158 Million Records Exposed

Lucas123 writes "According to the The Privacy Rights Clearing House 158 million records have been exposed over the past two years as a result of inadequate security. Data's less secure today because as fast as banks, merchants and consumers add new layers of security to their storage systems and networks, new technologies — or simply careless users — create new security holes, according to Bob Scheier at Computerworld."

Fixed?

Nothing for you to see here, please move along Phew, at least they fixed the problem quickly!

Re:Fixed?

[SilentChris]

Yeah, it's all fixed. What the summary failed to mention is that those 158 million records were 158 million individual breakins for 1 record each. It actually was the same guy's record each time. So, it's not that bad. Sucks to be that guy, though.

Who's next?

10 to 1, some repository of Student papers is vulnerable to attack, too.

i read it somewhere else

[circletimessquare]

but all you would have to do is pass a law making the financial institutions responsible for all of the costs and hassles involved with identity theft, and it would never happen again. but as long as consumers shoulder that burden, or even a part of it, it will continue, as the consumer is not the one in a position to fix any of the problems that lead to identity theft

Re:i read it somewhere else

[krakelohm]

I agree to an extent, you also have to take some personal responsibility when dealing online. Your birthday or dogs name is not a 'secure' password.

Re:i read it somewhere else

[amccaf1]

The problem then would be that the responsible companies would suddenly stop reporting when their records were stolen / went missing. When person X's identity is stolen the burden would be on that person to prove that the information came via company Y...

Re:i read it somewhere else

[wizardforce]

it will continue, as the consumer is not the one in a position to fix any of the problems that lead to identity theft

Yes, that will motivate banks to use better security but in the end it all comes down to the fact that people need to do their part to uphold the security that is already there. Protecting passwords, keeping information secret unless absolutely needed, understanding computer security enough to avoid keyloggers, trojans, spyware etc.. a lot of the security is the bank's responsibility but it is also Joe sickpack's responsibility not to do stupid things that break security systems already in place.

Re:i read it somewhere else

This fellow expounded on this idea, but you're both missing one very important point: It would work in many countries, where the government is beholden to the voters, but not in the US where the government is beholden to the "campaign contributors". And since there is no law making bribery a crime (or a law against "contributing" to more than one candidate), it doesn't matter which one wins, they're not going to pass a law like you (or I or many other voters) would want them to.

Your vote is is as meaningless as a Nazi vote shortly before WWII or a Soviet vote shortly afterwards. We essentuilly have one party rule, and the party that rules is the banking/corporates.

It's going to take a rebellion, whether armed rebellion or convincing enough people who realise that their vote doesn't count, over half of those eligible, to go to the polls and vote third party.

Until they pass a law outlawing "contribution" to more than one candidate in any race, and another outlawing contributions to candidates one isn't eligibvle to vote for, I'm not voting Republicrat again.

I can hear the two wings of the Republicrat Party scheming now: "Ok, here's the deal - if you Republicans win you get to gut the fourth amendment, if we Democrats win we get to gut the second amendment, and if it's close we'll gut the first. Either way we'll pass bankrupcy reform , the Bono Act and the DMCA."

-mcgrew

Re:i read it somewhere else

I agree; it is shame that it has to be after the fact.

I have to laugh at institutions who entrust certain individuals to certain strategic data; In every post I have held, the managers of this kind of data, sometimes private, sometimes valuable, sometimes critical, always ignored or minimized the emerging security issues involved; their bosses were worse because they were busy with the annual golf outing... My perception was simple ignorance and arrogance; and, you don't hold those positions if you are *too* smart about emerging technology/issues to begin with.

Re:i read it somewhere else

[aldousd666]

They can't make companies that consume financial information responsible for it 100%, because the big huge wide open hole is the consumer themselves. They can type their password into a fake website faster than you can say 'anbesol' and what fault of the bank's is that? None. Consumers need to be smarter, BUT banks or merchants SHOULD be liable for any data exposure due to negligence. Which is something else entirely. If it's bad security practice on behalf of the institution, or someone accidentally left the firewall open, then they should eat the cost of cleaning up their spill. But, if someone misuses a login because you were dumb enough to phish out your password, or you got keylogged, sucks to be you.

Re:i read it somewhere else

[plover]

"all you have to do is pass a law...and it would never happen again"?

Oh, if it were that easy. Pass a law and Windows bugs are fixed. Pass a law and dishonest employees will never steal again. Pass a law and a hard drive will never be misplaced, or a delivery service will never lose a tape en route, or a destruction service will never hire a corporate spy.

California (and a few other states) has a law requiring notification. Minnesota has almost exactly the law you would like requiring the leaking parties to be responsible for the costs, yet continues to have breaches.

Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

Re:i read it somewhere else

[Billosaur]

As many people will point out, at some point you have to take responsibility for your own information. It's not the data breaches themselves that are really the issue, but the fact that once your data gets into the wild, it can be used for nefarious and often illegal purposes, and that's there is no easy way to deal with the problem. Anyone who gets their identity stolen literally spends years writing letters and making calls to various companies to indicate that in fact their identity was stolen and they are not responsible for the misuse of it. When it comes to clearing things up with the major credit monitoring services, it can be downright frustrating to get them to make necessary and factual changes to your credit report in order to get the matter cleared up.

We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect (remember: your SS# is not supposed to be used as any kind of identifier except for tax purposes) and more importantly, how that data should be stored (mandatory encryption).

Re:i read it somewhere else

[Tom]

Pray, tell: How exactly is Citibank going to prevent John Dumb entering his credit card details into that fake ebay page that tells him they need it right now or all his bids will be cancelled?

Identity theft has many faces, and while some are the result of negligience on the part of corporations too worried about short-term growth and profits, only some of them are, and many others not.

Re:i read it somewhere else

All your identities are belong to us. All jokes aside .. financial institutions don't care. they just jack up their fees to cover fraud. I once had over $3,500 charged to my credit card for airline tickets from India to Hawaii! I luckily didn't have to pay for it. Granted it might take some time to recover that much but I'm sure they do as I use my credit card for so much. I bet they figure this is just the cost of doing business. The looser much of the time however is the small guy, the merchant companies as the credit companies take back the money. I know many businesses that only accept cash because of fraud. I'm sure fraud is growing more and more, and nothing will be done until some big company lobbies for government to pass a new law.

Re:i read it somewhere else

[pilgrim23]

"but all you would have to do is pass a law " -seems to be a solution for so many problems -NOT-

"-making the financial institutions responsible" Anything that costs any corp money gets passed on in the price of their service. Ultimately all you accomplish is giving some new pencil pushers a job counting more money that YOU LOOSE.

