South Carolina Shows How Not To Do Security
CowboyRobot writes "Earlier this year, the state's Department of Revenue was storing 3.3 million bank account numbers, as well as 3.8 million tax returns containing Social Security numbers for 1.9 million children and other dependents, in an unencrypted format. After a state employee clicked on a malicious email link, an attacker was able to obtain copies of those records. It's easy to blame the breach on 'Russian hackers' but who is really to blame? 'The state's leadership, from the governor on down, failed to take information security seriously or to correctly gauge the financial risk involved. As a result, taxpayers will pay extra to clean up the mess. Beyond the $800,000 that the state will spend — and should have already spent — to improve its information security systems, $500,000 will go to the data breach investigation, $740,000 to notify consumers and businesses, $250,000 for legal and PR help, and $12 million for identity theft monitoring services.'"
So $2 million to actually respond to and work on fixing the problem, and $12 million to snake oil. Brilliant.
I generally find it safe to assume that State of South Carolina does not show the way on how to do anything.
Who's to blame? In good part it's every single company and organization in this country that tries to use people's SSNs as some kind of secret PIN or ID. It's not.
It's a non-changing lifetime number that you have to hand over to just about every doctor's office receptionist, insurance agent, and offshored credit card phone lackey that you deal with. *Nothing* of value should depend on SSNs being kept private in any way, shape or form. You reveal this number to thousands of people over your lifetime, few of which you have any reason to trust.
Lately, companies seem to try to address this issue by truncating the SSN to its last 4 digits, then treating that portion as both the secret PIN and the part that can be publicly shown. Sheer idiocy.
What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?
At least in the U.S., there is none. But pretending that the SSN is one does not make it so.
This is modded insightful? There are plenty of reasons why a Gov.employee should be able to access the internet from their work device(s). Would be better to say that 1. Such access should be better protected and, 2. internal systems should be isolated from anything that (inevitably) slipped through
it would be incumbent on the financial institutions to NOT use it as their primary means of ID for purposes of granting credit.
The laws must be changed to say that a Social Security number, by itself, proves nothing. It should not prove that a debt exists or that any other legally binding agreement was entered into by anyone. As long as businesses can get away with using the SSN as both an identifier and an authentication, which is how this whole "identity theft" nonsense got started in the first place, they will continue to do so. Therefore, the only viable solution is to render the Social Security Number legally worthless as proof of anything. They ought to be just numbers, nothing more.
What public identifier of a unique person should insurers and lenders use to make sure that one person doesn't try to fraudulently establish two distinct customer histories by pretending to be two people?
Easy answer: SSNs. There is nothing wrong with using SSNs for identification . The problem is that we pretend like they are some sort of secret, and use them as authentication . That is stupid and it should be illegal for an financial institution to use them that way. People should be free to hand out their SSN, or even paint it on their mailbox, without fear of any consequences. We should just assume they are public knowledge.
Will whoever was responsible for failing to implement a proper IS policy be expecting a similar visit from the Feds?
No, because gaining unauthorised access to a system and failing to do your job properly are two entirely different things.
systemd is Roko's Basilisk.