Forgot your password?
typodupeerror
Privacy Security IT

Data Theft Soars to Unprecedented Levels 116

Posted by Zonk
from the never-been-easier-to-be-someone-else dept.
A Wired article reports on data loss in 2007, and the numbers aren't good. Credit card and social security theft was at an all-time high, with even more losses expected in 2008. Information thieves, it seems, are just one step ahead of IT security. "While companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment often is too little too late. 'More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be,' said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity theft victim herself."
This discussion has been archived. No new comments can be posted.

Data Theft Soars to Unprecedented Levels

Comments Filter:
  • by Slashdot Suxxors (1207082) on Sunday December 30, 2007 @09:20PM (#21860990)
    Just provide your credit card number to me and I will make sure no one steals it.
    • Once Throwaway Numbers Become Common I Will.
    • Re: (Score:3, Insightful)

      by peektwice (726616)
      You joke, but this type of problem is real. The reason spam continues to proliferate is because it, on some dark, evil plane, works. People answer it or by the products it hawks. The reason malware sites, such as the type of phishing sites you quipped about, continue to work, is primarily because people are easy marks.
      Now if you'll excuse me, I have to click this link that says my PayPal account needs updating.
      • I don't know about the rest of you, but I'm not a rich guy, and I'm a slave to debt just like most people. If the financial sector goes to hell in a hand basket and stops being sustainable, I'm not going to be losing anything.

        On the other hand, I'm smart, talented, healthy, educated, a problem solver, a useful person to have around. I don't rely on the interest return on my massive holdings to sustain some overinflated lifestyle.

        So, why should I give a shit about these problems? Seems like it will make m
        • by timmarhy (659436)
          are you kidding me, on the one hand you say your a slave to debt and on the other you don't think it will effect you?

          If the financial market goes to shit who are you going to borrow money off to sustain that debt? what if the banks call in all your loans (as they are entitled to do) would you be able to pay them all out tomorrow?

          more importantly, is someone stole your identify and racked up $10k in debts in your name, how would you feel about it? you'd be pretty stressed i imagine, so don't kid yourslef i

          • Worst case, I'd tell them to go to hell, go grab some land that someone used to own before everything went to shit but no one is actually using, build a house, grow some food, have some kids. If those services collapse, no one will be telling me I can't.
          • If the financial markets (nearly) completely go to shit then everyone will be in the same boat and the only way out will likely be a national jubilee http://en.wikipedia.org/wiki/Jubilee_(Christian) [wikipedia.org].

            There is talk of this happening along with other major financial changes because of how badly the financial markets in the US and elsewhere have been screwed up.
  • by lobiusmoop (305328) on Sunday December 30, 2007 @09:27PM (#21861032) Homepage
    This seems like a consequence of being able to carry gigabytes of data around in your pocket. It is probably all too easy for the odd database to duplicate into an employee's thumbdrive these days I suspect.
    • I'd argue that it was an effect of the growth of online transactions and companies retaining that data without proper safeguards more than a consequence of higher data capacities. The thumbdrives' capacity no doubt enable an employee to walk out with an entire database. There should only be a few people in an organization who have the access to do such a thing though. Even better would be a policy of not retaining any personal information such as credit card, SS, etc.

      Required car analogy: It's
      • Actually, I blame the problem squarely on the lack of motivation that financial institutions feel when it comes to preventing fraud. They can suck it up as a cost of doing business, but poor shmucks like us can end up dying a few years sooner because of the stress involved in fixing one's credit history.

        Instant credit without true identity verification is the problem here. Social security numbers and other PII are worth stealing because credit is so easy to obtain, including in someone else's name. Come
      • by dave562 (969951)
        Even traditional companies are retaining credit card information by default. I ordered a pizza from Round Table the other day and they asked me if I wanted to use the same card that I used last time. I drove down there and told the manager to delete any of my personal information and asked him where I ever signed anything or in any other way authorized them to retain my credit card information. Of course he wasn't able to provide any such documentation. I will never be giving Round Table my credit card
        • by mpe (36238)
          Even traditional companies are retaining credit card information by default. I ordered a pizza from Round Table the other day and they asked me if I wanted to use the same card that I used last time.

          Which is something they should never be doing.

