Slashdot Mirror
Government-Aided Phishing
Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."
i think it's time for me to head to the local bank.
what's going to convince them that this is a bad idea?
Florida county website sues slashdot for launching a distributed denial of service attack (FP!?)
Vehicle Stars used car search is my current project
This has "stupid" written all over it.
Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?
Life is not for the lazy.
Really, does it surprise anyone that it's Florida doing this?
.nosig
From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."
Silence is golden... and duct tape is silver.
Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.
time is a perception of a being's consciousness
time is your 6th sense, the wierd ones are 7+
When you are the victim of identity theft you know who to sue: Sue Baldwin,
Broward County, and the State of Florida. Two out of three deep-pockets isn't bad.
this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":h tml (watch part 1 and 2, videos on the right)
http://cbs4.com/topstories/local_story_033170755.
and then retaliated against the journalist after the piece aired:
http://cbs4.com/local/local_story_086232143.html
-- lol pwned
...is post a link to the information! How else are we to know if the data is genuine?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
On the plus side, the more SSNs (not a secure identifier) and bank account numbers (everyone you've ever written a check to has it) are out in the open, the less valuable they become to fraudsters.
At least, they would be, if institutions recognized that they are pretty worthless identification to begin with.
Yeah, hello, Spain? You can have it back now.
The problem with your idea is that it makes sense.
This info was Public Records since, well, always :-)
Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.
In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.
In Soviet Washington the swamp drains you.
I don't know if this could be considered "phishing" in the sense that I'm trying to lure people into giving me their information. It's right out there for all to see without going through all the bothersome effort of setting up a fake website and sending out the e-mails! Just some browsing, and then setting up the bank transfers and charging purchases!
And to think of all the effort that's being wasted on setting up phishing schemes, when Broward County will do all the work instead!
There's a reason the state looks like a flacid dingus.
I remember that this became an issue when someone got credit cards issued in Bill Gates's name. His SSN was listed on SEC filings because he was a majority holder of Microsoft stock. They have since changed the listing requirement with the SEC.
Come play Heroes of Might and Magic Mini online.
<Homer>Florida? But that's America's wang!</Homer>
If brevity is the soul of wit, then how does one explain Twitter?
Defending Yourself Against Identity Theft
...
According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest
Back to top
Tips to Avoid Identity Theft
-Do not respond to phone calls or emails from unknown solicitors seeking personal information.
-Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
-When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
-Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.
Maybe someone could point them to their own site? And why make copies if you can download for free???
Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.
Most states have this.
Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.
These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.
Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Look at it this way. SSN's aren't what they were meant to be. They are your "everything" number now. In some respects, is the value of the SSN being diminished because they are so easy to use and get a hold of now? It could possibly be a big plus because now we get into a situation where they just aren't worth using so everyone stops using them for important transactions. Lets hope...
You break it you buy it!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Something phishy's going on here.
*ducks*
The thing is these records are required to be public. A lot of counties in Florida just decide to blank out all important information, or simply not publish the entire document on their web sites. I would have to argue that the county in question is actually do what is required by law, and nothing less.
It's really not fair at all to say that a record is "Public" if you have to drive to the office and pay $4/hr for a parking spot (if you're lucky enough to find one). Besides, most courhouses have rules like "no weapons", where you will see every officer in the place carrying a gun.
Should people be subjected to phishing? no. The information that is on record at courthouses shouldn't be enough to make phishing targets, but that's not the fault of the courthouse.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Just yesterday I was looking at wanted posters, and each one had an SS number on it. So this doesn't seem surprising at all.
It's spelled "definitely." The root of the word is "definite," not "definate." The root of that word is "finite," not "finate."
There is no 'a' anywhere in the word. Ever. Under any circumstances. If you're going to put something in ALL CAPS, please, for the love of God, people, spell it correctly.
Other that that, I agree with you completely.
You struggle and struggle to protect your own identity and something like this sponsored by our own inept government happens. It's enough to make you honstly consider that 7x9 shack in the woods as a viable alternative to modern existence.
