Ameritrade Data Breach

Tuesday, April 30th, 2019 (No comments yet)
Businesses, Privacy
(Image is in the Public Domain)

There's just nothing more I can say about this so I'll stick with pointing you to the news articles and just shut up.

Update:

On second thought, here's an interesting article stating that they knew about the breach since last May!

Tags: ,

Monster and USAJOBs Hacked

Tuesday, September 4th, 2007 (No comments yet)
Ars Technica reports that the database for the Internet job search site, Monster.com has been hacked. Though they say that only resumes were stolen (so no SSNs), it's still a problem because the data on people's resumes can be used for spear-phishing. Something they forgot to mention is something I learned though other sources. USAJOBs, the site used by the government to post jobs and such, is run with Monster technology. Therefore, the hack affects both sites. Be especially aware of phishing attempts in the near future should you use either of these sites. Tags:

FTC Seeks Comments on Use of Social Security Numbers

Wednesday, August 1st, 2007 (No comments yet)
I wonder if it will do any good this time, but the FTC is requesting comments on how SSNs tie into ID theft. I wasn't too excited by the results of their last attempt to seek comments.
Yes, I know that I'm complaining about the ID Theft Task force and not the FTC directly, but the head of the FTC was the co-chair of the task force so I'm going to lump them together. So there.
Tags:

Use Virtual Credit Cards to Control How Companies Use and Store Your Credit Card

Wednesday, July 25th, 2007 (No comments yet)
A virtual credit card is a short term working credit card that has restrictions such as payout amounts, time of use, or merchants who are allowed to debit it. Using these, if the company you're buying from data-brokerings you for your card number, it won't matter because the number they have is worthless after the set period of time or number of transactions etc. JTAG ERROR: No lifehacker_ht index defined Tags:

SAIC Security Goof Threatens 580,000 Military Personnel

Monday, July 23rd, 2007 (No comments yet)
A common story. With a common worthless response:
SAIC spokespeople said that several employees were placed on leave after the incident was disclosed, and that it contracted data security company Kroll Inc. to provide free identity theft protection for all affected individuals for one year.
Aww. How nice. Now it looks like they're doing something. Tags:

Another Day, Another Hidden Data Breach Exposed

Wednesday, July 18th, 2007 (No comments yet)
Pfizer lost data, blah, blah, blah. All these reports do is strengthen the arguments for credit freezes and against data brokering. If we could freeze our credit reports, this wouldn't be a problem and if they didn't rape us for our data, this wouldn't have happened (oversimplified, yes, but it's the basic idea). Tags:

Maryland Gets Credit Freezes!

Thursday, July 12th, 2007 (No comments yet)
I feel pretty dumb for not noticing this new law, but now Maryland residents will get credit freeze protection! It doesn’t go into effect until Jan 1st, 2008, but as soon as it does, people in Maryland will no longer have to worry about most ID theft or data breaches. Here’s a link to the PDF describing the process for implementing the freeze: Consumer’s Union Writeup of Maryland Credit Freeze procedures. Tags: ,

New Firefox 3 Feature Makes it Easier to Spot Phishing

Thursday, July 12th, 2007 (No comments yet)
The Firefox team has decided to include a user-written plugin into the standard release of Firefox 3. This plugin highlights the domain name making it easier for normal users to see and understand what site they’re actually on versus what they think they’re on. For example, most people think that just because the url says yourbank.com anywhere means that’s the site they’re on. The reality is that it must be in this format: http://[anything at all].yourbank.com/[anything else] to be valid. Any other arrangment is a phishing attack: http://yourbank.loans.com http://12.293.28.18/yourbank.com etc. This plugin will make it easier to spot by highlighting the valid part of the URL which is the domain (which is easily confused by less techie users who don’t understand that the domain section of the URL is backwards). Tags: ,

TJX Blames Weak Wireless Security

Thursday, March 14th, 2019 (No comments yet)
Businesses, Security
Darn those hackers... so clever.
(Image used under: Creative Commons 2.0 [SRC])

This is so, so stupid. It's not weak security, its that you data-abused us for all our customer data that we didn't want you to keep anyway. If you hadn't stored all the data on us, you couldn't have lost it.

In addition to pilfering over 45 million—and possibly as many as 200 million—credit card and debit card numbers, the hackers were also able to obtain other personal data from over 450,000 customers. This included driver's license numbers and Social Security numbers.

I already know they don't need to store our credit cards, but licenses and SSNs?

Tags: , ,

ID Theft Taskforce Issues Final Recommendations and Strategic Plan

Wednesday, March 13th, 2019 (No comments yet)
Federal Trade Commission
(Image is in the Public Domain)

On April 23rd, the ID Theft Task Force that's chaired by Alberto Gonzales (the US Attorney General) and co chaired by Deborah Platt Majores (the chairwoman of the FTC) has released their final recommendations for reducing identity theft.

