Slashdot Mirror

← Back to Stories (view on slashdot.org)

20 Million People Exposed In Massive South Korea Data Leak

Posted by timothy on from the at-least-everyone's-using-msie dept.

wiredmikey writes "While the recent data breach that hit Target has dominated headlines lately, another massive data breach was disclosed this week that affected at least 20 million people in South Korea. According to regulators, the personal data including names, social security numbers, phone numbers, credit card numbers and expiration dates of at least 20 million bank and credit card users was taken by a temporary consultant working at the Korea Credit Bureau (KCB). The consultant later sold the data to phone marketing companies, but has since been arrested along with mangers at the companies he sold the stolen data to. A similar insider-attack occurred at Vodafone late last year when a contractor made off with the personal data of two million customers from a server located in Germany. According to a study from PwC, organizations have made little progress developing defenses against both internal and external attackers, and insiders pose just as great a security risk to organizations as outside attackers."

53 comments

  1. So how do you defend against this? by Anonymous Coward · · Score: 2, Insightful

    The data at some stage will be unencrypted or there will be some developer or admin who knows how to unencrypt it.

    It doesn't matter if you pay your staff well - people can still be blackmailed / need money to pay of debts.

    1. Re:So how do you defend against this? by ShanghaiBill · · Score: 5, Insightful

      We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret". Nobody should be able to impersonate you by knowing your SSN, anymore than they can by knowing your name. Likewise, we should get rid of mag-stripe CCs, and switch to a more secure system like much of the rest of the world already has. These data breaches are just a symptom of a deeper problem: No sane system should require that the same information be both secret and widely known.

    2. Re:So how do you defend against this? by rubycodez · · Score: 1

      let's not defend against it. Many, many IT people forced out of work by temps, contractors, outsourcing. This is come-uppance for the pointy-heads, let them burn.

    3. Re:So how do you defend against this? by war4peace · · Score: 1

      I say: take the other approach: outsource everything from all companies to the same contractors. That way, everyone will know everything about everyone else.
      (people who don't get the joke should have another beer)

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    4. Re:So how do you defend against this? by Dcnjoe60 · · Score: 1

      We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret". Nobody should be able to impersonate you by knowing your SSN, anymore than they can by knowing your name. Likewise, we should get rid of mag-stripe CCs, and switch to a more secure system like much of the rest of the world already has. These data breaches are just a symptom of a deeper problem: No sane system should require that the same information be both secret and widely known.

      Mag-stripe CCs, while easy to copy at the point of transaction aren't any less secure than the new CCs for online purchases. Regardless of technology to record information about the card, the moment you enter that information online, and it is stored in a database, it is possible to steal the database. One way around this would be to use a key fob that generates a unique pass code every time you use it, like many banks have for business customers. Of course, that makes the CC much less convenient and much more costly to issue.

      Face it, anything online, is hackable, which means any method used to identify you is also hackable. Whether a social security number or something other unique identifier, it will eventually be compromised.

      In the old days, to steal your identity, somebody usually had to go through your physical trash to get the proper information and it was much easier to secure (shredding being a primary security). Now, they just need a keyboard.

    5. Re:So how do you defend against this? by Dcnjoe60 · · Score: 1

      let's not defend against it. Many, many IT people forced out of work by temps, contractors, outsourcing. This is come-uppance for the pointy-heads, let them burn.

      Unfortunately it is managment that makes the decisions, but the rank and file employees that would lose their jobs. Hardly seems like a just solution.

    6. Re:So how do you defend against this? by rubycodez · · Score: 1

      the point is the rank and file already lost their jobs, and this article's woes are the result of having replacement contractors do the work

    7. Re:So how do you defend against this? by Anonymous Coward · · Score: 0

      One way around this would be to use a key fob that generates a unique pass code every time you use it, like many banks have for business customers.

      What do you think the "chip" on all our credit cards is doing??? Oh... thats right, America doesnt have chips on their credit cards yet. Even though they have been on cards around the world for almost a decade. I believe their is a reason why credit card companies and banks want Americains to be subjected to credit fraud. I believe the reason is that they do not pay for it. The only people who pay for card fraud are customers and merchants. Not the banks and not the companies who run the payment networks. ie: fraud provides profit... so there is no need to protect you from it.