          I drove down there and told the manager to delete any of my personal information and asked him where I ever signed anything or in any other way authorized them to retain my credit card information. Of course he wasn't able to provide any such documentation.

          Prob
  • Something fishy... (Score:5, Insightful)

    by creimer (824291) on Sunday December 30, 2007 @09:27PM (#21861036) Homepage
    Is data theft at an all-time high because of hackers or just dumb companies not encrypting their backup data that gets lost in transit?
    • I lost my credit card information logging into slashdot once...
    • by omeomi (675045)
      Or laws that don't adequately punish companies for losing personal data, or at least allow for civil suits. My SSN was lost twice last year, both by large organizations, and I had no choice in giving either of them my SSN. One of them had it for health insurance reasons from when I was a child, and the other one was a school I attended. I think it's ridiculous. There's no reason that companies, schools, and other organizations should be able to lose tens of thousands of social security numbers and basically
      • by QuantumG (50515)
        For those of us who don't live in your brain dead country, any chance you could explain what an SSN is, and what it is good for? If it is such an important magical number that you need to keep secret at all times but are required to give over to people who you don't trust maybe, just maybe, it is a stupid idea and not the fault of the health insurance companies or schools you have attended if it gets misused. That said, in my brain dead country you can get someone's electricity turned off if you know thei
        • by Torvaun (1040898)
          It's the U.S. analog to the Canadian SIN, and it's not really good for much other than being stolen, and taking your identity with it. Originally, it was intended to only be given to employers, so that they could appropriately give your money to the government, with the promise that it would be given back when you were retired. In fact, it was expressly stated that the SSN was not to be used as it is now being used, but like so many other things, this has been ignored more and more over the years.

          Yes, it
        • by mpe (36238)
          That said, in my brain dead country you can get someone's electricity turned off if you know their name, address and date of birth.

          You don't even need to know their mother's "maiden name"?
          I suspect that impersonating someone by knowing facts about them only actually works for some people. If you are well known or important enough there are actually secure available. Otherwise every celebrity's house would be easily identifiable by the presence of a generator... (A generator with a very large fuel tank in
        • If it is such an important magical number that you need to keep secret at all times but are required to give over to people who you don't trust maybe, just maybe, it is a stupid idea
          No shit. It's very stupid.

          By the way, accurate summarization of what a SSN is. I will be updating wikipedia article shortly.

      • by mpe (36238)
        My SSN was lost twice last year, both by large organizations, and I had no choice in giving either of them my SSN. One of them had it for health insurance reasons from when I was a child, and the other one was a school I attended. I think it's ridiculous.

        Why did either of them need it in the first place? Quite often when it comes to these kind of "loses" there is little rational reason for several of the fields being in the database. In the extreme this applies to the whole database.

        There's no reason th
    • Is data theft at an all-time high because of hackers or just dumb companies not encrypting their backup data that gets lost in transit?

      No, it's because we're using shared secrets (hey look, an oxymoron!) to establish identity.

      As far as your finances are concerned, anyone who knows your name/birthdate/SSN/address/card number/etc is *you*, and can do pretty much anything you can do. And of course anyone you do business with knows enough of these things that they or anyone who steals their database can pr

      • by mpe (36238)
        No, it's because we're using shared secrets (hey look, an oxymoron!) to establish identity.
        As far as your finances are concerned, anyone who knows your name/birthdate/SSN/address/card number/etc is *you*, and can do pretty much anything you can do.


        A rather fundermental part of the problem is that none of these actually are "shared secrets" in the first place. Technically they are what is know as "identifiers".
        In some cases, especially with web based systems, it can be possible to hack in actual shared sec
    • Considering the number of cases I've seen where it's a bunch of tapes with millions of social security data on them handed to an intern for the night...
      "Were they encrypted?"
      "No."
      "Why not?"
      "..."
  • One step ahead..? (Score:4, Insightful)

    by ricebowl (999467) on Sunday December 30, 2007 @09:29PM (#21861040)

    I don't know what the trouble is with the 'myminicity' thing, so I'll just comment on the synopsis.

    It has to be noted that since much data these days appears to be stored unencrypted, or removed from the premises by 'interns,' that much of the populace is 'one step ahead.' The advantage the bad guys have, beyond institutional stupidity and negligence, is that there's so many of them willing to exchange the data once acquired.

