Slashdot Mirror
Government-Aided Phishing
Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."
i think it's time for me to head to the local bank.
what's going to convince them that this is a bad idea?
Florida county website sues slashdot for launching a distributed denial of service attack (FP!?)
Vehicle Stars used car search is my current project
This has "stupid" written all over it.
Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?
Life is not for the lazy.
Really, does it surprise anyone that it's Florida doing this?
.nosig
From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."
Silence is golden... and duct tape is silver.
Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.
time is a perception of a being's consciousness
time is your 6th sense, the wierd ones are 7+
When you are the victim of identity theft you know who to sue: Sue Baldwin,
Broward County, and the State of Florida. Two out of three deep-pockets isn't bad.
this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":h tml (watch part 1 and 2, videos on the right)
http://cbs4.com/topstories/local_story_033170755.
and then retaliated against the journalist after the piece aired:
http://cbs4.com/local/local_story_086232143.html
-- lol pwned
...is post a link to the information! How else are we to know if the data is genuine?
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Yeah, hello, Spain? You can have it back now.
The problem with your idea is that it makes sense.
This info was Public Records since, well, always :-)
Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.
In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.
In Soviet Washington the swamp drains you.
I don't know if this could be considered "phishing" in the sense that I'm trying to lure people into giving me their information. It's right out there for all to see without going through all the bothersome effort of setting up a fake website and sending out the e-mails! Just some browsing, and then setting up the bank transfers and charging purchases!
And to think of all the effort that's being wasted on setting up phishing schemes, when Broward County will do all the work instead!
I remember that this became an issue when someone got credit cards issued in Bill Gates's name. His SSN was listed on SEC filings because he was a majority holder of Microsoft stock. They have since changed the listing requirement with the SEC.
Come play Heroes of Might and Magic Mini online.
<Homer>Florida? But that's America's wang!</Homer>
If brevity is the soul of wit, then how does one explain Twitter?
Defending Yourself Against Identity Theft
...
According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest
Back to top
Tips to Avoid Identity Theft
-Do not respond to phone calls or emails from unknown solicitors seeking personal information.
-Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
-When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
-Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.
Maybe someone could point them to their own site? And why make copies if you can download for free???
You mean, like a driving license as a proof of ID or a proof of a stay permit?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.
Most states have this.
Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.
These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.
Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Look at it this way. SSN's aren't what they were meant to be. They are your "everything" number now. In some respects, is the value of the SSN being diminished because they are so easy to use and get a hold of now? It could possibly be a big plus because now we get into a situation where they just aren't worth using so everyone stops using them for important transactions. Lets hope...
You break it you buy it!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Something phishy's going on here.
*ducks*
The thing is these records are required to be public. A lot of counties in Florida just decide to blank out all important information, or simply not publish the entire document on their web sites. I would have to argue that the county in question is actually do what is required by law, and nothing less.
It's really not fair at all to say that a record is "Public" if you have to drive to the office and pay $4/hr for a parking spot (if you're lucky enough to find one). Besides, most courhouses have rules like "no weapons", where you will see every officer in the place carrying a gun.
Should people be subjected to phishing? no. The information that is on record at courthouses shouldn't be enough to make phishing targets, but that's not the fault of the courthouse.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
In CA at least, to get a driving license you need to:
- have your photo taken
- have your thumbprint taken
- take a test
- copies or originals of various identifying documents
and in return you are issued a card that is difficult to copy. The card's a bit better than a 9-digit number. Item 3 at least must keep some of the identity thefts at bay! B-)Just yesterday I was looking at wanted posters, and each one had an SS number on it. So this doesn't seem surprising at all.
Good in theory. But, correct me if I'm wrong, there is nothing on the license telling if you're actually a citizen of the US. On the other hand, the driving license is the primary ID card.
Let's put it that way, the border cops near San Diego were quite glad I had my passport with me...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's spelled "definitely." The root of the word is "definite," not "definate." The root of that word is "finite," not "finate."
There is no 'a' anywhere in the word. Ever. Under any circumstances. If you're going to put something in ALL CAPS, please, for the love of God, people, spell it correctly.
Other that that, I agree with you completely.
You struggle and struggle to protect your own identity and something like this sponsored by our own inept government happens. It's enough to make you honstly consider that 7x9 shack in the woods as a viable alternative to modern existence.
The federal government needs to do this on a nationwide scale. The SSA should give a deadline, say one year, then publish all SSN data. SSN is not supposed to be used as an identifier, nor as a secret. Doing this will force organizations to change their procedures, thus hampering identity thefts and other security issues that result from treating a public, non-unique identifier as a secret.
