Slashdot Mirror
Data Theft Soars to Unprecedented Levels
A Wired article reports on data loss in 2007, and the numbers aren't good. Credit card and social security theft was at an all-time high, with even more losses expected in 2008. Information thieves, it seems, are just one step ahead of IT security. "While companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment often is too little too late. 'More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be,' said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity theft victim herself."
Just provide your credit card number to me and I will make sure no one steals it.
Another MyMiniCity link. Don't click. You know the drill.
Comment removed based on user account deletion
This seems like a consequence of being able to carry gigabytes of data around in your pocket. It is probably all too easy for the odd database to duplicate into an employee's thumbdrive these days I suspect.
"I bless every day that I continue to live, for every day is pure profit."
Is data theft at an all-time high because of hackers or just dumb companies not encrypting their backup data that gets lost in transit?
I don't know what the trouble is with the 'myminicity' thing, so I'll just comment on the synopsis.
It has to be noted that since much data these days appears to be stored unencrypted, or removed from the premises by 'interns,' that much of the populace is 'one step ahead.' The advantage the bad guys have, beyond institutional stupidity and negligence, is that there's so many of them willing to exchange the data once acquired.
We hear about CC theft a lot and I am sure it does occur, but most of the time its embarrassment which is the real culprit.
...
"darling, the CC company says we owe them $2400 dollars."
"thats nonsense, I barely use my CC"
"it says there were hookers, gallons of gin and a blackjack tableset ordered to an address in Nevada."
"OMG it must have been the waiter in the diner I went in on the way to the 'conference' with work! (pray you are saying it with a straight face)"
liqbase
Irresponsible data handling by employees at retail stores probably contributes quite a bit.
One of my friends went dumpster diving at Compusa. On top of finding almost every cable you'd ever need to hook anything up, he found over 70 pages of daily reports disclosing full credit card numbers, expiration dates, first/last names, and card company. Personal checks that were used during that day listed the account #, routing #, first/last name, birthdate, drivers license #, address, phone number, and probably some other stuff. He found this on two separate occasions, with over 300 cards listed total. None of the papers were shredded/torn either. He didn't intend to find this stuff - Imagine how easy it must be for somebody who actually wants the information!
The majority of the population doesn't understand how seriously security needs to be taken when venturing online to make purchases. If people understood going onto unsecured networks/etc was pretty much the same as leaving your credit card/checkbook in the front seat of your car, leaving the doors unlocked, and parking it in a bad neighborhood they might take security more seriously.
Sure - Most of the time if you leave stuff in your car unsecured, it'll be there when you get back. But there's always that small chance it'll get stolen.
has itself grown in size to unprecidented levels, I suppose it shouldn't be too surprising that data THEFT has also grown to unprecidented levels. The real question is, when normalized for how much data is "out there", is data theft getting more or less rampant?
The more you regulate a company, the worse its products become.
Knowingly having an unsecure system or not doing basic security due-diligence causes penalties, a second offense and you lose your business license.
The post states that "Information thieves, it seems, are just one step ahead of IT security.". I disagree with this, but it all depends on your definition of IT security, mine being more on the tech side in relation to protection, countermeasures and network forensics. The article really does not make any claim that IT security is at fault, but rather that counter measures to known threats are not being empyloyed. In relation to the quoted statement above, I would say that information theives are five steps ahead of those of don't take measures to protect against threats, rather than being ahead of IT security. I guess it could be argued that IT security is indirectly responsible, or failing, as user education and policy are major parts of protecting corporate networks and data. The failure in these cases seems to be more related to a lack of user knowledge or failure to adhere to policy / weak policy, rather than a complete inability of IT security to protect information. Everyone knows that the internet is a dangerous place (TM), even my grandma. For those in government, schools etc to have data stolen and claim that they didn't know about the risks posed of using online data systems is just plain stupid. According to TFA, the biggest theft of information occurred due to the use of a wireless network. "What! Wireless isn't secure? I had no idea!" Only if you had your head firmly wedged up your own back passage could you as a security professional, or even semi professional ;) claim that you had no idea of the many vulnerabilities of wireless networks...