    • myminicity.com is an online game, where the city grows as you get people to visit your city (by clicking a link to it). AC's are posting links to their cities all over slashdot, disguised as tinyurl or the like links.
    • by OECD (639690)

      The advantage the bad guys have, beyond institutional stupidity and negligence, is that there's so many of them willing to exchange the data once acquired.

      Huh. So the more "open source" approach of the crackers is beating the "closed source" defensive model of the defenders?

      I'm not a zealot one way or the other (in particular I've always thought that "security through obscurity" actually has some value) but that point seems telling.

  • by LiquidCoooled (634315) on Sunday December 30, 2007 @09:29PM (#21861046) Homepage Journal
    We hear about CC theft a lot and I am sure it does occur, but most of the time its embarrassment which is the real culprit.

    "darling, the CC company says we owe them $2400 dollars."

    "thats nonsense, I barely use my CC"

    "it says there were hookers, gallons of gin and a blackjack tableset ordered to an address in Nevada."

    "OMG it must have been the waiter in the diner I went in on the way to the 'conference' with work! (pray you are saying it with a straight face)" ...
    • Oh! So you're saying credit card fraud fraud is skyrocketing!
    • Re: (Score:3, Interesting)

      by gmack (197796)
      You laugh but I used to work for a small credit card processing company and that was exactly the reason for many, many charge backs.

      wife: Honey what's this charge for porn on our creditcard?
      man: Oh you know I would never look at THAT. Someone must have stolen our credit card.
      • by Kjella (173770)
        Heh, I'm sure the porn vendors have figured out discrete billing by now. I bet it goes more like:

        wife: Honey do you know what this charge on our creditcard is for?
        man: Never heard of them. Someone must have stolen our credit card.

        Not that I understand how you manage to avoid finding free porn on the Internet.
  • Not a big surprise (Score:5, Insightful)

    by gta3mobster (1096151) on Sunday December 30, 2007 @09:36PM (#21861084)
    Irresponsible data handling by employees at retail stores probably contributes quite a bit.

    One of my friends went dumpster diving at Compusa. On top of finding almost every cable you'd ever need to hook anything up, he found over 70 pages of daily reports disclosing full credit card numbers, expiration dates, first/last names, and card company. Personal checks that were used during that day listed the account #, routing #, first/last name, birthdate, drivers license #, address, phone number, and probably some other stuff. He found this on two separate occasions, with over 300 cards listed total. None of the papers were shredded/torn either. He didn't intend to find this stuff - Imagine how easy it must be for somebody who actually wants the information!

    The majority of the population doesn't understand how seriously security needs to be taken when venturing online to make purchases. If people understood going onto unsecured networks/etc was pretty much the same as leaving your credit card/checkbook in the front seat of your car, leaving the doors unlocked, and parking it in a bad neighborhood they might take security more seriously.

    Sure - Most of the time if you leave stuff in your car unsecured, it'll be there when you get back. But there's always that small chance it'll get stolen.
    • Yet another reason to be thankful that CompUSA is going under.
    • Makes you wonder how much of the Info "stolen" off "the computer" or "the internet" was really just thrown into a dumpster don't it. I have been fighting with people at work to shred everything if they shred anything.
      • by mpe (36238)
        Makes you wonder how much of the Info "stolen" off "the computer" or "the internet" was really just thrown into a dumpster don't it.

        Most of which may well have been "in a computer" before being printed...

        I have been fighting with people at work to shred everything if they shred anything.

