Slashdot Mirror

← Back to Stories (view on slashdot.org)

Government-Aided Phishing

Posted by ryuzaki0 on from the i-like-hiding-personally dept.

Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."

22 of 222 comments (clear)

  1. Local Politicians by DigiShaman · · Score: 4, Insightful

    Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?

    --
    Life is not for the lazy.
  2. Re:next news story by Anonymous Coward · · Score: 3, Funny
    What the hell made Florida ever think that this was a good idea?

    I think you answered your own question.
  3. FLORIDA by dteichman2 · · Score: 5, Funny

    From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."

    --


    Silence is golden... and duct tape is silver.
  4. old news by Prophetic_Truth · · Score: 3, Interesting

    Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.

    --
    time is a perception of a being's consciousness
    time is your 6th sense, the wierd ones are 7+
  5. bad year for boward by tehwebguy · · Score: 5, Interesting

    this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":
    http://cbs4.com/topstories/local_story_033170755.h tml (watch part 1 and 2, videos on the right)

    and then retaliated against the journalist after the piece aired:
    http://cbs4.com/local/local_story_086232143.html

    --
    -- lol pwned
    1. Re:bad year for boward by techno-vampire · · Score: 3, Informative

      Just because they put a disclaimer on it doesn't mean they're not responsible. Back in the '50s, you started to see those "not responsible" signs in parking lots because the owners were tired of paying damages when people's cars were hit. The law hadn't changed, they were (I don't know if they still are) legally liable, but people believd the signs and stopped making claims. Same thing here. If they say they won't accept liability, most people won't try for compensation, even if they're eligable.

      --
      Good, inexpensive web hosting
  6. Why am I not surprised. by Sir+Unimaginative · · Score: 5, Funny

    Yeah, hello, Spain? You can have it back now.

    --
    The problem with your idea is that it makes sense.
    1. Re:Why am I not surprised. by Solra+Bizna · · Score: 3, Informative

      I need to get out more, that was the funniest thing I've read in a week.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  7. They must do it! by mi · · Score: 4, Insightful
    Editing out the SSNs and DOBs is not only not required by law, it, likely, is against the law.

    This info was Public Records since, well, always :-)

    Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.

    In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.

    --
    In Soviet Washington the swamp drains you.
  8. Re:let's open some bank accounts by boog3r · · Score: 3, Insightful

    what's going to convince them that this is a bad idea?

    maybe someone posting a link to the broward county public records site...

    --
    signatures are for fools with hands
  9. From the website itself.... by bvdbos · · Score: 4, Informative

    Defending Yourself Against Identity Theft

    According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest

    Back to top

    Tips to Avoid Identity Theft
    -Do not respond to phone calls or emails from unknown solicitors seeking personal information.
    -Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
    -When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
    ...
    -Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.

    Maybe someone could point them to their own site? And why make copies if you can download for free???

  10. Attacking the wrong people by GigsVT · · Score: 5, Informative

    Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.

    Most states have this.

    Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.

    These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.

    Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  11. The more SSN's out there the better? by hsmith · · Score: 3, Insightful

    Look at it this way. SSN's aren't what they were meant to be. They are your "everything" number now. In some respects, is the value of the SSN being diminished because they are so easy to use and get a hold of now? It could possibly be a big plus because now we get into a situation where they just aren't worth using so everyone stops using them for important transactions. Lets hope...

  12. No way by Opportunist · · Score: 4, Funny

    You break it you buy it!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. OK it had to be said by Spy+der+Mann · · Score: 3, Funny

    Something phishy's going on here.
    *ducks*

  14. This is good! by Electrum · · Score: 3, Insightful

    The federal government needs to do this on a nationwide scale. The SSA should give a deadline, say one year, then publish all SSN data. SSN is not supposed to be used as an identifier, nor as a secret. Doing this will force organizations to change their procedures, thus hampering identity thefts and other security issues that result from treating a public, non-unique identifier as a secret.

    1. Re:This is good! by ScrewMaster · · Score: 3, Insightful

      No it won't. Congress will have to do it by making use of the Social Security number for anything but governmental purposes illegal. If a corporation wants to assign me a unique I.D. number ... that's fine so long as that number exists only within that organization's database. The credit bureaus like the SSN as a sort of personal GUID that allows them to track us more easily. Tough, I say: they feel entitled to our personal financial data but they're not, and given how badly they're mismanaging it maybe it's time for some changes. The system as it stands is becoming more and more dangerous to individuals every day, and unfortunately we don't really have the option to opt out of it. If you have a bank account you're part of the system, like it or not.

      --
      The higher the technology, the sharper that two-edged sword.
  15. Re:let's open some bank accounts by tomhudson · · Score: 5, Informative
    It's still working fine. What's worse, if you don't give a first name, it gives you by last name only, so you can just do a dictionary attack on last names,

    I just randomly picked a last name, and a couple of clicks later I know that (I've removed the names) L.A.P and A.J.P got a mortgage for 141,999.00 on 5/14/2004 from the CITY FEDERAL SAVINGS BANK.