"They looked deep into my soul and assigned me a number based on the order in which I joined"
The feds could initiate a program under which all citizens are issued key fobs similar to RSA Secure IDs with verification similar to that required for a passport. Without this fob, one could not open any sort of bank account or acquire a credit card or loan... The program could allow one to specify various levels of rigor beyond this basic minimum, such as pin+fob key verification to complete any sort of electronic monetary transaction.
It works for managing access to top secret material, hundreds of billions in monetary instruments and the most vital systems of companies in every industry worldwide... I suppose that on an individual basis, any person's assets, credit and livelihood just aren't as important. Or, perhaps the very industries that protect themselves with this system just don't give a fuck about their consumers.
If these folks were landlords, they'd tell every criminal they could find who you are and were you live, and they'd refuse to install a lock on your door.
Isn't this the type of crime that should be called software piracy?
take a chill pill.
Comment removed based on user account deletion
penis theft != data theft.
Yet another reason to be thankful that CompUSA is going under.
Name: Mr. Anon E Mouse; SSN: 555-55-5555
Or maybe the people who are supposed to guard the data are three steps behind in motivation.
What amazes me about "identity" (financial, blog or otherwise) in the Internet age is how similar it is starting to feel to the concept of identity in fantasy fiction (such as the Earthsea books) where people have disposable day-to-day common names, but also truenames that hold the real power of identity, shared only with the most trusted of companions.
it's all very well to say spending has increased, but what was actually DONE about the problem? Simple and cheap solutions are often the best.
for example, my bank sends me an sms with a code to complete all online transfers to new billers, rendering fishing useless. the only way to change the mobile number is to answer 2 very personal security questions, and even then the system alerts me of the change.
I think the next step forward for CC's is one time numbers and photo ID on the card itself. shouldn't be very hard, have it operate just like login tokens do now and require the code for online transactions, and when swiping the pyhsical card the photo is looked at to id that it belong to the right person.
If you mod me down, I will become more powerful than you can imagine....
Apart from "intellectual property", "identity theft" has to be the stupidest term ever. They don't steal your identity.. they "copy" it. Real identity theft would be taking over someone's identity (probably with some lame face exchange technology) so that the rightful owner can no longer utilize it. And what's most annoying is that there is already a legal term for the activities that "identity theft" is typically used to refer to.. fraud. So what the hell is wrong with "identity fraud"? Not sexy enough?
How we know is more important than what we know.
'More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be,' said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity theft victim herself."
First off, do we really need another victim turned "security expert"?!? Please.
Secondly, how many "thefts" were actually sales of databaes by unscrupulous employees? And how many "thefts" were due to carelessness on the part of other employees who seem to have a great knack for leaving laptops laying about unsecured. It seems half the battle is an internal one.
I mean come on, what we really need here are some folks with plain old common sense to take a look at this.
My peace of mind does not depend on
So far, I've counted 4 myminicity accounts spamming slashdot: blah blah blah
And by comparison, I've given up counting the posts that discuss these links. This is worse than a mailing list letting slip through a spam message, and seeing countless folks take the opportunity to offer as many off-topic comments.
Deleting a mailing list thread gone nuts is easy, but deleting Slashdot posts isn't an option. Put another way, it's easy to ignore AC posts, off-topic posts (they tend to get modded down fairly quickly), or posts that are disruptive by nature (they also tend to get modded down), but multiple meta posts that try to be helpful but end up repeating what others have already pointed out?
If you're so inclined, write an email to the powers that be. Post an Ask Slashdot article. Hell, take the dog for a walk. Just don't make the problem worse than it is.
