Slashdot Mirror

← Back to Stories (view on slashdot.org)

Long-Term Liability For One-Time Security Breaches?

Posted by Soulskill on from the neverending-can-of-worms dept.

An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep is secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"

86 of 119 comments (clear)

  1. And a bunker too... by bragr · · Score: 1

    Well you could always change all the numbers and important information that you can. After that I recommend praying to your favorite diet(y|ies). That or keeping all of your money in a shoebox under your bed.

  2. Information wants to be free by countertrolling · · Score: 2, Interesting

    But we give it too much power to allow that. A much more fundamental change is needed. Until then, long term liability is probably the only alternative. It should never cost the victim anything at all. All costs should be laid on the leaker. And "Trust no one" with your info still applies.

    --
    For justice, we must go to Don Corleone
    1. Re:Information wants to be free by hedwards · · Score: 1

      Um, the only time I've had trouble with it is when my account was transferred to a new firm after acquision. Which makes it virtually impossible to account for without being psychic.

    2. Re:Information wants to be free by Anonymous Coward · · Score: 5, Funny

      Did you seriously just complain that you have to give out your home address in order to have something delivered to you?

    3. Re:Information wants to be free by fuzzyfuzzyfungus · · Score: 5, Insightful

      The submitter of TFA(TFAS?) has swallowed the "identity theft" myth, and all its deliberately problematic implications, hook, line and sinker.

      Whoever came up with the concept of "identity theft" needs to be given an award for sheer chutzpah, then clubbed to death. The problem isn't "identity theft", an "identity" in this context is simply a bunch of information that is only copied, not destroyed or removed when compromised. The problem is bank fraud and various other sorts of fraud perpetrated by people using those data, against institutions who, in a masterful display of doublethink, simultaneously ask you for your SSN when you do anything more sophisticated than taking 20 bucks out of the ATM and treat the SSN like a double-secret-super password that only you could possibly know, on the strength of which loans will be granted, accounts opened, and so forth.

      However, by using the term "identity theft", the implication is created that you are the responsible party. As a token, whoever was responsible for the breach might be forced by law or bad PR to offer you a year of credit monitoring or something; but that doesn't address the root problem: banks, and other such institutions will accept laughably trivial factoids as incontrovertible evidence that somebody is you, and then try to stick you with the bag when the mistake is discovered. The problem isn't that somebody knows my mother's maiden name and my SSN, the problem is that numerous financial institutions and other such entities will happily accept possession of those facts as evidence that just about anybody is actually me. However, because it is "identity theft", I'm the one who has to watch my credit vigilantly forever, and wonder what might bubble up on a background check done in my name, rather than it being "bank fraud" or "inadequate police work", which would place the burden of responsibility on the party who ought to be responsible.

      Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences. The idea that if those pesky consumers were just a little more careful, we wouldn't have this issue, is as elegantly malicious as it is utterly wrong.

    4. Re:Information wants to be free by Timothy+Brownawell · · Score: 2, Insightful

      Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences.

      I assume you have a better idea, then? About the only thing I can think of is government-signed (and revokable, such as in case of theft/loss) physical tokens that can do public-key cryptography, which (1) is only recently somewhat feasible, and (2) might not be that great an idea given how intertwingled all the functions of the government are.

    5. Re:Information wants to be free by wal9001 · · Score: 1

      I think he said you can't have pizza delivered without giving out your address.

    6. Re:Information wants to be free by Anonymous Coward · · Score: 3, Informative

      The system in place for internet banking in sweden is (usually) based around you being issued basically just ssuch a device. That is, you have a pin code (which is blocked after three wrong inputs) to log in to the device, and get a one-time code to log in with to the actual system. Any transaction are then further validated against the device, with transfers to a previously unknown person requiring you to not only validate the transaction, but the recipient as well.

      However, this is not the whole truth, as what you describe is something government-signed, which this (as far as I know) is not. That is, the existance of the device is (in theory) only known by you and the bank, and used only to communicate with the bank. You may have several devices for several banks/accounts/roles, and although you are expected to show who you are when getting the account/device in the first place, this is something which is normal procedure in Sweden.

      Two-factor authentication: it works, bitches.

    7. Re:Information wants to be free by Anon-Admin · · Score: 2, Insightful

      Ok, a better idea. No more central credit reporting. They all rely on that, and it is exactly what the information leads to. So if every bank had to manage there own credit reporting and rely on there report with the customer then there would be no identity theft.

      If the local branch of XYZ bank knows Joe Smith then it is hard for Jack to walk in and convince them that he is Joe. Add to it that Jack going to ABC bank and saying he is Joe does not get him any better chance of credit as he would have to take time and build a report with ABC Bank to get the credit.

      Banks and many others seem to take the information in the three major credit agency files as golden and they rely on it for everything from loans to apartment rentals. The problem is that any information that is used to verify the identity of the person and connect them to the report can be found out and used by those who are less than honest. This leads to fraud and thus to issues.

      Remove the three agencies and there is no more identity theft. When I have to work with the bank to build my credit at that bank it is hard for some one to steal it.

    8. Re:Information wants to be free by fuzzyfuzzyfungus · · Score: 3, Insightful

      I don't think that there is any one silver-bullet solution; I just think that the allocation of responsibility to the helpless rather than to the responsible is A)massively unjust and B) definitely does retard the development of better methods.

