UK Banks Dump Credentials in Bin Bags
Plutonite writes "BBC news is reporting that several UK banks face 'unlimited fines' for careless handling of sensitive client information. This apparently came after investigators found account details while rummaging through the trash outside the banks involved. In this age of online banking and related security problems, and in light of this scandal, where can we expect to find the greatest threat of ID theft?"
I am the real Anonymous Coward. Any other posts by Anonymous Coward in this topic have been made by an ID thief!!
Frank: Gentlemen, I propose we send a message to tobacco companies by fining the El Dorado Cigarette Company infinity billion dollars!
Congressman: That's the spirit, Frank! But I think a real number might be more effective.
Women are like electronics: you don't know how damaged they are until you try to turn them on.
There's no law, therefore no incentive to do anything about it.
Slashdot has gone ZDNet! I tried to RTFA, but there is a full-motion ad attached to the upper left of the browser window covering the link. Taco, are you going to change the tagline to "News for Marketing Tools. Flash and Felching"?
I don't use banks, I hide all my cash underneath my cat's litter box in my parents' basement.
Nobody steals my identity!
I wish they would... I'm sooooo lonely down here...
Many financial institutions' IT departments in the US have no policies for paper shredding. I was always mindful to shred account information, but many of my coworkers were not. No rules were published and I've never heard it brought up as an issue by management.
You might be wondering why IT staff would have account information on paper. There are a variety of reasons. Periodic statements still go to most customers by paper, and the IT departments are responsible for their automation. A large percentage of people on the business side still like to see reports on paper and often the IT department is responsible for generating them. We are very far from having paperless companies. And in my experience paper disposal policies are largely missing or ignored.
Developers: We can use your help.
time to store all my money under the mattress now.
It's not really easy to get money out of the banks though. They open after I start work, close before I finish, and they're difficult during the lunch hour. Hell, the only people they're accessible to are bank robbers.
Why UNIX?
Most corporate Windows machines are behind firewalls. They're not perfect, but they're pretty good. Windows servers are almost always set up behind even more strict firewalls. Ideally servers exposed to the internet are on a different network segment than the internal servers containing even more data.
The greatest threat of ID theft has always been humans. The vast majority of security breaches are from social engineering.
It's ok, I saw a whole load of fun data (like copies of client passports, proofs of name and address) being sent from the US to the UK for processing using that well-known data protection technique of a FedEx envelope for the CDRs. The Information Security people hit the roof when they heard and insisted on proper encryption. The point is that neither the business nor the IT people concerned had the foggiest idea that there was a duty of care involved.
See my journal, I write things there
As long as we have stupid people who fail to understand that the information stored on the computer is much more valuable than the computer itself, we'll continue to have people throw away stuff like this, store information on unpatched machines, etc.etc.etc.
Therefore, don't deal with a company that employs, or outsources to companies who employ stupid people.
Of course....this is much easier said than done......
"City hall" in German is "Rathaus" Kinda explains a few things......
They should not have dumped the files in /usr/bin, but in /dev/null.
Maybe they got the idea from the airline industry, who in turn might have gotten it from the USA Dept of homerland security.
"We are all geniuses when we dream"
- E.M. Cioran
Oh these Microsoft bastards!
If they never existed people would never throw away printed plain-text passwords, never stick access codes on post-it notes to their monitor, and everyone would be immune to social engineering.
What's the average time before an unprotected Windows box with default safety configuration is rooted after connecting to the Internet? Something like three minutes?
Just because Windows "boxen" are connected to the Internet, doesn't mean they aren't properly secured by means of a firewall. You seem to be confusing the two. A Windows machine that houses a database will never be connected directly to the Internet when a bank has proper security measures and competent Administrators.
5 or 6 years ago my father came down with cancer, and his wife (now ex) took over the regular task of managing the finances of the household, etc. (This was in Wisconsin.) She also took it upon herself to fraudulently clean out his "Federally Protected" IRA, all of his *non-joint* accounts, filed false tax returns, and then ran up tens of thousands of dollars in debt in his name (hiding the statements and records to keep the game going as long as possible). She even bought a $20,000 diamond ring and a Mercedes for herself -- all while my Father was going through radiation treatment and surgery, etc. Finally, the house of cards came tumbling down, the police were notified, and she admitted everything.
The result, 5 years later: We found out that the bank had known this fraud was taking place on his accounts (we have one of their internal documents explicitly stating this), yet they covered this up during the discovery process and only gave it to us years later. She's never been arrested nor paid any restitution for what she did, the "Federally Protected" IRA was never reinstated, and a judge in Wisconsin had my father put in jail for refusing to give her his car, which the judge had mistakenly awarded to both of them during the divorce trial. My father sued the bank and has recovered nothing to date.
Your money is not safe, and no one cares.
2. I treat my personal data like it's already on billboards. Obviously the banks don't care about our privacy, so I try to use services where my personal information isn't needed. Using prepaid credit cards instead of a credit line at the bank, or money orders instead of a checking account may be the way of the future if banks keep giving away our social security numbers.
The criminals already have all of our personal data. Now we need to act accordingly.
Conspiracy theory: the government told them to do it in order to increase identity theft, thus hoping that the public will become more accepting of the national identity register, and more willing to carry biometric ID cards.
-Stephen
Sorry but the conspiracy goes much deeper than that. Your (USD) cash is a fEDERAL rESERVE nOTE; which is what?.. A private bank. USD only has worth because the fED says so. It's a private bank designed to rob you of your real income.
So you will have to convert that stash under the litter box to gold if you want to be free from the talons of corrupt banking institutions.
Believe it.
People that don't care about or don't know how to secure their personal data, institutions run by people with shoddy security practices or that just don't give a damn and all levels of government run by people that seem to refuse to use readily available, inexpensive and reliable security techniques and technology.
Oh, they mean trash bags. Those crazy Brits. They should've used Hefty! Hefty! Hefty! instead of wimpy wimpy wimpy.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
I'm the real Anonymous Coward!
All the other Anonymous Cowards are actually just sock puppets of mine.
Interesting someone should mention that; there's a site that explains why bank charges in the UK are most likely illegal penalty charges and classed as unfair contract terms:
http://www.bankcharges.info/
I'm sure UK readers will really enjoy reading the site and sending off those letters to their banks.
If only I had mod points :(
This sounds unbelievable!
How can they handle sensitive customer data like that?
It is not hard to shred documents, burn them or in other ways securely destroy them.
It truly is a shame that they can do something this careless with something this important.
If there is such a thing as a banking license or something, I think those banks should get theirs revoked...
A former manager of mine used to be the IT director at a bank. There, when they upgraded computers, they went out to the dump and had a 'hard drive party'. They removed the hard drives from the computers before tossing them in, disassembled them, and beat the platters thoroughly with hammers, then frisbee'd them into the hole and watched them be covered up by the dozer.
I was under the impression that banks always were anal about destruction of customer records.
The US Navy has an interesting method also. They have these three-level shredders. First level does strips. Second level does squares. Third level can best be described as "paper dust"; it's the consistency of fine sawdust. Then they flush that out below decks directly into the water. Good luck getting that back.
I work for the Department of Redundancy Department.
Often the greatest threat and the greatest security hole are not necessarily in the same place.
Okay, why does this get an Interesting-Rating?
As if it was Microsoft's fault that managers came up with the idea that passwords were the culprit in our security problems. Sure, some users have quite weak passwords. That's sub-optimal. But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down. Especially when they have to change it every month.
Happened in my company. Why? Because there's data from the italian branch of our company on our system. And they require us to have this "security".
I have to remember a shitload of passwords myself. None of them are exceptionally strong and it's hard enough to remember them. How can people expect users to be able to remember such passwords when they have trouble even coming up with them?
Sounds like an excellent argument for the Paperless Office. Yeah, that's not a perfect solution, but it could sure put an end to dumpster diving.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The Chief Executive of the British Bankers' Association was interviewed on the BBC's (RAM) flagship radio news programme this morning. He claimed that the problem was either: (a) it was a very small number of rogue employees, or most likely (b) the customers' fault! The journalist doing the interview was rendered close to speechless by this answer. The BBA was upholding a long-established UK tradition whereby banks claim that their systems are infallible, and accuse customers who have the cheek to complain (about, e.g. phantom withdrawals) of committing fraud.
so you are assuming an A+B=C thing
A: roll 60 on a d100 (no save)
B: roll 90 on a d100 (no save) hmm grabbing my pda and doing 5 sets
27 and 50
72 and 17
39 and 62
84 and 29
51 and 74
looks like somebody needs some class bonuses or something
Any person using FTFY or editing my postings agrees to a US$50.00 charge
When I worked at the processing center of a bank, there was one big rule: cash slips (internal documents with no personal info on them that only represent money put into or taken out of vaults) can go in trash, everything else in shred box..... Stupid banks.....
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
>>> ... so the banks may well be in for quite the can of whoopass.
Or not. Just look at what the water regulators have done to the water companies that allow their pipes to leak so much that they have to impose hosepipe bans and standpipes in some places ... fined them a tiny percentage of their profits.
A reasonable sum to hurt a bank and make them be careful is going to be about 10% of their profits: 25 million or so for Barclays high street banking I gather (http://news.independent.co.uk/business/news/article346803.ece). You can buy quite a lot of lawyers (and probably politicians, at least in the European Parliament) for that.
I think management should be held to account for such failures as with corporate manslaughter. I predict however that the regulator will either do nothing but make a suggestion ("naughty banks") or fine them something like £50k (twice the annual paperclip bill!).
Interestingly HSBC is the 3rd most profitable UK company (source: http://news.bbc.co.uk/1/hi/business/4303653.stm, one site says they make £1m per hour) yet they don't produce anything! That to me is like paying your richest employee the most even if he does nothing, screwy.
More to the point, why does the US not take such a serious attitude towards the reckless use of personal data?
>>> But when you make them use like 8 digit passwords with letters, special characters and at least one capital letter they will immediately start writing them down.
Requiring special characters, capital letters and such just makes the keyspace smaller and makes it easier to do a brute-force attack on a password. The only somewhat sensible requirement in there is a minimum length.
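The two comments above (the earlier one about users writing down mandated 8-character passwords, and this reply about composition rules shrinking the keyspace) can both be put to numbers. The Python below is an added example written for this page, not code posted by either commenter. It counts, by inclusion-exclusion, how many 8-character printable-ASCII strings satisfy a "at least one lowercase, one capital, one special character" rule, and compares that with the unconstrained keyspace and with a lowercase-only baseline. The class sizes (26/26/10/33, 95 printable characters) and the tiny alphabets used for the brute-force cross-check are constructed for the example.

```python
from itertools import combinations, product
from math import log2

# Sizes of the printable-ASCII character classes (95 symbols in total);
# constructed for this example.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33
TOTAL = LOWER + UPPER + DIGIT + SPECIAL


def count_with_required(length, required, total=TOTAL):
    """Count strings of `length` over `total` symbols that contain at least one
    symbol from every class listed in `required` (a tuple of class sizes).

    Inclusion-exclusion: start from all strings, subtract those missing class A,
    those missing class B, ..., add back those missing both, and so on.
    """
    count = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def brute_force(length, classes):
    """Same count by exhaustive enumeration over a toy alphabet, where `classes`
    is a list of strings of distinct symbols. Only feasible for tiny alphabets;
    it is here to sanity-check the closed-form count."""
    alphabet = "".join(classes)
    return sum(
        1
        for s in product(alphabet, repeat=length)
        if all(any(c in cls for c in s) for cls in classes)
    )


def policy_report(length=8):
    """Compare the thread's policy (at least one lowercase letter, one capital
    and one special character) with two baselines of the same length."""
    unconstrained = TOTAL ** length
    constrained = count_with_required(length, (LOWER, UPPER, SPECIAL))
    lowercase_only = LOWER ** length
    return {
        "unconstrained": unconstrained,
        "constrained": constrained,
        # share of the full keyspace that still passes the rule
        "fraction_kept": constrained / unconstrained,
        # entropy given up by excluding the non-conforming strings
        "bits_lost": log2(unconstrained) - log2(constrained),
        # how much larger the conforming set is than all-lowercase strings
        "vs_lowercase_only": constrained / lowercase_only,
    }


if __name__ == "__main__":
    r = policy_report()
    print(f"all 8-char printable strings: {r['unconstrained']:.3e}")
    print(f"with 3 required classes:      {r['constrained']:.3e} "
          f"({r['fraction_kept']:.1%} kept, {r['bits_lost']:.2f} bits lost)")
    print(f"ratio to lowercase-only:      {r['vs_lowercase_only']:.0f}x")
```

The conforming set is indeed a strict subset of all 8-character strings (roughly four fifths of them, under one bit of entropy), yet it is tens of thousands of times larger than the all-lowercase strings a policy is usually reacting to. Whether that gain survives contact with users who respond by writing the password on a post-it is the trade-off the earlier comment describes, and it is the figure a policy reviewer should weigh against it.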
Questionable firms continue to receive medical and insurance industry outsourcing business.
Decisions based on pure greed; choosing between a $50000 security expenditure or $10000 fine.
Switch those numbers around, and they'll still factor in whether they get caught and then fined.
More laws are needed. Then enforce the existing ones with criminal as well as civil penalties.
I wish the sods would dump some of mine, maybe then I'd stop getting the vast number of unsolicited invitations to take out loans, credit cards and various insurance/assurance deals that I do now. One look at my balances and they'd run for the hills!
Democracy is being able to elect your own megalomaniac, a dictatorship cuts out the middle man.