I found a way to generate ALL the SS#s from 000 00 0000 to 999 99 9999. Here is the pseudocode:
for i from 0 to 9999999999 do
print i;
od;
I really think they need to re-think the whole concept of data security, basically the current, "traditional" way of protecting data security is a form of 'Security by obscurity'. I think most of us know how well that method works. (To be fair, in the past this method was somewhat effective, if only because information was never that readily available to be transferred and copied (and stolen).) Instead, I think they have to design sensitive data based on the assumption that it WILL be stolen at some point. Encryption of data goes a long way, but the encryption needs to be built-in since the system breaks down as soon as someone forgot to encrypt (and that is bounded to happen). Perhaps some sort of public-key cryptography will be used, and your only *personal* information will be your private key, which you never need to give out. If such systems are implemented, it will at least go a long way to address the obvious deficiency of current *obsolete* system we implemented for personal data.
no mention is ever made of that. much of the rest is a gullible public serving up their inf. hoping to get something for nothing/less than it's worth. another day in paradise.
Studies have shown that auto theft reached unprecedented levels in 1911. In future news; flying car theft will reach unprecedented levels in 2057.
More and more common thieves are learning the value of data. So more of it is being stolen. I bet MP3 player and cell phone theft rates are reaching "unprecedented" levels as well.
There are some people that if they don't know, you can't tell 'em.
white hat hackers on staff full time who's sole job is to look for security breaches. I mean I guess it would make too much sense and having worked for the government, I know that if it makes sense it's not in the game plan.
We came,we saw, we kicked it's ass!
At $DAYJOB, we insert fake data in two ways: First, fake data that is in the database with known markers, second, more fake data generated each time a user logs in and present only during that log in for that user. In this way, we know if the data theift occured via authintication (and by whom, from where, and when), or via some hole in the app.
The way to make this more effective requres a huge amount of work: Longer CC numbers and SSNs. It's the same problem IT has had with users FOREVER. Users expect the moon, stars, and all the oort cloud between, yet do not want to provide the least effort. There's no "buy in" from Soc Sec and the CC companies. As long as they get to pass along the cost to someone else, then the current system is "good enough". No need to expend any of THEIR effort to find, track, and plug up problems.
But make THEM accountable in a tangable way, and I think we'll start to see effective measures to stop this nonsense. And no few RSG and 419'ers in jail to boot.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Why don't Visa, Mastercard, American Express, Diners etc start putting pressure on companies to keep credit card numbers more secure (along with inventing and selling solutions to make that happen)
Even taking the simple step of changing the merchant agreements such that if the merchant suffers a breach or loss of credit card numbers, they are contractually obligated to notify the people who's numbers have been stolen (either via announcements in the media/on the merchants website or individually somehow) would make merchants do more to fix the problem.
Ever since I found out about Discover Card Secure Number I use that for all my online purchases to help reduce the risk of my real number being stolen. Complete Fraud Protection What this does is provide a one time use credit card number and CID number. Sure you can dispute false charges with your credit card company but who really wants to deal with that and any headaches.
At work (I work for one of the top 3 card issuers), I see our systems people continuing to harden defense against data loss.
- Wireless net cards are actively sought out and removed. Leaving the wireless in my co. provided laptop will get a visit from security. No wireless for the forseeable future, until they go through the whole WPK/VPN/MAC security scheme. Even then, I'm not hopeful we get it ever. Not like my last gig, but then they MAKE their own VPN and wireless stuff.
- External access is VPN and token like SecureID. Two passwords needed, and then I may not get access to the data I need, if it is deemed inappropriate for remote access. The system knows the difference.
- I work with merchant data, cardholder data, and corporate financial systems data as part of my job. My department regularly (weekly, sometimes) has to make a strong business case for access to every type of data we request. Our team is unique in many ways, being involved with merchants and cardholders. We have to justify every type of access, repeatedly.
- Our primary PC application is being re-written to fully encrypt data, mostly to comply with PCI-DSS. It also makes it simpler to maintain, for reasons to be left unspoken. We're also completing a scheme so that our users can enter, but not view, card numbers. Sounds wierd, but it's necessary.
We're already encrypting our workstation data folders, and all shared drives are being encrypted with certificates required. Most company workstations are getting full-disk encryption. Laptops are getting this at a fast uptake, and we'll be to the point where an unecrypted disk results in both an alert and no login. It's good enough encryption that users are warned, lose the certificate AND the password, and the only solution is ship the drive physically to the depot - wait 3-5 days for return.
