
100,000 More Social Security Numbers Exposed

Zonk posted more than 9 years ago | from the that-why-we-use-these-password-things dept.

Security 325

ThinkComp writes "PayMaxx, Inc. is a web-based payroll processing company, and they recently notified me that my on-line form W-2 was available. And so it was, along with the W-2 (including SSN and salary data) of every other one-time PayMaxx customer dating back at least five years, possibly 100,000 in all. Through news.com, PayMaxx reports, 'PayMaxx has made and continues to make every effort to secure its system against any breach,' which is why part of their site has been down now for several days."


325 comments


it's my turn! (-1, Offtopic)

unkaggregate (855265) | more than 9 years ago | (#11781809)

First Post!

Re:it's my turn! (1)

HTTP Error 403 403.9 (628865) | more than 9 years ago | (#11781953)

Who thinks the first call was to the lawyers and not to the programmers?

Credit report monitoring (4, Insightful)

BWJones (18351) | more than 9 years ago | (#11781813)

These guys (and everybody who violates the privacy laws like them) should be required to pay for in depth fraud monitoring and credit report monitoring. If you are going to warehouse our data especially without our knowledge, then they should pay for their own screwups.

Re:Credit report monitoring (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11781844)

required to pay for in depth fraud monitoring and credit report monitoring.

Why stop there... if my identity is stolen through the theft of their ideas, and someone cleans out my accounts, the LAST thing I'm going to care about is them paying for "monitoring".

I want them to pay for the damages they caused by essentially being an accomplice to the thieves.

MOD AC UP (0)

Anonymous Coward | more than 9 years ago | (#11781882)

These companies should be held accountable for their gross negligence.

Re:Credit report monitoring (2, Insightful)

mordors9 (665662) | more than 9 years ago | (#11782035)

The more of this stuff that goes on, the more likely it is going to bring the big foot of the Federal Gov down on these people. It moves slow but when it does, it is going to hurt somebody.

Use of SSN fundamentally flawed. (4, Insightful)

pavon (30274) | more than 9 years ago | (#11782149)

Why stop there... if my identity is stolen through the theft of their ideas;

The fact that this (very real) failure by PayMaxx to protect their customers' privacy escalated into the potential for identity theft is the fault of the government, not PayMaxx. This is because the use of social security numbers as an authenticator is fundamentally flawed and insecure.

Every authentication system needs at least one identifier and one secret. The former is public information while the latter, obviously, must remain private. However, when the US government and other institutions use SSNs as a way to authenticate who you are, they are attempting to use a single piece of information as both the identifier and the secret. Since it is impossible for something to be public and private at once, this is bound for failure.

For years, the "solution" to this problem has been to avoid giving out your SSN unless absolutely necessary. While this is a very good idea for privacy reasons, it is worthless advice for protecting your security. Imagine your computer admin telling you that you should "only" give out your password when necessary. And that meant writing it on every government, healthcare, banking, and educational form you fill out. Then imagine that admin expecting your account to be secure. If a computer admin instituted a policy like that he would be fired, and yet that is the policy we are using to secure our very identities!

The government needs to step up and institute a new secure way to authenticate people, as well as begin a campaign to inform the public that SSNs are not suitable for authentication, by any organization. We cannot expect to have any security of identity if everyone in the country authenticates our identity in a fundamentally flawed manner.
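The identifier-versus-secret point made in the comment above, as an added example that is not part of the original post or of any real system: the SSN is only the key that selects a record, and proof of identity comes from a separate secret that is stored as a salted hash and compared in constant time. The user table and the sample SSN are constructed for the demo.

```python
"""Added example: an identifier (here an SSN) is public; authentication needs a
separate secret. Constructed in-memory user store, not any real system's code."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
USERS = {}  # identifier -> (salt, derived key); constructed sample store


def enroll(ssn: str, secret: str) -> None:
    """Keep only a salted PBKDF2 hash of the secret; the SSN is just the lookup key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    USERS[ssn] = (salt, dk)


def authenticate_ssn_only(ssn: str) -> bool:
    """The flawed model the comment describes: knowing the identifier *is* the proof.
    Anyone who has read a W-2, a medical form or a school record passes this check."""
    return ssn in USERS


def authenticate(ssn: str, secret: str) -> bool:
    """The identifier selects the record, the secret proves the claim.
    Always run the derivation (against a dummy record for unknown SSNs) and use a
    constant-time compare, so response time does not reveal which SSNs are enrolled."""
    dummy = (b"\x00" * 16, b"\x00" * 32)
    salt, dk = USERS.get(ssn, dummy)
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return ssn in USERS and hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    enroll("123-45-6789", "correct horse battery staple")  # constructed sample, not a real SSN
    print("ssn only:", authenticate_ssn_only("123-45-6789"))        # anyone holding the SSN gets in
    print("ssn + secret:", authenticate("123-45-6789", "wrong"))    # the SSN alone no longer suffices
```

The first check is what a "verify your SSN to proceed" form amounts to: it tests knowledge of something printed on thousands of documents. The second treats the SSN the way a login name is treated, and leaves nothing in the store that a leaked table would hand to an attacker directly.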

Re:Credit report monitoring (1)

0x461FAB0BD7D2 (812236) | more than 9 years ago | (#11781865)

How does that help the victims? There is no way that any company could conceivably recompense all 100,000 victims.

Re:Credit report monitoring (4, Insightful)

BWJones (18351) | more than 9 years ago | (#11781915)

There is no way that any company could conceivably recompense all 100,000 victims.

You can't cover your ass if you screw up big time? It's simple......you......should.....NOT......be.....allowed.....to......keep.......records on vast numbers of human beings with lives and financial histories to protect.

Re:Credit report monitoring (1)

lakerdonald (825553) | more than 9 years ago | (#11781921)

That's what insurance is for.

Re:Credit report monitoring (2, Insightful)

TripMaster Monkey (862126) | more than 9 years ago | (#11782033)

There is no way that any company could conceivably recompense all 100,000 victims.

Casinos have to have enough cash on hand to cover every chip in play (at least in Nevada)...why can't data warehousing companies be held to at least similar expectations? It would certainly provide a little incentive for them to actually try to secure the data...

Re:Credit report monitoring (0)

Anonymous Coward | more than 9 years ago | (#11781904)

Guess what OS they were running [netcraft.com] .

Re:Credit report monitoring (1)

aspx (808539) | more than 9 years ago | (#11782042)

Oh, they will pay for that and more. Just as soon as you sign your legal agreement that includes phrases like "save and hold harmless"

Re:Credit report monitoring (1)

ackthpt (218170) | more than 9 years ago | (#11782098)

If you are going to warehouse our data especially without our knowledge, then they should pay for their own screwups.

The thing that gets me is these firms say most of this information is public and gathered thusly. What I'd like to know is where all this is that's got all my stuff on it.

The upswing is that often it's completely wrong, as the example on the radio this morning of a fellow who is confused with about six other people, including women. It comes with the downside that getting these busybodies to correct erroneous data is nearly impossible.

Uh oh... (4, Funny)

Faust7 (314817) | more than 9 years ago | (#11781827)

Man, I hope Jon Stewart's wasn't in there!

Oh wait...

Re:Uh oh... (4, Funny)

kill-hup (120930) | more than 9 years ago | (#11781930)

I'll bet Ted Hitler was watching and knows what it is ;)

Re:Uh oh... (1, Informative)

learn fast (824724) | more than 9 years ago | (#11781947)

This is a reference from yesterday's Daily Show.

But, I noticed, that couldn't be Jon Stewart's real social security card, because the name that would appear would be his real name, which is Jonathan Stuart Leibowitz.

Re:Uh oh... (0)

Anonymous Coward | more than 9 years ago | (#11782003)

Also, Jon was born in NY, not CA (the SS# given was a CA one). Still funny as hell.

He changed his name (1, Informative)

Anonymous Coward | more than 9 years ago | (#11782094)

From: http://www.answers.com/topic/jon-stewart

Stewart married long-time girlfriend Tracey McShane in 2000, at which time they both legally changed their last names to "Stewart." The couple had their first child, Nathan Thomas, on July 3, 2004.

Re:Uh oh... (4, Insightful)

GillBates0 (664202) | more than 9 years ago | (#11782038)

Good one :)

I liked the way how he subtly hinted at the folly of using identifiers as passwords. An identifier is supposed to be public (akin to a login)... but it is increasingly being treated as a password....something which it was never designed to be.

I have the same problem with credit card numbers too. They aren't supposed to be secret - a variety of persons have an opportunity to read/record/duplicate them every time you use it at a restaurant/merchant/online/etc. There should be some other "secret" mechanism (the written signature is overrated, outdated and ineffective). Some debit cards do require a PIN (unfortunately not always), which is the proper way to go about it (assuming the swiping mechanism, keypad etc. are not rigged).

If enough news outlets spread awareness about this issue and enough people stop treating their SSNs as a secret or at least protest against businesses using them as an authentication mechanism, maybe we could have a better system.

Idiots (1)

Anonymous Coward | more than 9 years ago | (#11781834)

Don't put it on the web unless you can secure it. Period

Define "breach" (4, Insightful)

chill (34294) | more than 9 years ago | (#11781836)

Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

-Charles

Re:Define "breach" (5, Informative)

Ironsides (739422) | more than 9 years ago | (#11781965)

Well, since their security consisted of "So long as no one increments their unique number we assigned them by 1 in the browser location bar", I'd say that they were pretty much dumb idiots. Sloppy doesn't begin to cover this.

Re:Define "breach" (1, Insightful)

Tackhead (54550) | more than 9 years ago | (#11781968)

> Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

Yes. Anybody who thinks there's a difference between those two choices shouldn't be allowed to set security policy, data retention policy, or have input into the design of any web application on any system that stores private (personally-identifiable) customer data.

I'd go further: they shouldn't be allowed within an airgap's distance of any system with confidential data on it. If you cannot explain, or worse, if it takes you less than 30 seconds to explain the distinction between poor design and being cracked, you, and everyone who works under you, use the sneakernet.

If you can't explain the difference - it's obvious that you're too clueless to be trusted with customer data. If you can explain the difference in soundbite fashion: "It's always because we were hacked!", you're part of the PR operation, and have been trained to speak in soundbites, and you're too slimy to be trusted with customer data.

If you come up with this post -- starting with a one-line quip, and then taking more than 30 seconds to explain it -- you might be enclued enough to come up with a trustworthy design that might be worth looking into implementing.

Re:Define "breach" (0)

Anonymous Coward | more than 9 years ago | (#11782169)

So you're only competent if it takes you more than 30 seconds to explain that there is no difference?

Oops - took me less than 20 seconds to type that. I guess that I'm clueless. But what strange planet are you from?

Re:Define "breach" (3, Insightful)

jonbrewer (11894) | more than 9 years ago | (#11781999)

Does it mean something along the lines of "we were actively attacked by skilled persons who exploited a little-known/unknown flaw" or does it mean "we were sloppy".

It means they were sloppy. People play with URL strings all the time.

It's trivial, especially so in ColdFusion, to make sure that the browser you authenticated is the only one you'll serve a particular document to. PayMaxx and their developer were negligent here without question.
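The failure described in the two comments above (a sequential document id in the URL that the server trusts) beside the check jonbrewer is referring to, as an added example in Python rather than ColdFusion; this is illustrative code, not PayMaxx's. The request object, the session principal and the W-2 table are constructed stand-ins.

```python
"""Added example (not PayMaxx's code): the "increment the id in the URL" failure
next to a handler that ties each document to the logged-in user. Request,
session and W-2 table are constructed stand-ins for the demo."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: W-2s keyed by a sequential, guessable document id.
W2_STORE = {
    1001: {"owner": "alice", "ssn": "xxx-xx-1111", "wages": 52000},
    1002: {"owner": "bob",   "ssn": "xxx-xx-2222", "wages": 61000},
    1003: {"owner": "carol", "ssn": "xxx-xx-3333", "wages": 48000},
}


@dataclass
class Request:
    user: Optional[str]                       # principal from a validated session; None if not logged in
    params: dict = field(default_factory=dict)  # query-string parameters as received


class Forbidden(Exception):
    pass


def get_w2_vulnerable(req: Request) -> dict:
    """Trusts the id parameter outright: whoever reaches the URL gets the record."""
    return W2_STORE[int(req.params["id"])]


def get_w2_hardened(req: Request) -> dict:
    """Authorise against the session, not the URL: the id only selects among the
    caller's own documents. A missing id and someone else's id get the same
    answer, so the id space cannot be mapped by probing for differences."""
    if req.user is None:
        raise Forbidden("login required")
    rec = W2_STORE.get(int(req.params["id"]))
    if rec is None or rec["owner"] != req.user:
        raise Forbidden("no such document")
    return rec


def walk_ids(handler, user: Optional[str], id_range) -> list:
    """The enumeration the submitter described: sweep ids through a handler
    and keep whatever comes back."""
    found = []
    for doc_id in id_range:
        try:
            found.append(handler(Request(user, {"id": str(doc_id)})))
        except (Forbidden, KeyError):
            pass
    return found


if __name__ == "__main__":
    sweep = range(1000, 1010)
    print(len(walk_ids(get_w2_vulnerable, "bob", sweep)), "records through the vulnerable handler")
    print(len(walk_ids(get_w2_hardened, "bob", sweep)), "record through the hardened handler")
```

Logged in as one user, the sweep pulls every record from the first handler and only that user's own record from the second; without a session the second returns nothing at all. Switching to long random document ids would slow the sweep down but is not a substitute for the ownership check, since ids still leak through links, logs and referers.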

Terrifying quote ... (4, Insightful)

gstoddart (321705) | more than 9 years ago | (#11781837)

"we already cooperate with a significantly experienced testing agency and have been tested several times for security issues."


That they weren't even willing to listen when someone pointed this out to them is appalling.

I wonder if their failure to actually do their job might land them in trouble. Saying that you've been audited for security and therefore no problem exists is kind of a cop-out.

ALL YOUR DATA ARE BELONG TO US! (2)

Thud457 (234763) | more than 9 years ago | (#11781840)

With guardians like this, pretty soon the whole XXX-XX-XXXX range will be p0wn3d!

Re:ALL YOUR DATA ARE BELONG TO US! (0)

Anonymous Coward | more than 9 years ago | (#11782029)

With guardians like this, pretty soon the whole XXX-XX-XXXX range will be p0wn3d!

Which actually wouldn't be a bad thing, because then no one would trust it as secure information anymore. Other means would be required to prove authenticity of an identity.

On Your Way To Destruction (1)

ackthpt (218170) | more than 9 years ago | (#11782176)

With guardians like this, pretty soon the whole XXX-XX-XXXX range will be p0wn3d!

This is nothing. Insiders are still the biggest threat. A few years back some people were found in possession of complete sets of CDs containing DMV information on all drivers in a state (I forget which: Oregon or Washington); that sort of thing was most likely an inside job.

They don't want to pay for sysadmins (3, Insightful)

sundru (709023) | more than 9 years ago | (#11781843)

Usually financial companies like this feel it's a waste to pay a good experienced sysadmin to keep their shit secure. It's only recently that all companies have started adopting IT as part of their business model.

But will this matter... (4, Funny)

popo (107611) | more than 9 years ago | (#11781845)

...if President W does away with Social Security?

Re:But will this matter... (1)

Procrastin8er (791570) | more than 9 years ago | (#11781932)

His proposed plan does not do away with SS, but allows you to control how a small (15% I think) portion is invested.
I like the idea of controlling how my money is invested.

Re:But will this matter... (4, Insightful)

popo (107611) | more than 9 years ago | (#11782061)

YOU ARE A SUCKER.

S.U.C.K.E.R.

First off: By his own acknowledgement, a self-directed system of investment does nothing to resolve the financial problems facing social security.

Secondly: The problems facing social security are a direct result of decreases to taxes which require decreases in social spending.

Thirdly: Social Security is SUPPOSED to be money you can't fuck up. It's supposed to be money that isn't at risk. That's the definition of the word "SECURITY" you dumbass. If you turn it into "Risk Capital" you've got no security at all.

Do you also like the idea of homeless old people? Because if you get rid of social security that's EXACTLY what we'll have again. (Yes, its what we had before Social Security).

Once again the administration has fooled the gullible American public into believing that a correlation exists between his policy and some impending problem. World Trade Center gets attacked? Let's invade Iraq. (total non sequitur). Social Security in financial jeopardy? Let's create private accounts. (and another non sequitur)

Want to control how your money is invested? Open a friggin e*trade account. Want to synthesize a bull market so you and your banker buddies can get rich? Flood the market with the biggest private investment in the history of the world.

I call bullshit. And so should you.

When will you dumbasses learn.

Re:But will this matter... (1)

Thud457 (234763) | more than 9 years ago | (#11782147)

Then how come it's titled GW Bush's "How to eat seniors" plan?!!!

Re:But will this matter... (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11782156)

Not quite 15%...

The plan is supposedly 1/3 of the current payroll tax that you are responsible for (6.2% of your payroll; the company you work for is responsible for the other 6.2%) will be allowed to be diverted into private accounts.

Do the math.

In the year 2000, the average per capita income was $42,000 per household.

$42,000 x (1/3) x 6.2% = $868 per year

If you work for 30 years,

$868 x 30 = $25140 (assuming no interest or income increase of course).

Let's say you made out like a king on your interest/payroll increases and your account had even $50k in it. What good is that going to do you over your next 20-30 years of retirement life? Absolutely squat. Plus you'll have the proportion of people who are too stupid to manage that $50k themselves and they will blow it.

In short, people are dumb, and they need SS to provide them at least enough to pay a heating bill and buy food staples.

Re:But will this matter... (1)

BlakeCaldwell (459842) | more than 9 years ago | (#11782164)

actually, pay attention, the plan hasn't been described yet.

you're either a soundbite whore, or a dubya whore... either way you're mindless if you support a plan you don't have the details for...

i'll bet if we had such a super "it's my money let me invest it" social security plan back in 1929, thousands of americans would have done very well in retirement... get ready, cause there's another crash coming someday... i'll bet you'd rather have the guaranteed money than to stake your retirement in the stock market...

As this becomes commonplace... (5, Interesting)

Anonymous Coward | more than 9 years ago | (#11781846)

You know, the more of this I see, the more annoyed I become.

We're taking the wrong tack here... the problem isn't that SSNs and CC#s are so insecure - the problem is that we have become so dependent upon just one or two pieces of information that identity theft has to defeat only one or two "choke points" to screw us.

Instead of improving security at the choke points - which will always be under heavy attack - why not make identity theft harder by multiplying the potential number of choke points? If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

Seriously... are we burying our heads in the sand and attacking the wrong thing here?

--AC

Re:As this becomes commonplace... (2, Insightful)

TripMaster Monkey (862126) | more than 9 years ago | (#11781977)

If someone has to have, say, my Driver's License, Passport, Social Security Number, Credit Card Number, "Personal ID Password" and, say, a "Counter-Identity-Theft Number" suddenly ID theft becomes a heck of a lot harder.

It certainly does...along with just about everything else that requires you to furnish proof of your identity.

If people can't be bothered to pick a secure password, there's no way they'll be able to keep up with a scheme like the one you've just outlined.

Now, if you ask me if I have a better idea, sadly, the answer is no. If I did have a better idea, I'd be making money off it by now.

Caveat Webitor is pretty much the only suggestion I have on the topic, and it's woefully inadequate.

Not to worry! (4, Insightful)

BLKMGK (34057) | more than 9 years ago | (#11781980)

The moment you decide to require ALL of those things to be validated some dumbass will put them all in a database record side by side unencrypted with no password protection. The end user will be forced to endure more hoop jumping but the sum total of added security would be quickly nullified by the morons of the IT world. It only takes one village idiot to ruin things.

Re:Not to worry! (1)

DCheesi (150068) | more than 9 years ago | (#11782121)

Exactly. If you require all that information to validate your identification, then by definition the organization that needs to validate you has to have all that information stored somewhere, in such a way that it can all be retrieved at the same time. And as long as third parties are allowed to compile databases of this information, they will be vulnerable to exploitation as well.

Re:As this becomes commonplace... (1)

slashkitty (21637) | more than 9 years ago | (#11782099)

That was my first thought as well. When I recently opened a bank account, they asked for all that information.

However, when everyone starts requring that information, it'll be in all the insecure databases as well.

I think the answer is more about actually contacting the person when opening new accounts.

asdfdasf (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11781848)

asdfasdf

Socials? (1)

TripMaster Monkey (862126) | more than 9 years ago | (#11781853)

Holy crap...one can do so much with a SSN.

I hate to say it, but I think it's time the Government steps in. This sort of thing simply cannot be allowed to continue. These data warehousing companies must be held to account.

Re:Socials? (4, Insightful)

Soko (17987) | more than 9 years ago | (#11782122)

No kidding. Hey, let's put Carnivore to good use for once - let's put this into terms that will send a red flag up over Washington:

Think about the following, in terms of being a terrorist, or just someone who wants to gain illegal entry into a country un-noticed:

With a W-2 (which is a statement of income for last year, I presume, like a T4 in Canada where I live) you now have:

- A valid name of a US Citizen
- That citizen's SSN
- their place of employment complete with job title
- last year's earnings, which should allow you to look the part if you decide to impersonate them
- their home address

All of this put together would allow for the easy forging of identity papers. Yup, it could allow a terrorist unfettered entry into the US with a great degree of anonymity and secrecy.

Hi, Mr. Rumsfeld - feeling OK now?

Soko

W-2??? (0, Troll)

BlakeCaldwell (459842) | more than 9 years ago | (#11781856)

omg, this is getting bad... now salaries are out there...

"begin humiliation sequence..."

Re:W-2??? (1)

Rude Turnip (49495) | more than 9 years ago | (#11782073)

Salaries don't matter, not that it's anyone's business to know. It's the SSN that really counts.

Re:W-2??? (1)

BlakeCaldwell (459842) | more than 9 years ago | (#11782103)

well... i disagree...

now the homeless guy i walk past on the way to work will know that i really can afford to give him a quarter!!

Finally (5, Funny)

Monkelectric (546685) | more than 9 years ago | (#11781869)

An upside to being unemployed.

Re:Finally (1)

Quixote (154172) | more than 9 years ago | (#11782166)

I'm sure the designers of the PayMaxx system will experience this benefit firsthand pretty soon.


Apologize and fix it! (1)

rueger (210566) | more than 9 years ago | (#11781870)

What is it with corporations today? When a customer points out that you are making a horrible mistake there is only one option.

Acknowledge it, say that you're sorry, and fix it!

Everyone makes mistakes - the question is what you do to make things right.

"Nah, let's insult the customer, ignore them, and hope that problem will just go away. Surely no-one else will ever notice."

"Hey - what's that lawyer doing here?"

Re:Apologize and fix it! (1)

TripMaster Monkey (862126) | more than 9 years ago | (#11782088)

"Nah, let's insult the customer, ignore them, and hope that problem will just go away. Surely no-one else will ever notice."

Sounds like Micro$oft's Public Relations strategy.

(Sorry, but someone had to say it...)

Hell, I already knew all that info (3, Funny)

Anonymous Coward | more than 9 years ago | (#11781871)

just by going thru your trashcan. By the way, you really should ask for a raise.

Rocky Raccoon.

p.s., please stop dumping the bathroom trash can in with the kitchen's. Thanks.

100,001 (2, Funny)

Anonymous Coward | more than 9 years ago | (#11781877)

324-12-1125

Not the only mistake... (0)

Anonymous Coward | more than 9 years ago | (#11781878)

You wally, when you posted this your username was exposed!

Free credit reports... (2, Informative)

borawjm (747876) | more than 9 years ago | (#11781881)

I guess it's a good thing that I can get free credit reports [annualcreditreport.com] from each of the nationwide consumer credit reporting companies starting March 1st.

Re:Free credit reports... (1)

ChaosCube (862389) | more than 9 years ago | (#11781958)

Isn't that just for a few pilot states? I was under the impression that there would be 13 or so states with that access for the first year. However, I am often wrong and this could be one of those times. Anyone know?

Re:Free credit reports... (3, Informative)

borawjm (747876) | more than 9 years ago | (#11782139)

I believe they are doing it in phases.

From ftc.gov [ftc.gov] ...
Free reports will be phased in during a nine-month period, rolling from the West Coast to the East beginning December 1, 2004. Beginning September 1, 2005, free reports will be accessible to all Americans, regardless of where they live.

Consumers in the Western states -- Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming -- can order their free reports beginning December 1, 2004.

Consumers in the Midwestern states -- Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin -- can order their free reports beginning March 1, 2005.

Consumers in the Southern states -- Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas -- can order their free reports beginning June 1, 2005.

Consumers in the Eastern states -- Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia -- the District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, 2005

Re:Free credit reports... (1)

EvilMagnus (32878) | more than 9 years ago | (#11782089)

And the funny thing is, it's not online!

You fill out a form, they send you (via snail mail) *another* form, you fill that in and send it back, then wait 4 - 8 weeks for your free report.

Almost as if, at every step of the way, the credit bureaus wanted to make it hard and inconvenient for you to get this info for free, rather than paying $30 to do it online.

Re:Free credit reports... (1)

bavander (316929) | more than 9 years ago | (#11782129)

I'm in Arizona, and I managed to get one easily online, no paper forms at all. I am doing one every 4 months, so it will be a bit before I try the other two.

Re:Free credit reports... (1)

eikonoklastes (530797) | more than 9 years ago | (#11782170)

Nope. I just got my free ones (I pulled two of three possible) last week. Both were done online as quickly as I could validate myself.

Sophisticated? (5, Insightful)

kill-hup (120930) | more than 9 years ago | (#11781885)

"No system in the world is 100 percent secure from a sophisticated and determined hacker"

I can't see what is so highly sophisticated about incrementing an ID passed as a URL parameter.

I think they are lucky to not have been visited by some real "sophisticated hackers"...

Re:Sophisticated? (0)

Anonymous Coward | more than 9 years ago | (#11781993)

Look [slashdot.org] ! My sophisticated and determined hacking skills have fixed the color scheme for the IT section!

Re:Sophisticated? (1)

gorbachev (512743) | more than 9 years ago | (#11782084)

Obviously it was way too sophisticated for PayMaxx and their "security" experts.

Re:Sophisticated? (1)

B3ryllium (571199) | more than 9 years ago | (#11782134)

I think maybe they read the man page for wget. That's pretty damn sophistimacated. ;-)

School SSN (1)

Virtual Karma (862416) | more than 9 years ago | (#11781888)

This is exactly why it's mandatory for universities to change their systems to use a separate school ID and not the SSN.

Social insecurity (2, Funny)

nahnkari (732424) | more than 9 years ago | (#11781889)

Looks like social security is really in trouble. Let's rename SSN to Social Insecurity Number (SIN).

fine! (0, Redundant)

charon_1 (562573) | more than 9 years ago | (#11781890)

These guys should be fined to Hell for that. If the government lets this go without any punishment, it will just keep happening.

Whew (0)

Anonymous Coward | more than 9 years ago | (#11781894)

All I can say is thank God that I've been unemployed since the dot-com crash!

FP (0)

Anonymous Coward | more than 9 years ago | (#11781899)

FP

Alternate link (3, Informative)

caryw (131578) | more than 9 years ago | (#11781900)

There is a more in-depth article about this at the Boston Globe [boston.com] .
First ChoicePoint now this? How long until a major government database like one from the IRS gets hacked and information on almost every US citizen is available? Scary thought.
- Cary

Re:Alternate link (0)

Anonymous Coward | more than 9 years ago | (#11782104)

Only when you have nothing more to lose are you completely free... Tyler Durden

Throw the book at em (1)

sulli (195030) | more than 9 years ago | (#11781903)

Does PayMaxx do business in California? If so, it too may be subject to criminal liability for failing to protect individuals' information.

...heh (1)

Renraku (518261) | more than 9 years ago | (#11781905)

Anyone else think that Slashdot is starting to look like the 'News' section from the Uplink game..?

When will they learn (0, Insightful)

Anonymous Coward | more than 9 years ago | (#11781906)

When are people going to learn to encrypt information before putting it into a database. This is so simple to do.


Re:When will they learn (1)

BlakeCaldwell (459842) | more than 9 years ago | (#11782044)

nope -- false sense of security...

if we're talking about information that's shown on the web, then at the least, the php/asp/java code that displays it knows how to pull it out of the database... so if the server is compromised, a cracker that's capable enough to get in will be capable enough of getting to that script...

plus, the other hacked-in data warehouse was hacked by people posing to have valid accounts... that data they were given access to would have been decrypted at that point anyway..

everyone thinks encrypting things is the way to go -- if the door's locked, go after the guy sitting there next to it with the key...

How EXACTLY would that have solved the problem? (1)

BLKMGK (34057) | more than 9 years ago | (#11782087)

He didn't dump the RAW contents of the database tables, he didn't steal the disks. Encryption would've done absolutely ZIP to fix this issue. He was using a legit login and interface to view the data; had encryption existed (and it may have actually) then the account he was using would've dutifully decrypted the data and displayed it. A security genius you are not...

We all need to get physically marked with a number! (2, Funny)

Anonymous Coward | more than 9 years ago | (#11781910)


(just to freak out the Christians of course)

Who needs security... (0, Troll)

geekwithglasses (734205) | more than 9 years ago | (#11781912)

when you can just unplug the darn thing?


paymaxx ? (1)

ilikeitraw (706793) | more than 9 years ago | (#11781913)

Who would use a company called PayMaXX with two X's anyway ?
At least you have a pal at Paypal !

(im retarded)

Fingerprints/retinal scan (0)

Anonymous Coward | more than 9 years ago | (#11781914)

All credit applications should require a fingerprint or retinal scan observed by a qualified individual.

You can still steal my identity, but if you have to use one of my fingers or eyes chances are I'll know about it.

Re:Fingerprints/retinal scan (2, Insightful)

BlakeCaldwell (459842) | more than 9 years ago | (#11781991)

you think that's much better? a fingerprint scan is just another piece of digital information that they'd have to store...

and they'd probably sell that information as well, so other services can verify your fingerprint too...

so, we're back at square one.

They don't get paid to be secure. (2, Insightful)

jimbro2k (800351) | more than 9 years ago | (#11781917)

These companies don't get paid to be secure, and in the related Choicepoint case, Choicepoint only makes money by selling your data.
The more people they sell to, the more money they make.
In this case, keeping your data secure costs money, so it just doesn't pay.

Oh, you think they should care about you? For a price, maybe they will... :-)

Re:They don't get paid to be secure. (0)

Anonymous Coward | more than 9 years ago | (#11781990)

Yes, but if everyone can get it by hacking their servers, they don't make any money by selling it.

Your argument is akin to saying "that jewellery shop is there to sell people jewellery - not keep their stock secure".

Re:They don't get paid to be secure. (1)

ntsucks (22132) | more than 9 years ago | (#11782090)

Well then by that line people need to make it worth *their* money to improve security. Stop doing business with them. If their client list dries up, I bet their security would beef up.

Of course that assumes Joe Six-Pack knows just how stupid they are for implementing such a lax method of securing personal data.

They got hacked (0)

Anonymous Coward | more than 9 years ago | (#11781920)

To the maxxxxxxxxxxxxxxxxxxxx!

Time to write to my Congressman (2, Interesting)

Ironsides (739422) | more than 9 years ago | (#11781929)

I'm thinking that it's time to write to my state and federal congressmen to get California's Security Breach Information Act (S.B. 1386) amended into state or national law. That way when this shit happens I can find out if any of my info is at risk.

When will these idiot companies start taking security seriously instead of being idiots about it? Time to take a page out of the "If I were an Evil Overlord List": One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation. and My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords. Source [eviloverlord.com]

On a side note, all this stuff just keeps reminding me about the No Networked Systems requirement in BattleStar Galactica.

Yeah, it's insecure. So? (3, Insightful)

dmccarty (152630) | more than 9 years ago | (#11781935)

There's a common misconception here in the US that "my" social security number and "my" income data is personal information that belongs to me only. Breaking news: it's not. Once you file your taxes, buy stock, etc. these become public records. And public records, thanks to the FOIA (Freedom of Information Act), are documents that can be accessed by the public at large.

Do you think it's bad that PayMaxx shows people's personal information on the web? Of course it is. But how about if you get it legally from the IRS instead [irs.gov] ?

It's time to admit the failure (1)

WillAffleckUW (858324) | more than 9 years ago | (#11781942)

and it's been more than four years of constant and unending failures, that just keep getting bigger and bigger and bigger.

Next they'll tattoo us with barcodes and require we use fingerprints to buy coffee - oh, wait, they already DO!

Dang, when will this failed regime END!?!

Sophisticated and determined??? (5, Interesting)

Weaselmancer (533834) | more than 9 years ago | (#11781960)

From the article:

"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com.

And...

Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form.

Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.

Sophisticated and determined my ass!!
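Added example (Python, not PayMaxx's code or anything from the article): the lookup pattern the quoted article describes, where the link's id is the only input, beside a hardened lookup that ties each form to the logged-in account and, as defence in depth, hands out random tokens instead of sequential ids. Account names, ids and record contents are constructed.

```python
"""Added example: broken access control on sequential ids vs. an ownership
check plus unguessable download tokens. All records below are constructed."""
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class W2:
    doc_id: int       # sequential database id, as in the design described
    owner: str        # customer account the form belongs to
    ssn_last4: str    # constructed placeholder, not a real SSN
    wages: int

# Constructed sample table with sequential ids.
W2_TABLE = {
    1001: W2(1001, "alice", "1234", 52000),
    1002: W2(1002, "bob", "5678", 61000),
}

def fetch_w2_insecure(doc_id: int) -> Optional[W2]:
    """The flaw: nothing relates the id to the requesting account, so a
    neighbouring id returns another customer's form."""
    return W2_TABLE.get(doc_id)

def can_access(session_user: str, doc_id: int) -> bool:
    """Authorization check: the form must belong to the requesting account.
    Treating 'missing' and 'not yours' alike avoids confirming which ids exist."""
    rec = W2_TABLE.get(doc_id)
    return rec is not None and rec.owner == session_user

def fetch_w2_secure(session_user: str, doc_id: int) -> W2:
    if not can_access(session_user, doc_id):
        raise PermissionError("document not available to this account")
    return W2_TABLE[doc_id]

# Defence in depth: address forms by a random token so the URL carries no
# enumerable structure. The ownership check above still applies.
TOKEN_INDEX: dict = {}

def issue_download_token(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    TOKEN_INDEX[token] = doc_id
    return token

def fetch_w2_by_token(session_user: str, token: str) -> W2:
    doc_id = TOKEN_INDEX.get(token)
    if doc_id is None:
        raise PermissionError("document not available to this account")
    return fetch_w2_secure(session_user, doc_id)
```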

Fight Club (1)

Doc Ruby (173196) | more than 9 years ago | (#11781963)

Remember how cool those collapsing credit card company buildings looked at the end of Fight Club [imdb.com] ? Well, the personal info copyright violators have flipped the script on us. They're profiting mightily, while trashing our identities. Time to fight the power [publicenemy.com] .

common sense (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11782025)

Why not just create a national id that is not sensitive?

Everyone is just piggybacking off of the social security administration.

At least they could have created a password to use with your SSN so no one else can use it with the password instead of just knowing it.

Security and Windows and courts. (1, Interesting)

Anonymous Coward | more than 9 years ago | (#11782047)

If you check back on all the screw-ups, and cracked systems, you will find that they all run Windows. While the screw-ups can be sued just for screwing-up, the fact that they run an insecure OS is another sign of total ineptness and easy to prove in a court.

It would be useful to see class action suits go against these companies as being run by inepts. In fact, I wonder if it is possible to hold the CIO personally responsible.

Once a few lose their homes or are thrown in jail, the bribes will no longer matter and real security will start to happen.

This explains a lot (1)

KinkifyTheNation (823618) | more than 9 years ago | (#11782053)

No wonder why online trust [slashdot.org] is failing.

They're not trying to make it secure... (0)

Anonymous Coward | more than 9 years ago | (#11782067)

http://uptime.netcraft.com/up/graph/?host=www.paymaxx.com

I can't find the list. (1)

eXoXe (157466) | more than 9 years ago | (#11782072)

Anyone have the list of the Social Security Numbers that were exposed?

Punishment (1)

nate nice (672391) | more than 9 years ago | (#11782078)

It's time to make this company Paymaxx! Mistakes like this are simply unacceptable and should be treated as crime IMO.

Dupe (1)

kajoob (62237) | more than 9 years ago | (#11782080)

I mean it's on the main page [slashdot.org]

no wonder (0)

Anonymous Coward | more than 9 years ago | (#11782140)

no wonder nobody trusts the internet...

Yeah, but (2, Funny)

oliana (181649) | more than 9 years ago | (#11782145)

Did you get any of the names and numbers? Where do I buy them??