      The fact that a bank will hand somebody a loan for some thousands because they know a couple pieces of biographic trivia about me is idiotic; but I am OK with that. It's their money, if they think that they can maximize profits by trading off security for convenience, more power to them. What really pisses me off, though, is that, after they do that, I am the "victim of identity theft" who has to watch his credit report forever, and fight an endless battle by certified mail with some Kafkaesque division of Equifax in order to rectify things. In a remotely just world, the response would be "You, a financial institution who really ought to know better, gave some guy ten grand because he knew a few pieces of public information? You dumb shit, I guess you are out the money."

      There is no perfect defense against fraud; but I bet they'd come up with something better than what we currently have, if the costs fell on them.

    9. Re:Information wants to be free by Hognoxious · · Score: 4, Funny

      In a remotely just world, the response would be "You, a financial institution who really ought to know better, gave some guy ten grand because he knew a few pieces of public information? You dumb shit, I guess you are out the money."

      Actually, it should be "The CEO of your bank has agreed to waive the alleged debt, pay my outstanding legal and other costs and indemnify me against any future, plus an ex-gratia payment of fifty grand for my trouble. I have it in writing, with his photo ID right here. All witnessed and notarized".

      You then hand over a note written with a crayon in childish writing, with a picture of a smiling face at the top and the bank officer's name scrawled underneath. In a different coloured crayon it says "it tru dat, signed my best pal", superimposed with a mucky handprint.

      Well why not? Basically, that's what they've got against you.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re:Information wants to be free by AshtangiMan · · Score: 1

      In this day and age.

    11. Re:Information wants to be free by marcansoft · · Score: 1

      A system like that got implemented in Spain a few years ago. All new Spanish national ID cards are smartcards which allow you to cryptographically sign documents with similar validity to a physical signature. It is expected that they will be increasingly used by banks and the like (and they are already being used in order to e.g. file tax documents on-line). The card is protected by a "PIN" (actually a password) and locks you out after a few incorrect attempts.

      It's by no means perfect, but it will be interesting to see what comes out of it.

    12. Re:Information wants to be free by profplump · · Score: 1

      How about requiring a notary public's seal on loan documents for them to be enforceable? That would require lending institutions to reasonably verify someone's identity before issuing them credit, and works with 17th century technology.

      It's not impossible to fool -- you could also have false ID, etc. -- but it's a lot more reliable than simply writing down a different SSN, and requires an additional fraud against the government to pull off.

    13. Re:Information wants to be free by Timothy+Brownawell · · Score: 1

      With everything moving to online (or sometimes fax), I'd think you could just get something notarized and scan it to get a digital copy of the notary seal that you could paste over your document image. Still, I suppose that is more work than just entering a couple numbers and would take more skill to automate.

    14. Re:Information wants to be free by mandelbr0t · · Score: 1

      banks, and other such institutions will accept laughably trivial factoids as incontrovertible evidence that somebody is you, and then try to stick you with the bag when the mistake is discovered.

      Not to mention that it's more of an annoyance to the end user than it is security. I can never remember exact capitalization/spacing/punctuation to those "security questions". And sometimes I wonder if there's someone out there, compiling a list of these trivial factoids. One day, they will know more about me than I do myself.

      It's the same story it's been for the last decade. Massive problems with current methods of government/financial institution/credit bureau validating your identity, better technicial solutions exist, but are expensive to implement, and require skilled individuals to do so. Most large organizations would rather make it a legal problem than hire people capable of making the transition. Of course, the enforcement has been a problem for a long time. And so the cycle continues, until those who are employed are more skilled than those who are not. In addition, proposed changes usually involve some kind of central government ID database that includes your retinal scan, fingerprints, DNA and some frozen zygotes. No wonder this news seems like it's from the nineties -- that's where the government still is.

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    15. Re:Information wants to be free by fuzzyfuzzyfungus · · Score: 1

      No need to wonder if there is somebody out there.(though they are no longer an independent entity, having merged with Lexis-Nexis under the Reed Elsevier banner, thus assembling an even more comprehensive collection...)

    16. Re:Information wants to be free by Comrade+Ogilvy · · Score: 1
      It is even worse than you indicate.

      As a twice victim of identity theft (once stolen checks, once false credit cards), I have strong circumstantial evidence that "insiders" were involved in both cases. One might wonder if that is not the norm...

      Vigilance can only limit the damage. If the criminals are within the banking/credit system, it is not even theoretically possible for you to fully protect the banks from themselves in your name.

      Based on my experience I am a strong believer in NEVER using debit cards. The inherent weakness of debit cards is that they take money right out of your bank account.

      A credit card company has a strong incentive to reasonable in resolving disputes: if push comes to shove, you can simply walk away from debt you deem fraudulent (and the burden of proof and costs of getting the court case rolling will be on their shoulders). This level of indirection protects you, and allows you to put food on the table and gas in the car while straightening out the mess.

      A bank has a strong incentive to screw you over with regards to debit cards: any monies that have falsely left your account are costs they may have to eat. Banks will swear up and down that debit cards offer "all the protections" of credit cards. At one time that was close to true. Sort of. But when someone ugly goes wrong with your checking account, it is easy to rack up lots of late fees quickly left and right. And the banks are happy to label straightening these issues your problems, while hemming and hawing over whether you get access to any of the money that should be rightfully in your account.

      Fradulent credit card debt is a "paper" problem, and have future headaches. Debit card fraud can mean you are truly screwed in the here and now.

    17. Re:Information wants to be free by Jason+Levine · · Score: 1

      The problem isn't that somebody knows my mother's maiden name and my SSN, the problem is that numerous financial institutions and other such entities will happily accept possession of those facts as evidence that just about anybody is actually me.

      Of course, sometimes the thief doesn't know the right mother's maiden name and the financial institution still approves the new line of credit.