      Think of this: chip technology would protect your card data from being useful to theives. Chip technology needs to be implemented by the banks and the card companies. SO... who is actually responsible for your potential future losses? Who makes this data a target for theft in the first place? It is not Target. It is the card companies and financial institutions who have not done the work required to protect you. But... who pays for this? Target pays for this. And the customers who had their data stolen from Target may pay for this. So there is no incentive for the card companies or financial institutions to change. They both make money from fraud and use it as a mechanism to justify their percentage of payment every time you make a purchase. You pay about 2% to the card companies with each purchase. And fraud cases like this convince you that it is a good idea to pay this 2% to protect you from future fraud. But customers dont seem to understand that it is the card companies themselves that make the system weak. And so you are paying this insurance into the system which creates a need for such insurance. And in the end... you pay for all loses due to fraud anyways. Card users are suckers. And any discussion about fraud and finger pointing should not go to target at all, but the true vilians who create an enviroment for fraud to occur: The Card Companies and the Financial Institutions

  2. Mangers? by reboot246 · · Score: 1, Offtopic

    " . . . but has since been arrested along with mangers at the companies he sold the stolen data to."

    How do you arrest a manger? Why would you arrest a manger?!?

    1. Re:Mangers? by Anonymous Coward · · Score: 0

      How can you be so stupid that you can't figure out it's a typo? Fuckin idiot!

    2. Re:Mangers? by Anonymous Coward · · Score: 0

      It's the war on Christmas all over again!

  3. No surprise by Mashiki · · Score: 4, Insightful

    After all S.Korea uses an activeX plugin for all their security needs...massive single point of failure and all that.

    --
    Om, nomnomnom...
    1. Re:No surprise by ColdWetDog · · Score: 2

      They didn't need to. Inside physical access trumps dodgy software any day.

      Humans are always the weak link. /Skynet.

      --
      Faster! Faster! Faster would be better!
    2. Re:No surprise by Anonymous Coward · · Score: 0

      They didn't need to. Inside physical access trumps dodgy software any day.

      Humans are always the weak link. /Skynet.

      Including the humans who wrote the software.There's a lot of dodgy developers out there adept at talking big, not walking the walk and passing the buck. The "temporary consultant" in this case probably did not have physical access to the database server.

    3. Re:No surprise by Anonymous Coward · · Score: 0

      Hi @Skynet.

      Your data theft zombies are kicking ass. But they're just not getting past the fence. I recommend a few T1000 liquid metal editions with the latest service packs.

  4. Eventually by msobkow · · Score: 0

    Eventually we're just going to have to face the fact that there is no data privacy anymore, whether accidental or intentional. Rather than hiding information through obscurity and security, some day I foresee global systems that have the "official" data publicly available, including the public keys used to identify people when they access their information services.

    So the onus will be on retailers and others to have the user log in with their private key to identify themselves, rather than presenting a pin card with a weak identifier. Much though I loath to admit it, smart devices are going to take over for smart cards in due time, simply because you'll need to have some sort of carrier and key system for those private keys.

    Not that we've ever really had that much privacy in the first place -- anything but a social insurance number/social security number has always been fair game for corporations and organizations to use as an identifier. Here in Saskatchewan, our health card numbers are heavily abused by just about everybody as an identifier, because they're allowed to use that id by law, and because it's an id that everyone has, even underage children.

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Eventually by rubycodez · · Score: 3, Insightful

      nonsense, this is result of very poor security and no obscurity, using credit card number or ss # is silliness. Transactions with private keys and verification are the way to do things, this is a solved problem that the governments and credit card companies are not using.

    2. Re:Eventually by msobkow · · Score: 1

      Umm. Yeah. We're saying the same thing: I was simply proposing that putting out the public keys as identifiers was the way to do things. "Signing" the private key is the verification.

      --
      I do not fail; I succeed at finding out what does not work.
    3. Re:Eventually by msobkow · · Score: 1

      But certain information is already publicly published, like your address in the online phone books. So why should it be a "big deal" if it gets stolen from some corporate database when the phone company is already publishing it for anyone to scrape? That's the other half of my point: we need to stop worrying about "private" data that is published. Theft of such data should be a non-issue.

      --
      I do not fail; I succeed at finding out what does not work.
  5. boooo hostile redirects by Mashdar · · Score: 2

    I did not access beta.slashdot.com. I accessed the main website. Breaking my UI is not welcome...

    1. Re:boooo hostile redirects by Anonymous Coward · · Score: 0

      Then let them know. Pick a day and tell everybody to not post any comments on slashdot that day, in protest. Repeat once a week until they announce that they will stop redirecting us randomly to the beta site.