"A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records."
If all things in compliance with the law are perfect, then what the hell we need politicians to change/update the laws for? Fire the bastards.
Has no one heard of the Privacy Act of 1974? Things such as SSN, birth dates, telephone numbers, addresses, etc are all protected. Somehow, it only makes sense to blank that out, even when it comes to freedom of information actions. I'm ashamed to call Florida my state of residence now.
Can someone explain to a poor Brit just *why* you need to keep your SSN safe - which being as it's publicly accessible seems to be an impossibility. Is it the only thing needed to apply for credit in your name or just a convenient stepping stone to a little social engineering to get what info you would need?
I started searching for my friends and family. I found a number of their documents online with just a couple of clicks. Absolutely ridiculous! I called my senator (state and federal) and I urge you to do the same.
Mid-Eastern Pennsylvania Gaming Convention
For X-billion dollars. Send a link to your "favorite" law-shark. I presume grotesque stupidity and wanton negligence bordering on malfeasance(?) is actionable. Any lawyers have an opinion on this crap?
If you want your life to be different, live it differently.
That's easy. Identify who "them" is, and narrow down all the SSN's, driver's license info, etc. and just publish that for the people who are responsible for posting this stuff. If you really wanted change the situation, just add a few of the high ranking politicians for the county to the list.
There are even ways of making this stuff a permanent part of the Internet, though I'll refrain from giving the less technically clueful some ideas.
I have a strong suspicion that the officials responsible for this would change their tune fairly quickly once they became educated on how having too much public information can be abused.
And, just to be clear, I'm not advocating that anyone do this. I wouldn't advocate this even for those beaurecrats in Florida.
On the positive side of things, if all the counties in the U.S. did this, it would certainly force the banking industry to change.
The best way to predict the future is to create it. - Peter Drucker.
Funny thing, they are public docments. Altering then to hide the information is illegal.
Funny thing is, you are wrong. The Privacy Act of 1974 covers what to do with private data in government records at the federal level, and many states have similar provisions. Essentially the documents are public property, but specific personal details are not. For example, citing a court case, evidence, its outcome, etc. is public record. Giving the SSN of the person found guilty and the bank account number used to pay the fine is NOT public record.
Another example is declassified documents. Yes, they are public, but usually redacted. For example, giving information on an old military operation while redacting information that identifies the specific people involved. People that may very well still be in the military performing similar operations.
Altering public documents to the extent of redacting personal information, which is what this article is about, most certainly is legal and often required. However, you are an anonymous coward -- obviously someone redacted your user account so I don't know who you are.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Do you think identity thieves and other scammers are interested in people with bad credit?
Altering public documents to the extent of redacting personal information, which is what this article is about, most certainly is legal and often required. However, you are an anonymous coward -- obviously someone redacted your user account so I don't know who you are.
If I had mod points I dunno whether I'd give you a Funny or Informative.
The higher the technology, the sharper that two-edged sword.
But, correct me if I'm wrong, there is nothing on the license telling if you're actually a citizen of the US.
Of course not. For one, it's a driver's license. That has nothing to do with citizenship or residency. Also, the state issued driver's licenses are not linked to federal citizenship status. If you've ever gotten a job, you know what proves identity, and what proves citizenship. You can use a valid passport to prove both (I think the only civilian ID a natural born citizen can have that proves both identity and citizenship). Without that one document, which you can't use as a driver's license, you have to have two separate documents. Something like a license to prove identity, and something that proves citizenship, like a Social Security card or birth certificate for natural born citizen or the appropriate paperwork from INS for the others.
Let's put it that way, the border cops near San Diego were quite glad I had my passport with me...
Did you check the requirements before leaving the country? Even though it is "just Mexico" it still is a completely different country. I was told that an American leaving the US should, at a minimum, take a birth certificate and ID, no matter where they are going. Without that, it is possible that reentry could be denied or delayed. And if you have a passport, it is silly to not take it with you when you leave the country, even for "just Mexico."
Learn to love Alaska
I'm never surprised to see that it's from Florida. What's with those people? Is corruption and stupidity among governmental officials, like, MORE prevalent there than everywhere else?
