Slashdot Mirror
Government-Aided Phishing
Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."
Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?
Life is not for the lazy.
From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."
Silence is golden... and duct tape is silver.
this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":h tml (watch part 1 and 2, videos on the right)
http://cbs4.com/topstories/local_story_033170755.
and then retaliated against the journalist after the piece aired:
http://cbs4.com/local/local_story_086232143.html
-- lol pwned
Yeah, hello, Spain? You can have it back now.
The problem with your idea is that it makes sense.
This info was Public Records since, well, always :-)
Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.
In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.
In Soviet Washington the swamp drains you.
Defending Yourself Against Identity Theft
...
According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest
Back to top
Tips to Avoid Identity Theft
-Do not respond to phone calls or emails from unknown solicitors seeking personal information.
-Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
-When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
-Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.
Maybe someone could point them to their own site? And why make copies if you can download for free???
Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.
Most states have this.
Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.
These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.
Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
You break it you buy it!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I just randomly picked a last name, and a couple of clicks later I know that (I've removed the names) L.A.P and A.J.P got a mortgage for 141,999.00 on 5/14/2004 from the CITY FEDERAL SAVINGS BANK.
So, if I were a phisher, I now have two names, and a dollar amount. I already know approximately where, and by clicking on the other records I know that they've been there for about 20 years, and that they also had some legal problems back in 1991, again, I'm leaving out the details.
W.T.F ?!?!?!?!
I would be humongously upset that this sort of stuff is available just by clicking.
Worse, by searching on the same two names + broward county plus a good guess as to another term, I found a link to a dump of 756k from google's cache. http://www.google.com/search?num=20&hl=en&lr=&safe =off&q=www.co.broward.fl.us%2Fdatabase%2Frecords%2 F03-24nme.txt&btnG=Search
If I were a phisher, a few minutes with perl would give me a decent dictionary with which to start ...
Funny thing, they are public docments. Altering then to hide the information is illegal.
Funny thing is, you are wrong. The Privacy Act of 1974 covers what to do with private data in government records at the federal level, and many states have similar provisions. Essentially the documents are public property, but specific personal details are not. For example, citing a court case, evidence, its outcome, etc. is public record. Giving the SSN of the person found guilty and the bank account number used to pay the fine is NOT public record.
Another example is declassified documents. Yes, they are public, but usually redacted. For example, giving information on an old military operation while redacting information that identifies the specific people involved. People that may very well still be in the military performing similar operations.
Altering public documents to the extent of redacting personal information, which is what this article is about, most certainly is legal and often required. However, you are an anonymous coward -- obviously someone redacted your user account so I don't know who you are.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I'm doing a search now to test a theory: .aspx page, which means that it's probably an IIS server back-ended by a MSSQL database. Given that they would want the text search to be case insensitive, it is quite possible that they were sloppy and used a SELECT * WHERE [last_name] LIKE @search_string (ok, they probably listed only the columns they wanted, you get the idea though). It is also possible that there is no limit defined for the number of records to return.
The site is an
If all of the above is true, then the search I started should return everything between 1/1/1978 and 4/10/2006 in the database, assuming that their server survives the request. If this is true, this means that getting everything in their database is a trivial task, and that they are exposing a lot of people to identity theft, very easily. Further, even if they go through and redact the data later, it is probably too late, as the data would have been long since scraped. This is one time that I hope a slashdotting kills a server.
Necessity is the mother of invention.
Laziness is the father.