The simple way to solve this is what I have done for many many years: when someone asks you for your personal information: LIE. Give them a mis-spelled name, transposed SSN, a zip code in Roswell New Mexico, etc. Only a very very few of the institutions you deal with actually really NEED this information yet all are anal retentive and careless. Never raise a question by refusing the clerk's request, just give them the wrong information. Once your REAL information is lost in a sea of bogus info, the threat to you personally is reduced and you took charge of doing it. Come on people! It only takes a few million of us to throw a monkey wrench in the system.

Re:i read it somewhere else

[jfengel]

By making something more than the knowledge of 16 digits required for a loan (which is what they're doing when they authorize a credit transaction). Or even deducting the money directly from my account. Or, God forbid, knowing 9 measly digits from my SSN, as if that somehow were a secret.

It continually baffles me that credit card numbers are assumed to be somehow secret, despite the fact that you hand a waiter making $2.15 an hour a little piece of plastic with that number written on it without a thought.

The customer is in no position to create a new technology that ends this "open secret" way of verifying identities. There are much better mechanisms available, using public-key cryptography and some combination of passwords (entered into a smart card, not passed over the Internet), biometrics, and physical identity tokens.

That's up to the credit card companies. The reason people steal the numbers is that all they have to do is steal the number. Make it harder to steal and they'll stop stealing it. Until then it will continue to shock me that mere knowledge of a password which is regularly transmitted all over the place, and can be stolen from my wallet or my mail, is used as an identifier.

They blame it on the customer because they can, not because it's the customer's fault.

Re:i read it somewhere else

[natebarney]

I think you missed the point. The point circletimessquare seems to be making is that if the financial institutions were held liable, they would more actively address the problem of identity theft, and that they have a much greater capability in this regard than does the consumer. Whether this is correct or not, your response arguing that passing laws doesn't eliminate crime doesn't really seem relevant.

Re:i read it somewhere else

[plover]

So who is "responsible" then if a phisher puts up a fake website that looks like YourBank.com? Is YourBank responsible for your stupidity at falling for the phish?

What about a DNS attack, where legitimate customers going to the legitimate YourBank.com site are redirected to a man-in-the-middle site? Everything looks legit (albeit slow) and it's a near-picture-perfect real-time clone of the bank's site and the user's account info. Who has to pony up in this case? Linksys/Cisco for making a router susceptible to DNS hijacking? IE or Firefox for somehow not recognizing the MITM? Verisign for legitimately issuing a certificate to a hacker that he then later misused?

At some point a lot of these fall into the category of technological failings. Are we suddenly going to see disclaimers on routers and ethernet switches claiming "Not suitable for secure financial transaction data"?

The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication. Shut down commercial use of the internet. Not a likely scenario.

The next best solution would be to train employees and end-users how to safely transact business over the internet. Joe Sixpack can't even identify every button on his TV remote control -- what are the chances he can learn how to check certificates for authenticity? Even if he could be trained, would you then shoulder the responsibility for training him how to spot hacks just in time to have a new hack come out and steal his account information anyway? "Mr. Trainer, I followed your instructions exactly and I still got hacked. Here's a lawsuit for damages due to your incompetence."

And before you place too much faith in IPV6 to solve all these problems, you should take a look at every other piece of technology claiming to solve security problems. They're all flawed -- some more than others. It's just that we don't know IPV6's vulnerabilities yet.

Re:i read it somewhere else

[Anonymous+Brave+Guy]

We don't just need laws to make companies liable, we need a system in place to make sure that when data breaches do occur, that those affected can restore some semblance of normalcy to their lives with the minimum of fuss. And we need laws in place to define just what data any particular company can collect

Yes and yes. I've been arguing the same way ever since a probably inadvertent mistake by a minimum wage local government staffer screwed up my tax record by linking me to someone else. The mistake itself wasn't too damaging, fortunately, but the really nasty things were the fact that the first I knew about it was when my paycheque was well short one month because of over-charged tax, and that it took me several months contacting several different tax offices to get it fixed. (Hint to tax offices: if I'm complaining that my tax records have been corrupted, possibly by cross-linking with someone else's given the context, then it's not very sensible to stonewall me completely because the address and employer details I'm giving you aren't what's in my tax record. If I'm not currently working for that employer, why are you deducting tax on my wages from them?)

I believe we are long overdue for things like robust privacy/anti-collection of personal data laws, and that such laws should also require that anyone dealing with any sensitive personal information must provide a fast, low-cost, effective mechanism for fixing screw-ups or face unlimited fines in court for any damage resulting and to compensate for any distress and wasted time for the victim. And this should go double for any organisations that you are legally compelled to supply with personal information.

Re:i read it somewhere else

[octaene]

The poster's reply does sound a bit glib, but he's not far off. Of course no law magically causes bugs to be patched; the point is, hit these data custodians (companies) in the pocketbook.

Ask yourself: why do these kinds of thing happen so infrequently in the EU? The reason is that they have a more comprehensive approach to data security and personally identifiable information (PII) that permeates government and private industry. In the U.S., our laws take a sectoral approach. This myriad of laws and regulations leaves plenty of holes and gaps, which results in data theft. Companies that store PII hire lawyers to help them find the bare minimum of data security compliance.

Re:i read it somewhere else

[plover]

I was aiming only at his hubristic claim that it will "never" happen again. We have plenty of laws against robbery, extortion, murder, etc., yet they seem to continue to happen. More laws may make some improvements in the situation, but are certainly not a panacea, and should never be thought of in that way.

Re:i read it somewhere else

[JonXP]

"The only way to truly end this is to remove the ability to use the data online, and require face-to-face authentication."

Because, as we all know, fraud and identity theft did not exist before the advent of the internet.

Re:i read it somewhere else

[cowplex]

Very true. Technology, as it stands now, is very open to phishing, etc. You're entirely right - the technology needs to change.

However, such failings of technology is only a part of the problem. It seems like every time I visit /. there's a new article about how some company or another just lost the SSN, bank account numbers, passwords, identification numbers, DNA signatures and biometric iris scans of another 40 million people. It seems like these companies are actually at fault for this lost data, so where do we draw the line? If you get phished you're not liable but if you lose the laptop the personal information of everyone in the state is on you are? What about a weak implementation of security?

Re:i read it somewhere else

[LordPhantom]

This..... would be why banks are using those goofy pictures to authenticate the site - basically if you don't see the image you normally do, you shouldn't type in your password. It won't work for someone targeting someone individually, but they're banking (pun, sorry) on most phishers not going after all the images or detecting them if they do. It won't work forever, but banks -are- working on better ways of doing things.

Re:i read it somewhere else

[Gryffin]

Laws aren't like some magical "wand of protection +5". Sure, they give people incentive to do something, but they can't actually stop the dishonest people, nor do they protect us from the incompetent until after the damage is done.

You're missing the point.

Right now, the companies whose data is stolen have no financial incentive to beef up their security, but they have plenty of PR incentive to cover up breaches. If such breaches were to hurt their bottom line, the shareholders would make them take their security seriously.