  6. The beta will kill Slashdot if it goes live. by Anonymous Coward · · Score: 5, Interesting

    You're not alone.

    As somebody who has worked in the software industry for decades now, I find it stunning that the Slashdot beta project has not been terminated yet. It's a failure in every single sense. The users here almost all absolutely hate it. It looks worse than the existing site. It functions worse than the existing site. I think it's slower than the existing site. There is so much wasted empty space. The fonts are harder to read. The discussion is much, much more difficult to follow. It's harder to post a comment. Being forced to use it unexpectedly affects users trying to use the existing site!

    And those comparisons are to an existing Slashdot site that was Web 2.0-ified a while back, making it even shittier than the site that preceded it!

    While we should be accustomed to social media web sites shitting all over their users with bad redesigns, Slashdot is really taking it a step beyond with this beta site. I can sincerely see a Digg v4-style disaster happening again if the beta site goes live, it's just that bad. The beta will drive away the few remaining users of value.

    I sure hope that Slashdot does the right thing, and puts an end to this beta site project. Nothing good will come out of it, aside from lessons about what not to do. Everything about the beta site is just plain bad. Terminate the project, throw away the code, and move on. And do this well before the beta site ever replaces the current one!

    1. Re:The beta will kill Slashdot if it goes live. by Anonymous Coward · · Score: 0

      It really would be nice to hear an update from Slashdot administration regarding the beta. It goes back to October 1, 2013 when they asked feedback about the new site.

    2. Re:The beta will kill Slashdot if it goes live. by Anonymous Coward · · Score: 0

      Even if it isn't being said directly, I think there's an implicit message being sent based on how this whole beta project has been handled so far.

      In my opinion, that message is: "The Slashdot beta site will replace the current site sometime in the near future, even if it provides an inferior user experience."

      It's pretty clear at this point that just about everything with the beta site is flawed, and it's near-unanimously hated by all who have been subjected to it. It can't be salvaged.

      If the project weren't going ahead, then it would have been long gone by now. Users still wouldn't be subjected to the beta site as recently as today.

      Since we've only seen superficial improvements so far, none of which appear to solve any of the inherent problems with the beta site, I think we're just being gradually eased into accepting the new site pretty much as it is, bad experience and all. I anticipate that the switch will be thrown at some point soon, and this current site will be inaccessible.

      The most worthwhile commenters here will be driven away, likely leaving Slashdot as a mere shell of what it is today, which is itself a mere shell of what it was a few years ago.

    3. Re:The beta will kill Slashdot if it goes live. by Mashiki · · Score: 1

      It's funny, but this is the curse of "those who know best" and "you'll like it if we tell you to." See recent examples by Google, with G+, email, and 'tube commenting system. Universally hated by everyone, and they said fuck you. /. is doing the same thing. You can bet it'll be shoved down everyone's throat, and then they'll wonder why their viewership is dropping through the floor. Much like how google is wondering why ad revenue is falling through the floor on the 'tube, and their getting investigated for privacy breaches over their G+ "email anyone" crap.

      --
      Om, nomnomnom...
    4. Re:The beta will kill Slashdot if it goes live. by Anonymous Coward · · Score: 0

      Terminate the project, throw away the code, and move on. And do this well before the beta site ever replaces the current one!

      This.

      Dear Dice,
      What made you think it was a good idea? What's your bounce rate on the hostile redirects to beta.slashdot.org? Is it just office politics that keeps this beta thing alive? (If it's politics, and the guy who pushed for beta isn't in charge, why doesn't senior management realize what's going on? If it's politics and the pro-beta people are in charge but politically untouchable, why not just scrap the beta codebase, abort the project, and let them design something else from scratch? That way, they can still get paid and/or save their jobs, but at least the site that Dice bought and paid for doesn't get ruined, and it might be able to continue bringing in some marginal revenue.)

    5. Re:The beta will kill Slashdot if it goes live. by Anonymous Coward · · Score: 0

      As an alternative theory, I actually thought that after the feedback session they just figured that "wow, no one likes the changes, what are we going to do now?". And then the new site was just left sitting there, the actions to fix it being too burdensome to implement.

      This one does not, of course, explain why they have started to randomly redirect people to the beta lately...

    6. Re:The beta will kill Slashdot if it goes live. by Bearhouse · · Score: 1

      Gloriously offtopic, but spot on.