The federal government needs to do this on a nationwide scale. The SSA should give a deadline, say one year, then publish all SSN data. SSN is not supposed to be used as an identifier, nor as a secret. Doing this will force organizations to change their procedures, thus hampering identity thefts and other security issues that result from treating a public, non-unique identifier as a secret.
Same thing in L.I. N.Y.
Several Politicians where there too.
Funny thing, they are public docments. Altering then to hide the information is illegal.
"A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records."
If all things in compliance with the law are perfect, then what the hell we need politicians to change/update the laws for? Fire the bastards.
Has no one heard of the Privacy Act of 1974? Things such as SSN, birth dates, telephone numbers, addresses, etc are all protected. Somehow, it only makes sense to blank that out, even when it comes to freedom of information actions. I'm ashamed to call Florida my state of residence now.
Dumbfuckistan !!
Can someone explain to a poor Brit just *why* you need to keep your SSN safe - which being as it's publicly accessible seems to be an impossibility. Is it the only thing needed to apply for credit in your name or just a convenient stepping stone to a little social engineering to get what info you would need?
I started searching for my friends and family. I found a number of their documents online with just a couple of clicks. Absolutely ridiculous! I called my senator (state and federal) and I urge you to do the same.
Mid-Eastern Pennsylvania Gaming Convention
For X-billion dollars. Send a link to your "favorite" law-shark. I presume grotesque stupidity and wanton negligence bordering on malfeasance(?) is actionable. Any lawyers have an opinion on this crap?
If you want your life to be different, live it differently.
That's easy. Identify who "them" is, and narrow down all the SSN's, driver's license info, etc. and just publish that for the people who are responsible for posting this stuff. If you really wanted change the situation, just add a few of the high ranking politicians for the county to the list.
There are even ways of making this stuff a permanent part of the Internet, though I'll refrain from giving the less technically clueful some ideas.
I have a strong suspicion that the officials responsible for this would change their tune fairly quickly once they became educated on how having too much public information can be abused.
And, just to be clear, I'm not advocating that anyone do this. I wouldn't advocate this even for those beaurecrats in Florida.
On the positive side of things, if all the counties in the U.S. did this, it would certainly force the banking industry to change.
The best way to predict the future is to create it. - Peter Drucker.
Do you think identity thieves and other scammers are interested in people with bad credit?
I'm never surprised to see that it's from Florida. What's with those people? Is corruption and stupidity among governmental officials, like, MORE prevalent there than everywhere else?
Broward County isn't just any county, it is right above Miami. Ft Lauderdale also is in that county, one of the largest cities in Florida. So this is not about some thousand people in the middle of nowhere, but about a couple of million.
consider a company where the CEO and the division head are brothers...
if one is an idiot, it hurts everything below.. and due to genetic stats, it's more likely they both are.
if you work for a division, who's brother is an idiot ceo,
now- substitute division with state, division head with govenor.. and ceo with president..
imagine, they are under TWO bushes...
every day http://en.wikipedia.org/wiki/Special:Random
They prefer the Sunshine State
Here's the link to search the records. None of this is new information, all counties everywhere have this information "publicly" available. Usually you have to drive there and ask for it.
Given the huge amount of poor people with massive debt, sure.
The problem with having bad credit isn't not being able to get credit, it's not being able to get credit at a reasonable interest rate. Identity theives, not planning on paying the bills, don't give a shit about the interest rate.
I found a record dating back to 1970. I wonder how much older info is in there. Also a mortgage that was discharged may have info from I'm guessing as far back as about 1958. The one document I found was for a mortgage that was paid off before 1975 but was show as discharged in 1995.
Federal Gov't does it too... Pacerweb has all the details of bankruptcies online for a few cents a page.
(At least, last I was in there a year or two ago)
Why bother trying to steal ID anywhere else when Broward County has offered itself up as a sacrifice for the surfing?
When they finally did clear it, they didn't bother to let me know.