      And then the thief changes the address immediately (before the card is even activated) and the financial institution doesn't red flag it.

      And then the thief tries to get a $5,000 cash advance and the financial institution denies it but doesn't red flag the activity.

      And, when the fraud is discovered (thanks only to the thieves paying to get rush-delivery of the card and financial institution sending it out before the address change went through), the financial institution refuses to give any information to the victim because the victim "might go and shoot the person and then we'd be liable." (Actual quote)

      And when the police contact the financial institution, they might give them the runaround also.

      Yes, this happened to me and this is why I won't do business with that financial institution *cough*Capital One*cough* ever again.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    18. Re:Information wants to be free by AigariusDebian · · Score: 1

      Basically the same is true in Latvia - the only true root document is your government-issue passport. Only after the bank teller has seen you with you passport in hand and matched your face to the photo in the passport (and verified the passport as valid and also taken a photocopy of the passport for long term records), only then the bank can consider you to be the person you claim to be. Only then you can sign contracts, open accounts or withdraw money.

      For the electronic transactions the banks issue you a random numeric ID, a password (that you can change) and a physical ID token - the token is either a simple card with 30 numbers where the system asks you to enter one specific number from your card, or a 'calculator' device where you enter your PIN and it will generate a one-time password.

      And the same thing as in Sweden - each bank has their own device. And to get the device you first need to prove your identity using a passport in the bank.

    19. Re:Information wants to be free by AigariusDebian · · Score: 1

      The problem is that organisations with the write privileges to the system do not bother to check if the person is who he claims to be. If the SSN was printed in your passport and everyone was required to show the passport (with the SSN and a photo inside) for any action that would require a credit check, then all these identity theft problems would simply disappear.

    20. Re:Information wants to be free by AigariusDebian · · Score: 1

      It is pretty retarded to trust a digital document without a digital signature verification or a trust chain. Either you are in the bank in person with your photo-id in hand, or the document can be used for information purposes only and is not legally binding.

    21. Re:Information wants to be free by AigariusDebian · · Score: 1

      You must have pretty stupid banks.

      It is much safer to refuse all checks and all credit cards and use only one debit card with overdraft explicitly forbidden. At least it is so in the EU where government regulations actually protect the consumers against lazy banks.

    22. Re:Information wants to be free by AigariusDebian · · Score: 1

      How about "government-signed (and revokable, such as in case of theft/loss) physical tokens" also know as PASSPORTS!!! And then you go to a bank and show your passport to get a physical token to allow you to get access to your account in that bank! It is a fantastic idea, right!

  3. Contract by decipher_saint · · Score: 3, Insightful

    Not to sound condescending, but when you hand your stuff over to a third party generally there is a contract signed between you and them, what you are looking for *should* be in that contract.

    --
    crazy dynamite monkey
    1. Re:Contract by morgan_greywolf · · Score: 1

      Contracts simply state what is agreed to, and to some extent, what happens when what specifically agreed-to elements of the contract are not met -- usually this mostly means termination of the agreement. Contracts might contain verbiage about keeping data and equipment secure; if security is breeched, that's where the contract ends and liability law begins.

      When someone makes a mistake and a laptop gets stolen because someone failed to secure it properly, this is called 'negligence' and it's an actionable tort, meaning people get sued. If the laptop contained sensitive data, such as credit card information or other sensitive financial data, and that data was secured, then the owner of laptop bears some responsibility as well. That's where they would get sued by their customers for negligence.

      But I'm not a lawyer and you should definitely pay for a competent attorney anytime something like this comes up.

      --
      My blog
    2. Re:Contract by morgan_greywolf · · Score: 1

      s/data was secured/data wasn't secured/

      --
      My blog
    3. Re:Contract by Errol+backfiring · · Score: 1

      Not really. That is an internal thing between you and the third party company. When you outsource a job, you are still 100% liable for it. So outsourcing should be done with good checks, apart from the good contract. In programmer's speak: it is like encapsulation. The customer should not be able to tell the difference between you doing the job or a subcontractor doing it. And if the customer can tell the difference, it is your liability (which you may be able to outsource as well, but it starts end ends with you).

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  4. A nice point. by Anonymous Coward · · Score: 1, Interesting

    Ironically, the four UK Credit Reference Agencies have announced today that you can do a web based credit check on youself for the sum of £2.00. PReviously only one of them allowed web one time (ie non annual contract) checks.

    If they make it quick and also cheap then maybe more people will take responsibilty for checking their own details on a regular basis.

    Posting anon for obvious reasons....

    1. Re:A nice point. by MoonBuggy · · Score: 1

      Quick question: is it worth getting the statutory £2 report from all of the companies (incidentally, the ICO only lists three) or will it be sufficient to go with one?

      Not that it particularly matters at £2 per go, I suppose, but it'd still save some time if it turns out they're all working from shared info.

    2. Re:A nice point. by Sir_Lewk · · Score: 1

      Posting anon for obvious reasons....

      Yes of course, perfectly understandable.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    3. Re:A nice point. by Zerth · · Score: 1

      They don't necessarily have the same info and they definitely don't share "this is bogus information" notices. They are competitors.

    4. Re:A nice point. by Anonymous Coward · · Score: 1, Informative

      Sorry the reason for your anonymity evades me, I guess its not as obvious as you think.

      The reason reason for my anonymity is because I don't have a Slashdot account (I've never been able to decide on a pseudonym to use).