    7. Re:The beta will kill Slashdot if it goes live. by jd2112 · · Score: 1

      You're not alone.

      As somebody who has worked in the software industry for decades now, I find it stunning that the Slashdot beta project has not been terminated yet. It's a failure in every single sense. The users here almost all absolutely hate it. It looks worse than the existing site. It functions worse than the existing site. I think it's slower than the existing site. There is so much wasted empty space. The fonts are harder to read. The discussion is much, much more difficult to follow. It's harder to post a comment. Being forced to use it unexpectedly affects users trying to use the existing site!

      Completely screwing up something that has worked fine for years for no apparent benefit. That works for Microsoft, Google, Apple and others. Sound's like it's good to go.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
  7. Mangers? by Rick+Zeman · · Score: 1

    I guess you don't have much physical security when your servers are at a horse farm!

  8. Not "just as great", much greater by swillden · · Score: 2

    Insiders don't pose "just as great" a risk, they're by far the bigger risk.

    Nearly any attack vector usable by an outsider is also usable by an insider, but the converse is not true. This means that insiders are the primary risk to consider, in fact insiders are almost the only risk you need to think about. "Almost" because attack vectors aren't the only consideration, you also have to look at motivations and capabilities, and it may be that external attackers have motivations or capabilities that insiders do not. In most contexts, though, if you can protect against insiders, addressing the remaining external risks will be trivial.

    My day job is about securing a substantial database of very sensitive information, in a commercial context that has highly capable insiders. Insiders are, to a first approximation, the only attackers I think about. This sometimes annoys people who really want to say "But I can be trusted!" (but mostly are smart enough not to actually say it).

    In my previous job, I was a security consultant, working with many fortune 500 firms, and the same viewpoint was the right perspective nearly all of the time there as well. Of course, most clients didn't want to hear that, because protecting against insider threats is generally hard, tedious and unsexy.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  9. Stone Age by thcfrombe · · Score: 1

    The whole technical implementation of a credit card is flawed. The banking industry desperately needs another solution, magnetic stripe and pin is toast, magnetic stripe, pin and chip is also toast (man in the middle attack) and to do an online payment you have to provide a card number, pin code and CCV. On an internet which is full of personal information, provided by users or hacked out of badly secured databases. And instead of replacing what is flawed, insurances pay for the losses which are then charged back to users of the cards, by increasing fees or whatever. Yet, several institutions and countries mark Bitcoin as dangerous, it's a strange world we live in.

  10. Defending against inside attackers is hard by joh · · Score: 3, Interesting

    Really. You'd need military-grade security and strictly planned access levels -- and then look at what Snowden did.

    Even more, in most companies there's just no way to implement this. Data is just what they're working with and often the most basic security is bypassed or never implemented just because it's too bothersome while being without any immediately visible gain.

    Come on, every admin out there will know that just too well. Security against attacks from the outside, yes. Security against attacks from the inside? Forget it. People need to work with the data and even just to make sure that people have only the access they really need often is so much bother that nobody wants to start with that.

    1. Re:Defending against inside attackers is hard by 93+Escort+Wagon · · Score: 2

      Really. You'd need military-grade security and strictly planned access levels -- and then look at what Snowden did.

      Seems like we read, a while back, that at least some of what he grabbed was off a Sharepoint server - not exactly military-grade security.

      --
      #DeleteChrome
  11. Social Security Numbers? by deconfliction · · Score: 1

    We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret".

    I'm 38, my father is about twice my age. When I was a child I remember some philosophically strong arguments against the use of SSNs in any venue other than the government program they were created for. My father wasn't religious, though later I discovered myself the whole "number of the beast" thing (i.e. christian prophecy about things like the tattooed ID numbers on jewish prisoners of the nazis. To a lesser extent, the idea of humans viewed as consumer cattle by society. I.e. you can't buy or sell or basically function in society without providing your unique numerical identifier to help you be tracked to that level of detail.

    Now it seems we've infected south korea with our Social Security Number system. Que Sera Sera.

    1. Re:Social Security Numbers? by Dcnjoe60 · · Score: 1

      We need to get rid of the idiotic idea that quasi-public information like SSNs and CC numbers are "secret".