Broward County isn't just any county, it is right above Miami. Ft Lauderdale also is in that county, one of the largest cities in Florida. So this is not about some thousand people in the middle of nowhere, but about a couple of million.
consider a company where the CEO and the division head are brothers...
if one is an idiot, it hurts everything below.. and due to genetic stats, it's more likely they both are.
if you work for a division, who's brother is an idiot ceo,
now- substitute division with state, division head with govenor.. and ceo with president..
imagine, they are under TWO bushes...
every day http://en.wikipedia.org/wiki/Special:Random
They prefer the Sunshine State
Here's the link to search the records. None of this is new information, all counties everywhere have this information "publicly" available. Usually you have to drive there and ask for it.
Given the huge amount of poor people with massive debt, sure.
The problem with having bad credit isn't not being able to get credit, it's not being able to get credit at a reasonable interest rate. Identity theives, not planning on paying the bills, don't give a shit about the interest rate.
I found a record dating back to 1970. I wonder how much older info is in there. Also a mortgage that was discharged may have info from I'm guessing as far back as about 1958. The one document I found was for a mortgage that was paid off before 1975 but was show as discharged in 1995.
Federal Gov't does it too... Pacerweb has all the details of bankruptcies online for a few cents a page.
(At least, last I was in there a year or two ago)
Why bother trying to steal ID anywhere else when Broward County has offered itself up as a sacrifice for the surfing?
Fly some airplanes into skyscrapers. Now I know why the 9/11 terrorists went to Florida to reside and prepare for the attack.
The fact that Florida never stopped providing the perfect data for ID theives is really challenges any notion that Homeland Security is coordinating anything with the states, or that they are competent in anything at all.
3 things about computers: they're alive, they're self-aware, and they hate your guts.
Touche - interesting point.
Oddly enough, after perusing the website, I have some ideas on how I'm going to fund my letter writing campaign.
"Can you split that bill up onto these 4 credit cards?"
One official said "recorders have no statutory authority to automatically remove Social Security, bank account and driver's license numbers". As soon as your organization is so big that nobody will do the right thing unless you specifically order them to in writing, then you need a security/privacy policy. You may need one anyway, but situations like this are why you should fight to stay awake when your security consultant talks about pollcy instead of interesting things like cross-site request forgery.
This is not Phishing.
Phishing is the attempt to get someone to submit information to you by pretending to be someone else.
What the government is doing is publicizing information.
These two activities have almost nothing in common.
Hopefully I didn't put any [] around my words.
What we need is a law that says that any organization that uses a SSAN as a password does so entirely at its own risk and thereafter cannot take any action whatsoever which would be financially adverse to the holder of the SSAN.
I agree, this is a good thing. Let the use of SSN collapse as a means of granting information. Trying to hide a small number from birth to death is ridiculous. It's equally aweful that companies can claim that you did something because that number was used for the transaction.
Links to Broward County's database lead directly to tiff images. To get the full records, copy the bracketed instrument number and search by instrument.
Broward County Bar Association:
Verna Sue Baldwin
Broward County Records Division
115 South Andrews Avenue
Suite 120
Fort Lauderdale, Fl 33301
954-357-7271 Voice
954-357-5573 Fax
sbaldwin@broward.org
www.broward.org/records
According to the Broward County Phone Directory, the above phone number is the director's number, not the general dept. number. This is further evidence that Verna is Sue.
Here is Verna Sue Baldwin's Notary Certificate, notary ID 620591 [92386313].
In November 1994, Verna Sue Baldwin and David D. McLauchlin (her husband) sold their condo to [name withheld]. Warranty deed [94569014].
Verna Sue Baldwin then purchased a home:
4011 Thomas Street
Hollywood, FL 33021-3540
Parcel number 11208-11-03500
Folio number 514208110350
Warranty Deed for 4011 Thomas Street [94565427].
According to that warranty deed, Verna Sue Baldwin's Social Security Number is 234-74-8234 [94565427].
In May 2000, she added a 14x28 swimming pool [100293267].
In July 2004, Verna Sue Baldwin and David D. McLauchlin paid off their mortgage [104151876].
Note: I didn't list all of Sue Baldwin's loans. Be sure to do that before ordering her credit report. Equifax uses that information for "security".
It looks like Verna Sue Baldwin still lives at 4011 Thomas Street. Parcel sales history. 2005 property taxes. Map.
Verna Sue Baldwin's mother is Dora B. Baldwin, as stated in her Durable Family Power of Attorney document [101676908]. Dora isn't currently married, so Baldwin might be her maiden name. Perhaps try searching West Virginia's public records.
Nope, didn't leave the country. I was just driving back up from San Diego to LA.
I should mention, though, that I do have an accent, being no native speaker. It's not a Spanish accent, though (I was told I sound a bit like the Nazis in the old war movies... makes sense, most of them were German actors who fled the Nazi regime. Must be interesting to play one of those that kick you out of your country...).
