Forgot your password?
typodupeerror
Privacy

Experian, Ford, and Identity Theft 193

Posted by michael
from the run-over-by-the-canyonero dept.
corebreech writes "The mighty New York Times (I think they might want you to register) is reporting that hackers posing as Ford employees have managed to pilfer some 13,000 credit reports (Quality is Job 1.) Supposedly the info isn't restricted to merely credit card numbers, but rather includes such delectable delights as address, SSN, bank account info and creditworthiness. Glad I take the subway." The original story was from the Boston Globe.
This discussion has been archived. No new comments can be posted.

Experian, Ford, and Identity Theft

Comments Filter:
  • uhoh (Score:1, Offtopic)

    I suppose there will be many flames pointing out that the word "crackers" should have been used instead- damn Jargon File noobs.

    graspee
  • My payment is due tomorrow and I was planning on enrolling for electronic payment. Hmm, how much is next day air?

    • Bah. Just mail it it in. Most creditors give you a few days grace period and/or require the envelope be postmarked on or before the due date

      Even if they charge you a small late fee, it's likely to be less than next day air shipping charges

  • by Anonymous Coward
    Login to the New York Times website as:
    billclinton

    likescigars

    No need to give them your email address!
  • I'd be happy... (Score:4, Insightful)

    by jedrek (79264) on Friday May 17, 2002 @07:10AM (#3536184) Homepage
    In the land of the great lawsuit, which is America at the turn of the millenium, I'd be more than happy to have Ford leak my info. In a flash I'd have a family member sell of my identity to someone (or have a good friend assume my identity) and rock my credit record for all it's worth.

    Then I'd just sue Ford for lossing my info. They've already admited to doing it, so there's pretty much no burden of proof. Corporate neglegence should be pretty easy to prove.

    That sound you hear is lawyers sharpening their claws.
    • Re:I'd be happy... (Score:4, Interesting)

      by berzerke (319205) on Friday May 17, 2002 @09:44AM (#3536960) Homepage

      Burden of proof isn't the problem. Damages are. In my case, Experian (gee, the same company mentioned in the article), has royally screwed up my report with incorrect info. I did everything proper to try and get them to correct it. They flattly refused. I went to a lawyer specializing in these matters. He told that while I did have a strong case, suing would be a bad idea. Unless I could prove damages, I wouldn't even recover my attorney fees, let alone be compensated. You have to sue in federal court BTW. Expensive.

  • From Mr. Girard, Experian spokesman: "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."

    I don't even know where to begin with that one.

    • As someone who has been credit black listed in the UK (for the offence of letting a mobile phone company know that someone was using my address to sucker them, i.e. I was being the good guy).

      And then having to fire fight the unholy amount of shit that Experian et al caused me, over a period of months I have to wonder, what their definition of a bad guy is.

      As businesses go, these guys are really (, really, really) one sided, they sell information electronically about me for sod all to all and sundry (in the blink of an eye), but when they get it wrong, I can only contact them by snail mail, they take an age to fix the problem, and the problem is expected to "percolate" to their customers as they get their monthly/quarterly/half-goddam-yearly updates. They keep no record of who has the latest version of your information and see no obligation upon themselves to supply corrections to those that have bad data.

      In effect they wipe their hands of all responsibility, for propagating a lie about you!

      Sorry, rant over :)

      Does my anger come through here?
      • Yes. I guess my point is that consumer rating companies are pointing the finger, but it's their system that allows consumers to be exploited. They are casting Ford as a victim here, and Ford had the insecure information. Not to mention Ford's host of other general business practices that make me queasy. Let's not forget the tires on those SUV's that killed hundreds. This guy has a really twisted idea of victimization.
      • Tell me about it. I've had crap from Experian too.

        What really sucks is some of the algorithms they use to determine your credit references. This includes the credit references of people who live / lived in the same house as you - even flat mates who you hardly knew - even flat mates who _moved in after you moved out_.

        I don't know whether it's commendable or not, but they actually named the people who'd lived at the addresses I'd lived at in my copy of my credit report. Weird.

        So, yeah, credit reference agencies suck. They are the bad guys. I've never defaulted on a payment in my life, and I got turned down for credit cards because I'd lived at the same address as people with debts. It's just weird.