As for the effectiveness of laws, look at Sarbanes-Oxley: corporations have created whole departments just to manage compliance. Sure, they bitch and moan abotu the hassle, but they comply because it's the law. Why can't they be obligated to put the same effort into customer data security?

Re:i read it somewhere else

[bxbaser]

it is if my dogs name is kjGO6375nto87TONkj35jv25jh235

Re:i read it somewhere else

[bogjobber]

Speak for yourself. My dog's name is a#D)3ma*7@K

Re:i read it somewhere else

[aztektum]

At some point a lot of these fall into the category of technological failings. Did you scan the list? I saw far more data loss because of shoddy management than average Joe's being scammed via a technical exploit. Dumpsters filled with paper records of employee SSN's and DL's. Backups being lost on non-encrypted media. Systems containing data that are stolen. Some people got scammed via e-mail, but most of this was because of shoddy physical security.

Put in place real penalties for these corporations (Kaiser fined 200k for putting patient info online? Their whole legal department probably costs them 10 times that easy to operate!) and I bet phishing attacks as a whole would barely make a newsworthy headline.

Re:i read it somewhere else

[Deanalator]

It would be nice if there were international standards for best practices of secure data storage in industry that whose mathematical model lined up with a set of internet standards also governed over by various international bodies.

Even if this was done right, the information would still not be "secure". There are implementation issues that will always leave data open. The point is, however, that you would always know who to blame, and could create laws accordingly.

Re:i read it somewhere else

[legirons]

"you also have to take some personal responsibility when dealing online. Your birthday or dogs name is not a 'secure' password."

All banks in the UK (I've dealt with several) use your birthday as one of the "secrets" for authenticating when you telephone them. They also use your mother's maiden name and place of birth, both of which are a matter of public record.

Oh, and for the extra-secure part of their password, most places prompt you to use a "memorable name" or "memorable date", so no prizes for guessing how many of those are secure.

In the U.S., I believe lots of companies use the social security number (e.g. in the HP fraud case) where the employer has access to that number, but the telephone company uses it as your password

Re:i read it somewhere else

[Tom]

Make it harder to steal and they'll stop stealing it. I dare say you've not been actively fighting spam for the past 10 years or so.

A lot of people have put a lot of effort into making spamming harder. Know what? Spammers have not stopped spamming. They've worked equally hard to get around the anti-spam features.

Credit card fraud is likewise a big, profitable business. So you have this fancy biometrics smart card thing. Then the scammers will run a man-in-the-middle attack, instead of grabbing your CC number they'll steal an actual transaction. Or they will find other, more creative ways to part you and your money.

Re:i read it somewhere else

[Lally+Singh]

I think that when they let their employees have laptops full of my (unencrypted) personal data, which subsequently gets lost or stolen, that they should bear the responsibility.

For phishing sites, etc. There are technological solutions to this sort of problem. Just require better verification than 'the domain name matches the SSL certificate'.

Re:i read it somewhere else

[Xichekolas]

all you would have to do is pass a law making the financial institutions responsible for all of the costs and hassles involved with identity theft, and it would never happen again.

The reason it would never happen again is because banks would take away all online banking and access to their customer information. Yep, back to the days of going into the branch to check a balance and sending money orders to buy things on ebay. What a great idea!

It's all about risk management for them. They don't care about about whether an individual gets taken for all he is worth, as long as it's a small percentage of the individuals they manage. To keep their good names they will even compensate the individual (most of the time). But if they were slapped with punitive damages related to each security breach, they'd just as soon make it 100% secure by taking it away.

Re:i read it somewhere else

[Heembo]

but all you would have to do is pass a law making the financial institutions responsible for all of the costs and hassles involved with identity theft, and it would never happen again. No so much. The banks will do some bean counting cost analysis, do little more than they are doing, and just pass that extra most of doing business onto the consumer.

Re:i read it somewhere else

[CRWeaks23]

In my opinion, I don't really see the debate here. It's very simple to me: whoever is at fault for exposing the personal data should be liable for all costs related to correcting the issue. If a consumer's data is compromised because they got phished, that's on them. If the VP of sales loses a laptop containing a million customer records, that's on the company.

Re:i read it somewhere else

[krakelohm]

Not anymore...

Re:i read it somewhere else

[WGR]

Phishers can't operate as readily if the banking site can be identified by proper two way TSL certificates. That is, the banking certificate is given to the user by the bank branch directly so that all transactions with the bank are encrypted with the bank's public key and a shared key that only the bank knows. The user's password only unlocks the PKI certificate so even if the phisher's get the password, they will not have the actual certificate to be able to transact business with the bank.

The problem is that bank's would rather lose a few dollars to phishers than pay for proper security for online transactions.

In the late 90s my bank required a separate Entrust certificate process to run to be able to do business. But they lost business to banks that used the simpler (and less secure) one way SSL connection with a password that they changed to SSL themselves. As long as banks don't suffer the consequences of inadequate security and consumers don't require good security, we will still have problems.

Re:i read it somewhere else

[elh_inny]

Could you guys quickly brief me in on how Identity Theft works in US?
  I live in Eastern Europe and communism left us with so much bureaucracy, that it's impossible to arranage even the simplest thing without being there in person and signing in on a leaflet of paper and showing your ID.
I'd say it's very difficult for us to do something when it's legitimate even harder for an impersonator and, not surprisingly you don't hear about many abuses of id theft in eastern Block.

Can you give some examples how personal data can be used to commit frauds in US?
While I might consider a career in con art, I'm actually asking, because as well develop, we evolve to a more liberal model and I can see many oversight here already, for instance cashiers not checking the signatures on credit cards (which are a novelty here) etc..

Re:i read it somewhere else

[tekrat]

at some point you have to take responsibility for your own information.

And how exactly am *I* supposed to do that? There are hundreds, perhaps thousands of companies who are continuously buying and selling information about *me*. And you can bet that when these companies sell someone else information they have collected about me, I am the last person on the notification list.

Furthermore, these companies actively resist you being able to contact them. Thanks to modern voice-mail trees, it's pretty much impossible to speak to a human at any of these companies, and assuming that you can make contact with some of the smaller ones, you can bet the first question they ask is "What's your social security number?", which, is information you're not supposed to give out over the phone if you want to protect your identity!

So far, the only way I have ever seen to have these companies take you seriously is to sue them. But you can't sue them if you're not sure they even have information about you. And it's very difficult to find out if they information about you unless you sue them.

I once recieved a letter from a collection agency I never heard of claiming I owed $28 for an AOL account, and unless I sent them a check, it would go into my credit report that I was delinquent. I called the company, and the first thing I was asked by the rude person over the phone was to give them my social security number. I refused to give this person a number since I felt this was a scam - I've never been and never will be an AOL customer. They hung up on me. So I called back, asking to speak to a supervisor. Again, I was asked for my social. I refused. They hung up.