My USB key is similarly encrypted. The goal is to be able to know that a lost laptop is a hardware expense. No data exposure without a nontrivial attack on the encryption. I wish they had used TruCrypt, but what they are using is recognized as unbreakable by anything short of a national agency or three. Yes, minimum password complexity is beyond 7 characters, symbols, numerics. Spellable password rejected.
Needless (?) to say, up to date anti-virus/anti-malware is installed and updated, and gets you shut out if it gets too old. A seperate app maonitor watches for unacceptable behavior. It doesn't like much of what I do. The team is writing specific exceptions for us, which include requiring valid logins, prompts to accept program behavior, testing for local/remote access, and checking for event- and alert-driven modifications to the rules, like when an intrusion is suspected and the system is shut down to evaluate an event. Can't wait for that, sort of like a fire drill for no apparent reason.
The emphasis is on both adequate encryption and prevention of access.
I'm not a seciurity expert, but it looks good and getting better. The corporate goal is entirely to prevent a loss.
And no one in Fraud or Security will discuss auditing, monitoring, or anything much beyond the dog-and-pony show of what it does, and precious little of that.
Oh, I do have it on good authority internally that looking at stuff you don't need is not recommended. I don't.
Where I work, security is as high a priority as service or growth. Possibly higher. It's about never having to say you're sorry. It's about being able to say you are certain, and secure.
Sorry, but posting anonymously is the best policy. Just to know, part of the financial industry is not reacting to their own failures - they are reacting to the known and UNknown threats, not waiting to see what holes get poked.
And one that too many companies are willing to put gamble with. Many IT shops haven't got the experience in house to maintain security so they shop around for the doitallforyousecuritygizmo to do it for them. These gizmos are usually 90% snake oil with a hefty support contract. There is also a big lapse in education and awareness across all facets of the security realm. Programmers think security is up to Layer 1 and that they are free to break all the rules at layer 7. Windows admins think security means that if Bitdefender doesn't complain, everything must be peachy and that having software installed through ActiveX by a remote website is just a prank. Management is made up more of bean counters than technically savvy personnel. In the end, it seems management views a spin-of-the-wheel as being more cost effective than re-training a bunch of people that can't see past the Whack-a-Monkey javascript they just got in their inbox.
boycott slashdot February 10th - 17th check out: altSlashdot.org
I'm a storage consultant and my hottest contracts right now is implementing different forms of media encryption. It can be disk, tape or data in-flight (IPsec for replication). There's plenty of solutions that prevent someone from accessing your data if they grab the media (disk/tape) and walk out the door. While this prevents someone from stealing a tape from the back of an IronMountain truck, it doesn't solve the problem of someone accessing the data from an point above the encryption point, the host/server itself.
This is one of the largest problems we face, somewhere the data has to be unencrypted. As one of our goals, we want to eliminate the number of points that someone could snoop or steal the data in an easily accessible or unencrypted format.
A storage engineer, can eliminate it in the disk array or tape library, so nobody can walk away with disks/tapes, but the filesystems are unencrypted.
A host admin can further limit it by creating encrypted filesystems that only specific users can access, but what about root, if he can 'vi secretfile.txt' and see it in a plaintext form, you've failed.
The answer, the application writes only encrypted data.
We're trying to enable a system where only the application that is supposed to access the data can easily access the data. We've all heard the statistics about how most security breaches are done by employees, and we put a lot of trust in our IT staff.
Protecting the data from the IT staff that is our next big problem.
It continues to astonish me that people think of "data theft" as the cause of identity theft.
Data theft is not the problem. The problem is that financial organizations are willing to accept transactions without authentication, or with very weak authentication. Supplying a 9-digit number which is a matter of public record is not a form of authentication. It does not prove that the person speaking is the account holder. Anybody can walk into a store with a fake credit card and buy stuff in my name, no questions asked. People can write checks with my account number on them, and it will be charged to my account. At no point is the slightest attempt made to authenticate the identity of the person making the transaction and certify that they are allowed to post transactions to the account.
