't know that's exactly what class action suits are for.
If corporations are people, aren't stockholders guilty of slavery?
1) The FBI is in both cases investigating those with intent to break the law. That includes the fraud, the insiders, and the kiddies. The bank did not have intent here, and (legal guessing mode on) can only by tried in a civil court for negligence.
2) Sort of agree with you here. People want to remain detached from the responsibility of maintaining their liberty and security so they may erroneously place the entire blame on others. I keep in touch with my congressman, as well as exercise my right to keep and bear arms.
3) You gave Wachovia your money willingly. And like any contractual relationship with a business, they can bill you for whatever they please. You don't have to agree, and can dispute the charge as well as its addition to your credit report. I wouldn't bet the contract you willingly signed with Wachovia affords you much success here, however.
4) Nope, it'll be all over the news, as it's something bad for the sheeple to be afraid of.
since customers are notified, all they have to do is now change their names, ages, and addresses to regain their privacy...
thank you america, where this is all possible!
Thank god I'm dirt poor. Please, I am almost begging someone to steal my identity/debts.
If someone tried to use my identity to get a credit card or a bank account they would be laughed out of the bank.
It's plain old fraud and the onus should be on the merchants and lenders who fail to verify the identity of the person they are extending credit to.
But no, this is too costly, so they try to put it back on the person whose information is used in the fraud.
It's NOT RIGHT! If someone else borrows money in your name, it's the lender's problem, not yours. Your identity was not stolen. You are still you. The lender is at fault because he failed to exercise due diligence in a climate where fraud is rampant.
Just think about it for a minute. You are NOT the victim of identity theft. You are still you and the other guy screwed some third party. Why should it cost you any money or any time... Instead, the idiots who carelessly or out of greed failed to verify that it was indeed you and not someone else requesting a credit report and credit should pay.
There's a simple solution too.
The credit reporting companies need to stop selling information to anyone other than the person who owns the information. Mainly you if it's your information. You want a loan, you request the information. Hell, if it takes a photo ID and a visit with a rep from the reporting company, then that's what it takes... But it's their problem to solve, NOT yours.
Posting details of an insecure system to slashdot? I'd say the whistle has been blown.
When the secret service walks in and gives you a choice of destroying all the data, proving you did so, and signing a sworn statement under the penalty of perjury that you did so, or being thrown in jail, odds are you do as they tell you.
/. wants due process thrown out the window and the people put away immediately, but if you spend the time to follow the case, I bet you find that's just what will happen. You'll notice those that actually did the stealing are already arrested pending trial; they have said the next phase is going after those who purchased the information. I'm betting arrests are made and charges leveled in some cases, and fines plus removal of the data in all cases.
I know that when something like this happens much of
However if you want to know, you'll need to be patient and do your research. The legal process is slow, and something like this could take well over a year.
The era of cavalier stock market margin (debt) buying abuse crashed in 1929, taking the world economy down the tubes with it. If identity theft repeats history, the crash will be even harder, falling from a greater height. Congress didn't really reform banking until 1934, when the industry was reregulated. It would probably take at least as long for new laws again, with the more corporate Congress less likely to regulate anything. And even those 1934 laws were mostly thrown out in the late 1990s, in deference to Citigroup's remerger of "integrated financial services", previously protected by "firewalls" of nonownership across banking, insurance and brokerages. When they blow it this time, a mere decade of Depression might look like a little hangover.
--
make install -not war
Ah! Yes, the filibuster. I'll summarize this the best that I can.
The President is nominating judges for various vacancies in our various court systems. Some/many of them are considered by the minority party to be too extreme and thus unqualified for the offices to which they are being appointed. The names of these judges have been enumerated by the Democrats, and they have threatened to filibuster the nominations if they leave committee.
The Republicans have responded to this by threatening to change the senate rules regarding the filibuster of judicial nominations unless the Democrats allow a floor vote on the Senate on these judges. I'm unsure if they wish to disallow the filibustering of judges entirely or change the number of votes required for cloture.
Democrats responded to that by claiming that Republicans are threatening to break with Senate tradition, and frequently cite that Bush has had a very high percentage of nominations approved.
Republicans respond by claiming that it's the Democrats who are breaking tradition by filibustering judges, which has never been done, and that the approval rating quoted by Democrats for Bush is misleading because they're ignoring appellate court nominations.
The Democrats counter that Republicans blocked Clinton's nominations. The Republicans counter that they just voted them down or didn't allow them out of committee, which is somehow different from filibustering.
So basically, everybody is pointing fingers at what a douchebag the guys on the other side are and how nobody is getting their way so the other side is just a bunch of big meany doodie heads.
I have not observed, in any of this political onanism in the Senate, a genuine threat to our system of checks and balances. Judges require a majority of the Senate to approve the nomination. If they go to a floor vote (i.e., the Republicans change the rules to break the filibuster without cloture), they will still need a majority of votes for the nomination to become a nominee. It's possible that the Republicans could trigger this "nuclear option" and still not get the appointments made. I do not, therefore, see a threat to checks and balances. I see a party that held power in the legislature for forty years acting like children because they're not getting their way anymore, and I see the party that has recently come into power having no clue how to conduct business as the majority, or how to engage in the least bit of diplomacy or debate.
If you wish to label my opinion as "ill-informed" simply because I don't agree with you, feel free. The smug intellectual superiority in that comment is sufficient for me to conclude that you're not really interested in discussing or debating anything either. Most likely, you're a well-intentioned liberal who is angry first at the Republicans for the various atrocities of public policy they have visited (or are threatening to visit) upon our society, and secondly you're angry at the sheer incompetence of the Democrats, their inability to win elections, and the utter vacuum in that party of any leadership, intellectualism, ideas, or the semblance of a platform.
So don't worry. You're angry at your dad, basically, not me. I won't take it personally.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Les Miserables Volume 1 now up with my reading of
Wells Fargo has *THE* worst security of all the large financial institutions.
Last year, I received a notice that my personal info was on a system of theirs that was compromised. I called the customer support number given and inquired about what happened. Turns out, a laptop at a billing facility (yeah, i know...a laptop) was stolen along with a few others in a physical security breach.
On that laptop was the personal info (SS numbers, addys, everything) of 300,000 account holders. Yes, that's right...300,000! Worse part is that this same scenario has occurred 3 times in the last 2 years!
Wells Fargo's CSO and CISO should be flipping friggin' burgers instead of providing security as they are setting the standard for how bad you really can be.
Hey Wells Fargo asshats, ever heard of getting some kind of policy and compliance audits going?
That's not strictly true. A class-action lawsuit is, at its most basic, a lawsuit filed on behalf of a large number of injured parties who share a common complaint, generally with a common defendant. The group of injured individuals doesn't necessarily need to be identified individually for the lawsuit to be filed on their behalf. I can benefit from a class action lawsuit without having ever even known it took place, because a group of people went forward on behalf of all injured parties, with or without their consent. The severity of the injury is irrelevant.
And, in truth, it's also irrelevant in my post. The plaintiffs could be marginally damaged or severely, it's not really the point. The point is that where groups of commonly-injured plaintiffs would at one time self-organize and hire counsel, now the counsel finds injuries and solicits for lawsuits. The system had been previously organized such that counsel could cherry-pick soft targets in the state courts that would award massive and (sometimes) disproportionate damages. Counsel would often chew through an alarmingly high percentage of that, leaving the truly damaged parties with little or nothing (and sometimes in the hole!) while the true award went to counsel.
The changes to the class action lawsuit system were intended to mitigate this problem in the case of large suits that involve multistate plaintiffs. The issue is then given original jurisdiction in the federal district courts. Note that counsel can still move for a change of venue, and, as far as I know, get the case moved back to the state, whereas before it was almost impossible to do the opposite.
This could result in, say 15,000 injured parties in California being represented in New Mexico state courts over something that happened in Colorado, because the attorneys hand-picked a generous and sympathetic court that they felt was likely to decide in their favor and decide big. And we all know that the courts can be effective legislative instruments. There has never been any legislation passed to specifically allow or ban abortion, and yet it's unquestionably legal; not through an act of Congress, but through the court system.
Maybe that's more clear, I don't know. :)
But the fact you think it's somehow bad that, recently, large groups of slightly harmed people have started suing companies shows you don't know that's exactly what class action suits are for.
I don't think that's bad, and I never said or implied I did; you read that from my post due to your own bias as a reader. I did not pass any kind of judgment on the idea of the class action lawsuit. I also further submit that you don't truly understand the purpose of the class action lawsuit. It is not to benefit marginally damaged people. That's what small claims courts are for (and they're structured to discourage legal action for minor damages, instead encouraging citizens to work it out on their own as far as possible). It's so that a large (and often unidentified) body of injured parties who share a common injury/interest/agenda can be represented by a sample of plaintiffs.
come together and sue a company that insists on continuing to damage people in small ways.
Also not true. The company need not still be causing damage. In fact, it may have ceased causing any damage quite some time ago (I am unclear as to how statutes of limitations apply in class action cases). The company could still be found liable. McDonald's put HOT labels on their coffee, and they still lost the case with the elderly woman who scorched herself. The tobacco industry has been putting warning labels on cigarettes for ages and they still lost. Wrongdoing needn't be current and ongoing.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Remember, it's not about losing 676,000 accounts - it's about losing 1 account, then repeating the process 675,999 times.
Marco...that was Portuguese.
This is a hilarious treat to come across (God bless score:5 skimming). I actually worked at that organization for a short period of time. Sort of soul destroying, but it was an enjoyable stint.
While I can't confirm or deny the parent's claims (although I'm prone to believing their claims given the use of the term "machiavellian", which is one that I heard used by quite a few coworkers. It sort of lost its uniqueness), I will give the organization props by saying that there were efforts afoot to implement a secure infrastructure, so obviously at some point there were some changes. Perhaps the parent has outdated info.
Anyhoo, definitely enjoy how small of a world it is.
No it isn't. The only requirement is their consent if the nominee is to be confirmed. You're reading something that isn't there. The Senate can, and has throughout the history of the republic, just take a pass. In such a case the consent of the Senate hasn't been obtained and the nominee can't be appointed. It's their prerogative.
Very lame of banks to sell personal data.
Banks are supposed to be professional and very, very concerned about their customers' privacy and security!
What a shame...
Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are
Actually, as a customer I get a pretty good sense of it too.
---
"I can't complain, but sometimes still do..." Joe Walsh
No, the point was that laws and typical awards vary from state to state. It used to be that you could just pick a state: if a company does business in five states and screws people in all five of them, you could pick any one of the five. If one of the five is friendly to plaintiffs, you'd pick that one. That doesn't mean that all states are plaintiff-friendly.
You could say that the old way was unfair, but I think if you do business in a state you should be subject to its laws. It's certainly more fair than all these companies incorporated in Delaware, where they have no customers but lots of friendly courts.
Also, it makes no sense to claim that the President can't be responsible for a law. I don't know how hard he pushed this particular bill, but he's the most powerful person in the country and the leader of the majority party. His support makes a huge difference in whether a bill gets passed, as he or any member of Congress will tell you.
-- . . ramblin' . . .
Background: I work in a large Asian bank.
No one person has a root password, domain admin password or any privileged password. It's all under dual control, meaning the actual password is split in two, one half held by the security team, the other half in a safe that's only opened when the right forms are presented.
Use the root password? If you're the second-half password holder, you can't check out the password, so no one knows the root password.
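The dual-control arrangement described in the post above, as an added example that is not the poster's code: instead of cutting the password string in two (which hands each custodian half the secret), it uses XOR shares so that either half alone is uniformly random, and a hypothetical check-out service that keeps only a commitment to the password and logs every attempt. All names here are assumptions.

```python
import os
import hmac
import hashlib
from datetime import datetime, timezone


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split secret into two XOR shares of equal length.
    Each share alone is uniformly random, so a custodian holding one
    half learns nothing about the password, unlike a literal cut in two."""
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def reconstruct(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both are required."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class DualControlVault:
    """Hypothetical check-out service. It never stores the password or
    either share, only a SHA-256 commitment used to confirm that the two
    presented shares recombine to the enrolled password, plus an audit
    trail of every attempt (granted or denied)."""

    def __init__(self) -> None:
        self.commitment: bytes | None = None
        self.audit_log: list[dict] = []

    def enroll(self, password: bytes) -> tuple[bytes, bytes]:
        # Committing to a hash is only acceptable because the enrolled
        # password is high-entropy (generated, not human-chosen).
        self.commitment = hashlib.sha256(password).digest()
        return split_secret(password)

    def checkout(self, custodian_a: str, share_a: bytes,
                 custodian_b: str, share_b: bytes) -> bytes:
        event = {"when": datetime.now(timezone.utc).isoformat(),
                 "custodians": (custodian_a, custodian_b), "result": "denied"}
        self.audit_log.append(event)          # logged before any decision
        if self.commitment is None or custodian_a == custodian_b:
            raise PermissionError("two distinct custodians required")
        candidate = reconstruct(share_a, share_b)
        digest = hashlib.sha256(candidate).digest()
        if not hmac.compare_digest(digest, self.commitment):
            raise PermissionError("shares do not recombine to the enrolled password")
        event["result"] = "granted"
        return candidate
```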
Just think how easy it'll be for thieves to steal our identities when the national ID card is implemented. And they said that social security numbers should never have been used to ID people.
Maybe this is why Commerce asked me weird questions when I called for a balance. Usually it's address and SSN....this time she asked who was giving me direct deposits, the amounts, and the last few debit card transactions, places and amounts.
Did you see the picture of Gerri Willis on the same page? Va-va-voom!
As an aside, as an ironic twist on BofA and "identity theft", when I was at my bank robbery sentencing hearing, the Presentence Investigation report said that BofA was unable to confirm I had ever been an employee there, either by name or by SSN, despite my having worked there for two and a quarter years. My attorney brought this up to the judge, saying we could supply former supervisor names, etc. The judge dismissed it as unimportant, saying "It makes you real confident about how they keep track of your money."
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
You can get more details at the Federal Trade Commission website: http://www.ftc.gov/
The secret of making this work is not to work for morons.
In my company (a big ass bank) they thank us for helping to keep them off of CNN.
that's why you haven't seen us on there (yet..)
My previous post is only considered "flamebait" because the typical readers of Slashdot who get mod points can only perceive things in an emotional sense and behave irrationally. The facts stand for themselves. Our society was built by people who have the drive and the ability to excel. Without that kind of drive, society would be a shambled, primitive mess. The people involved in this so-called "crime" visioneered an opportunity into a successful and very highly moral business. The perceived crime of "invasion of privacy" is simply an expression of sick emotion. There was no crime. If anything, the authorities bringing these charges against these upright citizens are the criminals. The real crime is that our society puts too much value on those who do little for society. Any other Objectivists with mod points, please correct the moderation so that a rational point of view gets more eyes. Atypical for Slashdot to be sure, but required nonetheless.
The people who stole this info were insiders, high-level employees of the bank. They committed the theft, they're responsible. The bank employed them, and was responsible for their actions. Just like if their security guards stole the money you deposited from a vault, before computers, they're responsible. Unless they found that the employees had breached the security protocols in some unpredictable way, not that the protocols were inadequate. Like relying purely on unaccountable trust of single employees without witnesses, as apparently in this case.
When we put our money in the bank, we reasonably expect they won't leave the door unlocked. When they do, or trust someone with a key, they are responsible. It's not each customer's responsibility to audit their security: that's what we have the Treasury, many other government organizations, and professional integrity to rely on. When a bank enables damages by allowing cracks in that security apparatus, they've got to pay the cost.
--
make install -not war
I had a temp job, once upon a time - preparing photocopies of documents, verifying they were the same as the originals, and binding them. Have to make bills somehow.
The irony was, that these were financial and operational control documents for a hospital group that was being sued for failure to exercise diligence in implementing their financial and operational controls - and here I was, making this month's car payment by riffling through customer and patient data that was supposed to be absolutely confidential and protected under HIPAA - but had been unceremoniously provided to a copy shop, and temp employees, neither of whom had any idea of what HIPAA was, nor had any training nor agreements to enforce it.
The very THING I was doing is the kind of thing they were being SUED for!
If your credit union isn't based in a state that has a law requiring disclosure, like California, you may not hear anything if your account security gets breached.
Most states have no requirement for notification, as far as I know.
So I should start creating a fake identity to open a bank account so that my personal information is safe?
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
The incident is shocking, coming from a leading bank such as Bank of America. It's a classic case of social engineering. Phishing attacks are hard to prevent, since they are directed towards bank customers, with little or no information on banking security. However, attacks like these where the bank employees are targeted need to be prevented. When a bank customer errs, he/she compromises his/her own information, but when bank employees err, they compromise thousands of identities, to say the least. Banks should conduct security workshops to educate employees, if they are not already doing so.
Exactly. If you look at the advancement made in Anti Money Laundering (AML) software that allows banks to track customer transactions in fine-grained detail and raise flags according to variable rule sets, I am sure similar software can be developed for taking care of customer information. Banks need to be more accountable.
FUCKING ARMED REBELLION
In Soviet Russia laws create criminals but in America criminals create laws
In financial institutions, you have all the changes and transactions securely logged, but it's generally assumed that any phone-monkey is able to view all customer information, because how else are they supposed to answer customer enquiries?
The same goes for IT and accounting people: what they can do and change is very limited and logged, but they have full read access. Forget about privacy if it slows down workflow; this is business after all.
Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to make it more fun they churn their management around with no logic or thought. Remarkable stuff.
What do you expect from an industry that uses imaginary money and then charges you for it? They don't have to do anything for the actual service, just the computers to keep up the illusion.
There was no way for any developer to get your hands on real customer data. You had to physically access the data center, passing a couple of guarded security doors. Of course this would not happen unless you had proper authorization. You could not take any briefcase or even an envelope into the data center. It was absolutely verboten to take out even a scrap of paper, and it's needless to say that a USB stick doesn't do you a lot of good with a Unisys 1100 and dumb terminals. The systems were completely isolated from the developer environment, which in itself was pretty well secured. Needless to say, every access was logged and provided strictly on a need-to-know basis.
There were also specific restrictions in the front office. For example: a normal teller could not look at accounts owned by bank employees without proper authorization from personnel. PCs were never resold and the hard disks were shredded.
Yeah, it was a pretty restrictive environment and pissed us off on occasion. Searching through wads of data in a dark, cool and not very pleasant data center in a fortified building for hours on end isn't everybody's idea of fun. The difference with all that shit currently going on with US financial companies is probably that revealing bank customer data in Switzerland, intentional or not, is a criminal offense and the consequence is not just the obligation to write a whoopsie, sorry letter, but actual jail time.
I am the musician
with a pocket calculator in my hand
Kraftwerk
I have some serious problems with the way that most financial institutions treat personal information. And particularly in the manner that they try to establish identity in the first place.
In most American financial institutions, all you need to know in order to access a bank account is just your name, with your social security number as the password. Anybody who has designed computer authentication and identification systems (confirming that the person signing onto a computer system/network really does belong there) should know that is really a stupid idea. Here is why:
Your Social Security number is really a part of your name. OK, it is a serialized number issued by the government guaranteed to be unique, but otherwise is public information. And considering the number of institutions that have that information (schools, banks, mortgage companies, utilities, credit reporting agencies, accountants, etc.) you can hardly expect it to stay private.
Imagine if you had a really cool password (like Blink187 as an example) that is long enough that a random alphanumeric generator would take a substantial amount of time to crack doing a brute force attack. Often people will use that same password to log into their accounts (like your user account here on /.) across multiple platforms. Face it, you can't remember 1000 passwords to access all of the accounts you need to get at.
This is the same as the SSN, however one critical thing becomes apparent. If you have been issued a SSN, it is nearly an act of Congress in order to get a new SSN number issued to you. Once somebody breaks the layer of trust (as in what happens by a banker that is careless with this supposed SSN password they use), you are forever in the cold. With your own homegrown password you can at least come up with a new password.
For my own use, I tend to have a hierarchy of about 3-5 passwords, with one for throwaway accounts that I could care less if the password gets published in a public place, and a couple reserved for machine logins that I consider very sensitive. I also am willing to drop a password completely from this hierarchy if I think I accidentally gave the information to somebody that I should not have (choose your own criteria here), or if I suspect the information is being shared against my will. I will go back and change the passwords in the accounts that I regularly access, and in some cases review the hierarchy. For financial information, however, this is usually not an option.
To further illustrate the ineptitude of banks, the only other piece of information that they use to "protect" your personal information (access your account, do money transfers, etc.) is the "PIN", or personal ID number. This is almost always a 4 digit number, and even then you can pretty much stick with just the numbers 1-9 for most of them. That gives only a little over 6500 different passwords, and you can do some social engineering to drop that number down a bit more. (like assume that no digit will repeat itself... reducing the number of possible PINs to about 3000). How hard would it be to brute force that many PINs? And this is considered a secure technology for a bank?
Banks want to make it easy for not-so-bright customers to be able to access their account, but at the same time make sure that only the person who opened the account (presumably... or a trusted representative of that person like a parent or lawyer) can access the information and more importantly... the money in that account. IMHO, banks and related organizations (like credit bureaus) are too fast and loose with that information, and make it far too easy for people who are not the account owner to be able to conduct financial transactions. (Like a scam artist that simply wants to drain any money you have in your account.)
They don't care what your credit is. There is always a bank that will open a credit line for you no matter what your credit is.
Your problem will just get worse.
Yes, you should and if I live in Missouri and am doing business with your company in Missouri, and I sue you, then the case is handled in Missouri barring a change of venue.
But if me and 50,000 other people from 9 different states sue your company, it's ridiculous to allow the attorneys to pick a plaintiff-friendly state to maximize damages, out of which they'll take the largest bite.
It's certainly more fair than all these companies incorporated in Delaware, where they have no customers but lots of friendly courts.
Companies incorporate in Delaware because the Chancery has written most of the nation's corporate law and is regarded by almost any legal expert on business and corporate law as an expert body on business matters. In short, yes, the state government is very friendly to businesses. Small businesses like to incorporate in Delaware due to relaxed personal information requirements (which we on Slashdot are always in favor of, remember? Personal privacy and information security is important!). The state doesn't tax revenue earned outside of its borders either, which is awful nice of them.
Why is this a problem in your eyes, and what would you to do fix it? Have the federal government step in and tell Delaware what its laws about incorporation will be? Why bother having states if that's the direction we're moving?
Also, it makes no sense to claim that the President can't be responsible for a law.
I agree. Good thing I didn't claim that.
I don't know how hard he pushed this particular bill, but he's the most powerful person in the country and the leader of the majority party.
I'm guessing he cut some deals. This particular president is legendary for lavishing rewards upon loyal party hacks.
His support makes a huge difference in whether a bill gets passed, as he or any member of Congress will tell you.
Yes, I'm sure he would. However, your primary grievance, if you dislike this legislation, is with these men, who wrote and sponsored the legislation.
Once you're done with them, your beef is with the Senate and eventually the President who could have vetoed it and did not, and finally the courts for failing to see it the way you do.
Although the executive office is very powerful at this moment in history, there are other cogs in the wheel of government towards whom you should deservingly direct your ire.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Yes. 2000 Pro. But it's locked up as tight as Windows gets...
All good things...
I prefer Mark Twain's analysis:
Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself.
In other words, "do not attribute to malice that which can be explained by stupidity."
"I do not agree with what you say, but I will defend to the death your right to say it"
Maybe my logic is bad, but if account info on 500k accounts was sold and some people had more than one account, it seems to me that the number of PEOPLE affected may go DOWN and not UP?? What am I missing??