        Let me guess, instead they want some policy for only shredding the stuff which matters. (It also dosn't help that there are some strange attitudes towards paper recycling around.)
    • by kc2keo (694222)
      I used to work at CompUSA (which I mentioned before and was the worst job I ever had) and saw firsthand the mishandling of private information of customers. The hardware I saw thrown out was shocking. Lots of hardware was usable in some way. Service requests were not shredded (can't remember a shredder being in the store). Thats how I got my nice HP machine for almost nothing (had to replace the system board for $140.00). The machine is 2.8GHZ Intel P4 HT... etc.. Still using it and functioning well. I'm pr
  • by LaughingCoder (914424) on Sunday December 30, 2007 @09:38PM (#21861098)
    has itself grown in size to unprecidented levels, I suppose it shouldn't be too surprising that data THEFT has also grown to unprecidented levels. The real question is, when normalized for how much data is "out there", is data theft getting more or less rampant?
  • by schwit1 (797399) on Sunday December 30, 2007 @09:41PM (#21861108)
    Knowingly having an unsecure system or not doing basic security due-diligence causes penalties, a second offense and you lose your business license.
  • by Blittzed (657028) on Sunday December 30, 2007 @09:42PM (#21861110)
    The post states that "Information thieves, it seems, are just one step ahead of IT security.". I disagree with this, but it all depends on your definition of IT security, mine being more on the tech side in relation to protection, countermeasures and network forensics. The article really does not make any claim that IT security is at fault, but rather that counter measures to known threats are not being empyloyed. In relation to the quoted statement above, I would say that information theives are five steps ahead of those of don't take measures to protect against threats, rather than being ahead of IT security. I guess it could be argued that IT security is indirectly responsible, or failing, as user education and policy are major parts of protecting corporate networks and data. The failure in these cases seems to be more related to a lack of user knowledge or failure to adhere to policy / weak policy, rather than a complete inability of IT security to protect information. Everyone knows that the internet is a dangerous place (TM), even my grandma. For those in government, schools etc to have data stolen and claim that they didn't know about the risks posed of using online data systems is just plain stupid. According to TFA, the biggest theft of information occurred due to the use of a wireless network. "What! Wireless isn't secure? I had no idea!" Only if you had your head firmly wedged up your own back passage could you as a security professional, or even semi professional ;) claim that you had no idea of the many vulnerabilities of wireless networks...
  • RSA Secure ID... (Score:4, Insightful)

    by hxnwix (652290) on Sunday December 30, 2007 @09:42PM (#21861112) Journal
    The feds could initiate a program under which all citizens are issued key fobs similar to RSA Secure IDs with verification similar to that required for a passport. Without this fob, one could not open any sort of bank account or acquire a credit card or loan... The program could allow one to specify various levels of rigor beyond this basic minimum, such as pin+fob key verification to complete any sort of electronic monetary transaction.

    It works for managing access to top secret material, hundreds of billions in monetary instruments and the most vital systems of companies in every industry worldwide... I suppose that on an individual basis, any person's assets, credit and livelihood just aren't as important. Or, perhaps the very industries that protect themselves with this system just don't give a fuck about their consumers.

    If these folks were landlords, they'd tell every criminal they could find who you are and were you live, and they'd refuse to install a lock on your door.
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      The feds could initiate a program under which all citizens are issued key fobs similar to RSA Secure IDs with verification similar to that required for a passport.

      As much as I like RSA keyfobs, they are pricy. Presumably you would get a better price when you buy millions of them though.

      However, I'm betting that 5% of the population are going to lose their keyfob every year, 5% will forget the PIN, and another 5% will write the PIN on the keyfob.
    • by RAMMS+EIN (578166)
      How does having your RSA SecureID stolen improve your situation over having, for example, your credit card stolen?
      • by hxnwix (652290)
        It adds another factor. Unless you also give the thief the pin associated with the fob, the fob is utterly useless.
    • The feds could initiate a program under which all citizens are issued key fobs similar to RSA Secure IDs with verification similar to that required for a passport ... It works for managing access to top secret material

      I salute your dongle scheme, sir, and the clever way you slipped it past prior commentators. I too have never heard of counterfeit passports or leaks of top secret material. As for hundreds of billions in monetary instruments, I am confident that the alleged losses on "sub prime" mortgages c

      • by hxnwix (652290)

        I am confident that the alleged losses on "sub prime" mortgages could never have happened if all concerned had secure key fobs.
        Did identity theft cause the sub prime crisis?

        What _ the _ fuck.
  • Isn't this the type of crime that should be called software piracy?
  • by Fractal Dice (696349) on Sunday December 30, 2007 @10:16PM (#21861332) Journal

    What amazes me about "identity" (financial, blog or otherwise) in the Internet age is how similar it is starting to feel to the concept of identity in fantasy fiction (such as the Earthsea books) where people have disposable day-to-day common names, but also truenames that hold the real power of identity, shared only with the most trusted of companions.

