Slashdot Mirror

← Back to Stories (view on slashdot.org)

Government-Aided Phishing

Posted by ryuzaki0 on from the i-like-hiding-personally dept.

Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."

46 of 222 comments (clear)

  1. let's open some bank accounts by yincrash · · Score: 2, Insightful

    i think it's time for me to head to the local bank.

    what's going to convince them that this is a bad idea?

    1. Re:let's open some bank accounts by boog3r · · Score: 3, Insightful

      what's going to convince them that this is a bad idea?

      maybe someone posting a link to the broward county public records site...

      --
      signatures are for fools with hands
    2. Re:let's open some bank accounts by boog3r · · Score: 2, Funny

      Well... It WAS working. Then i did a search for 'Johnson' and now the webserver seems to be stuck in never-never land.

      *sigh*

      --
      signatures are for fools with hands
    3. Re:let's open some bank accounts by tomhudson · · Score: 5, Informative
      It's still working fine. What's worse, if you don't give a first name, it gives you by last name only, so you can just do a dictionary attack on last names,

      I just randomly picked a last name, and a couple of clicks later I know that (I've removed the names) L.A.P and A.J.P got a mortgage for 141,999.00 on 5/14/2004 from the CITY FEDERAL SAVINGS BANK.

      So, if I were a phisher, I now have two names, and a dollar amount. I already know approximately where, and by clicking on the other records I know that they've been there for about 20 years, and that they also had some legal problems back in 1991, again, I'm leaving out the details.

      W.T.F ?!?!?!?!

      I would be humongously upset that this sort of stuff is available just by clicking.

      Worse, by searching on the same two names + broward county plus a good guess as to another term, I found a link to a dump of 756k from google's cache. http://www.google.com/search?num=20&hl=en&lr=&safe =off&q=www.co.broward.fl.us%2Fdatabase%2Frecords%2 F03-24nme.txt&btnG=Search

      If I were a phisher, a few minutes with perl would give me a decent dictionary with which to start ...

    4. Re:let's open some bank accounts by Sylver+Dragon · · Score: 4, Interesting

      I'm doing a search now to test a theory:
      The site is an .aspx page, which means that it's probably an IIS server back-ended by a MSSQL database. Given that they would want the text search to be case insensitive, it is quite possible that they were sloppy and used a SELECT * WHERE [last_name] LIKE @search_string (ok, they probably listed only the columns they wanted, you get the idea though). It is also possible that there is no limit defined for the number of records to return.
      If all of the above is true, then the search I started should return everything between 1/1/1978 and 4/10/2006 in the database, assuming that their server survives the request. If this is true, this means that getting everything in their database is a trivial task, and that they are exposing a lot of people to identity theft, very easily. Further, even if they go through and redact the data later, it is probably too late, as the data would have been long since scraped. This is one time that I hope a slashdotting kills a server.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    5. Re:let's open some bank accounts by Anonymous Coward · · Score: 2, Interesting

      You don't need to go to your bank. Just print up a "demand draft" on your printer with the holder's account information (available on any check) and home address. If you can get the account holder to answer "yes" to any question about their account (in my grandma's case, "Is your bank account held in this city?"), the banks won't even go after you for fraud. That's sufficient authorization.

      Surely, I must be exaggerating. Sadly, no. See:
      http://wamublamesgrandma.blogspot.com/2006/03/wamu s-response-to-my-letter.html

      Anyway, I've been flogging this dead horse for a while now, but the flip side of institutional laziness with sensitive information is what institutions -- in this case, Washington Mutual -- allow bad guys to do with the information.

      Full details here:
      http://wamublamesgrandma.blogspot.com/

  2. Local Politicians by DigiShaman · · Score: 4, Insightful

    Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?

    --
    Life is not for the lazy.
    1. Re:Local Politicians by HaeMaker · · Score: 2, Informative

      They are not. Was able to look up records of at least one elected official.

      Make checks payable to... well you can look up that info yourself!