So, I contacted AOL. AOL claimed I had an account that was unpaid. I told them I've never been an AOL customer. They said I had to fill out a form claiming that, and they needed my address. I pointed out that they should already have my address, since they were able to give that info to the collection agency.

In the end, I wound up sending complaints to AOL, the State Attouney General and Better Business, but, as far as I know, it did get resolved. But the point is, I have no idea how AOL got my information, and I only found out I had an AOL account after I was asked by a collection agency for money. AOL never once contacted me.

So exactly how am I supposed to "secure" and be responsible for my information, when I can't even tell who's got what about me?

What's worse is the amount of time I spent on this, because two dumbass companies can't even get their information about me straight. If AOL had contacted me FIRST, for example, it could have been resolved with one phone call. Instead, they just shuffled it off to a collection agency, which made the whole thing much more complicated.

Re:i read it somewhere else

[NMerriam]

The essential thing in the US is that the banking system has become quite enamored of easy credit in the last few decades -- the policy of extending credit to essentially anyone for any reason, based on nothing more than an application and a promise to pay it back at some later date. In a fight to get more customers for such credit, lenders competed with each other to make it as convenient as possible to apply, and therefore as convenient as possible to commit fraud. Simply knowing some easily available information about someone is enough to get you credit in their name.

So long as the creditors themselves don't suffer too much financially from fraud (which they don't, thanks to their generous campaign contributions and strict avoidance of responsibility through their merchant contracts) it's a winning business strategy because it also brings in more legitimate customers.

The fundamental problem is that we benefit from the convenience of easy credit, the banks profit from it, but when anything goes wrong all of a sudden the customer and the merchant (but not the bank) are left with all the costs of fraud. Any solution would inherently restrict the convenient availability of credit to some degree, and the American economy purrs along quite well in large part due to consumer spending that is largely tied to credit.

Re:i read it somewhere else

I agree to an extent, you also have to take some personal responsibility when dealing online. Your birthday or dogs name is not a 'secure' password. So now you need to be aware of security implications to consume financial services online? Why would my grandmother expect this to be a security issue? My pin number is 4 digits, why is that any less adequate over the internet? Hell, all I need is a signature to take money out of my account at the teller. I don't know how these things work but my bank is offering me no fees and a better interest rate if I use this internet thingo.

Given the protection against bad passwords is such a simple thing....

Re:i read it somewhere else

[Magada]

Let's look at this from another perspective, shall we? As long as personal data remains in the hands of for-profits and governments which have no intention to share it (not even with those it was collected from), we are all unsafe. Here's to hoping that a legitimate, open market in such information is created sooner rather than later.

Re:i read it somewhere else

[MartinG]

Why the hell are such using simple password based authentication anyway?

We should be using personal pass-phrase protected keys and certificates to encrypt and sign our communications (in addition to the current certificate based authentication we use to verify their identity on secure web sites), and everything required to do this should be provided to us by the banks by snail mail.

--
Martin.

Re:i read it somewhere else

[Anonymous+Brave+Guy]

The essential thing in the US is that the banking system has become quite enamored of easy credit in the last few decades -- the policy of extending credit to essentially anyone for any reason, based on nothing more than an application and a promise to pay it back at some later date. [...] So long as the creditors themselves don't suffer too much financially from fraud (which they don't, thanks to their generous campaign contributions and strict avoidance of responsibility through their merchant contracts) it's a winning business strategy because it also brings in more legitimate customers.

Perhaps you didn't notice, but exactly such an attitude as you described is the reason the US economy is in danger of collapsing into deep recession, and taking a significant chunk of the rest of the world with it. Have you looked at the stock markets in the past fortnight, or noticed the sub-prime mortgage lenders in financial difficulties or outright going bust?

Solution is simple...

[Bomarc]

At a state level (We could never get our Fed legislative critter to do something for the people) have a 'data protection' right. Bottom line: You lose data: you pay the people who's data you had. You fail to notify the people you pay double. If the information is actually used, damages are double plus ACTUAL / ON GOING losses.

Bottom line: Lock up your data!. We learned this back in the days of the wild west. Now we must - relearn; reinvent the safe for the 21st century data.

Sucks

[Poppler]

My own information, including bank account numbers, has been stolen and sold. I received a letter from a company I've never done business with, explaining how it wasn't their fault that they lost information I didn't give them, and trying to reassure me that nothing bad would happen.

The people running these companies should be considered criminally negligent. Maybe then they'll start to take security seriously.

stats on what the breaches were

[wizardforce]

http://www.privacyrights.org/ar/DataBreaches2006-A nalysis.htm human/software incompetence took up 44% in the public sector, hackers 52% in higher education and theft(s) were 55 and 57% for private and medical respectively

Numbers

[ArcadeX]

I'm guessing that's a global number (RTFA? who has time... besides me), but if that was just America, that would be more than half of the population... wonder how many of those numbers are dupes.

Re:Numbers

[wizardforce]

below the index in TFA it tells what the breaches were, how many were affected and where they happened. from what I can tell the vast majority if not all are in the USA. there are dozens of pages of them and at least some are the same people getting multiple breaches...

Re:Numbers

[janrinok]

It appears to be just US records - which is frightening. The laws that people are calling for in other comments to this thread already exist here in Europe, but it is debatable how effective they have been. Certainly European companies and organisations have been fined for losing data but it doesn't necessarily stop the losses from occurring.

Always going to be a problem

[TubeSteak]

Data breaches are always going to exist.
The big question is: What can be done to minimize the impact of the breaches.
The short answer - make it harder to get credit cards, loans, etc.

Once you change the way that money is handed out by financial institutions, all that stolen data becomes worthless.

But... that will never happen. Easy access to credit is the lifeblood of the debt driven American economy. So really, no matter how much moaning goes on about fraud, they still want a system that allows everyone to easily have access to debt at the drop of a hat.

Re:Always going to be a problem

[Watson+Ladd]

Your logic is wrong. If a bank waits five weeks to grant credit to do a criminal background check it won't help a bit if the guy they are giving the cash to is not the guy who they checked out.

Re:Always going to be a problem

[CastrTroy]

A criminal background check probably wouldn't help much. You are right. However, they should do other checks. They should make it more difficult to prove that you are who you say you are. Giving them a ssn, dob, and mother's maiden name shouldn't be valid credentials for determining your identity. They don't accept that when giving you a driver's license or passport, and it shouldn't be accepted when applying for credit. It is entirely too easy to get credit under a false identity. In the same way that people are expected to not follow phishing emails, and always check that the website they are logging into is in fact the bank's website, the banks should be required to be a lot more diligent on verifying the identity of the person applying for credit.

Hum...

[GodCandy]

Did I do the math wrong or does that add up to just over 200,000 a day give or take.