  • One big issue i see in this and other problems in todays society, is there is too much focus on how was spent on a problem and not what was actually done.

    it's all very well to say spending has increased, but what was actually DONE about the problem? Simple and cheap solutions are often the best.

    for example, my bank sends me an sms with a code to complete all online transfers to new billers, rendering fishing useless. the only way to change the mobile number is to answer 2 very personal security questions,

    • by mpe (36238)
      for example, my bank sends me an sms with a code to complete all online transfers to new billers, rendering fishing useless. the only way to change the mobile number is to answer 2 very personal security questions, and even then the system alerts me of the change.

      Actually you probably don't want to be using personal information for bank security questions at all.

      I think the next step forward for CC's is one time numbers and photo ID on the card itself. shouldn't be very hard, have it operate just like l
  • Apart from "intellectual property", "identity theft" has to be the stupidest term ever. They don't steal your identity.. they "copy" it. Real identity theft would be taking over someone's identity (probably with some lame face exchange technology) so that the rightful owner can no longer utilize it. And what's most annoying is that there is already a legal term for the activities that "identity theft" is typically used to refer to.. fraud. So what the hell is wrong with "identity fraud"? Not sexy enoug
    • Re: (Score:3, Insightful)

      Real identity theft would be taking over someone's identity (probably with some lame face exchange technology) so that the rightful owner can no longer utilize it.

            I've seen interviews of people who say they no longer can utilize their identity to do the things they expect to be able to do, buy a house, open a credit account, and have their previous credit rating.

            So they feel their identity has been stolen.

        rd
       
      • by QuantumG (50515)
        That's the kind of retarded thinking that should be kept out of law. If someone takes a shit on your windshield you don't claim your car has been "stolen" because you have to clean it up before you can drive it again. Fuckin' morons.

        • If someone takes a shit on your windshield you don't claim your car has been "stolen" because you have to clean it up before you can drive it again.

                But you would claim it was stolen if you couldn't drive it again because of it. Same thing.

            rd
          • by QuantumG (50515)
            Seriously, no, you wouldn't. If I burnt your car to the ground with gasoline you could claim I destroyed your property. You could claim I was a vandal. You could put in an insurance claim for "fire". But you couldn't claim I "stole" it. In *any* case, your identity is not your credit rating - at least I fuckin' hope the world hasn't become that consumerist just yet.

            • It has. It's your name, SSN, address, birthdate, credit history. That's what becomes effectively not yours anymore because you can't use it. You can try, but it's no good anymore with all the uses made of it after it was stolen.

              So you try to recover it, and yet at any time a new mortgage application can come in to a credit bureau with your name on it. Takes a lawyer and a lot of money to get it back. So call it recovering stolen goods, ot getting your name back.
    • by timmarhy (659436)
      " Real identity theft would be taking over someone's identity -snip retarded quote- so that the rightful owner can no longer utilize it"

      way to contridict yourself in one sentence dumbass. once an identity thief gets his hands on your details, he will run debts and bring all kinds of grief to your name so that using it again is impossible. it'd be easier to change your name and start again then go through the court system attempting to prove each infraction wasn't you.

      • by QuantumG (50515)
        Gapping malfunction of the credit history system (which is evil in the first god damn place) makes stupid term seem slightly less stupid to people with poor understanding of legal terms. Popular usage makes stupid term seem common place. You call me a dumbass for questioning all this.
  • 'More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be,' said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity theft victim herself."
    • by jpfed (1095443)
      The real question is- how can we be sure that the real Linda Foley did and said all these things?
  • I really think they need to re-think the whole concept of data security, basically the current, "traditional" way of protecting data security is a form of 'Security by obscurity'. I think most of us know how well that method works. (To be fair, in the past this method was somewhat effective, if only because information was never that readily available to be transferred and copied (and stolen).) Instead, I think they have to design sensitive data based on the assumption that it WILL be stolen at some poin
  • in related news (Score:3, Insightful)

    by Darth_brooks (180756) <clipper377@gmail ... om minus painter> on Sunday December 30, 2007 @10:57PM (#21861584) Homepage
    Studies have shown that auto theft reached unprecedented levels in 1911. In future news; flying car theft will reach unprecedented levels in 2057.