  5. the real reason by Bizzeh · · Score: 2, Interesting

    the real reason we hear more about it and hear of more of them every day is because they are the media topic of the moment, just like when northern rock was in trouble, suddenly, all the banks where in trouble and everyone took their money and caused the financial meltdown.

    in short, this sort of thing isnt happening more frequently than it previously was, its just being reported on more

    --
    portfolio
  6. Two oddities by vlm · · Score: 2, Insightful

    The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

    The second oddity is we are mostly dealing with the bottom percentiles of personnel, equipment, hardware, software, and design. So the article blissfully dreams "Let's hope that these reasonable measures will include the use of encryption." But you know that fools are just going to add another column to the database called "encryption key" so as to decode the other columns. Or store the key in C:\key.txt. Or go all ROT-13 or whatever the unicode version is of ROT-13. If you're dealing with screwups, adding more conditions just makes their screwups more rube goldberg and hilarious, it doesn't prevent them from screwing up.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Two oddities by Anonymous Coward · · Score: 1, Insightful

      Yeah, I agree. Also this falls into the category of "Yeah, so?". Lots of things are unfair, and yeah, we should probably try to change them, but the feasibility is the issue: most people have probably been part of some security breach in the past 30 years. Do we monitor credit for everyone? Okay, where does it end?

      Also these credit monitoring services, while helpful, aren't foolproof. Just look at that lifelock jackass.

      I'm not saying it isn't unfair - it is - it just seems a lot like wishful thinking, kind of like: WOULDN'T IT BE NEAT IF EVERYONE GOT ALONG AND THERE WASN'T WAR? WOULDN'T IT BE NEAT IF WE ALL HAD NO IDENTITY THEFT PROBLEMS DO TO MAGICAL CREDIT MONITORING SERVICES THAT WE GET FOR FREE? And if I had four wheels, I'd be a wagon...

    2. Re:Two oddities by RobertM1968 · · Score: 4, Informative

      The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.

      There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they dont put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

      --
      StarTrekPhase2 - The Five Year Mission Continues!
    3. Re:Two oddities by mysidia · · Score: 1

      A record "encryption key" column in a database is fine as long as that encryption key is (A) generated in a sufficiently strong manner that it cannot be guessed, for example a SHA256 hash of a strong shared key salted with a pseudorandom value and the record id, and (B) accompanied by an initialization vector generated from truly random data, and (C) the encryption key in the enc. key column is itself encrypted using a strong public crypto, and (D) the secret key is not stored in the database, is preferably controlled using a hardware crypto device, and only the application that needs the sensitive fields will be granted access to the particular fields associated with that particular application.

      (Each application having its own API key and public/private key pair to submit requests to the security server to decrypt certain fields of certain records)

    4. Re:Two oddities by Mr.+Underbridge · · Score: 4, Informative

      There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they dont put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.

      You beat me to it. Why would we expect exploit lists to differ substantially from marketing lists - and just how separated do we really think these groups are? I'd expect that data to get passed around like a bottle of cheap wine.

      As to using it - it may be true that CC#s for exploitation are only used from "fresh" lists. But what about all your other data, depending on where they got it? You probably won't move due to this event. Your SSN won't expire - or if it does, you have bigger problems than identity theft. So yeah, if your ID gets out there it's not good news, and not something I'd expect to cease being a threat.

      Incidentally, some might be surprised how long lists stay in the wild. I recall once getting snail mail spam addressed to the previous owner of the house. This wouldn't have been remarkable, except that *we'd* lived in the house 20 years or so.

    5. Re:Two oddities by shentino · · Score: 4, Insightful

      The problem is that identity theft is profitable for more than just the thief.

      The credit bureaus make shitloads of money from identity thieves taking out loans and triggering credit reports.

    6. Re:Two oddities by The+Moof · · Score: 1

      The first oddity is why the author believes that the data would sit around for years before being used

      Some stolen information does. Credit cards and the like ("short term" data) usually is 'use as fast as possible' due to its nature (not going to be around long). However, when it comes to data that cannot be changed/very difficult to change, ie, Social Security Numbers, they sometimes sit around for years before ever being used.

      My local paper ran an article about this a year or two ago. A man in his 20's apparently had his SSN stolen when he was 13, and it just started getting used. The paper covered it due to the credit institutions making the whole fight to repair his credit messy. The thieves know that this type of information isn't easily changed, so they can sit on it until it's useful.

    7. Re:Two oddities by mea37 · · Score: 1

      The first oddity is why you think data would stop being used after some finite time period.

      The second oddity is that you clearly don't understand how corporate organizations use encryption on laptops once they decide to do it.

  7. Its a cost we all must bear by davidwr · · Score: 1, Insightful

    The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.

    Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay after factoring in liability costs.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Its a cost we all must bear by SpongeBob+Hitler · · Score: 1

      The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.

      Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay after factoring in liability costs.

      Great idea. Let's just let all corporations do anything they want. After all, we wouldn't want them to actually be accountable for anything, would we?

      --
      Wollt ihr den totalen Krieg?
    2. Re:Its a cost we all must bear by Chowderbags · · Score: 1

      Seriously? It would cost a fraction of what the board of directory on any of these companies makes in order to actually protect data. Not only that, but why is "well, the companies will just try to find ways around it" a good excuse for just letting them do what they want anyway. Yes, we might have to play whack-a-mole with some oddly structured corporations (huh, funny, this group of privately held corporations funneling money to each other is all run by the same group of people. Maybe we should look into that...). This whole notion that we must respect legal fictions and ignore reality when dealing with "artificial persons" is nonsense. When company A owns companies B, C, and D, we shouldn't let them sever all ties with B, C, and D at a whim (or as a shell game to avoid responsibility for their actions). I'm not saying we should go after the individual shareholders of a publicly traded company (because by and large they don't have any power), but I've no compunction against taking a good hard look at CEOs and the like when things get fishy.