There is no way to "plug" these leaks; most of these names and numbers are a matter of public record and must be surrendered in order to make a transaction in the first place. The identity theft problem will not abate until account holders have enhanced authentication options, and the financial institutions are required to use them. Biometrics, physical security tokens, PINs, it doesn't really matter what solution we use. We just need to use something to verify the identify of the person making the transaction. It's the only solution.
The problem is that the organizations that lose the data, and the people who work there, are not the ones who bear the pain of the result. Furthermore, we usually have no choice in handing over the personal data, most of which is completely unnecessary (but very useful for marketing), in order to get things we need.
Unless and until that changes, all the hand-wringing in the world won't make a hill of beans of difference.
It will take something like Sarbanes-Oxley, making the officers of companies and non-profits, and government workers, who handle our data personally criminally liable for failure to take due care, before there is any change. As it is now, it is a simple cost calculation, and security is pure cost. The people in charge are betting that they can cash in their stock options or get promoted/transferred before the failure to protect data causes a problem.
Last, but by no means least, everything that the naysayers said about Social Security when it was first proposed have come true: the SSID is a national ID number, and is routinely abused; and the Ponzi Scheme has run afoul of demographics. It's time to end the charade: outlaw the use of SSIDs by anyone except the SSA, and to allow people to opt out of SS.
This information doesn't surprise me. I think the increase is do to the increasing ease of standing up a website. Anybody with minimal computer/coding/security experience can stand up a website that takes your credit card information. I've dealt with COUNTLESS sites that have horrible file permissions, no security apps (like mod_security), and their DB connection password is weak. It's unbelievable how little effort folks will put into securing their business operations. On top of that, customers who repeatedly get hacked won't be willing to go through the hassle of auditing their customers or upgrading their software, so the same vulnerabilities get exploited again.
Ok, myminicity .com assholes. Playtime is over.
.com people hopefully more traffic than they were bargaining for.
I've really had it with the myminicity.com crowd, and to put a stop to this nonsense I've set up a little website.
Stop posting your myminicity links here and elsewhere, if myminicity.com wants to grow they can surely find a way to do it without inconveniencing others.
If you don't then I'm calling on the rest of the audience here to report those links to the site above and if they want to help a little further to place a 1 pixel image tag on their website which will give the myminicity
For starters I've placed one on http://ww.com/ , feel free to come and help.
This is just another spam wave and if this doesn't get stopped now then it will be seen as a vindication of the principle and before long there will be 100's of sites doing this.
Rewarding your users for bad behaviour has to be one of the most annoying marketing tactics that has ever been devised.
MP3 Search Engine
Back when only "computer nerds" and IT professionals used the internet you could safely browse without a firewall or antivirus, one consequence of almost every segment of the population now using it is that there are scammers and people susceptible to scamming. Just like people fall for sales pitches or get their card details stolen in real life. When a tool that tells people whether a site in genuine is popular (i.e. they are unable to tell without it) you know that only a minority are immune to scamming.
As a side note I thought spammers, virus makers etc. were out to wreck the internet and it surprises me that they actually earn money from it, and explains why it will never go away.
Given the complete disaster that digitisation of sensitive information has quickly proven itself to be in the hands of bean counters rather than those of developers who take pride in their work, it falls upon me as a concerned citizen to alert UK readers to a system which was brought to my attention today, which is going live with NO security protocols in place, which will hold the entire medical histories and personal details (including residential addresses and telephone numbers), in fact, enough information to ensure covincing and total identity theft, of over sixty million people, and without any sort of audit, be accessible by over one million public sector workers including temporary staff and Central Government staff. This system is known as The Spine, to be used primarily by NHS Primary Care Trust hospitals and clinics. It is with the depest concern for my own private data that I forward the following link to you in the hope that word gets spread as far as possible and that any UK resident who is capable of lifting a pen and writing semi-intelligibly, write their General Practitioner and demand that their personal and sensitive information not be uploaded to this mine of information for potential use by criminal elements not only inside the public sector, but also outside of it. The link is: http://www.nhsconfidentiality.org/
Operation Guillotine is in effect.