    More and more common thieves are learning the value of data. So more of it is being stolen. I bet MP3 player and cell phone theft rates are reaching "unprecedented" levels as well.
  • white hat hackers on staff full time who's sole job is to look for security breaches. I mean I guess it would make too much sense and having worked for the government, I know that if it makes sense it's not in the game plan.
  • by buss_error (142273) on Sunday December 30, 2007 @11:26PM (#21861776) Homepage Journal
    At $DAYJOB, we insert fake data in two ways: First, fake data that is in the database with known markers, second, more fake data generated each time a user logs in and present only during that log in for that user. In this way, we know if the data theift occured via authintication (and by whom, from where, and when), or via some hole in the app.

    The way to make this more effective requres a huge amount of work: Longer CC numbers and SSNs. It's the same problem IT has had with users FOREVER. Users expect the moon, stars, and all the oort cloud between, yet do not want to provide the least effort. There's no "buy in" from Soc Sec and the CC companies. As long as they get to pass along the cost to someone else, then the current system is "good enough". No need to expend any of THEIR effort to find, track, and plug up problems.

    But make THEM accountable in a tangable way, and I think we'll start to see effective measures to stop this nonsense. And no few RSG and 419'ers in jail to boot.
  • Why don't Visa, Mastercard, American Express, Diners etc start putting pressure on companies to keep credit card numbers more secure (along with inventing and selling solutions to make that happen)

    Even taking the simple step of changing the merchant agreements such that if the merchant suffers a breach or loss of credit card numbers, they are contractually obligated to notify the people who's numbers have been stolen (either via announcements in the media/on the merchants website or individually somehow) wo
    • by mpe (36238)
      Why don't Visa, Mastercard, American Express, Diners etc start putting pressure on companies to keep credit card numbers more secure

      Including the most secure method, not storing them at all. Also in order for a company to store numbers they should need a special merchant account.
  • Ever since I found out about Discover Card Secure Number I use that for all my online purchases to help reduce the risk of my real number being stolen. Complete Fraud Protection [discovercard.com] What this does is provide a one time use credit card number and CID number. Sure you can dispute false charges with your credit card company but who really wants to deal with that and any headaches.
  • by bl8n8r (649187) on Sunday December 30, 2007 @11:51PM (#21861986)
    And one that too many companies are willing to put gamble with. Many IT shops haven't got the experience in house to maintain security so they shop around for the doitallforyousecuritygizmo to do it for them. These gizmos are usually 90% snake oil with a hefty support contract. There is also a big lapse in education and awareness across all facets of the security realm. Programmers think security is up to Layer 1 and that they are free to break all the rules at layer 7. Windows admins think security means that if Bitdefender doesn't complain, everything must be peachy and that having software installed through ActiveX by a remote website is just a prank. Management is made up more of bean counters than technically savvy personnel. In the end, it seems management views a spin-of-the-wheel as being more cost effective than re-training a bunch of people that can't see past the Whack-a-Monkey javascript they just got in their inbox.

  • I'm a storage consultant and my hottest contracts right now is implementing different forms of media encryption. It can be disk, tape or data in-flight (IPsec for replication). There's plenty of solutions that prevent someone from accessing your data if they grab the media (disk/tape) and walk out the door. While this prevents someone from stealing a tape from the back of an IronMountain truck, it doesn't solve the problem of someone accessing the data from an point above the encryption point, the host/s
  • by RickRussellTX (755670) on Sunday December 30, 2007 @11:57PM (#21862052)

    It continues to astonish me that people think of "data theft" as the cause of identity theft.

    Data theft is not the problem. The problem is that financial organizations are willing to accept transactions without authentication, or with very weak authentication. Supplying a 9-digit number which is a matter of public record is not a form of authentication. It does not prove that the person speaking is the account holder. Anybody can walk into a store with a fake credit card and buy stuff in my name, no questions asked. People can write checks with my account number on them, and it will be charged to my account. At no point is the slightest attempt made to authenticate the identity of the person making the transaction and certify that they are allowed to post transactions to the account.

    There is no way to "plug" these leaks; most of these names and numbers are a matter of public record and must be surrendered in order to make a transaction in the first place. The identity theft problem will not abate until account holders have enhanced authentication options, and the financial institutions are required to use them. Biometrics, physical security tokens, PINs, it doesn't really matter what solution we use. We just need to use something to verify the identify of the person making the transaction. It's the only solution.