Anyway. I find it highly interesting that the main ID is the DL (I rarely needed anything but it), which is pretty easy to get, even as a foreigner. Now, add that it's not that hard to forge certain certificates from certain countries (and the fact that the people working at the DMV rarely know what a legitimate certificate from some country ending in -stan should look like) and you'll find that it's not so hard to get a valid ID with a false name on it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You don't have to be a US citizen to get a CA driver's license, but you do have to have an SSN, which means you 1) are a citizen or 2) have DHS permission to work in the country.
Moreover, the feds have threatened that if states don't collect SSN information, you won't be allowed to use that state's DL to board a plane or enter a federal office building. There is a definite push towards linking one's legal ability to operate a motor vehicle with citizenship.
People with bad credit have (often) demonstrated an inability to manage their finances effectively. That makes it more likely that they'll overlook strange and unexpected financial transactions, so a fraudster is likely to go undiscovered much longer.
Somebody with an excellent credit rating might be expected to be paying attention.
What we need is a law that says that any organization that uses a SSAN as a password does so entirely at its own risk and thereafter cannot take any action whatsoever which would be financially adverse to the holder of the SSAN.
We basically already have such a law, but it depends how you see "financially adverse". Is it "financially adverse" for someone to have to spend hours on the phone cleaning up their credit? I guess it is, but I don't think anything stops you from suing the bank that put the information on your credit report for libel. It's just that most people aren't going to go through the trouble of doing that. Maybe what we need is a few really big class action suits.
I know that if something like this were to come to my attention regarding anywhere I have lived I would look up the names of the politicians; The mayors, city councils, police commissioners and print it out and mail it to them. There's probably more than a couple people who have already started collecting this priceless data about particular people because you know them, have a grudge or just because you can see their mortgages and know how much money they have!! I like government making itself more transparent through these means, in this case someone made a decision about this program without knowing enough about what it would do... I can't believe a politician in this country would do something like that.
This is my first slashdot post so please be kind..... It seems with all of the current problems identifying somebody a centralized active identification system is needed. What if the government were to have a verification system with a username, like social security number (public), and password(private) required. The password could be changed at any time by the individual. An individual could go into an office, like the RMV, and the clerk could use the picture on file and/or biometric scanning to verify identity. The interface could be as simple as a web page which simply returns a verified/not-verified field. Since the individual controlls the password it would greatly improve the security of their identity and records could be public without risk of them being used for fraudulent identification. Does this not seem like the type of service a government should provide? I know its rather idealistic but all ideas must start someplace. Any thoughts?
*sigh*
/. losing its punch?
I contacted both my County Mayor and Commisioner regarding this issue. To date, the only response I've gotten was from an aide to the County Mayor stating that she is unavailable, but that I can take my concerns to the county records office. They say they will fulfill requests to remove personal information on an individual basis. That's fine for me, but what about my family and friends? What about all the other taxpayers who don't even know this is going on. And as another astute reader put it, it's probably too late as the site no doubt has been scraped already. Great to see my tax dollars at work.
If ever a sight deserved a slashdotting, this one does. Sadly, it looks like I can still negotiate around. Is
What if the Hokey Pokey really is what it's all about?
The problem is they treat it like a secret password. "Oh you know the last 4 digits of the SSN? You MUST be the real deal!" I have no problems with banks wanting SSNs. An SSN is a good unique identifier. A name doesn't cut it, you get collisions with names all the time. Even name and date of birth result in collisions. However name + DOB + SSN and you can be almost 100% certian to have no collisions. But that means, just like your name or DOB, it shouldn't be something you have to keep secret. There should be no power from people knowing it. I don't keep my birthday secret, but I do have to keep my SSN secret.
That's what the GP meant. CC companies need to find another way of confirming identity.
I was just driving back up from San Diego to LA.
Then you don't have to provide them with a passport. Just state your citizenship and give appropriate ID, like a driver's license. There's no requirement that you be able to prove your citizenship just for wandering around. I hate how we have become a "papers please" country, even though that's supposedly illegal for law enforcement to do.
you'll find that it's not so hard to get a valid ID with a false name on it.
It certainly isn't hard, but one thing you'll get with the ID is that they fingerprint with most DLs now, as well as store the picture indefinately. So, you may have ID under a different name, but they can still identify you later. So it may screw them up the first time you misuse the ID, but if you go for more under different names, it may backfire on you when they associate you with the different IDs.
Learn to love Alaska