100,000 More Social Security Numbers Exposed 325
ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."
Credit report monitoring (Score:5, Insightful)
Define "breach" (Score:5, Insightful)
-Charles
Terrifying quote ... (Score:5, Insightful)
That they weren't even willing to listen when someone pointed this out to them is appaling.
I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.
They dont want o pay for syadmins (Score:2, Insightful)
Re:Credit report monitoring (Score:5, Insightful)
Why stop there... if my identity is stolen through the theft of their ideas; and someone cleans out my accounts the LAST thing I'm going to care about is them paying for "monitoring".
I want them to pay for the damages they caused by essentially being an accomplice to the thieves.
Sophisticated? (Score:5, Insightful)
I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.
I think they are lucky to not have been visited by some real "sophisticated hackers"...
When will they learn (Score:0, Insightful)
Get your free MacMini [freeminimacs.com]
Re:Credit report monitoring (Score:5, Insightful)
You can't cover your ass if you screw up big time? It's simple......you......should.....NOT......be.....a
They don't get paid to be secure. (Score:2, Insightful)
The more people they sell to, the more money they make.
In
this case, keeping your data secure costs money, so it just doesn't pay.
Oh, you think they should care about you? For a price, maybe they will...
Yeah, it's insecure. So? (Score:4, Insightful)
Do you think it's bad that PayMaxx shows people's personal information on the web? Of course it is. But how about if you get it legally from the IRS instead [irs.gov]?
Re:Define "breach" (Score:2, Insightful)
Yes. Anybody who thinks there's a difference between those two choices shouldn't be allowed to set security policy, data retention policy, or have input into the design of any web application on any system that stores private (personally-identifiable) customer data.
I'd go further: they shouldn't be allowed within an airgap's distance of any system with confidential data on it. If you cannot explain, or worse, if it takes you less than 30 seconds to explain the distinction between poor design and being cracked, you, and everyone who works under you, use the sneakernet.
If you can't explain the difference - it's obvious that you're too clueless to be trusted with customer data. If you can explain the difference in soundbite fashion: "It's always because we were hacked!", you're part of the PR operation, and have been trained to speak in soundbites, and you're too slimy to be trusted with customer data.
If you come up with this post -- starting with a one-line quip, and then taking more than 30 seconds to explain it -- you might be enclued enough to come up with a trustworthy design that might be worth looking into implementing.
Re:As this becomes commonplace... (Score:2, Insightful)
It certainly does...along with just about everything else that requires you to furnish proof of your identity.
If people can't be bothered to pick a secure password, there's no way they'll be able to keep up with a scheme like the one you've just outlined.
Now, if you ask me if I have a better idea, sadly, the answer is no. If I did have a better idea, I'd be making money off it by now.
Caveat Webitor is pretty much the only suggestion I have on the topic, and it's woefully inadequate.
Not to worry! (Score:5, Insightful)
Re:Fingerprints/retnal scan (Score:2, Insightful)
and they'd probably sell that information as well, so other services can verify your fingerprint too...
so, we're back at square one.
Re:Define "breach" (Score:4, Insightful)
It means they were sloppy. People play with URL strings all the time.
It's trivial, especially so in ColdFusion, to make sure that the browser you authenticated is the only one you'll serve a particular document to. PayMaxx and their developer were negligent here without question.
common sense (Score:1, Insightful)
Everyone is just piggybacking off of the social security administration.
Atleast they could have created a password to use with your ssn so no one else can use it with the password instead of just knowing it.
Re:Credit report monitoring (Score:2, Insightful)
Casinos have to have enough cash on hand to cover every chip in play (at least in Nevada)...why can't data warehousing companies be held to at least similr expectations? It would certainly provide a little incentive for them to actually try to secure the data...
Re:Credit report monitoring (Score:3, Insightful)
Re:Uh oh... (Score:5, Insightful)
I liked the way how he subtly hinted at the folly of using identifiers as passwords. An identifier is supposed to be public (akin to a login)... but it is increasingly being treated as a password....something which it was never designed to be.
I have the same problem with credit card numbers too. They aren't supposed to be secret - a variety of persons have an opportunity to read/record/duplicate them every time you use it at a restaurant/merchant/online/etc. There should be some other "secret" mechanism to (the written signature is overrated, outdated and ineffective) Some debit cards do require a PIN (unfortunately not always), which is the proper way to go about it (assuming the swiping mechanism, keypad etc are not rigged).
If enough news outlets spread awareness about this issue and enough people stop treating their SSN's as a secret or atleast protest against businesses using them as an authentication mechanism, maybe we could have a better system.
Re:But will this matter... (Score:4, Insightful)
S.U.C.K.E.R.
First off: By his own acknowledgement, a self-directed system of investment does nothing to resolve the financial problems facing social security.
Secondly: The problems facing social security are a direct result of decreases to taxes which require decreases in social spending.