2 years = 365*2 = 730
158,000,000/730 = 216,438.36

wow thats a lot of data to be "compromised." I think some of these people should have had better measures in place to prevent this type of thing. Others just shouldn't piss off there staff to the point that they sell company information to the highest bidder. Especially when that information is mine.

I Have A Gut Feeling

that these exposures are RIGGED.

Insincerely As Always,
Michael Chertoff
Secretary of Homeland Insecurity

That's only partly true

[MikeRT]

Why should the banks be liable for phishing? That is the failure of the user to remember proper security and/or make a good decision. However, the banks should be 100% responsible for all fraudulent credit issues and such.

One thing we need is a new court order from each state government that allows a citizen or legal immigrant to simply walk up to a credit institution, post identity theft, and say "purge those records, NOW!" at the penalty of fines and being liable for libel and slander if not acted upon in a reasonable time period.

Re:That's only partly true

[dgatwood]

Why should the banks be liable for phishing?

Because phishing is easily 100% preventable through technological means. All a bank has to do is use digest authentication for the website. Then, even if somebody set up a fake phishing site on an actual https link, they could not obtain your password. If the bank's website implemented digest auth correctly, an attacker could only obtain the authorization needed to make a single specific HTTP request to the bank's website on the client's behalf. Of course, since that would effectively be a man-in-the-middle attack, the attacker might be able to get enough information from the actual web page that the bank provided to be useful in some other way (e.g. stealing the account number and using social engineering to gain access via the telephone or in person at the bank), but they could not get online access to the account in this way.

In short, all losses caused by phishing are the fault of banks not doing a reasonable job of security, and thus, they should be held responsible for 100% of the cost of losses due to phishing.

Re:That's only partly true

[lgw]

Digest authentication would appear to do nothing to prevent a man-in-the-middle phishing attack. The MiM just forwards the authentication request response, and once the endpoints are happy simply hijacks the connection.

Either you have to sign all traffic both ways with a shared secret (such as the username and password), or you have to build endpoint authentication into HTTPS in a way that *includes* the username and password for the web site.

Re:That's only partly true

[NMerriam]

Why should the banks be liable for phishing?

Because the banks are the professionals whose job it is to protect the money they are holding on behalf of others?

There are numerous ways to prevent phishing from working, they just all cost more than blaming the customer. Right now we have banking security that is only slightly more rigorous than making people pinkie-swear they are who they say they are.

Re:That's only partly true

[dgatwood]

I would note that most phishing attacks aren't actually trying to get access to passwords. They're trying to obtain other secret information by presenting pages that rarely look much at all like any legitimate page from the bank, asking for things like SSN, etc. with the goal of full blown identity theft. These are, of course, only such a crisis because of the fundamentally weak authorization used when granting credit.

All it would take to permanently prevent the bulk of identity theft would be a law that mandates that all credit lines over $100 require callback confirmation, and that any credit over $100 without that callback confirmation may not be reported on your credit report or alter your score. The credit bureau contacts you by phone at your last known phone number and simultaneously by mail. Either way, the contact provides a confirmation number which you must then provide to them in order to confirm the information. In the case of an address change, you should have to present/fax a government issued photo ID to obtain credit unless you can still receive mail/phone calls at your old address/number.

Either you have to sign all traffic both ways with a shared secret (such as the username and password), or you have to build endpoint authentication into HTTPS in a way that *includes* the username and password for the web site.

Read more about digest auth. That's basically what it does.

Short description of the way it works: the client makes a request. The server says "Authorization required." The client says "let's do this with authorization." The server says "here's a randomly-generated value. Use the user-entered password to hash that value." The client hashes the random value (referred to as a "nonce") with the user-entered password and sends that value. The server checks that the request was made using a nonce that it sent which has not expired. It then takes the user's password and encrypts the same random value (nonce) with the user's password. If the value doesn't match, the user doesn't get in.

All that is necessary, then, to guarantee that the connection cannot be transparently hijacked (without the user seeing some kind of error) is to never allow a nonce to be reused. At most, you'll get to generate exactly one single fraudulent URL request, and even doing that will disrupt the user's web page load, and thus it cannot be transparent.

To guarantee that the connection cannot usefully be hijacked, you need to then ensure that no transaction can occur unless it could reasonably have been issued from the last page the user accessed and you have to ensure that no significant transaction cannot occur without multiple requests (enough to be noticed). This can be largely accomplished by using a random, server-generated value in the page to request things like a wire transfer which is then checked and a different random, server-generated value in the page to confirm the request. Expire those values in a short period of time. This change, coupled with digest auth, would then require you to break the user's page load three times in a row for a wire transfer request (for example) in a short period of time, which would probably be noticed.

This statefulness might slightly annoy users who like to have more than one browser window open for the bank, but you can largely alleviate that through good site design that opens certain links in new windows (e.g. an "open in new window" icon next to the link) and limits where you can go from those secondary windows so that you can't use those secondary windows to do anything nasty.

(*) Technically, there's no way to make things perfectly stateful in such a way that they couldn't be simulated through a very clever man-in-the-middle attack, but you could make it so hard that it wouldn't be practical. The obvious change would be to make it so that requesting any operation that isn't described on the current page cause an immediate purge of the temporary field

Re:That's only partly true

[lgw]

How digest auth works is simple enough, but it's just a mechanism with which to sign a resuest/response, and so is not by itself enough to solve the problem. Buying a horse does not make you a rider. As I think we both said "you have to sign all traffic both ways".

Mandatory callback on opening lines of credit would be a big help, though it wouldn't solve the problem of someone just taking all the money one has in the bank (more of a threat for some than others, I guess).

Monster.com data theft today

[bakuun]

And just recently, about 1.6 million data records were stolen from the job application site monster.com - including among other things name, email, telephone numbers, address and which area a user would like to work in. Quite the wet dream of any spammer. http://www.infoworld.com/article/07/08/20/Monster. com-identity-attack_1.html

But it has to be reasonable for Joe Sixpack

[Anonymous+Brave+Guy]

Yes, that will motivate banks to use better security but in the end it all comes down to the fact that people need to do their part to uphold the security that is already there.

The problem with that is that current mechanisms are far too much of a burden for the average member of the public to avoid carelessness and/or social engineering attacks.

It simply isn't reasonable to expect people to create and remember a different, properly secure password for each of numerous services, some of which will only be accessed occasionally, perhaps as little as once per year or less. Nor is it reasonable to expect average people using typical software on typical computers to understand all the dangers of phishing attacks, the need to patch immediately against cross-site scripting vulnerabilities, and other geeky gobbledegook.

Since large organisations only tend to understand responsibilities in terms of the bottom line impact if they fail to live up to them — and that includes the responsibility to obey the law — the law needs to impose a sufficient burden on those handling sensitive personal information improperly that it becomes more economic for them to invest in proper security, both on their own side and in terms of what they expect of their clients. With sufficient pushing in the right direction, we could have not only much better security in terms of software and protocols, but also practically effective means of identifying people more reliably and with less susceptibility to casual crime.