      I'm 38, my father is about twice my age. When I was a child I remember some philosophically strong arguments against the use of SSNs in any venue other than the government program they were created for. My father wasn't religious, though later I discovered myself the whole "number of the beast" thing (i.e. christian prophecy about things like the tattooed ID numbers on jewish prisoners of the nazis. To a lesser extent, the idea of humans viewed as consumer cattle by society. I.e. you can't buy or sell or basically function in society without providing your unique numerical identifier to help you be tracked to that level of detail.

      Now it seems we've infected south korea with our Social Security Number system. Que Sera Sera.

      It doesn't matter that it is an SSN. An SSN is basically a unique identifier and whatever unique identifier would replace the SSN, it is still just as unsafe for all of the same reasons. If all of your banking, credit card, purchasing info is tied to one unique identifier, then anybody who gets that info could steal your identity.

      The only real solution is to have separate identifiers for separate systems. That way if a system is compromised, only that one system is impacted. Of course, it would be as inconvienent as hell for the consumer, but that is the price of having an online presence, where everything about you is public.

    2. Re:Social Security Numbers? by ShanghaiBill · · Score: 1

      The only real solution is to have separate identifiers for separate systems.

      NO NO NO!!! This is NOT the solution. The solution is to use identifiers for IDENTIFICATION and to use something completely different for AUTHENTICATION. Identifiers, by their very nature, are public or quasi-public information, and knowledge of them should never be used to authenticate anything.

    3. Re:Social Security Numbers? by plover · · Score: 1

      This is the answer. Your identity never was, and still is not a secret. Only your authorization to draw money from your bank account needs to be reserved to you alone.

      Chip and PIN does a good job of this. The card will readily give up your identity, but that's not a problem. It requires you to enter your PIN into that exact chip that provides the authorization to access your money, and that authorization is tied to one and only one transaction.

      What it does not do is defend against the insider threat. The opposite end of the Chip and PIN cryptography needs to terminate in a Hardware Security Module that can't be tampered with, even by the bank employees.

      --
      John
    4. Re:Social Security Numbers? by Dcnjoe60 · · Score: 1

      The only real solution is to have separate identifiers for separate systems.

      NO NO NO!!! This is NOT the solution. The solution is to use identifiers for IDENTIFICATION and to use something completely different for AUTHENTICATION. Identifiers, by their very nature, are public or quasi-public information, and knowledge of them should never be used to authenticate anything.

      That is what we currently have. Target was hacked and the identifier and the code for authorization was stolen. My authorization code for Discover Card is totally different than VISA. However, if I used my Discover Card at Target (or evidently in Korea), then it is no longer secure and purchases can be made with it. In addition, since most online sites use your credit card to validate that you are a real person, the theives can validate as me on sites I have nothing to do with. At that point, they can do all sorts of damage.

      So, unless I am misreading what your are saying, what you describe is the current situation.

    5. Re:Social Security Numbers? by Dcnjoe60 · · Score: 1

      This is the answer. Your identity never was, and still is not a secret. Only your authorization to draw money from your bank account needs to be reserved to you alone.

      Chip and PIN does a good job of this. The card will readily give up your identity, but that's not a problem. It requires you to enter your PIN into that exact chip that provides the authorization to access your money, and that authorization is tied to one and only one transaction.

      What it does not do is defend against the insider threat. The opposite end of the Chip and PIN cryptography needs to terminate in a Hardware Security Module that can't be tampered with, even by the bank employees.

      Chip and pin won't correct what happened with Target. As long as the pin is constant. Most commercial bank customers, at least in our area use a key fob that generates a unique pin and changes every minute. My bank knows me by a certain user name and password. That combination is unique. But even if that were hacked, with out the separate key fob tied to that unique combination, you still cannot authenticate.

      But, unless the CC is going to have a screen for the randomly generated pin, all you are doing is substituting a chip for the mag stripe. In the case of Target, it wouldn't have made a difference, because it wasn't the physical reader that was hacked, but the database containing all of the IDs and validation pins. The database doesn't care where these come from (mag strip chip) and neither did the hackers. As long as you have both, they can use it.

      While mag strips aren't very secure and could easily be duplicated, chips in cards only protect stealing info from the card reader. Most online purchased don't use a card reader. And, it is unlikely that credit card companies and retailers will maintain two systems, one for instore purchases and one for online purchases. As long as somebody is storing your credentials in their database, things won't be secure, at least not without some way to generate one use only pins that expire.

      Wit Target, and evidently Korea, it wasn't that the cards weren't secure. It was the database that held the transactions wasn't secure.