Thirdly: Social Security is SUPPOSED to be money you can't fuck up. Its supposed to be money that isn't at risk. That's the definition of the word "SECURITY" you dumbass. If you turn it into "Risk Capital" you've got no security at all.
Do you also like the idea of homeless old people? Because if you get rid of social security that's EXACTLY what we'll have again. (Yes, its what we had before Social Security).
Once again the administration has fooled the gullible American public into believing that a correlation exists between his policy and some impending problem. World Trade Center get attacked? Let's invade Iraq. (total non sequitor). Social Security in Financial Jeopardy? Let's create private accounts. (and another non sequitor)
Want to control how your money is invested? Open a friggin e*trade account. Want to synthesize a bull market so you and your banker buddies can get rich? Flood the market with the biggest private investment in the history of the world.
I call bullshit. And so should you.
When will you dumbasses learn.
Re:Socials? (Score:5, Insightful)
Think about the following, in terms of being a terrorist, or just someone who wants to gain illegal entry into a country un-noticed:
With a W-2 (which is a statement of income for last year, I presume, like a T4 in Canada where I live) you now have:
- A valid name of a US Citizen
- That citizen's SSN
- thier place of employment complete with job title
- last years earnings, which should allow you to look the part if you decide to impersonate them
- thier home address
All of this put together would allow for the easy forging of identiy papers. Yup, it could allow a terrorist un-fettered entry into the US with a great degree of anonymity and secrecy.
Hi, Mr. Rumsfeld - feeling OK now?
Soko
Use of SSN fundamentally flawed. (Score:5, Insightful)
The fact that this (very real) failure by PayMaxx to protect thier customer's privacy escalated into the potential for identity theft is the fault of the government not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.
Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to public and private at once, this is bound for failure.
For years, the "solution" to this problem has been to avoid giving-out your SSN unless at all necisarry. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necissary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If an computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!
The government needs to step up and institute a new secure way to authenticate people, as well as begin a campain to inform the public that SSN are not suitable for authentication, by any organization. We cannot expect to have any security of identity if everyone in the country autenticates our identity using a fundementally flawed manner.
Re:But will this matter... (Score:1, Insightful)
The plan is supposedly 1/3 of the current payroll tax that you are responsible for (6.2% of your payroll; the company you work for is responsible for the other 6.2%) will be allowed to be diverted into private accounts.
Do the math.
In the year 2000, the average per capita income was $42,000 per household.
$42,000 x (1/3) x 6.2% = $868 per year
If you work for 30 years,
$868 x 30 = $25140 (assuming no interest or income increase of course).
Lets say you made out like a king on your interest/payroll increses and your account had even $50k in it. What good is that going to do you over your next 20-30 years of retirement life? Absolutely squat. Plus you'll have the proportion of people who are too stupid to manage that $50k themselves and they will blow it.
In short, people are dumb, and they need SS to provide them at least enough to pay a heating bill and buy food staples.
Re:Free credit reports... (Score:3, Insightful)
Re:Use of SSN fundamentally flawed. (Score:5, Insightful)
State and local governments, businesses, and eventually the military decided that since everyone had a unique SS number, they could save themselves some money and effort by simply requiring everyone to use their SS number as an ID number.
This is an incredibly STOOPID idea that 2600 magazine has been preaching against for many years now.
In short, I'm sorry, but you are mistaken in blaming this on the government.
Re:Credit report monitoring (Score:3, Insightful)
Instead they'll will waste time and money passing more laws against those who misuse these shoddily protected servers in a classic "close the barn door after the horse has escaped" federal maneuver.
Do Over! (Score:3, Insightful)
I think its time to adopt something like a Sweden model of smartcards for a national id.
No smartcard is worth its salt without a personal user-definable PIN number.
And forget this Bio-authentication crap. Bio-authentication is never revokable once stolen.
Re:Use of SSN fundamentally flawed. (Score:2, Insightful)
It should have never been allowed.
Re:Yeah, it's insecure. So? (Score:2, Insightful)
Dump SSN for authentication (Score:4, Insightful)
Re:But will this matter... (Score:2, Insightful)
Actually, the problems facing Social Security have nothing to do with tax cuts, but instead with the facts that...
(A) Social Security is a pay-as-you-go program with a fundamental disconnect between inflow and outflow (benefits owed are not related to inflow).
(B) There is not and never has been a "trust fund"; instead, the money was promptly borrowed and spent in lieu of additional general revenue.
(C) The "baby boomers" are about to become extremely numerous retirees compared to the number of workers paying into the system.
(B)'s role is making it difficult to solve (A) and (C). By 2018, courtesy of (A) and (C) benefits owed under the present system are projected to exceed inflow, which means that general revenue will need to be used to replenish the "trust fund" that should be there, but never has been.
It's a pathologically absurd system in which those making more money pay in at a lower tax rate (due to the backwards system of capping taxable income rather than a floor of tax-exempt), outflows are not means-tested (will Gates need his SocSec? Will Buffett? Surely it makes sense to redirect the outflow constrained by limited inflow to those who need it!), and it's pretended that Social Security money is somehow separate when in fact it's been mingled with general revenue for years and will need to be replenished from it.