    3. Re:Its a cost we all must bear by mcgrew · · Score: 2, Insightful

      The cost of a company's mastakes are a cost of doing business. Why should I pay for your mistakes? I'd rather the company go out of business, even all companies like it, than let them continue with shoddy security that may cost me dearly. If they aren't made to pay for their mistakes, the mistakes will continue to be made.

      You have morals, but corporations do not.

      --
      Free Martian Whores!
  8. Re:Is it fair? by Soilworker · · Score: 2, Insightful

    Yes, seriously, if the informations is that important, why is it on a unencrypted laptop HDD ??

  9. Screwup? by girlintraining · · Score: 3, Insightful

    Your security should be more costly to bypass than what the security is protecting. If you can't do this, you're making a business proposition to the world: "Hey, free profit at my expense. Inquire Within." If you don't want to pay to protect it properly, then the best you can hope for is that someone else's stuff is more shiny than yours.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Screwup? by ThosLives · · Score: 2, Insightful

      This isn't security in the first place. True information security would be a situation where even if someone had all your "authentication data" it wouldn't be possible to abuse. (I'm not claiming I know how to obtain such security, and I admit it is an idealized statement.)

      It seems to me that the current situation we experience related to (financial) authentication is due to the fact that we have traded the necessity of actually knowing your banker or clients personally for what are essentially anonymous transactions. In the past, someone had to try quite hard to mimic your identity physically if they wanted to walk into a bank and raid your account, and they could only mimic one person at a time.

      Now, all someone has to do is steal keys, so to speak, because nobody at the bank really knows who you are; all they have is a database entry. We have actually given up some control over our accounts for the "convenience" of forgoing relationships with our financial institutions.

      As an aside, I actually hate the fact that this type of event is called "identity theft" because identity cannot be stolen. What is stolen (or copied or misappropriated or whatever) is authentication information, which is not the same thing as identity. It's very alarming to think that your authentication information and records define an identity.

      The real problem with the system isn't that people can get your authentication information but that you can do too much with that authentication information.

      --
      "There are a dozen opinions on a matter until you know the truth. Then there is only one." - CS Lewis (paraprhase)
  10. Re:fair? by SpongeBob+Hitler · · Score: 1

    Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?

    you're demanding fair credit? what gives you the right? you don't have any credit. if you want credit, there are terms. if you don't like the terms, you don't get credit. this has nothing to do with "fair".

    Well, if someone uses your personal info to get a big loan in your name that you then have to pay back, it can be a bit of a problem. Sorry if understanding simple things like this is too difficult for you.

    --
    Wollt ihr den totalen Krieg?
  11. infinite lifetime considered harmful by khb · · Score: 4, Insightful

    That all of the really useful data tends to have infinite life (birthdate, SSN or equiv for non-US, place of birth) compounds the problem (the "use case" that comes to mind is some aged drive surfaces in the used parts market and some scofflaw procures it and uses it long after the breach itself).

    Obviously, each organization should have their own ID numbers, and any given "customer" ID should be able to be associated with various time varying external credentials and really good stuff which isn't time varying shouldn't be in the hands of third parties.

    Regulators (e.g. SOX, HIPPA, UK data protection act(s)) all seem to miss the boat about limiting the scope of breeches. Legislating that no breech ever occur is laudable, but impractical. So minimizing the harm done should be the focus.

  12. when IRS or Social Security loses data? by peter303 · · Score: 1

    More a matter of when, not if, should a large government agency loses a massive amount of business records.

    Their main protection is government systems are "self-encrypting", that is written mostly in pre-1980 OS-360 COBOL.

  13. Of course by John+Hasler · · Score: 3, Insightful

    > Is it fair that you have to worry for decades and pay for further credit
    > monitoring when they are to blame for your information ending up in the
    > wrong hands?

    You are liable for the actions of your agents. If they screwed up you can sue them but you are still responsible to your customers.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  14. They should be penalized for failure to disclose. by jtownatpunk.net · · Score: 1

    I'm 99.44% sure that my check card info was compromised in a data theft incident but I have no proof. One day, I got a call from my bank saying that my current check card was susceptible to fraud and that a new card had been sent to my mailing address. Please call if you have not received this card.

    That set off a couple WTF questions in my head. First of all, it was implied that my replacement card should have arrived which means they'd sent it at least 2-3 days earlier. If fraudulent activity had been detected, they should have notified me immediately and blocked the Visa number. But I'd used the card the day before and that call was the first I heard about fraud.

    I took a closer look at my account activity for the previous few months and every payment and credit was legit. I called my bank and spent almost an hour talking to several different people to get an explanation. The best I got was, "Well, they want to upgrade the gold check card holders to platinum." I asked if there would be a new Visa number and expiration date on the card because I had to update some autopayments if that was changing. "Nope. The number won't change." If that was the case, why couldn't they just wait another 6 months until my gold card expired? And why follow up the early mailing with a phone call talking about fraud?

    So I went home and checked the mail. There was my new platinum check card with a new Visa number and expiration date. Why the new number? I'd had the old one for 12 years and it was burned into my brain.

    So all I can figure is the details of my old card were lost in a security breach but hadn't been used yet. Why else would I get bumped to a new card 6 months early and a new Visa account number for the first time in over a decade? I'm sure if I pressed hard enough, I could get an answer but their first and second tier people are doing a good Sargent Schultz imitation and I'd wasted enough time on it.