    2. Re:Local Politicians by patio11 · · Score: 2, Interesting

      No, they're definately in there. Some quick Googling (heck, one name is in TFA) finds them pretty quick. I was kind of suprised that I could access the site from a foreign IP, as its pretty routine nowadays to limit that (I can't get my own credit reports without using a US based proxy, presumably because they were worried about fraud, and I had a devil of a time reading Dubya's campaign site during the 2004 election) for sensitive sites. Now, generally when we're talking about, say, e-mail delivery I'm 100% in favor of non-discrimination at the institutional level... but could you folks in Flordia strongly consider doing something about this if you start getting a lot of accesses from, say, *.ru?

      --
      Help poke pirates in the eyepatch, arr.
  3. Re:next news story by JordanL · · Score: 2, Interesting

    Hmm... posting it on slashdot DEFINATELY won't draw phisher's attention to it...

    What the hell made Florida ever think that this was a good idea?

    --
    FanFictionRecs.net
  4. Re:next news story by Anonymous Coward · · Score: 3, Funny
    What the hell made Florida ever think that this was a good idea?

    I think you answered your own question.
  5. FLORIDA by dteichman2 · · Score: 5, Funny

    From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."

    --


    Silence is golden... and duct tape is silver.
  6. old news by Prophetic_Truth · · Score: 3, Interesting

    Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.

    --
    time is a perception of a being's consciousness
    time is your 6th sense, the wierd ones are 7+
  7. Identity theft by thomaswahl · · Score: 2, Interesting


        When you are the victim of identity theft you know who to sue: Sue Baldwin,
      Broward County, and the State of Florida. Two out of three deep-pockets isn't bad.

  8. bad year for boward by tehwebguy · · Score: 5, Interesting

    this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":
    http://cbs4.com/topstories/local_story_033170755.h tml (watch part 1 and 2, videos on the right)

    and then retaliated against the journalist after the piece aired:
    http://cbs4.com/local/local_story_086232143.html

    --
    -- lol pwned
    1. Re:bad year for boward by Anonymous Coward · · Score: 2, Interesting

      They also managed to misplace 58,000 absentee ballots.

      Dammit, why'd I have to take a job down here? I did some digging and, sure enough, there are documents about me freely available on the web.

    2. Re:bad year for boward by techno-vampire · · Score: 3, Informative

      Just because they put a disclaimer on it doesn't mean they're not responsible. Back in the '50s, you started to see those "not responsible" signs in parking lots because the owners were tired of paying damages when people's cars were hit. The law hadn't changed, they were (I don't know if they still are) legally liable, but people believd the signs and stopped making claims. Same thing here. If they say they won't accept liability, most people won't try for compensation, even if they're eligable.

      --
      Good, inexpensive web hosting
  9. C'mon, the least Slashdot could do... by jd · · Score: 2, Funny

    ...is post a link to the information! How else are we to know if the data is genuine?

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:C'mon, the least Slashdot could do... by the-amazing-blob · · Score: 2, Informative

      http://www.broward.org/records/ great starting point

  10. Why am I not surprised. by Sir+Unimaginative · · Score: 5, Funny

    Yeah, hello, Spain? You can have it back now.

    --
    The problem with your idea is that it makes sense.
    1. Re:Why am I not surprised. by Solra+Bizna · · Score: 3, Informative

      I need to get out more, that was the funniest thing I've read in a week.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  11. They must do it! by mi · · Score: 4, Insightful
    Editing out the SSNs and DOBs is not only not required by law, it, likely, is against the law.

    This info was Public Records since, well, always :-)

    Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.

    In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.

    --
    In Soviet Washington the swamp drains you.
    1. Re:They must do it! by LiquidCoooled · · Score: 2, Informative

      Its not that it was ever private.
      Its that the criminals have found a use for the information.

      --
      liqbase :: faster than paper
    2. Re:They must do it! by Detritus · · Score: 2, Interesting
      It violates federal law, which trumps state law. Specifically, the privacy act of 1974

      Wrong. The Privacy Act of 1974 only applies to the executive branch of the federal government.

      --
      Mea navis aericumbens anguillis abundat
  12. Bill Gates SSN by ajakk · · Score: 2, Informative

    I remember that this became an issue when someone got credit cards issued in Bill Gates's name. His SSN was listed on SEC filings because he was a majority holder of Microsoft stock. They have since changed the listing requirement with the SEC.