    • by RAMMS+EIN (578166)
      I completely agree with your post. The problem isn't that it's easy to get the magic numbers relating to a person, it's that we are willing to believe someone knowing the magic numbers is the person they relate to, even though we should _know_ how easy it is to know those numbers if you're not the person in question.

      On the other hand, the examples you gave (credit card and cheque payments) aren't about authentication. They are about payment. I don't know why anybody (including myself) buying anything with m
      • I used credit card and check payment as examples of financial transactions that should require strong authentication, but it doesn't end there, of course. Opening accounts, getting loans, purchasing on credit (e.g. a car or furniture or whatever), etc. are all types of transactions that should be using better authentication methods.

        However, and this was the point of my post, you don't have to be "careless with credit cards or checks" to get in trouble. All that is required to create a fake check is an acc

        • by RAMMS+EIN (578166)
          ``However, and this was the point of my post, you don't have to be "careless with credit cards or checks" to get in trouble. All that is required to create a fake check is an account number. And credit transactions can be easily faked using the information printed on the card (number and verification code) along with your publicly available address and phone number.''

          Perhaps, then, if these systems are so insecure, _any_ use you make of them is careless.

          ``How many people have an opportunity to memorize your
          • Hey, if you've got the time to make all purchases with cash, if you never buy stuff on-line or via mail order and choose not to maintain a credit card, if you pay all your bills in cash by going to the billing office for each utility instead of mailing a check or providing your check routing information for payment... then more power to you. Fight the man, brother! Just don't waste a lot of fossil fuel in the process :-)

            Many people, myself included, need the convenience that non-cash mechanisms provide. It'
            • by RAMMS+EIN (578166)
              ``Hey, if you've got the time to make all purchases with cash, if you never buy stuff on-line or via mail order and choose not to maintain a credit card, if you pay all your bills in cash by going to the billing office for each utility instead of mailing a check or providing your check routing information for payment... then more power to you. Fight the man, brother! Just don't waste a lot of fossil fuel in the process :-)''

              That's what I did when I lived in the States. Now I live in the Netherlands. I pay w
      • On the other hand, the examples you gave (credit card and cheque payments) aren't about authentication. They are about payment. I don't know why anybody (including myself) buying anything with my cheques or credit card (neither of which are actually common forms of payment in Europe, where I live) would have anything to do with my identity. These are just payment methods. The money may be mine, but, other than that, it has nothing to do with me.

        The authentication is to make sure that the person spending

        • by Deadplant (212273)
          (identity)Authentication and Authorization:

          [Cash]
          Authorization: The person holding the cash is authorized to spend it.
          Authentication: None required. If someone hands you some cash that is sufficient authentication of their identity as 'the person holding some cash'.

          [Cheques]
          Authorization: Identity based; The individual in whose name the bank account was opened is authorized to spend the money.
          Authentication: Possession of a blank cheque and the ability to sign it in a manner which closely resembles a s
          • All the card-based systems are migrating towards chip-based cards which should make it harder to create copies of them.

            Migrating but failed. I got an American Express Blue card back in 2002 or so precisely because they offered a card with an embedded chip that is supposed to enhance security. They were supposed to issue a USB smart card reader to the card holders so they could swipe the card to make on-line purchases too.

            The chip would be required for all purchases, but... to date, I have never seen the USB reader and the chip in my card has never been used. The advertised features silently disappeared from AMEX's mark

  • by ZWithaPGGB (608529) on Monday December 31, 2007 @12:10AM (#21862162)
    The problem is that the organizations that lose the data, and the people who work there, are not the ones who bear the pain of the result. Furthermore, we usually have no choice in handing over the personal data, most of which is completely unnecessary (but very useful for marketing), in order to get things we need.

    Unless and until that changes, all the hand-wringing in the world won't make a hill of beans of difference.

    It will take something like Sarbanes-Oxley, making the officers of companies and non-profits, and government workers, who handle our data personally criminally liable for failure to take due care, before there is any change. As it is now, it is a simple cost calculation, and security is pure cost. The people in charge are betting that they can cash in their stock options or get promoted/transferred before the failure to protect data causes a problem.