    But I shouldn't have to dig and probe. I should have received a letter with my new card explaining EXACTLY why the new card and account were necessary. The name of the processor that lost the data, the date/time the data was compromised, and the action taken against the company that lost the data.

  15. important links by Anonymous Coward · · Score: 2, Informative

    TFA is the summary segued into mentioning the Data Accountability and Trust Act is before the Sentate. Here is the tracking site for that act, and the important Summary:
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=summary

    It's fairly straightforward. It defines terms and requires the information holders to follow a structured method of protection and reporting. Places oversight with the FTC. Notably "Prohibits the FTC ... from requiring the deployment or use of any specific products or technologies." Does not mention encryption.

    But also note this is hardly the first time such a bill has been presented.
    http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=related

    Nor is there mention of what bizarre shotgun-marriage legislation this bill is combined with, or indicates what kind of support there currently is for this bill.

    I don't know... I'm horribly cynical about this sort of thing. But one good result might be that legislated and audited & enforced care of personal information (simple as name + credit card number) might finally make sites and services not just a little more careful with databases, but start to question whether they should have them at all. Right now, there's nearly no costs or responsibility overhead for collecting everything you can about your customers, and passers by. This bill makes it costly; that'll limit businesses to acquiring (and holding) only the information they need to conduct business.

    Still, I'd like to see specific time limits on holding things like credit card number after a transaction, and very specific limit on sharing that information with "partners" etc. Also I'd like to see my "conduct business" above limited to processing the original transaction with you; that the personal information acquired cannot be used to make money in any other way whatsoever.

    (Sorry for doing your job, Soulskill, by supplying those links. Perhaps you could add the car analogy?)

  16. Why do they need so much private info anyway? by craftycoder · · Score: 2, Insightful

    I feel that the information I share is at my own peril. Perhaps we should worry less about data security and invest more energy in learning how to get stuff done without the need to share important info in the first place.

  17. NASD fines go back 5 to 10 years by charnov · · Score: 1

    The NASD has been known to levy multimillion dollar fines and pull dealer licenses for offenses made by previous staff. Their reasoning is that any competent professional would see and correct pre-existing issues. To be fair, they gave me and my staff 6 months to fix some stuff related to email auditing and retention and even made suggestions...

    --
    [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
  18. Independent ID-Checking Service by pwilli · · Score: 3, Insightful

    This is probably about identity theft and getting e.g. loans by simply knowing the "magic" numbers of someone else's life.

    Why is it still possible to get these things in the US without going into e.g. a bank and showing them a valid photo ID (passport, driver license, ...) to let them check if you are really the person you claim to be? Makes it a lot more difficult to get these things, and shifts liability back to the banks (if you can show you never went there to prove your identity, they screwed up by giving that loan - their fault).

    If you've got a problem with a bank seeing you in person (why?), maybe a new institution could be founded that does only that: Check IDs of people for others. Like this:
    1. Request a loan
    2. Get a unique magic number of your bank that doesn't carry any information but the bank knows it belongs to you and that loan
    3. go to the ID-check-service and let them sign that number, e.g. with: "Person xyz has proven his identity" (if paperwork, or better get a digital signature)
    4. Give signed number back to the bank

    Bank knows you are you, without you ever going there in person and the ID-check-service doesn't know what you needed that signature for (they just got a "random" number and signed it for a fee).

    Expand this scheme for other services (governmental, etc.) and you get all the privacy you got now with a whole bunch of more security.

    1. Re:Independent ID-Checking Service by CaptainZapp · · Score: 1
      It surprises me that it is possible at all to open a bank account in the US without proper identification.

      In Switzerland, the country with super-seekrit-numbered accounts (at least according to some bad fiction writers) it is impossible to open an account (even a super-seekrit one) without personally identifying yourself to the bank with proper documents (i.e. passport).

      While you may find a more shady financial institution that takes a more flexible approach on the "know your customer" rule, this will not happen with the more reputable banks.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

    2. Re:Independent ID-Checking Service by kbeyer · · Score: 1

      Online Banks and other internet companies in Germany use Post-Ident for this.

      It's a service by the post office where you have to go to the next shop, show your personal identification card and they send the post-ident back to the company:

      http://www.deutschepost.de/dpag?tab=1&skin=hi&check=yes&lang=de_EN&xmlFile=1016309

  19. Google by lymond01 · · Score: 1

    We ditched Google for Faculty and Staff at our university and this was one of the reasons why. Too much information given to a third party and no true liability if some of it were lost or stolen. If you're working on potentially patentable research, and you send it through Google's servers, and some "glitch" lets someone else look at your email...well, you might have lost a patent. And Google doesn't pay. And Google could argue that, well, what do you want for free? At which point, we say, "Nothing, thanks. We'll move our services in-house." Which is what we're doing.

    Truthfully, important documents don't belong on email. You can link to a password-protected SSL site from an email (like the certified email at the US Post Office) but attaching critical documents is just not a good idea.

  20. The "secret information game" by erroneus · · Score: 5, Insightful

    This is a ridiculous game we keep playing over and over again. We have "secret information" we entrust to every business entity with which we do transactions. They aren't quite as secret any longer. And these other entities have people in them... not all of them can be trusted and you will never know who or how many whos have had access to the information. It's a very flawed system especially in light of modern communications technologies available today.

    We need a system in which credentials for transactions are good for one-time-only. I present my credit/debit card and this information doesn't change again until either the expiration date arrives or I have it changed. But if I do something with my account "device" that issues a payment ticket number (rather like a cheque in many respects) that is then presented to the business entity to be used only by that business entity and only works once, twice or however often it can be used as approved by you. That code would only be useful for the other side of the transaction because of their encryption key token must work with the ticket number I issued. Then these stupid open secrets won't need to be a concern any longer.