    --
    Come play Heroes of Might and Magic Mini online.
  13. Re:Florida: comic relief for a stressed-out nation by Shadow+Wrought · · Score: 2, Funny
    Obligatory:

    <Homer>Florida? But that's America's wang!</Homer>

    --
    If brevity is the soul of wit, then how does one explain Twitter?
  14. From the website itself.... by bvdbos · · Score: 4, Informative

    Defending Yourself Against Identity Theft

    According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest

    Back to top

    Tips to Avoid Identity Theft
    -Do not respond to phone calls or emails from unknown solicitors seeking personal information.
    -Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
    -When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
    ...
    -Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.

    Maybe someone could point them to their own site? And why make copies if you can download for free???

  15. Attacking the wrong people by GigsVT · · Score: 5, Informative

    Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.

    Most states have this.

    Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.

    These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.

    Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  16. The more SSN's out there the better? by hsmith · · Score: 3, Insightful

    Look at it this way. SSN's aren't what they were meant to be. They are your "everything" number now. In some respects, is the value of the SSN being diminished because they are so easy to use and get a hold of now? It could possibly be a big plus because now we get into a situation where they just aren't worth using so everyone stops using them for important transactions. Lets hope...

  17. No way by Opportunist · · Score: 4, Funny

    You break it you buy it!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  18. OK it had to be said by Spy+der+Mann · · Score: 3, Funny

    Something phishy's going on here.
    *ducks*

  19. Re:Wanted Posters by Bill+Dimm · · Score: 2, Funny

    I was looking at wanted posters, and each one had an SS number on it.

    Yeah, but were you really tempted to steal the identity of someone the police were looking for?

  20. This is good! by Electrum · · Score: 3, Insightful

    The federal government needs to do this on a nationwide scale. The SSA should give a deadline, say one year, then publish all SSN data. SSN is not supposed to be used as an identifier, nor as a secret. Doing this will force organizations to change their procedures, thus hampering identity thefts and other security issues that result from treating a public, non-unique identifier as a secret.

    1. Re:This is good! by ScrewMaster · · Score: 3, Insightful

      No it won't. Congress will have to do it by making use of the Social Security number for anything but governmental purposes illegal. If a corporation wants to assign me a unique I.D. number ... that's fine so long as that number exists only within that organization's database. The credit bureaus like the SSN as a sort of personal GUID that allows them to track us more easily. Tough, I say: they feel entitled to our personal financial data but they're not, and given how badly they're mismanaging it maybe it's time for some changes. The system as it stands is becoming more and more dangerous to individuals every day, and unfortunately we don't really have the option to opt out of it. If you have a bank account you're part of the system, like it or not.

      --
      The higher the technology, the sharper that two-edged sword.
  21. Shocking: laws do NOT replace common sense by suv4x4 · · Score: 2, Insightful

    "A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records."

    If all things in compliance with the law are perfect, then what the hell we need politicians to change/update the laws for? Fire the bastards.

  22. Re:next news story by BigBlockMopar · · Score: 2, Funny

    Speaking of attracting undesireables, I appear to have picked up a stalker, nyahahah! Eh any ACs or GuloGulo (959533) that respond to this message, everyone remember the name, this one is truly half baked.

    Hah! Stalkers? Gimme a break. Try carrying around my sig and see how many disgusting uncircumcised Europeans or "I was robbed at birth!" wackos hit me up.

    I hope they all get phimosis. Savages.

    --
    Fire and Meat. Yummy.
  23. found in five clicks by drkich · · Score: 2, Interesting

    I started searching for my friends and family. I found a number of their documents online with just a couple of clicks. Absolutely ridiculous! I called my senator (state and federal) and I urge you to do the same.

    --
    Mid-Eastern Pennsylvania Gaming Convention
  24. Re:Privacy Act by Detritus · · Score: 2, Informative

    Try reading it again. It doesn't apply to the states.

    --
    Mea navis aericumbens anguillis abundat
  25. Re:Nope by The+Snowman · · Score: 5, Informative

    Funny thing, they are public docments. Altering then to hide the information is illegal.

    Funny thing is, you are wrong. The Privacy Act of 1974 covers what to do with private data in government records at the federal level, and many states have similar provisions. Essentially the documents are public property, but specific personal details are not. For example, citing a court case, evidence, its outcome, etc. is public record. Giving the SSN of the person found guilty and the bank account number used to pay the fine is NOT public record.