I had a something to say but someone stole my idea.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"More and more common thieves are learning the value of data."
Yes they are.
"So more of it is being stolen."
Yes it is.
"I bet MP3 player and cell phone theft rates are reaching "unprecedented" levels as well."
Someone should change the definition of "property" so I can own my data and seek redress from those who "steal" it.
Seriously, let's reserve the phrase "data theft" to refer to data that is lost due to someone taking the only copy of it. A basic test for theft is whether the owner still has the thing that was stolen. If he still has it, it wasn't stolen, though possibly copied.
You can't steal information dude. Information just wants to be free.
/sarcasm
You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Blaming the tech is a cop-out - firewalls and encryption mean nothing if these people are entering their details into any website that asks for it. Paper/card shredders are cheap now (even/especially for the home) and people have been told for years not to click on links in unsolicited emails, *especially* if they're from a bank/ebay/PayPal.
Instead of spending more on (company-side) tech there should be more spent on user-side education. Only those who've been a victim of identity theft and the paranoid (waves!) tend to realise exactly how much value there is in our personal information.
I quite regularly enter junk into websites that I feel ask for too much information - no, you don't need my full address and telephone number before I download that article. If there is a legitimate reason why they do need my information (delivery/billing) and the site looks okay then that's fine, but too many websites and for too much information before they'll let you do anything.
In the olden days (like 10+ years ago), if someone wrote a check in someone else's name, it was called "fraud". It is, in fact, a crime where someone steals money from the bank.
:(
At some point, someone changed the vocabulary, and now we call this "identify theft", and so we make the crime against the person who's name was forged. In fact, this person has nothing to do with this crime, and is an innocent bystander. The bank is charged with protecting my assets, and if they fail to do so, they should be liable, just as much as if someone walked into the bank with a gun and took it!
By convincing society at large that the crime is "identity theft" and not "fraud", the corporations, while not solving the problem of fraud, has made it someone else's problem; namely their customers. And the customers accept this, and direct their ire against the criminals, instead of against the company. (Admittedly the criminals are Bad People, so they do deserve to be feared and hated.)
In some ways, it is a stroke of genius by the corporate world. But not one that we should celebrate.
Reduce, reuse, cycle
Information thieves, it seems, are just one step ahead of IT security.
No. IT security would be doing just fine if users and administrators protected themselves with existing security recommendations.
As long as people act like sheep they will be lambs to the slaughter.
Having to work for a living is the root of all evil.
While you are correct that it's not "theft" at all, this is simple fraud. Yes, computers are involved, but that doesn't turn the crime into something else.
That said, if they get the data by stealing laptops or similar things, I guess you could call it data theft, because they really did steal the data, rather than copying it and using it for fraudulent purposes.
Im surprised there havent been a large number of class-action suits for data-theft. Many data-owners seem irresponsible.
I've never blamed the criminals for this, but then again I'm in IT and I know better...
My view is that they are criminals and we'll always have criminals. Therefore we need to protect ourselves from those who would take advantage of us by making those responsible for the problems pay for their failures, as you stated. When we pass a law that says that the corporate world and specifically banks are responsible for these breaches you will see things change practically overnight.
There are several other things that need to be done to help rid of this problem and other personal security breaches, mainly from data aggregators. If we had Constitutional guarantees that our private information is ours and companies have to explicitly ask us to opt in to maintain our data and they can't give it out to others without our explicit consent (as it is in the EU) then you would see a lot issues resolved.
Lastly, there needs to be laws stating that if credit bureaus want our information that we have access to it at all times for free (it's our information after all) and we can dispute any part of it. Furthermore anytime that a part is in dispute that we can get the item temporarily removed until it is fixed. All records should be locked by default. This requires everyone to ask for it to be unlocked in order to open a new account or to do a check your credit history and provide proof that they are the person asking for more credit.
We have four boxes with which to defend our freedom: the soap box, the ballot box, the jury box, and the cartridge box.