    The big problem isn't that people can or can't securely store this information because we already know it can't ever be stored safely and also be useful. So it needs to be stored "safely enough" but also with limited usability. What it all comes down to is a system that requires end-to-end user accountability. As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.

    1. Re:The "secret information game" by Zironic · · Score: 1

      As far as I know a number of banks offer virtualised credit cards with a specified limit and expiration date. If you generate those cards with the exact amount of money your transaction is worth then the card is useless their database gets hacked.

    2. Re:The "secret information game" by cduffy · · Score: 1

      About a decade ago I got a research grant for a system for generating one-time per-transaction keys -- you had a card you carried with you with a display sufficient to display the price of the item you authorized and to allow a PIN to be entered if you wanted to approve a transaction; the card had a public identifier, a private key, and a counter; it generated a token consisting of the public identifier and a hash of the private key, the counter and the transaction data.

      Didn't go anywhere -- not economically feasible -- and I may be misremembering some of the details, but the point is that the idea isn't new at all.

    3. Re:The "secret information game" by noidentity · · Score: 1

      As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.

      Actually, the victims of identity impersonation aren't even held accountable, which is why it keeps going on. The victims of course are the banks, who mistook someone else for you and gave out some of their money. They say it was you who are at fault, so they don't give a shit.

    4. Re:The "secret information game" by tool462 · · Score: 1

      Yup. My bank offers this as well, and I've started making use of it after having some invalid charges show up on my account a couple of times. It's quite simple and useful, though only useful for online purchases.

  21. "Breach", not "Breech" by natehoy · · Score: 3, Informative

    The correct term is "data breach", not "data breech."

    A "breech" is either a pair of short pants ("breeches"), the hind end of the body or a birth where the baby is coming out backward ("breech birth"), or the rear of the barrel of a firearm.

    So the term "data breech" means short pants made from data, data that is coming out of a system backward, or the back end of an Ethernet cable, I suppose.

    This teaching moment sponsored a chunk of my karma from the inevitable "Offtopic" and "Troll" mods this post will undoubtedly earn me.

    --
    "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    1. Re:"Breach", not "Breech" by Cro+Magnon · · Score: 1

      Well, considering that companies are losing data out their rear-ends, maybe that spelling is more accurate than you thought.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:"Breach", not "Breech" by natehoy · · Score: 1

      I find your argument... compelling. :)

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  22. Re:Is it fair? by shentino · · Score: 3, Insightful

    Not everyone has the choice to "man up".

    I could go on numerous examples but the biggest would be mandatory disclosure of information to an incompetent government.

    And don't even think of telling me that "I could always choose to go to jail" when doing so means I get my prints and mug shot forcibly taken anyway.

  23. Thee points. by gurps_npc · · Score: 1
    1. We need to upgrade our personal information security rules. The standard right now is too low, in part because of the way we assign financial responsibility. By outsourcing it to credit card companies, who truly don't care because of the huge profits they make and relatively small cost of fraud, we have in effect allowed and encouraged ID theft. This needs to change.

    2. If the financial fraud was all that mattered, then this wouldn't really be a big deal. But the huge problems certain people have when their credit is destroyed are not being properly dealt with by the courts. We need to modernize our credit laws to negate the personal problems created when fraud destroys someone credit history. Among other things, changing the rules for social security number re-issuing (right now this is very hard to do, even if fraud is proven).

    3. This combination of lax credit companies encouraging fraud, then ignoring the huge personal problems because the financial cost is low needs to be dealt with. For example, we could pass a simple law that solves the problem in a two step manner: a) allow a second social security numbers to be issued to anyone willing to have their fingerprints, retina patterns, and photo attached to the new number, at a cost of $1000. b) Allow the consumer to force their credit card company to pay that $1000 if the company did not properly and ACTIVELY investigate any potential fraud. "We did nothing wrong" should not be enough, they need to do things right.

    --
    excitingthingstodo.blogspot.com
    1. Re:Thee points. by Haffner · · Score: 1

      You would really be willing to pay the government $1000 to permanently document your retinal prints? I certainly would not.

      --
      "Going to war without the French is like going deer hunting without your accordion." ~General Norman Schwarzkopf
  24. Re:fair, huh? by shentino · · Score: 1

    Life isn't fair because the money men running the show make it that way.

  25. FFS... by Bigjeff5 · · Score: 1

    Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?

    For fuck's sake, is it fair that someone stole your data in the first place? No, of course it isn't. But ultimately, it's your problem and nobody else's. Trying to make it someone else's problem is childish and irresponsible. They did their best (at least for the amount of money you spent on the service), but there hasn't been a security system invented that is 100% foolproof. So now you have to watch your information like a hawk because someone is a thief. You can hire that out too if you want, but there is a chance it will happen again. There was a chance it could happen even if you were managing your information security yourself. Thieves take shit that doesn't belong to them. It sucks but it's reality.

    Life isn't fair - deal with it!

    Christ.

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    1. Re:FFS... by fuzzyfuzzyfungus · · Score: 1

      Your post is arguably correct in its claims; but really misses the point.

      Yes, it is arguably the case that it is the submitter's fault that somebody made off with some personal trivia concerning him. However, are those trivia valuable in themselves? No. They are just some random chunks of data. Why are they valuable? Because all kinds of third parties will, idiotically, accept knowledge of them as being identical to being the submitter, and do things like hand out loans. The value and the danger of what would otherwise be some innocuous little strings are 100% the faults of various other parties, who treat them as being equivalent to identity because it is cheap and convenient, and then will turn around and smear the submitter's record when their own incompetence catches up with them.