    Last, but by no means least, everything that the naysayers said about Social Security when it was first proposed have come true: the SSID is a national ID number, and is routinely abused; and the Ponzi Scheme has run afoul of demographics. It's time to end the charade: outlaw the use of SSIDs by anyone except the SSA, and to allow people to opt out of SS.
  • by Omniphobic (1210274) on Monday December 31, 2007 @12:14AM (#21862188)
    This information doesn't surprise me. I think the increase is do to the increasing ease of standing up a website. Anybody with minimal computer/coding/security experience can stand up a website that takes your credit card information. I've dealt with COUNTLESS sites that have horrible file permissions, no security apps (like mod_security), and their DB connection password is weak. It's unbelievable how little effort folks will put into securing their business operations. On top of that, customers who repeatedly get hacked won't be willing to go through the hassle of auditing their customers or upgrading their software, so the same vulnerabilities get exploited again.
  • Back when only "computer nerds" and IT professionals used the internet you could safely browse without a firewall or antivirus, one consequence of almost every segment of the population now using it is that there are scammers and people susceptible to scamming. Just like people fall for sales pitches or get their card details stolen in real life. When a tool that tells people whether a site in genuine is popular (i.e. they are unable to tell without it) you know that only a minority are immune to scamming.
  • Given the complete disaster that digitisation of sensitive information has quickly proven itself to be in the hands of bean counters rather than those of developers who take pride in their work, it falls upon me as a concerned citizen to alert UK readers to a system which was brought to my attention today, which is going live with NO security protocols in place, which will hold the entire medical histories and personal details (including residential addresses and telephone numbers), in fact, enough informat
  • I had a something to say but someone stole my idea.
  • Seriously, let's reserve the phrase "data theft" to refer to data that is lost due to someone taking the only copy of it. A basic test for theft is whether the owner still has the thing that was stolen. If he still has it, it wasn't stolen, though possibly copied.
  • You can't steal information dude. Information just wants to be free.
    /sarcasm
  • PEBKAC (Score:2, Insightful)

    by MurkyGoth (690195)
    Blaming the tech is a cop-out - firewalls and encryption mean nothing if these people are entering their details into any website that asks for it. Paper/card shredders are cheap now (even/especially for the home) and people have been told for years not to click on links in unsolicited emails, *especially* if they're from a bank/ebay/PayPal.

    Instead of spending more on (company-side) tech there should be more spent on user-side education. Only those who've been a victim of identity theft and the paranoid (wa
  • In the olden days (like 10+ years ago), if someone wrote a check in someone else's name, it was called "fraud". It is, in fact, a crime where someone steals money from the bank.

    At some point, someone changed the vocabulary, and now we call this "identify theft", and so we make the crime against the person who's name was forged. In fact, this person has nothing to do with this crime, and is an innocent bystander. The bank is charged with protecting my assets, and if they fail to do so, they should be liable, just as much as if someone walked into the bank with a gun and took it!

    By convincing society at large that the crime is "identity theft" and not "fraud", the corporations, while not solving the problem of fraud, has made it someone else's problem; namely their customers. And the customers accept this, and direct their ire against the criminals, instead of against the company. (Admittedly the criminals are Bad People, so they do deserve to be feared and hated.)

    In some ways, it is a stroke of genius by the corporate world. But not one that we should celebrate. :(
    • I've never blamed the criminals for this, but then again I'm in IT and I know better...

      My view is that they are criminals and we'll always have criminals. Therefore we need to protect ourselves from those who would take advantage of us by making those responsible for the problems pay for their failures, as you stated. When we pass a law that says that the corporate world and specifically banks are responsible for these breaches you will see things change practically overnight.

      There are several other thing
  • by sgt scrub (869860) <saintium@yaho[ ]om ['o.c' in gap]> on Monday December 31, 2007 @12:36PM (#21866702)
    Information thieves, it seems, are just one step ahead of IT security.
    No. IT security would be doing just fine if users and administrators protected themselves with existing security recommendations.
    As long as people act like sheep they will be lambs to the slaughter.
  • Im surprised there havent been a large number of class-action suits for data-theft. Many data-owners seem irresponsible.

Any program which runs right is obsolete.

Working...