    Another example is declassified documents. Yes, they are public, but usually redacted. For example, giving information on an old military operation while redacting information that identifies the specific people involved. People that may very well still be in the military performing similar operations.

    Altering public documents to the extent of redacting personal information, which is what this article is about, most certainly is legal and often required. However, you are an anonymous coward -- obviously someone redacted your user account so I don't know who you are.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  26. Re:Like that's a problem by ceejayoz · · Score: 2, Interesting

    Given the huge amount of poor people with massive debt, sure.

    The problem with having bad credit isn't not being able to get credit, it's not being able to get credit at a reasonable interest rate. Identity theives, not planning on paying the bills, don't give a shit about the interest rate.

  27. Re:It's sorta obvious if you think about it.. by _Sharp'r_ · · Score: 2, Funny

    That's right Broward County, home of all those Republican officials... oh wait, what's that, the county is heavily Democrat without any elected Republican officials, as in all nine of the County Commissioners are Democrats? Well... must be Bush's fault somehow anyway!

    See, when a /. story says something negative about politician's actions, but doesn't emphasize their party affiliation, there's an extremely high correlation that the politicians in question are Democrats. Hence, you wouldn't even have to RTFA, but just the summary, to figure out that the unnamed County and officials are Democrats.

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  28. Re:It's sorta obvious if you think about it.. by Wilson_6500 · · Score: 2, Insightful

    Stupidity and corruption transcend petty human notions of party lines.

  29. This is not Phishing by Glowing+Fish · · Score: 3, Informative

    This is not Phishing.

    Phishing is the attempt to get someone to submit information to you by pretending to be someone else.

    What the government is doing is publicizing information.

    These two activities have almost nothing in common.

    --
    Hopefully I didn't put any [] around my words.
  30. SSN shouldn't be used by Ardemus · · Score: 2, Insightful

    I agree, this is a good thing. Let the use of SSN collapse as a means of granting information. Trying to hide a small number from birth to death is ridiculous. It's equally aweful that companies can claim that you did something because that number was used for the transaction.

  31. Florida.Query("Verna Sue Baldwin") by Anonymous Coward · · Score: 3, Informative

    Links to Broward County's database lead directly to tiff images. To get the full records, copy the bracketed instrument number and search by instrument.

    Broward County Bar Association:
    Verna Sue Baldwin
    Broward County Records Division
    115 South Andrews Avenue
    Suite 120
    Fort Lauderdale, Fl 33301
    954-357-7271 Voice
    954-357-5573 Fax
    sbaldwin@broward.org
    www.broward.org/records

    According to the Broward County Phone Directory, the above phone number is the director's number, not the general dept. number. This is further evidence that Verna is Sue.

    Here is Verna Sue Baldwin's Notary Certificate, notary ID 620591 [92386313].

    In November 1994, Verna Sue Baldwin and David D. McLauchlin (her husband) sold their condo to [name withheld]. Warranty deed [94569014].

    Verna Sue Baldwin then purchased a home:
    4011 Thomas Street
    Hollywood, FL 33021-3540
    Parcel number 11208-11-03500
    Folio number 514208110350
    Warranty Deed for 4011 Thomas Street [94565427].

    According to that warranty deed, Verna Sue Baldwin's Social Security Number is 234-74-8234 [94565427].

    In May 2000, she added a 14x28 swimming pool [100293267].

    In July 2004, Verna Sue Baldwin and David D. McLauchlin paid off their mortgage [104151876].

    Note: I didn't list all of Sue Baldwin's loans. Be sure to do that before ordering her credit report. Equifax uses that information for "security".

    It looks like Verna Sue Baldwin still lives at 4011 Thomas Street. Parcel sales history. 2005 property taxes. Map.

    Verna Sue Baldwin's mother is Dora B. Baldwin, as stated in her Durable Family Power of Attorney document [101676908]. Dora isn't currently married, so Baldwin might be her maiden name. Perhaps try searching West Virginia's public records.

  32. Re:Wanted Posters by DoraLives · · Score: 2, Insightful
    were you really tempted to steal the identity of someone the police were looking for?

    What better identity to commit a crime under could there possibly be?

    --
    Is it fascism yet?