    6. Re:Social Security Numbers? by Anonymous Coward · · Score: 0

      Chip and pin won't correct what happened with Target.

      Yes it would. You seem to think that the chip simply stores the data like a magnetic strip. Thats not correct.

      With chip embedded cards, the merchant does not collect enough information to charge the same card at a later time. The merchant (or a theif of the merchant's data) would have to obtain the card with the chip and also know the 4 digit PIN to charge the customer without their knowledge.

      US Banking and payment security is very weak in the US. Here in Canada, most stores will not even take a Credit card for payment unless it has a chip on it. I dont know why US merchants are not demanding chip technologies from your banks and financial providers or why the citizens are not requesting theses institutions to protect their information from theft.

      An even more secure solution is to use Bitcoin. There is no known way to charge a customer at a later data when the initial transaction was made through Bitcoin. And this does not depend on any merchant or the payment network controller. With Bitcoin, nobody can move your funds without your private key, and there is no need to disclose the private key to anyone to us it.

  12. South Korea uses SSNs? by RubberDogBone · · Score: 1

    South Korea uses SSNs? AND they misuse them just like the US?

    This is baffling. Any decent country would look at the way the US uses these numbers and learn from our mistakes. I.e. have a number but don't make it the key to unlock credit or subject to tax refund abuse or any of the dozens of other ways SSNs are misused.

    --
    Sig for hire.
  13. The price of top notch security is too high by millertym · · Score: 1

    It's fairly easy to get to 'mostly secure' with off the shelf appliances and training/education. But each percentage more secure a network becomes beyond that point becomes exponentially more expensive in both IT implementation costs and user productivity lost. Unfortunately this cost is too much for a very large percentage of companies when it comes to their overall profitability from both the implementation and productivity end.

    Personally I think the corporate world needs to shift away from maintaining any sort of data that should be considered 'highly sensitive' in the first place. Instead of such data being desired, it should be shunned. And only in the most required of circumstances allowed by leadership. As it stands now leadership is grasping for this highly sensitive data like random citizens grasping for cash falling from an overturned armored truck on a bridge - and they don't want to put the money and resource into keeping it safe.

  14. Bring back respect and job security by Bearhouse · · Score: 1

    OK, ensure that punishment fits the crime by all means, and crooked employees have been yielding to temptation for centuries.
    Still, I can't help thinking that maybe, just maybe, if financial institutions developed their employees properly, and had enough of them, plus paid them just a fraction of their traders and CEOs, then they would have loyal, competent and trustworthy staff instead of having to rely on contractors.

    Hey, they might even not have to spend that much money; I've been in plenty of situations where there were dozens of contractors, and not one of them costing less than 1000 per day...and usually plenty more than that.

  15. Contractors! Contractors! Contractors! by Anonymous Coward · · Score: 0

    I see a pattern here -- "contractor", "temporary consultant", "external employee", and so on.

    You tell your workers up front that you don't give enough of a fuck about them to actually hire them. Then, you feign shock and indignation when it turns out that they don't have your best interests at heart. Yes, you really must be that fucking stupid. Reap what you sow, bastards, and I will shed no tear for you.

  16. When will they learn by Anonymous Coward · · Score: 0

    Repeat after me: “Security is a process, not a product.”

  17. Good defense by manu0601 · · Score: 1

    They managed to arrest the guy, that is good defense. Who want to steal stuff if the outcome is guaranteed to be jail?

    1. Re:Good defense by Shalhav · · Score: 1

      They managed to arrest the guy, that is good defense. Who want to steal stuff if the outcome is guaranteed to be jail?

      Most criminals don't think long term, or think they'll get caught. For that matter, humans in general are only partly influenced by reason.

    2. Re:Good defense by manu0601 · · Score: 1

      Sure, but I bet there would be more criminals without the fear of punishment.

  18. Bitcoin Users Not Affected by Anonymous Coward · · Score: 0

    Luckily, South Korea is soon to have its first VC-backed Bitcoin exchange. Soon such privacy breaches will be a thing of the past.

  19. Why are they saving this info? Hmmm by Anonymous Coward · · Score: 0

    Maybe its time retail companies didn't record these things for posterity? Rather a record of the transaction, and a one-way hash of the last 4 numbers of the CC, but never the CC number in total or the expiration. Are these retail parties keeping this info to sell demograpic data?

    Its time for a change here too. JW

  20. south korea has by Anonymous Coward · · Score: 0

    social security?