This doesn't need to be rocket science, either: consider that switching from using signatures to using PINs to authenticate card transactions has reduced card fraud by something like 80% in several European countries. The new PIN-based systems are simple enough for almost everyone to understand, were well advertised prior to their takeover, are backed by software and equipment that work pretty well, and are based on the tried-and-tested security policy of combining a physical token with some information known only to the legitimate user. Just like that, you've removed a common mechanism for card fraud, saving businesses billions and saving hassle for thousands of would-have-been victims every year.

We have the technology to do this. A simple card and public key cryptography suffice for most purposes, after all. We just need the will to do it more widely, so the complexity is dealt with by the system and not by the user.

Re:But it has to be reasonable for Joe Sixpack

[petermgreen]

This doesn't need to be rocket science, either: consider that switching from using signatures to using PINs to authenticate card transactions has reduced card fraud by something like 80% in several European countries.
It also makes it much harder to prove that you have been stolen from. I wonder how much of the reduction you claim is due to actual reduction and how much is due to people being unable to prove the crime ever happened.

Re:But it has to be reasonable for Joe Sixpack

[Anonymous+Brave+Guy]

It also makes it much harder to prove that you have been stolen from. I wonder how much of the reduction you claim is due to actual reduction and how much is due to people being unable to prove the crime ever happened.

Interesting theory, but it's much harder to commit that casual fraud in the first place now, so I suspect the effect you describe is insignificant in practice. People got wise very quickly to the fact that you check the amount before keying in your PIN, and the hardware set-up is pretty effective for preventing casual fraud by shop staff and the like, so PIN-verified transactions are usually legitimate.

There's always been the problem of someone using a card to pay for something over the phone or Internet, where no PIN is entered now, but no signature was required before either. You can challenge these with the bank or credit card company just like you always could, and in general the burden is on the retailer to prove that the transaction was in order: in cases of doubt, the bank will typically charge-back first and ask questions later.

I am getting spam to my gmail account

[crovira]

and NOBODY knows about the account because I have NEVER used it to send mail to ANYONE not referred to it in any other email or web communication.

This is REALLY sad.

Re:I am getting spam to my gmail account

[jafiwam]

Dictionary attack.

"aaaaaaaaa@gmail.com"
"aaaaaaaab@gmail.com"
"aaaaaaaac@gmail.com"

If you dig through your SMTP logs every once in a while, you see that stuff. Usually coming from a compromised home machine in short bursts of fifteen or thirty tries.

A few minutes later, another block is tried from another IP on the other side of the planet.

Plus, did you read the fine print on your Gmail account agreement? Did they SAY they wouldn't sell the address? Or did they SAY the wouldn't sell delivery of email to accounts? (Without releasing the list, they can do anything they want with the headers, it's their server after all.

And there are potentially 22 million more

[faloi]

That they've counted and not included in the total. What I've learned from reading over the list, is that I shouldn't trust and government agency with sensitive data. Ever. Private industries seem to be fairing better (or not uniformly reporting their issues). My data has been exposed thanks to the VA theft a while back, my wife's was recently compromised by a third party check clearing service that we weren't knowingly doing business with.

And to top it all off, there's talk in some areas about sending private data over sees to cut the costs of processing it locally. I bet that won't get screwed up at all.

Re:And there are potentially 22 million more

[mpapet]

Private industries seem to be fairing better

It's reasonable to assume lots of data is being compromised because there is very little, if any regulation.

Given that data collection is an industry makes billions annually, I'd argue they behave like the tobacco companies. Cancer? What cancer? Addiction? Nah. That's a personal problem. Roughly translated to "Your personal data is safe with us!"

Re:And there are potentially 22 million more

[El_Oscuro]

My data too. But the FBI said the data had not been accessed when the laptop was found. Of course, no one would ever think to change the BIOS date prior to copying the file, so I feel SO MUCH safer...

Re:And there are potentially 22 million more

[NMerriam]

I shouldn't trust and government agency with sensitive data. Ever. Private industries seem to be fairing better (or not uniformly reporting their issues).

I would guess that it is more beneficial for a public entity to admit to a data breach than for a private entity. Private companies get bad publicity and lose customers if they admit to a security problem, so they do everything they legally can to keep it hushed up. Government agencies, however, get immediate priority to security funding when there is a security breach. Sure, some people will be put on the hot seat and possibly lose their jobs, but the agency as a whole probably gains when a massive problem occurs causing a public outcry.

Wrong! Wrong! Wrong!

[mpapet]

1. The source of "identity theft" is not the banks!!!!!!
There are private companies collecting all kinds of data about you and I. It's why you get junk snail mail when you buy a house or have a child to name two examples.

2. The notion of "identity theft" is a tactic to legitimate personal data warehousing.
It separates the Evil identity thieves and the Good identity vendors. Except the root of this evil is the companies and institutions collecting and storing your personal data for decades beyond it's useful period.

Please examine the issue more carefully before spouting quickie-mart solutions.

Re:Wrong! Wrong! Wrong!

[fishbowl]

>It's why you get junk snail mail when you buy a house

You get junk mail with frighteningly accurate details about your loan, value of your house, equity position, etc.

>have a child

What's really scary is that when someone in your household dies, the junk mail *stops*.

Re:Wrong! Wrong! Wrong!

[Vegeta99]

Not necessarily. My grandmother still gets the phone bill in my grandfather's name, and my grandfather is still listed in the phonebook. I've never met the man - he was dead 20 years before I was born, and I'm 21 years old.

Re:Wrong! Wrong! Wrong!

[fishbowl]

"Not necessarily. My grandmother still gets the phone bill in my grandfather's name, and my grandfather is still listed in the phonebook. I've never met the man - he was dead 20 years before I was born, and I'm 21 years old."

Phone bill and phone book aren't junk mail. Besides, your grandmother might legally be "Mrs. Your Grandpa". I'm talking about gift and gardening catalogs, coupon books, etc., and I've seen this stuff *stop* with no action taken (other than people dying.)

Bah!

[mpapet]

we need a system in place to make sure that when data breaches do occur

You aren't addressing the core issues though.

1. It's perfectly legal to collect personal information and resell it. Criminalize both issues and the "identity theft" problem improves dramatically.

2. It's perfectly legal to keep decades-old records available on-demand. This is the Data At Rest problem which is only getting bigger.

Don't use personal info for identification!

Your date of birth, your mother's maiden name, and miscellaneous other personal facts should be of no value to criminals. Identity theft should not be a serious problem. It is easy and cheap to construct systems that do not directly rely on personal information.

As long as brain-dead morons at financial institutions and in government insist on using personal information for identification we will have issues. This is such a flawed approach that it really is negligent.