    2. Re:FFS... by PeanutButterBreath · · Score: 1

      Its not even "arguably correct". If someone makes off with my SSN etc., even if it is my fault, having this information is not a crime AFAIK and I am neither culpable for exposing it nor a victim of someone obtaining it. The crime occurs when some other party is defrauded, and they are a victim of both the fraud and their own lack of diligence.

      This only becomes a problem for me when these third parties take their problem and make it mine via a central credit reporting system that I am forced to be subject to.

      GP needs to vent his spleen at the banks and lenders, not 100% innocent bystanders who are being screwed.

  26. Easy... by eth1 · · Score: 1

    If you store someone's sensitive information, and their ID is compromised using any of the information you store, you're liable (along with everyone else that stores that info) for reimbursing any costs or lost assets that the victims incur.

    As a bonus, this system would be a strong disincentive to storing crap about us that companies don't absolutely require.

  27. How can this problem even exist? by chx1975 · · Score: 1

    The chain of events should look like: you go into a bank and ID yourself with a piece of government issued photo id. Then you can open an account or get a mortgage. Otherwise, you can't. Next up, to do a credit transaction when the card is not physically present, you get a text on your mobile phone that you need to send back. Everyone has a goddamned mobile phone capable of sending messages. By the way? This is how it works in many European countries. Also, for online purchases, virtual cards especially one-time virtual card numbers should be used...

    1. Re:How can this problem even exist? by sconeu · · Score: 2, Insightful

      What if you're trying to get your first mobile phone?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  28. Re:Is it fair? by Anonymous Coward · · Score: 1, Insightful

    No. Who told you life was fair?

    You're responsible for protecting yourself. Don't expose your data unless you need to; then change it if you can. Don't put your money where it can be stolen. Etc. (Wo)Man up. The world is not here to wrap you in cotton balls.

    Yes. Don't ever accept a job (you'll have to show some sort of ID.) Likewise, don't ever open an account with a bank or credit union. Don't ever attend an institution of higher learning.

    As for living, just move into a cardboard box. Not only is it cheap, which you'll need with no job, but you'd need to provide tax information to buy a residence, and apartments won't lease to you without some sort of proof employment, which you won't have. Or move to some third-world country and live in a shack.

    And for best results, cover your shack or box in tinfoil. Also, consider making a hat....

    It's your information, sheeple! Don't just fritter it away for the trappings of modern conveniences!

  29. Re:O RLY? by decipher_saint · · Score: 1

    Having dealt with a few offsite storage places I can tell you that they have SLAs that cover theft/fire/nuclear bombs/etc.

    --
    crazy dynamite monkey
  30. Re:fair? by mcgrew · · Score: 1

    Let me guess... the bank you're CEO of got a government bailout?

    --
    Free Martian Whores!
  31. 30 million illegals prove it isn't so by Anonymous Coward · · Score: 1, Informative

    There are thrity million illegal aliens in the US. They work without showing ID or showing laughable ID. I have personally watched one open a bank account without showing a single blessed thing. Stood right there and watched the entire sign up process, the bank did NOT ask for any ID, took the illegals word on everything, and had a convenient foreign language speaker teller do the assisting. I was three feet away standing in line, saw it happen. They get drivers licenses in a lot of places, and all sorts of other goodies, can open any utility service they want, etc. free medical care for any sniffle at any emergency room. Free schooling for their anchor babies. The feds are now going to sue a state to keep that "no ID verification needed" practice up and running. They can sign up for and receive free or heavily subsidized college education, whereas legal citizens have to pay through the nose and show valid ID.

    ID that is even remotely verifiable is only for the legal honest citizens, if you are illegal, the government doesn't seem to care very much. Heck, they will arrest (for committing some nasty crime) and deport illegals numerous times in a row, but they still come back and can do whatever they want, no ID of any consequence or verification required. ID is the last thing they worry about, it's a joke.

  32. A reason to use foreign banks... by Radtoo · · Score: 1

    Maybe you should find a bank that will just let you have access with the SSN or such blocked and tell them to let you withdraw with your ATM card or against (nationally issued) ID verification only. You may not have realized this but signatures on checks / credit cards are also ridiculously insecure, same as your SSN.

    At worst, you'll only find such a bank account abroads - however, they're easy to find anywhere else but in the US. Put your savings there, use the national account only for more frequent payments - if it only has a few thousand bucks in there and won't allow overdraft, the risk is very limited.

  33. Re:fair? by SpongeBob+Hitler · · Score: 1
    My, you're such a pathetic angry little worm, aren't you.

    You specifically spewed forth:

    you're demanding fair credit? what gives you the right? you don't have any credit. if you want credit, there are terms. if you don't like the terms, you don't get credit. this has nothing to do with "fair".

    So, you basically think that banks should be able to give out credit on whatever terms they want, even if it involves giving out loans in other people's names. That's why, in an actual civilized society, we have these things called "laws" which punish harmful behavior like this.

    I know people like you hate the idea that people might actually have to obey laws and not screw innocent people over, but those of us who like living in reality prefer to have some semblance of civilization around.

    --
    Wollt ihr den totalen Krieg?
  34. Re:Is it fair? by AigariusDebian · · Score: 1

    Or move to EU, where the information on your ID is not enough to do you any kind of damage. It is just a login name, and the physical ID document with your real world face next to it is the password.