    • Re:Best Quote (Score:2, Insightful)

      You might want to start with the fact that it took these guys 10 months just to figure out they had a problem and another 2 months to get around to telling anybody about it. Then you might go on to point out that anybody who lets anyone automatically deduct money from their credit account needs to have their head examined. And you might conclude with a suggestion that companies that put their customers at risk shouldn't have to be sued by those customers to receive satisfaction. They should automatically be held responsible for their lapses.

      This all comes down to something I've been painfully aware of for most of my life, though it doesn't seem to be terribly obvious to those who need to recognize it. Which is the very essence of the problem itself: The guys at the top don't know what's going on at the bottom. They have their little meetings where they talk to the guys just under them in the corporate hierachy who in turn have had their little meetings with the folks under them and so on and so forth until you get to the bottom where the first line supervisors are more concerned with protecting their own butts than communicating anything of importance to their own supervisors. The former head of the company where I work once called this an "inversion layer," implying that there was some particular point where communications break down. This is how it looks, but it's not how it is. The lack of communications results from the fact that each individual level of organization in a company is not totally transparent to the level above it. It is simply the accumulation of many layers of less than complete transparency that results in the appearance of this mythical inversion layer. The real problem is too many levels of management and more precisely the whole multi-layered managerial system itself, where the guys at the top really don't won't to "dirty their hands" looking at anything more than one level below them. Not only is it impossible for them to know what's happening using the current organizational model, they don't really want to do anything that would allow them to know.

      If they did know, they would have to take responsibility. And nobody sitting behind an expensive desk making obscene amounts of money for having little meetings about his "vision" of the future wants to have to worry about being responsible.
      • What model do you suggest to replace the "multi-layered managerial system"? At large companies like Ford, I think that it's not a question of not wanting to dirty one's hands, but how does a CEO run a company with a few hundred thousand employees in a flat managerial hierarchy? Those management levels are in place not because he doesn't want to get in the "trenches", but because there aren't enough hours in the day.

        A CEO (or whatever you call the top person) must trust the lower level managers; the alternatives are micromanagement of each tier, or fire all managers and have EVERYONE report directly to the top person.

        Now, highly paid executives probably DON'T want to get their hands dirty, but that doesn't mean they are shirking responsibility. Again, flatter hierarchies can work, depending on the size of the corporation, but what do you do for the really huge ones?

  • What? (Score:1, Funny)

    by Arminius (84868)
    Ford do something wrong?

    BTW, i have a nice set of Firestone tires that came new on my Explorer to sell.
  • He got it wrong (Score:5, Insightful)

    by tshoppa (513863) on Friday May 17, 2002 @07:20AM (#3536221)
    From the NYT:
    It just shows that today, even big companies can be victimized
    No, it shows that every once in a while that the big companies will publicize that their security has been compromised. Of course, we all know that for every such case that makes the New York Times, there are thousands where they don't. And for every one of those, there are ten where the news of the security breach never leaves the company. And for every one of those there are probably a hundred where nobody at the company knows that they have gaping security holes.
    • Mr. Girard, the Experian spokesman, said ... "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."
      ___

      A never-ending struggle? Think about it. It seems that Ford and Experian have an agreement so that Ford can get credit information from Experian. The only thing needed is this security ID. A "never-ending struggle" seems to suggest it took them some time for Experian to come up with this system. How did it used to work?

      Ring Ring.

      Experian: "Hello Experian Credit Inquiry Line, whose personal details would you like?"

      Caller: "Err, I didn't say who I worked for yet."

      Experian: "Sorry what company are you calling from?"

      Caller: "Ford"

      Experian: "Whose personal details would you like?"

      Caller "Err, don't you want me to prove I work for Ford?"

      Experian: "Who would pretend they worked for Ford?"

      The mind boggles!!!