I sent them a letter detailing this (and the names of all the people I'd spoken to for the last four months of the process - I was keeping notes) and they never bothered to reply.
I wouldn't trust WAMU with my pennies.
Fly some airplanes into skyscrapers. Now I know why the 9/11 terrorists went to Florida to reside and prepare for the attack.
The fact that Florida never stopped providing the perfect data for ID theives is really challenges any notion that Homeland Security is coordinating anything with the states, or that they are competent in anything at all.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
Touche - interesting point.
Oddly enough, after perusing the website, I have some ideas on how I'm going to fund my letter writing campaign.
"Can you split that bill up onto these 4 credit cards?"
One official said "recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers". As soon as your organization is so big that nobody will do the right thing unless you specifically order them to in writing, then you need a security/privacy policy. You may need one anyway, but situations like this are why you should fight to stay awake when your security consultant talks about pollcy instead of interesting things like cross-site request forgery.
This is not Phishing.
Phishing is the attempt to get someone to submit information to you by pretending to be someone else.
What the government is doing is publicizing information.
These two activities have almost nothing in common.
Hopefully I didn't put any [] around my words.
What we need is a law that says that any organization that uses a SSAN as a password does so entirely at its own risk and thereafter cannot take any action whatsoever which would be financially adverse to the holder of the SSAN.
I agree, this is a good thing. Let the use of SSN collapse as a means of granting information. Trying to hide a small number from birth to death is ridiculous. It's equally aweful that companies can claim that you did something because that number was used for the transaction.
Links to Broward County's database lead directly to tiff images. To get the full records, copy the bracketed instrument number and search by instrument.
Broward County Bar Association:
Verna Sue Baldwin
Broward County Records Division
115 South Andrews Avenue
Suite 120
Fort Lauderdale, Fl 33301
954-357-7271 Voice
954-357-5573 Fax
sbaldwin@broward.org
www.broward.org/records
According to the Broward County Phone Directory, the above phone number is the director's number, not the general dept. number. This is further evidence that Verna is Sue.
Here is Verna Sue Baldwin's Notary Certificate, notary ID 620591 [92386313].
In November 1994, Verna Sue Baldwin and David D. McLauchlin (her husband) sold their condo to [name withheld]. Warranty deed [94569014].
Verna Sue Baldwin then purchased a home:
4011 Thomas Street
Hollywood, FL 33021-3540
Parcel number 11208-11-03500
Folio number 514208110350
Warranty Deed for 4011 Thomas Street [94565427].
According to that warranty deed, Verna Sue Baldwin's Social Security Number is 234-74-8234 [94565427].
In May 2000, she added a 14x28 swimming pool [100293267].
In July 2004, Verna Sue Baldwin and David D. McLauchlin paid off their mortgage [104151876].
Note: I didn't list all of Sue Baldwin's loans. Be sure to do that before ordering her credit report. Equifax uses that information for "security".
It looks like Verna Sue Baldwin still lives at 4011 Thomas Street. Parcel sales history. 2005 property taxes. Map.
Verna Sue Baldwin's mother is Dora B. Baldwin, as stated in her Durable Family Power of Attorney document [101676908]. Dora isn't currently married, so Baldwin might be her maiden name. Perhaps try searching West Virginia's public records.
You don't have to be a US citizen to get a CA driver's license, but you do have to have an SSN, which means you 1) are a citizen or 2) have DHS permission to work in the country.
Moreover, the feds have threatened that if states don't collect SSN information, you won't be allowed to use that state's DL to board a plane or enter a federal office building. There is a definite push towards linking one's legal ability to operate a motor vehicle with citizenship.
People with bad credit have (often) demonstrated an inability to manage their finances effectively. That makes it more likely that they'll overlook strange and unexpected financial transactions, so a fraudster is likely to go undiscovered much longer.
Somebody with an excellent credit rating might be expected to be paying attention.