Here are a few of their better recommendations:

  • Decrease the unnecessary use of social security numbers in the public sector
    For example, the federal Office of Personnel Management (OPM) has already done an internal review and realized that they were using SSNs in many cases where it wasn't necessary. They havebegun issuing employee numbers instead of just using SSNs. Dang straight! Stopping data brokering is a very good first step.
  • Develop comprehensive record on private sector use of SSNs
    What they mean by this is that they need to study how SSNs are used in businesses to determine how much is legitimate use and how much should be stopped, controlled, or altered. They plan to have completed this study and made recommendations to the president by first quarter '08. Ditto above: Stopping data brokering is a very good first step.
And here are some of their less-thought-out ones:
  • Educate Federal Agencies on how to Protect Their Data and Monitor Compliance With Existing Guidance
    Okay… Granted, bringing laptops home to get stolen was stupid the first time and got successively stupider as time went. Theoretically, by teaching the agencies obvious security and then monitoring compliance, we should be able to stop or reduce that particular type of data loss. The important point to note here is that if an agency fails to protect data properly, they will be harshly punished by having that fact noted on their PMA scorecard *rolls eyes*. What this means and what the consequences are (if any), I have no idea.
  • Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
    This means they're going to develop a set of guidelines on how to handle breaches and issue it to all agencies (which they've already done). The guidlines will (emphasis mine):
    set forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected.
    Ugh. So they might not even tell you that they messed up by losing your data now? That's some good accountability there. And credit monitoring? Are they still going on about this? I find it so hard to trust the opinion of someone who suggests credit monitoring as any kind of response to a data breach.
  • Establish National Standards Extending Data Protection Safeguards Requirements and Breach Notification Requirements
    They want to create a national standard of safeguards that applies to all "private entities that maintain sensitive consumer information". More importantly, they say that all such entities must be required to notify law enforcement and consumers of a breach. Though this requirement would only come into effect if there was "significant risk of identity theft" due to the breach. Their justification for this is that consumers wouldn't want to be "overwhelmed" by breach notifications. That's crap. If a company has to send out an "overwhelming" amount of breach notifications, perhaps enough people would leave that company to make said company actually implement some security. This loophole also fails in that there's a lot of wiggle room in "significant risk". Who decides what's significant risk or not? The company? If so, I bet all breaches will be labeled "low risk". Ah yes, and let's not forget our favorite clause. This legislation will preempt state laws on data breaches.

Where's the Freeze recommendation?

For those who don't know my site, I am a big proponent of credit security freezes. I am severely disappointed in this final set of recommendations in that they softened the language from their initial recommendations from
For residents of states in which state law authorizes a credit freeze, consider placing a credit freeze on their credit file.7 This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. A credit freeze cuts off third party access to a consumer’s credit report, thereby effectively preventing the issuance of new credit in the consumer’s name.
to
Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no "track record" to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

This is very weak and isn't even a recommendation of it's own, just a sub-component of "Assess Efficacy of Tools Available to Victims". So it went from the nice, solid (and correctly worded) "effectively preventing the issuance of new credit in the consumer’s name" to "there is no 'track record' to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers". Alberto Gonzales and Deborah Platt Majores should be ashamed of themselves for putting their names on this worthless report.

Update 9/27/2007

It looks like the credit reporting companies are starting to read the bones and pre-emptively offer credit freezes before they get legislated into having to provide it on worse terms and lower fees. Two out of three have jumped onto the bandwagon with only one holding out so far.

Tags: , , ,

Loading...

If you want to learn more about my professional background, click here to learn more.

Check out one of my guides/tutorials:

web posting dangers Tutorial
|INDEX|next: Spyware Scanners
Chat, Instant Messaging, Forums, and Internet Blogs are fun, but make sure you post carefully.
Sometimes spyware gets in your computer and the anti-virus won't stop it. Use a spyware scanner to find and remove spyware and adware.
Use a software firewall to detect bad code on your computer when it tries to connect to the Internet.
Always keep your system up to date with security patches or none of the rest of your security software will matter.
Use an encryption tool to protect your important data when storing or transmitting it.
Switch to Firefox for your web browsing and you'll be better protected from Internet threats.

... or check out any of my other guides and tutorials by clicking here!

Spyware Scanners

Learn how to detect and remove spyware and adware using a free scanning tool.

[Click for full description]

Software Firewall

Learn what a firewall is and why you want one on your computer.

[Click for full description]

Operating System Updates

Make sure to keep your operating system up-to-date with security patches or else none of the rest of your security software will be able to protect you.

[Click for full description]

File Encryption

Learn how to protect your important files on your computer or when transmitting them with free tools for file encryption.

[Click for full description]

Mozilla Firefox - Internet Browser

There are many browser choices out there. Read why I think Firefox is one of the best.

[Click for full description]