    So, if I were a phisher, I now have two names, and a dollar amount. I already know approximately where, and by clicking on the other records I know that they've been there for about 20 years, and that they also had some legal problems back in 1991, again, I'm leaving out the details.

    W.T.F ?!?!?!?!

    I would be humongously upset that this sort of stuff is available just by clicking.

    Worse, by searching on the same two names + broward county plus a good guess as to another term, I found a link to a dump of 756k from google's cache. http://www.google.com/search?num=20&hl=en&lr=&safe =off&q=www.co.broward.fl.us%2Fdatabase%2Frecords%2 F03-24nme.txt&btnG=Search

    If I were a phisher, a few minutes with perl would give me a decent dictionary with which to start ...

  16. Re:Nope by The+Snowman · · Score: 5, Informative

    Funny thing, they are public docments. Altering then to hide the information is illegal.

    Funny thing is, you are wrong. The Privacy Act of 1974 covers what to do with private data in government records at the federal level, and many states have similar provisions. Essentially the documents are public property, but specific personal details are not. For example, citing a court case, evidence, its outcome, etc. is public record. Giving the SSN of the person found guilty and the bank account number used to pay the fine is NOT public record.

    Another example is declassified documents. Yes, they are public, but usually redacted. For example, giving information on an old military operation while redacting information that identifies the specific people involved. People that may very well still be in the military performing similar operations.

    Altering public documents to the extent of redacting personal information, which is what this article is about, most certainly is legal and often required. However, you are an anonymous coward -- obviously someone redacted your user account so I don't know who you are.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  17. Re:let's open some bank accounts by Sylver+Dragon · · Score: 4, Interesting

    I'm doing a search now to test a theory:
    The site is an .aspx page, which means that it's probably an IIS server back-ended by a MSSQL database. Given that they would want the text search to be case insensitive, it is quite possible that they were sloppy and used a SELECT * WHERE [last_name] LIKE @search_string (ok, they probably listed only the columns they wanted, you get the idea though). It is also possible that there is no limit defined for the number of records to return.
    If all of the above is true, then the search I started should return everything between 1/1/1978 and 4/10/2006 in the database, assuming that their server survives the request. If this is true, this means that getting everything in their database is a trivial task, and that they are exposing a lot of people to identity theft, very easily. Further, even if they go through and redact the data later, it is probably too late, as the data would have been long since scraped. This is one time that I hope a slashdotting kills a server.

    --
    Necessity is the mother of invention.
    Laziness is the father.
  18. This is not Phishing by Glowing+Fish · · Score: 3, Informative

    This is not Phishing.

    Phishing is the attempt to get someone to submit information to you by pretending to be someone else.

    What the government is doing is publicizing information.

    These two activities have almost nothing in common.

    --
    Hopefully I didn't put any [] around my words.
  19. Florida.Query("Verna Sue Baldwin") by Anonymous Coward · · Score: 3, Informative

    Links to Broward County's database lead directly to tiff images. To get the full records, copy the bracketed instrument number and search by instrument.

    Broward County Bar Association:
    Verna Sue Baldwin
    Broward County Records Division
    115 South Andrews Avenue
    Suite 120
    Fort Lauderdale, Fl 33301
    954-357-7271 Voice
    954-357-5573 Fax
    sbaldwin@broward.org
    www.broward.org/records

    According to the Broward County Phone Directory, the above phone number is the director's number, not the general dept. number. This is further evidence that Verna is Sue.

    Here is Verna Sue Baldwin's Notary Certificate, notary ID 620591 [92386313].

    In November 1994, Verna Sue Baldwin and David D. McLauchlin (her husband) sold their condo to [name withheld]. Warranty deed [94569014].

    Verna Sue Baldwin then purchased a home:
    4011 Thomas Street
    Hollywood, FL 33021-3540
    Parcel number 11208-11-03500
    Folio number 514208110350
    Warranty Deed for 4011 Thomas Street [94565427].

    According to that warranty deed, Verna Sue Baldwin's Social Security Number is 234-74-8234 [94565427].

    In May 2000, she added a 14x28 swimming pool [100293267].

    In July 2004, Verna Sue Baldwin and David D. McLauchlin paid off their mortgage [104151876].

    Note: I didn't list all of Sue Baldwin's loans. Be sure to do that before ordering her credit report. Equifax uses that information for "security".

    It looks like Verna Sue Baldwin still lives at 4011 Thomas Street. Parcel sales history. 2005 property taxes. Map.

    Verna Sue Baldwin's mother is Dora B. Baldwin, as stated in her Durable Family Power of Attorney document [101676908]. Dora isn't currently married, so Baldwin might be her maiden name. Perhaps try searching West Virginia's public records.