Re:As this becomes commonplace... (Score:3, Insightful)
Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.
As pointed out, the thieves would just steal all the information, however, I think this could be worked into a partial solution. When all this information, and more, is recorded by the company to check your identity and processes your request, they should do a consistency check. They should have access to several databases and make sure all this information is consistent with itself including your current address, phone number, job, etc. If it's not consistent then a more formal procedure can be put in place to investigate possible identity theft and/or make you records consistent.
Of course, some people would not like such a scheme because it may decrease our amount of privacy. (Or at least make it more obvious how much privacy we have already lost.) Also, there is the difficulty of keeping peoples records consistent between several different databases and which databases to use. It may require some government infrastructure which could further reduce privacy. However, it would make identity theft much more difficult.
criminal penalties (Score:3, Insightful)
Why does someone HE have YOUR information? (Score:4, Insightful)
This is not really a new problem. Technology has just changed the way we deal with it. Before all of this computerization, if someone wanted to know about you, they had to ask you questions. The dialog might go like this:
Nowadays, you are not involved in any of this process. All of your personal information is flowing around behind the scenes between companies that trust each other, but *NOT* you. However, the amount of personal information is increasing to the point that the resulting questions might be more like this:
The catch is "our records" really is "your records" that they have collected without mentioning to you.
Solution: We need a legal principle that it is *YOUR* data and it is *YOUR* right to decide who knows it and what is done with it. (This is actually implicit in the Fifth and Sixth Amendments of the Bill of Rights.) We also need a technical principle that *YOUR* data should be stored on *YOUR* own computer. (This is the old "Possession is nine points of the law.")
How it works: If someone wants to record information about you, they should contact *YOUR* computer and store it there. They can include whatever signature they like to insure that you can't tamper with the content. They can include a binding request that you back up the data. However, if they want to see that information later, they must ask *your* computer to provide it, and *your* computer will only provide the information if *YOU* agree. (Actually, this means you would define privacy policies for your computer to enforce, including such things as "doublecheck with me anytime someone claims I owe them more than $10", etc.)
Re:But will this matter... (Score:3, Insightful)
Sort of. The SSA is required to put excess revenue into US Treasury Bonds. So looking at the SSA as a seperate entity, there is a trust fund in the form of many many bonds.
Now taking the US government as a whole, the money doesn't exist because we've been running deficits practically consistently since Vietnam.
Here's the thing though. The bonds held by the SSA are the same as any others. They are binding and if the government were to default on even the internally held bonds, the whole house of cards comes crashing down.
Re:Use of SSN fundamentally flawed. (Score:4, Insightful)
There are many who are responsable. However, PayMaxx KNOWS WELL the problems they create by leaking SSN and other data. You'd have to live under a rock to NOT KNOW it's a serious problem that can cost someone thousands of dollars and hundreds of hours. The problem was repeatedly brought to their attention and they willfully ignored it.
They are not alone in their negligence, but they sure seem to be leading the pack at the moment.
The real solution would be for the courts to acknowledge the facts of the matter. That is, SSN proves nothing, and DL proves little or nothing.
Given that, credit cards, etc have literally NO idea who they are lending money to. Given that, before making any disparaging remarks on someone's credit reports, or make a single harassing phone call, they had better have a photo of the person with the signed credit application in hand, and they'd better make sure it matches the appearance of the person they're pestering. If not, they may be guilty of harassment and and libel and should be treated accordingly.
SSN as an ID is just fine (Score:2, Insightful)
Using an SSN as an ID is just fine. As the grandparent comment points out, however, the issue is in authentication. In theory, if I have your SSN, I should be able to do no more than refer to you. Sure, I might be able to get information about you with that information. What should never be allowed to happen is to pretend to be you. But if I want into a bank and produce some faked ID and give your SSN I can open an account in your name (with my fake of your signature on the signature card) and put in $250. Then when the checks arrive, I can write a whole bunch at once all over town, for small amounts ($100 here, $200 there) totalling thousands, and disappear with the goods, leaving you to clean up the mess in some town 1000 miles away from where you really live that you've never even been to. The fact that the bank ass-u-me-s I was really you is the flaw in the system.
There should at least be a law that says if you deny being the person who opened the above account, then that bank must produce proof that you (and not someone with your info) actually opened the account and passed the bad checks ... or drop the matter with respect to affecting you. Such a law should cover all businesses that use SSNs in any way, shape, or form. Of course, then banks will have to cover their ass and require fingerprints and photos to open an account.
A 25 year minimum mandatory prison sentence for conviction of identity infringement would help put a stop to this.
Then we still need to deal with the sloppy businesses that let identity infringers do this. Triple corrective costs, plus legal expenses, plus punitive to a million dollars, would send a clear message to such businesses ... as clean as driving an ice pick in their eyes.