At least you knew!

[ChilyWily]

Well, at least you knew who and where the information was leaked.

In my case, I got a letter from my credit card saying that a merchant whom I had transacted with, was the source of a breach. No more information on when this occurred, who the merchant was, how many people were impacted or how long they knew of the situation, before they informed me. Instead, the Credit Card company re-issued me a new credit card, at 'my request' prior to me doing or asking for anything.

The letter in fact was so unsettling, it was written to evoke a feeling that I had somehow reported fradulent activity... I called the company and spent 45 minutes before realizing that there was one of me and a seemingly unending supply of pod-people who kept repeating the same line to me. I obtained my own credit report a few weeks after and guess what, the aforementioned account was "closed at the customer's request".

The outrage in me continues, and I wonder what kind of risk I'm exposed to, but I don't know what to do against an army of droid? May be a letter will do some good? How much time should I invest in all of this without the faintest glimmer that anything will happen?

I second your thoughts on higher penalties. With credit cards being an increasing singular means of carrying out transactions, I would certainly modify my business behaviors with people who are not careful with my information!

Re:At least you knew!

[TubeSteak]

Instead, the Credit Card company re-issued me a new credit card, at 'my request' prior to me doing or asking for anything.
...
I obtained my own credit report a few weeks after and guess what, the aforementioned account was "closed at the customer's request". Maybe it's some internal metric they want to have low numbers for, or maybe there is some higher SEC/other reporting requirement they're trying to look good for.

But they probably did it "at your request" because it looks better for them than having to declare "XYZ accounts were closed due to fraud".

The outrage in me continues, and I wonder what kind of risk I'm exposed to, but I don't know what to do against an army of droid? May be a letter will do some good? A letter to the Better Business Bureau may get you some response.
Complaining to your State Attorney General's office is also a productive move.
You could also try getting a reporter interested in your story.

As always, when you're going to complain, it helps to have all the problem interactions with [company] documented beforehand

please edit

Data's less secure today because as fast as banks, merchants and consumers add new layers of security to their storage systems and networks, new technologies -- or simply careless users -- create new security holes, according to Bob Scheier at Computerworld.

Wow. If ever there was a sentence that needed some major rewriting, this one is it.

Security is an illusion

[rbanzai]

When it comes to your personal information there is no thing as security once it has left your control. None of it is really protected. Companies engage in "security theater" to give the appearance of protection but that is a sham. Why? THERE IS NO PENALTY FOR BREACHES.

Genuine security costs companies millions of dollars. Insecurity costs them NOTHING. They could expose every single piece of every person's information and it would have no penalty. None.

The government and corporations have no interest in protecting your information. So much is in the wild already that it makes no difference to them. 158 million people? What's 50 million more? 100 million more?

Stop complaining about this. The horse was out of the barn a long time ago. Security and privacy are illusions. They are gone and they are NEVER coming back. Your security and privacy have no value to the government or corporations.

Re:Security is an illusion

[TranscendentalAnarch]

Companies engage in "security theater" to give the appearance of protection but that is a sham. Kind of like DHS and airport security.

Re:Security is an illusion

[Mister+Whirly]

"They could expose every single piece of every person's information and it would have no penalty. None."
Unless is is protected medical information, if they release that information they are facing serious fines. See the Health Insurance Portability and Accountability Act (HIPAA) for more. "Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual."

Some states, including Minnesota where I live, force institutions to contact any users that may have been affected by a security breach. Even if there aren't explicit fines of civil penalties, the bad publicity is incentive enough for most companies to make sure their security isn't lax. Even top executives are starting to understand that the actual costs of a breach are far more severe than laying out some extra money on security.

But HOW would it "never happen again"?

[emarkp]

This would immediately impose a massive increased financial risk on all online servies, perhaps even making them more expensive than they're worth. My first guess is that all the nice convenient services would be shut down immediately.

Does the consumer win in that case?

Re:But HOW would it "never happen again"?

Does the consumer win in that case?

I don't know, is the consumer too stupid to ask their bank for one of those keygen dongles so that they can do business online when the website tells them that they'll need to obtain a secure method of payment in order to make a purchase from them?

TJX

[darthfracas]

One thing I'm surprised I haven't seen here is the TJX breach http://it.slashdot.org/article.pl?sid=07/08/16/207 215&from=rss caused by insecure terminals for job applications. The data that was stolen was not given online, but by giving a credit card to a clerk in a store. 45 million credit card numbers were stolen in this breach, which is nearly one third of the 158 million reported here. This is not a case of a consumer being duped by a phishing scam or DNS attack, this was a corporation not taking security seriously. In the end, it was the trusting consumers that were harmed.

Need a New form of ID

[JoeCommodore]

A lot of the problems are based n antiquated systems still out there storing (then) not so sensive data loosely. The problem created itself when institutions used this old passive ID (name, SSN) as THE ID.

If I were "king 'o the world" I would get some international org together to develop an ID standard, then require all employers, agencies, and lenders and such to convert over (say in five years) to use that for all transactions, etc. Also set up laws and education curriculum about "your ID" and punish those who abuse them.

Kludging together christian names, birthdates and social security numbers may have been a neat hack in the 60s but it's a bit outdated now. The only way to get past it is if we can reinvent a better wheel (Yeah, Im a programmer).

Re:Need a New form of ID

[TheRaven64]

I would propose the opposite solution, although it's unlikely to be popular with governments. Make it easier to make throw-away identities. The identity I use for buying a house, I would protect very carefully. One I used for buying something cheap on eBay I wouldn't. Because there is less information associated with the unimportant identity, it has a lower credit rating, and can maybe only buy things worth $100 per week. If it's compromised, I don't lose much, I just destroy the identity and carry on with my life.

Much of the problem with identity theft is that once someone has stolen your digital identity it is very hard to create a new one. If it were common for people to have a large number, then this would not be such an issue. The identity I use to get a credit card with a $1000 credit limit (for example) doesn't need anything like the amount of information associated with it as the identity I use to get a $100,000 mortgage. All the credit card company needs to know is that I am likely to be able to repay $1000 at some point, while the mortgage broker needs to know that I have collateral to cover a $100,000 debt. I wouldn't associate a house with the identity the credit card company uses, and I might not even declare my entire salary to them.

Rather than try to make your real identity 100% safe, it seems easier to make your virtual identities more useful.

Re:Need a New form of ID

[MLease]

I like the idea in theory, but the problem I see with that is that creditors use payment history on other accounts and total debt load as criteria for creditworthiness. Virtual identities would mean that they would have to go strictly on income, without knowing whether you have too much debt to have any hope of ever paying it back. 100 debts of $1000 each is just as much as a single debt of $100,000, but if the creditors don't know about each other, they don't really know that you can pay them all back.