What we need is a law that says that any organization that uses a SSAN as a password does so entirely at its own risk and thereafter cannot take any action whatsoever which would be financially adverse to the holder of the SSAN.
We basically already have such a law, but it depends how you see "financially adverse". Is it "financially adverse" for someone to have to spend hours on the phone cleaning up their credit? I guess it is, but I don't think anything stops you from suing the bank that put the information on your credit report for libel. It's just that most people aren't going to go through the trouble of doing that. Maybe what we need is a few really big class action suits.
...now that you've moved out - who & where please?
The thing you have to remember is the vast majority of people of voting age in Florida were not actually born here. Off the top of my head I can think of 5 people I know who are natives and that is including myself and my sibling. So if you northern states (I'm looking at you New York) would stop exporting the shallow end of the gene pool we might have a fighting chance.
I know that if something like this were to come to my attention regarding anywhere I have lived I would look up the names of the politicians; The mayors, city councils, police commissioners and print it out and mail it to them. There's probably more than a couple people who have already started collecting this priceless data about particular people because you know them, have a grudge or just because you can see their mortgages and know how much money they have!! I like government making itself more transparent through these means, in this case someone made a decision about this program without knowing enough about what it would do... I can't believe a politician in this country would do something like that.
Just simply open up a DOS prompt (if in windows) and type the following command before leaving your computer for the day, or even when you are using it.....
Start->Run:"cmd"
Then type:
ping -t -l 1024 -f www.broward.org
and be done with their foolishness (in time).
This is my first slashdot post so please be kind..... It seems with all of the current problems identifying somebody a centralized active identification system is needed. What if the government were to have a verification system with a username, like social security number (public), and password(private) required. The password could be changed at any time by the individual. An individual could go into an office, like the RMV, and the clerk could use the picture on file and/or biometric scanning to verify identity. The interface could be as simple as a web page which simply returns a verified/not-verified field. Since the individual controlls the password it would greatly improve the security of their identity and records could be public without risk of them being used for fraudulent identification. Does this not seem like the type of service a government should provide? I know its rather idealistic but all ideas must start someplace. Any thoughts?
*sigh*
/. losing its punch?
I contacted both my County Mayor and Commisioner regarding this issue. To date, the only response I've gotten was from an aide to the County Mayor stating that she is unavailable, but that I can take my concerns to the county records office. They say they will fulfill requests to remove personal information on an individual basis. That's fine for me, but what about my family and friends? What about all the other taxpayers who don't even know this is going on. And as another astute reader put it, it's probably too late as the site no doubt has been scraped already. Great to see my tax dollars at work.
If ever a sight deserved a slashdotting, this one does. Sadly, it looks like I can still negotiate around. Is
What if the Hokey Pokey really is what it's all about?
Hmmmmmm, let's trade a little bit of freedom for some more security....
Biometric data, that can't be faked (wrong, but believe what they tell you!)
How about we all get our fingerprints and iris scans and give that to the government.
No more of this social security ID theft nonsense, right?
I'm being ironical, just throwing a prediction out there, i pray it doesn't come true. But if you can't see a pattern forming...step back!
The problem is they treat it like a secret password. "Oh you know the last 4 digits of the SSN? You MUST be the real deal!" I have no problems with banks wanting SSNs. An SSN is a good unique identifier. A name doesn't cut it, you get collisions with names all the time. Even name and date of birth result in collisions. However name + DOB + SSN and you can be almost 100% certian to have no collisions. But that means, just like your name or DOB, it shouldn't be something you have to keep secret. There should be no power from people knowing it. I don't keep my birthday secret, but I do have to keep my SSN secret.
That's what the GP meant. CC companies need to find another way of confirming identity.
Cool... I guess all this data about Governor J. Bush should be available then... I can't wait and see...
Maricopa county in AZ has had this for years, in fact I designed a datamining app for some real estate guys to mine specific documents on a daily basis.a Select.asp
http://recorder.maricopa.gov/recdocdata/GetRecDat
More like PHISTING.
My 2c.