100,000 More Social Security Numbers Exposed

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."

  • by BWJones ( 18351 ) * on Friday February 25, 2005 @05:26PM (#11781813) Homepage Journal
    These guys (and everybody who violates the privacy laws like them) should be required to pay for in depth fraud monitoring and credit report monitoring. If you are going to warehouse our data especially without our knowledge, then they should pay for their own screwups.

    • by Anonymous Coward on Friday February 25, 2005 @05:29PM (#11781844)
      required to pay for in depth fraud monitoring and credit report monitoring.

      Why stop there... if my identity is stolen through the theft of their ideas; and someone cleans out my accounts the LAST thing I'm going to care about is them paying for "monitoring".

      I want them to pay for the damages they caused by essentially being an accomplice to the thieves.

      • The more of this stuff that goes on, the more likely it is going to bring the big foot of the Federal Gov down on these people. It moves slow but when it does, it is going to hurt somebody.
        • You know, sadly enough, my cynical mind believes that the government won't step in with tough regulation of data that these companies handle.

          Instead they'll waste time and money passing more laws against those who misuse these shoddily protected servers in a classic "close the barn door after the horse has escaped" federal maneuver.
      • by pavon ( 30274 ) on Friday February 25, 2005 @05:49PM (#11782149)
        Why stop there... if my identity is stolen through the theft of their ideas;

        The fact that this (very real) failure by PayMaxx to protect their customers' privacy escalated into the potential for identity theft is the fault of the government not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.

        Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to be public and private at once, this is bound for failure.

        For years, the "solution" to this problem has been to avoid giving out your SSN unless at all necessary. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necessary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If a computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!

        The government needs to step up and institute a new secure way to authenticate people, as well as begin a campaign to inform the public that SSNs are not suitable for authentication, by any organization. We cannot expect to have any security of identity if everyone in the country authenticates our identity using a fundamentally flawed manner.
        • by CyberLord Seven ( 525173 ) on Friday February 25, 2005 @05:56PM (#11782257)
          Social Security numbers were never intended to be identity numbers by the Federal Government.

          State and local governments, businesses, and eventually the military decided that since everyone had a unique SS number, they could save themselves some money and effort by simply requiring everyone to use their SS number as an ID number.

          This is an incredibly STOOPID idea that 2600 magazine has been preaching against for many years now.

          In short, I'm sorry, but you are mistaken in blaming this on the government.

        • by sjames ( 1099 ) on Friday February 25, 2005 @07:33PM (#11783211) Homepage Journal

          There are many who are responsible. However, PayMaxx KNOWS WELL the problems they create by leaking SSN and other data. You'd have to live under a rock to NOT KNOW it's a serious problem that can cost someone thousands of dollars and hundreds of hours. The problem was repeatedly brought to their attention and they willfully ignored it.

          They are not alone in their negligence, but they sure seem to be leading the pack at the moment.

          The real solution would be for the courts to acknowledge the facts of the matter. That is, SSN proves nothing, and DL proves little or nothing.

          Given that, credit cards, etc have literally NO idea who they are lending money to. Given that, before making any disparaging remarks on someone's credit reports, or make a single harassing phone call, they had better have a photo of the person with the signed credit application in hand, and they'd better make sure it matches the appearance of the person they're pestering. If not, they may be guilty of harassment and libel and should be treated accordingly.

    • Instead, they sell you identity theft insurance and "PrivacyGuard" and stuff. I have never done this before, but I can't resist:

      1. Design system to make money
      2. Sell insurance against the flaws in the system
      3. Profit!
  • Uh oh... (Score:5, Funny)

    by Faust7 ( 314817 ) on Friday February 25, 2005 @05:27PM (#11781827) Homepage
    Man, I hope Jon Stewart's wasn't in there!

    Oh wait...
    • Re:Uh oh... (Score:5, Funny)

      by kill-hup ( 120930 ) on Friday February 25, 2005 @05:34PM (#11781930) Homepage
      I'll bet Ted Hitler was watching and knows what it is ;)
    • Re:Uh oh... (Score:2, Informative)

      by learn fast ( 824724 )
      This is a reference from yesterday's Daily Show.

      But, I noticed, that couldn't be Jon Stewart's real social security card, because the name that would appear would be his real name, which is Jonathan Stuart Leibowitz.
    • Re:Uh oh... (Score:5, Insightful)

      by GillBates0 ( 664202 ) on Friday February 25, 2005 @05:41PM (#11782038) Homepage Journal
      Good one :)

      I liked the way how he subtly hinted at the folly of using identifiers as passwords. An identifier is supposed to be public (akin to a login)... but it is increasingly being treated as a password....something which it was never designed to be.

      I have the same problem with credit card numbers too. They aren't supposed to be secret - a variety of persons have an opportunity to read/record/duplicate them every time you use it at a restaurant/merchant/online/etc. There should be some other "secret" mechanism to (the written signature is overrated, outdated and ineffective) Some debit cards do require a PIN (unfortunately not always), which is the proper way to go about it (assuming the swiping mechanism, keypad etc are not rigged).

      If enough news outlets spread awareness about this issue and enough people stop treating their SSNs as a secret or at least protest against businesses using them as an authentication mechanism, maybe we could have a better system.

      • "I liked the way how he subtly hinted at the folly of using identifiers as passwords."

        Have you seen "Chip and PIN"? The PIN which is used with a credit or debit card to gain complete access to your bank account, you now have to type in, in plain view, in front of a queue of customers, every time you want to use that card to pay for groceries.

        Secure? Betcha.

        And now of course, there are no signatures. So when authentication fails, the bank doesn't have to prove that the transaction is valid (because "yo
  • Define "breach" (Score:5, Insightful)

    by chill ( 34294 ) on Friday February 25, 2005 @05:28PM (#11781836) Journal
    Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

    • Re:Define "breach" (Score:5, Informative)

      by Ironsides ( 739422 ) on Friday February 25, 2005 @05:36PM (#11781965) Homepage Journal
      Well, since their security consisted of "So long as no one increments their unique number we assigned them by 1 in the browser location bar", I'd say that they were pretty much dumb idiots. Sloppy doesn't begin to cover this.
    • Re:Define "breach" (Score:2, Insightful)

      by Tackhead ( 54550 )
      > Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

      Yes. Anybody who thinks there's a difference between those two choices shouldn't be allowed to set security policy, data retention policy, or have input into the design of any web application on any system that stores private (personally-identifiable) customer data.

      I'd go further: they shouldn't be allowed within an airgap's distance

    • Re:Define "breach" (Score:4, Insightful)

      by jonbrewer ( 11894 ) * on Friday February 25, 2005 @05:38PM (#11781999) Homepage
      Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

      It means they were sloppy. People play with URL strings all the time.

      It's trivial, especially so in ColdFusion, to make sure that the browser you authenticated is the only one you'll serve a particular document to. PayMaxx and their developer were negligent here without question.
  • by gstoddart ( 321705 ) on Friday February 25, 2005 @05:28PM (#11781837) Homepage
    "we already cooperate with a significantly experienced testing agency and have been tested several times for security issues."

    That they weren't even willing to listen when someone pointed this out to them is appalling.

    I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.

  • With guardians like this, pretty soon the whole XXX-XX-XXXX range will be p0wn3d!
  • Usually financial companies like this feel it's a waste to pay a good experienced sysadmin to keep their shit secure. It's only recently that all companies have started adopting IT as part of their Business Model.
  • by popo ( 107611 ) on Friday February 25, 2005 @05:29PM (#11781845) Homepage
    ...if President W does away with Social Security?
  • by Anonymous Coward on Friday February 25, 2005 @05:29PM (#11781846)
    You know, the more of this I see, the more annoyed I become.

    We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.

    Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

    Seriously... are we burying our heads in the sand and attacking the wrong thing here?

    • If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

      It certainly does...along with just about everything else that requires you to furnish proof of your identity.

      If people can't be bothered to pick a secure password, there's no way they'll be able to keep up with a scheme like the one you've just outlined.

      Now, if you ask me if I have a

    • Not to worry! (Score:5, Insightful)

      by BLKMGK ( 34057 ) on Friday February 25, 2005 @05:37PM (#11781980) Homepage Journal
      The moment you decide to require ALL of those things to be validated some dumbass will put them all in a database record side by side unencrypted with no password protection. The end user will be forced to endure more hoop jumping but the sum total of added security would be quickly nullified by the morons of the IT world. It only takes one village idiot to ruin things.

      • Exactly. If you require all that information to validate your identification, then by definition the organization that needs to validate you has to have all that information stored somewhere, in such a way that it can all be retrieved at the same time. And as long as third parties are allowed to compile databases of this information, they will be vulnerable to exploitation as well.
      • It only takes one village idiot to ruin things.

        Or put another way: it takes one idiot to raze a village.
    • That was my first thought as well. When I recently opened a bank account, they asked for all that information.

      However, when everyone starts requiring that information, it'll be in all the insecure databases as well.

      I think the answer is more about actually contacting the person when opening new accounts.

      • I think the answer is more about actually contacting the person when opening new accounts.

        Well that might limit fraud to the old-fashioned con artists (the ones who can actually talk a good game), but that's about it. Barring some absolute, unfalsifiable form of unique identification, identity fraud will continue. And no, biometrics as they currently exist don't count (especially if you're trying to send the prints, etc., as data over the internet).
      • ...unless there's a separate channel that goes between the purchaser and the bank, and one from the bank to the merchant to confirm authentication of the purchaser. Both would need to be secure against replay attacks and spoofing, of course.

        For a very slow-paced and not-often-used example, some banks will call you to verify anomalous purchases made with your credit card.
    • No, the problem is that big businesses have managed to free themselves of any relevant regulation. It is a felony to lie to an insurance company, yet it isn't a felony for your insurance company to lie to you, or to lie to someone else about you. Isn't that kind of absurd? A few weeks ago WalMart got in trouble for violations of labor law, and what happened as a result? They negotiated a deal where now the Department of Labor has to notify them a week in advance if they want to have an inspection. Abus
    • Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

      As pointed out, the thieves would just steal all the information, however, I think this could be worked int

    • The only way to make identity checks more secure is to use a public/private key scheme. If everyone had a public key, which was a matter of public record, and where only the individual had the private key, and the necessary identification was the ability to decrypt a string of random digits, then we would have an improvement. It doesn't matter at all what the necessary identification is if anyone you identify yourself to or who is able to test whether you have identified yourself is able to steal your ident
    • One of my banks has a very tried-and-true method of authenticating me:

      They provide me with a series of indexed one-way hashes that I must successfully append to a random password (basically, S-KEY). These are physically exchanged through registered courier under separate cover to each other and all other identifying information on the account and updated either on expiration or the merest hint of compromise.

      Why the hell ALL banks don't do this is a mystery to me.
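The one-time-code idea this comment calls "basically, S-KEY", as an added example that is not the bank's scheme or code from the thread: a Lamport hash chain, with SHA-256 standing in for the hash and the random-password part left out. The seed, chain length and all names are assumptions.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def chain(seed: bytes, n: int) -> bytes:
    """h applied n times to seed, written H^n(seed) below."""
    for _ in range(n):
        seed = h(seed)
    return seed


def printed_sheet(seed: bytes, n: int) -> dict:
    """The indexed list couriered to the customer: i -> H^i(seed) for i = 1..n-1."""
    return {i: chain(seed, i) for i in range(1, n)}


class Verifier:
    """Bank side. It stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, n: int):
        self.current = anchor      # H^n(seed) at enrolment
        self.index = n

    def exhausted(self) -> bool:
        # Stop before index 0 so the seed itself is never sent as a code.
        return self.index <= 1

    def challenge(self):
        """Index of the code the customer must supply next."""
        return None if self.exhausted() else self.index - 1

    def verify(self, code: bytes) -> bool:
        if self.exhausted():
            return False           # sheet used up: a new one must be issued
        if not hmac.compare_digest(h(code), self.current):
            return False
        # Accepting the code moves the chain one step, so it cannot be replayed.
        self.current = code
        self.index -= 1
        return True


if __name__ == "__main__":
    seed = b"constructed demo seed"          # constructed value, not a real secret
    sheet = printed_sheet(seed, 4)
    bank = Verifier(chain(seed, 4), 4)
    code = sheet[bank.challenge()]
    print("first use :", bank.verify(code))  # accepted
    print("replay    :", bank.verify(code))  # rejected
    print("db value  :", bank.verify(bank.current))  # stored state is not a code
```

A copy of the verifier's stored value does not yield the next code, because producing it means inverting the hash; that is the property a reusable identifier such as an SSN lacks.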
  • Finally (Score:5, Funny)

    by Monkelectric ( 546685 ) <slashdot@mon k e l e c t r i c . com> on Friday February 25, 2005 @05:30PM (#11781869)
    An upside to being unemployed.
  • What is it with corporations today? When a customer points out that you are making a horrible mistake there is only one option.

    Acknowledge it, say that you're sorry, and fix it!

    Everyone makes mistakes - the question is what you do to make things right.

    "Nah, let's insult the customer, ignore them, and hope that problem will just go away. Surely no-one else will ever notice."

    "Hey - what's that lawyer doing here?"
  • by Anonymous Coward on Friday February 25, 2005 @05:30PM (#11781871)
    just by going thru your trashcan. By the way, you really should ask for a raise.

    Rocky Raccoon.

    p.s., please stop dumping the bathroom trash can in with the kitchen's. Thanks.
  • 100,001 (Score:2, Funny)

    by Anonymous Coward
  • by borawjm ( 747876 )
    I guess it's a good thing that I can get free credit reports from each of the nationwide consumer credit reporting companies starting March 1st.
    • And the funny thing is, it's not online!

      You fill out a form, they send you (via snail mail) *another* form, you fill that in and send it back, then wait 4 - 8 weeks for your free report.

      Almost as if, at every step of the way, the credit bureaus wanted to make it hard and inconvenient for you to get this info for free, rather than paying $30 to do it online.
    • Annual, imnsho, isn't often enough. Further, the reports you get DO NOT SHOW ALL THE INFORMATION CREDITORS SEE. Yes I'm shouting. You could still be a victim of ID theft and not know until you tried to make a major purchase, because even though the report you see shows your history is perfect, it's a squeaky-clean version. Creditors can ask for all the data. You can't. Bob Sullivan is right.
  • Sophisticated? (Score:5, Insightful)

    by kill-hup ( 120930 ) on Friday February 25, 2005 @05:31PM (#11781885) Homepage
    "No system in the world is 100 percent secure from a sophisticated and determined hacker"

    I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.

    I think they are lucky to not have been visited by some real "sophisticated hackers"...
  • Alternate link (Score:3, Informative)

    by caryw ( 131578 ) on Friday February 25, 2005 @05:32PM (#11781900) Homepage
    There is a more in-depth article about this at the Boston Globe.
    First ChoicePoint now this? How long until a major government database like one from the IRS gets hacked and information on almost every US citizen is available? Scary thought.
    - Cary
    --Fairfax Underground: Where Fairfax County comes out to play
    • Well, fortunately, the IRS computers are secure because:

      1. No one knows EBCDIC anymore.
      2. It's hard to cause a buffer overrun in 80 columns.
      3. It takes a long time to download information at 300 Baud.

      Seriously, their computers can process over nine tax returns per day. Do you really think you can crack them?
  • Does PayMaxx do business in California? If so, it too may be subject to criminal liability for failing to protect individuals' information.
  • Anyone else think that Slashdot is starting to look like the 'News' section from the Uplink game..?
  • by Anonymous Coward

    (just to freak out the Christians of course)

  • These companies don't get paid to be secure, and in the related Choicepoint case, Choicepoint only makes money by selling your data.
    The more people they sell to, the more money they make.
    In this case, keeping your data secure costs money, so it just doesn't pay.

    Oh, you think they should care about you? For a price, maybe they will... :-)
  • by Ironsides ( 739422 ) on Friday February 25, 2005 @05:34PM (#11781929) Homepage Journal
    I'm thinking that it's time to write to my state and federal congressmen to get California's Security Breach Information Act (S.B. 1386) amended into state or national law. That way when this shit happens I can find out if any of my info is at risk.

    When will these idiot companies start taking security seriously instead of being idiots about it? Time to take a page out of the "If I were an Evil Overlord List": One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation. and My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords. Source

    On a side note, all this stuff just keeps reminding me about the No Networked Systems requirement in BattleStar Galactica.
    • federal law mandates that you can request an auditor of your health and financial information from a company at any time...HIPAA which is a health privacy law and Gramm-Leach-Bliley act ( which we use all the here at work) mandate that a person can request in writing to a company any time that his /her financial info was released to another company/person and the reasons behind it...these things are in place..it's just getting companies to follow it
  • by dmccarty ( 152630 ) on Friday February 25, 2005 @05:34PM (#11781935)
    There's a common misconception here in the US that "my" social security number and "my" income data is personal information that belongs to me only. Breaking news: it's not. Once you file your taxes, buy stock, etc. these become public records. And public records, thanks to the FOIA (Freedom of Information Act), are documents that can be accessed by the public at large.

    Do you think it's bad that PayMaxx shows people's personal information on the web? Of course it is. But how about if you get it legally from the IRS instead?

    • US tax returns are private and are available only to authorized IRS personnel and the filer. From IRS form 4506:

      I declare that I am either the taxpayer whose name is shown on line 1a or 2a, or a person authorized to obtain the tax return requested. If the request applies to a joint return, either husband or wife must sign. If signed by a corporate officer, partner, guardian, tax matters partner, executor, receiver, administrator, trustee, or party other than the taxpayer, I certify that I have the autho

    • You're misguided. FOIA has nothing to do with personal information. FOIA has entirely everything to do with tax payer supported (FEDERAL) projects as a means to let the tax payers know what is going on with the government they fund and support and pay for. Corporations don't have "Freedom" over personal information and in fact there are strict privacy acts that enforce rules upon them to protect such.
  • by Weaselmancer ( 533834 ) on Friday February 25, 2005 @05:36PM (#11781960)

    From the article:

    "No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET


    Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

    Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.

    Sophisticated and determined my ass!!
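The flaw quoted from the article above, and the server-side check the earlier "It's trivial ... to make sure that the browser you authenticated is the only one you'll serve a particular document to" comment asks for, as an added example that is not PayMaxx's code or code from the thread. The in-memory store, user names, ids and function names are all constructed for illustration.

```python
import secrets
from collections import Counter, namedtuple

# doc_id is the sequential key exposed in the link; owner is the account it belongs to.
W2 = namedtuple("W2", "doc_id owner body")

# Constructed sample data: five customers with consecutive document ids.
STORE = {i: W2(i, f"user{i}", f"W-2 for user{i}") for i in range(1000, 1005)}


class Forbidden(Exception):
    """Raised for both 'no such document' and 'not your document'."""


def fetch_unchecked(session_user, doc_id):
    """'Before': being logged in is the only check; the id in the URL decides."""
    return STORE[doc_id].body


def fetch_checked(session_user, doc_id):
    """'After': the server compares the document's owner with the session."""
    doc = STORE.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden(doc_id)   # same answer either way, so ids are not confirmed
    return doc.body


def issue_link_tokens(store):
    """Unguessable 128-bit link tokens in place of sequential ids in e-mailed links."""
    return {secrets.token_urlsafe(16): doc_id for doc_id in store}


def fetch_by_token(session_user, token, tokens):
    """Random tokens stop guessing, but a forwarded link must still fail the owner check."""
    doc_id = tokens.get(token)
    if doc_id is None:
        raise Forbidden(token)
    return fetch_checked(session_user, doc_id)


def readable_ids(handler, session_user, ids):
    """Which of `ids` does `handler` hand over to this one session?"""
    readable = []
    for doc_id in ids:
        try:
            handler(session_user, doc_id)
            readable.append(doc_id)
        except (KeyError, Forbidden):
            pass
    return readable


def sessions_probing(request_log, threshold=3):
    """Detection: sessions that requested >= threshold documents they do not own."""
    misses = Counter()
    for user, doc_id in request_log:
        doc = STORE.get(doc_id)
        if doc is None or doc.owner != user:
            misses[user] += 1
    return sorted(user for user, n in misses.items() if n >= threshold)


if __name__ == "__main__":
    ids = range(998, 1007)
    print("unchecked:", readable_ids(fetch_unchecked, "user1000", ids))
    print("checked:  ", readable_ids(fetch_checked, "user1000", ids))
```

Randomizing the ids, as the article suggests, only makes the link hard to guess; the ownership comparison in `fetch_checked` is what decides who may read the form.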

  • Remember how cool those collapsing credit card company buildings looked at the end of Fight Club? Well, the personal info copyright violators have flipped the script on us. They're profiting mightily, while trashing our identities. Time to fight the power.
  • It's time to make this company Paymaxx! Mistakes like this are simply unacceptable and should be treated as crime IMO.
  • by kajoob ( 62237 )
    I mean it's on the main page
  • Yeah, but (Score:2, Funny)

    by oliana ( 181649 )
    Did you get any of the names and numbers? Where do I buy them??
  • and choicepoint ?articleID=60403673/ news article on about how congress wants the california law to be amended and spread over all the states, should fix this nicely hmm any complaints?
  • Back the bus up... (Score:3, Informative)

    by XorNand ( 517466 ) on Friday February 25, 2005 @05:54PM (#11782218)

    If you check the article that's been posted by another user, you'll see that "Think Computer" was demanding payment to tell them about this bug. This sounds a little bit like extortion, don't you think? What gets even more interesting, is that I recognized this guy from an earlier story on Slashdot. He wrote a rambling, alarmist "whitepaper" about how unsecure WiFi was in the Boston subway. Furthermore, searching Massachusetts business filings doesn't show that any "Think Computer" corporate entity exists.

    I believe that this is just some young kid who desperately wants for himself to be seen as some sort of security expert. His techniques are highly unprofessional and insulting to those of us in the industry who do, in fact, have a clue as to how IT consulting works.

  • That's a really bad summary.
  • Do Over! (Score:3, Insightful)

    by Dark Coder ( 66759 ) on Friday February 25, 2005 @06:00PM (#11782296)
    This identity theft is an impending train wreck on the Social Security Number.

    I think it's time to adopt something like a Sweden model of smartcards for a national id.

    No smartcard is worth its salt without a personal user-definable PIN number.

    And forget this Bio-authentication crap. Bio-authentication is never revokable once stolen.
  • by G4from128k ( 686170 ) on Friday February 25, 2005 @06:01PM (#11782308)
    The old scheme of authenticating people using readily and widely copied information is a recipe for identity theft. If someone stores data on you, that data should be only sufficient for verification and insufficient for the opening of new lines of credit. Some form of encryption/hash should be used that lets someone verify that you are you, but does not let them take that info and reuse/abuse it for their own purposes. Moreover, in an ideal world, each copy of "your information" should be uniquely associated with the collector of that information. That way breaches would be readily traceable back to the leaky database.
  • For us non-Americans here, will someone please explain how companies like this and choicepoint get people's Social Security Numbers and what these companies do with these Social Security Numbers?
    • Here in the states, your Social Security number has been turned into an ID number for everything. Banks, insurance companies, driver's license, etc..

      Computer records have replaced paper filing systems in most organizations. Since more than one person may share the same name, accurate retrieval of information works best if each file is assigned a unique number. Many businesses and government agencies believe the Social Security number is tailor-made for this purpose.

  • Since my first computer class, that binary systems will never be completely secure.

    There's some myth that is out there, that it's possible to secure our data.

    The truth is that everything is down to a question of bits. Either it's a 1 or a 0.

    and so it's not really out of the realm of possibility to find and break encryption.

    And anyone who suggests otherwise is trying to sell you a Yugo.
  • Bank of America just misplaced the SSNs of 1.2 million federal employees: Data on 1.2 million federal charge card holders goes missing
  • by shanen ( 462549 ) on Friday February 25, 2005 @06:34PM (#11782667) Homepage Journal
    The fundamental problem here is that these companies are selling something that belongs to you, *YOUR* personal information. Who suffers if they screw up and let the wrong people get it? How many guesses do you need? Hint: It isn't them.

    This is not really a new problem. Technology has just changed the way we deal with it. Before all of this computerization, if someone wanted to know about you, they had to ask you questions. The dialog might go like this:

    "What is your salary?"

    "Why do you want to know?"
    "Well, if you want to borrow money from our bank, then you must provide us with the certain information and evidence."
    "Okay. In that case I am willing to tell you..."

    Nowadays, you are not involved in any of this process. All of your personal information is flowing around behind the scenes between companies that trust each other, but *NOT* you. However, the amount of personal information is increasing to the point that the resulting questions might be more like this:

    "From checking our records, we see that you had dinner in El Torito on the night of February 22nd. Did you know that a suspected terrorist was dining with you? Were you really there for a secret rendezvous? We also see that on the previous Saturday..."

    The catch is "our records" really is "your records" that they have collected without mentioning to you.

    Solution: We need a legal principle that it is *YOUR* data and it is *YOUR* right to decide who knows it and what is done with it. (This is actually implicit in the Fifth and Sixth Amendments of the Bill of Rights.) We also need a technical principle that *YOUR* data should be stored on *YOUR* own computer. (This is the old "Possession is nine points of the law.")

    How it works: If someone wants to record information about you, they should contact *YOUR* computer and store it there. They can include whatever signature they like to insure that you can't tamper with the content. They can include a binding request that you back up the data. However, if they want to see that information later, they must ask *your* computer to provide it, and *your* computer will only provide the information if *YOU* agree. (Actually, this means you would define privacy policies for your computer to enforce, including such things as "doublecheck with me anytime someone claims I owe them more than $10", etc.)