-Mike

Re:Need a New form of ID

[TheRaven64]

It would work, as long as there is a good delegation process in place. For example, if your total income is $50K, then you might delegate $5K of this to an identity that serviced your credit cards. Your other identities would then only be able to divide the remaining $45K between them. Each individual identity would have to be able to service the debts associated with it. For large loans, there are two options; either use multiple identities, or have you various identities arranged hierarchically so that you can use an identity which contains others for larger things.

Re:Need a New form of ID

[MLease]

I see what you mean, but income isn't the whole story. There are other issues, such as living expenses, history of on-time payment vs. default, etc. I've heard of truck drivers who get driver's licenses from multiple states (in the US), using some of them when they get pulled over for speeding or get involved in accidents, and another one known as the "White Lady" for job applications; that way, they can claim a pristine driving record. I'd wonder whether someone who wasn't really a good credit risk might be able to set up a "White Lady" identity or three.

-Mike

Pay the customers who get hurt

[martyb]

I've said it before and I'll say it again, there's a great opportunity here for an enterprising business to make money by providing insurance against ID theft, IF THEY PAY THE AFFECTED CUSTOMERS!

Summary: Leverage best practices and reward for it AND involve the customer to demand better protection.

Imagine if insurance companies offered a policy that would:

• clean up the customer's credit,
• reimburse for losses,
• AND pay an "inconvenience fee" TO THE CUSTOMER whenever data is lost.

This might play out as follows:

Mary: "Hey Joe! Why are you still dealing with "OldFoo, Inc." after they lost your data? You spent so much time and money trying to get it cleaned up! I just heard that "NewFoo, Inc." has insurance that not only will clean up from any mistake they make, but it will also pay me $100.00 for my inconvenience! Why don't you check it out?"

Joe: Calls up NewFoo, Inc. and gets the scoop on the protection plan.

Mary: "So, did you call?"

Joe: "Sure did, and I'm sure glad I did, too! I just found out that NewFoo underwent a comprehensive security review and got a 3-star rating! Because they put new security measures in place, they will now pay ME up to $1,000.00 if they lose my data!"

Mary: "That's great news! I wonder what the ratings are for the other companies I do business with?"

Joe: "That's easy, all you have to do is go to ID-Theft-Star-Rating.com and look them up!"

Now, insurance companies are not around to lose money. They provide all kinds of risk coverage. They have developed means to assess risk, provide varying amounts of coverage, and charge appropriate premiums to cover those costs. Many will even come out to your site(s), perform a risk assessment, provide recommendations for how to mitigate them, and would offer lower insurance premiums or better coverage (payments) as a result.

For example: I can pay *higher* premiums on my car insurance to increase my coverage. I can pay *lower* premiums if I install a car alarm. Or, I could combine the two to end up with more protection for the same money.

IANAIG (I Am Not An Insurance Guy) so this is surely over-simplified, but I believe it could form a good starting point for discussion. Comments?

Merchants need to take responsibility

It's been mentioned before, but the biggest problem I see is not idiot consumers but merchants not adequately protecting data. I work in retail at an independently-owned small business and while I doubt anyone else working there knows it, getting someone's full CC number out of the system takes seconds, and finding the expiry is a matter of digging through receipts. I didn't even have to find the security hole; during normal day-to-day operations I noticed that the CC number was retained. The merchants have a responsibility to ensure that your data is protected internally and externally, just as financial institutions have a responsibility to reasonably investigate and combat fraud and identity theft and consumers have a responsibility to make a good-faith attempt to protect their data, both online and off.

weakest link

[SolusSD]

security is only as good as the weakest link. unfortunately, this means, in general, as the number of people in the chain grows, the number of vunerabilities increase... seemingly exponentially.

EU More Secure - Wrong

[cdrguru]

No, the issue is that in the EU you do not have people throwing credit at you. If you walk into a furniture store in the US they will immediately offer you a finance plan and discount the furniture if you take it. The furniture store doesn't administer the plan either - that is handled by a third party finance company.

I've not bought furniture in the EU or other big-ticket items but from what I understand it doesn't work that way at all. You could get a loan from a bank but that is about it. Finance companies do not exist the way they do in the US.

So if you "steal someone's identity" you don't have very much to do with it at all in the EU.

Could this be for another reason?

[Vitriol+Angst]

Tracking the numerous laptops left with huge databases of personal information out of various government agencies,... one is left to wonder why anyone is surprised by all this data theft. Didn't someone send out a memo?

Could it be, that the Total Information Awareness project (TIMA), run by federal criminal John Poindexter, just went privatized? Could it be that he and other people are doing an end-run around spying on citizens, and creating a massive database for this purpose and subsidizing the costs with taxpayer money and sales of information to private companies?

Is there anything in the current law to stop them -- other than catching them red handed with grabbing the laptops out of someone's car?

Re:Could this be for another reason?

[dbIII]

Leading slightly off topic here (I hope) this is what wikipedia has to say about his recent adventures.

In January 2007, Poindexter was elected to the Board of Directors of BrightPlanet Corporation, a company that designs and develops search, harvest, and document federation technology.

So BrightPlanet is working on "document Federation" for the Enterprise? I thought we were supposed to be the silly nerds and not ex-uncontrolled spooks like Poindexter?

America - where petty crims lose the ability to vote but selling weapons to a declared enemy doesn't stop you from getting a government sinecure later. Nice country with good ideas but a bit less overt corruption would be nice.

Reporting agency

[njandtmp]

Is there a reporting agency that we can contact regarding blatent disregard for personal data? A friend works for a foot doctor (podiatrist,sp). The dosctor forces a different nurse to take the laptop home with them, and return it to the office the next day. The doctor has multiple office locations, so he cannot leave it locked in the current office.

Glass walls

[unchiujar]

So how long until all of it is stolen ? There are only 300 million people in the US.

records ...

... you mean records from EMI, Sony, BMG ... ?

Gartner says identity theft is up 50% since 2003

[jdp]

According to TFA, "approximately 15 million Americans were victims of identity-theft related fraud in the 12 months ending in the middle of 2006. According to Gartner, that's a 50% increase since 2003, and the average loss per incident was $3,257, more than twice the level for the same period a year earlier, according to the survey."

So at least at first impression, the routine leaks of personal information correlate with increased identity theft. Of course it might just be coincidence ...

jon

Not THE Bob Scheier?

[PavementPizza]

It sucks to be Bob Scheier, saddled with a cheap copy of Bruce Schneier's name and writing about security. Scheier's like the Chery to Scheneier's Chevy.

Coincidentally...

[LilGuy]

I just started reading The Art of Deception by K. Mitnick today. Good read.

so this doesn't really matter, does it?

why do so many people here at /. act like these things aren't Real Problems®?

a *nonce*?

[RMH101]

For the sake of our UK readers, you might want to rethink that term: http://en.wikipedia.org/wiki/Nonce_(slang)