      Bob.
    • Hey... Are you talking about Microsoft? No discussing the security holes, dammit! We'll be secure if nobody finds out about them!
  • Just In Case... (Score:5, Informative)

    by LISNews (150412) on Friday May 17, 2002 @07:21AM (#3536227) Homepage
    www.ftc.gov/bcp/conline/pubs/credit/fcra.htm [ftc.gov] here's an FTC FAQ on credit reports.
    Experian [experian.com] , Transunion [transunion.com] and Equifax [equifax.com] are the big 3 for reports.
  • by maharg (182366) on Friday May 17, 2002 @07:22AM (#3536228) Homepage Journal
    From the original Boston Globe story (couldn't be bothered to register at NYT) :

    Van Leeuwen of Ford said he thought the company had done everything it could to help the individuals affected by the security breach, and didn't plan to offer them any financial assistance.

    Surely Ford have broken some law here ? In the U.K. there is something called the Data Protection Act, c'mon the U.S. has got to have some equivalent legislation.. They're not blaming it on hackers, they admit they don't know how the access code or whatever was taken !
    • Law?? *WHAT* law? (Score:3, Interesting)

      by darkonc (47285)
      I don't think that Ford did anything illegal. If anybody did anything illegal it would be the credit reporting companies that allow any company or group with enough money to generate identity theft kits with just a victim^w customer's home address.
    • Nope, the data protection act has no US equivalent. Are you feeling ressured?



      Basically, for those of you in the US, the data protection act, amongst other things, means you have to be careful with people's data. If you're not, they can revoke your license to hold personal data on people, very effectively killing off most
      businesses.

    • Surely Ford have broken some law here?

      Well, it's not clearn that it's Ford's problem. Sounds like some group managed essentially to get hold of Ford's password to the Experian database.

      • Yes Mr. President the nuclear missels have been launched. No we are not responsible some group managed essentially to get hold of the passwords, keys, and access.


        Give me a brake!!!! It IS FORDS responsibility!!! This has gone on for over a year before they found out. Do the passwords not change on a regular basis? If not then this will ahppen again and both these companies should be held responsible.


        Class action anyone?

  • by awharnly (183017) on Friday May 17, 2002 @07:23AM (#3536233)

    Read the article again. They didn't just steal the personal financial information of Ford owners.

    Only 400 of the 13,000 victims were customers of Ford Credit, he said.

    They just pretended to be Ford so that they could access the credit reports of thousands of people. Subway-riders included.

    • Glad someone go to that distinction before I popped off. FMC lends to almost anybody.

      Glad I drive a hydrogen powered Jeep ;-) and loan was through Chrysler Credit.

      Oh wait! They probably had the same breach but did not report it! Crap! Third thought, good thing my credit is already worthless and nobody would get very far stealing it!
      • Glad someone go to that distinction before I popped off. FMC lends to almost anybody.

        Even if they did make loans just for Ford cars and trucks, you wouldn't have to be a Ford customer, just a potential customer, for the inquiry to appear valid. Taking the subway doesn't shield you from this kind of fraud.

        --Jim
  • by z_gringo (452163) <z_gringo@hotmCUR ... minus physicist> on Friday May 17, 2002 @07:24AM (#3536238)
    The group that handles most of the credit processing for Ford Motor Company is The Associates [theassociates.com]. At least it was a few years ago. They were recently purchased by Citigroup. They also do home loans etc, and incidentally, are having some controversy regarding discrimination in loan practices (redlining). At any rate, security there was never what it should have been. There were quite a few systems around the various building where anyone could just walk up and access that kind of information. You could cross-reference by address also, or last name. What was worse, you didn't need a password, because it was embedded in the software. Some of my co-workers would occasionally run reports for their family and friends. All in all, I can't say I'm too surprised by this.

  • Come on, Where's my no-login link, Karma Whores?
  • by Seth Finkelstein (90154) on Friday May 17, 2002 @07:29AM (#3536264) Homepage Journal
    This isn't in the NYT or Boston Globe articles, but it's good info from another story on the theft [yahoo.com]:

    Experts urge consumers to check their credit file once a year. Call Experian at (888) 397-3742 for a credit report, and review it for an unauthorized inquiries.

    Also, contact the remaining two credit bureaus, Equifax at (800) 685-1111 and Trans Union at (800) 916-8800.

    Ford Credit said that it has reinforced the security of their credit inquiry access process to prevent future occurrences.

    To contact Ford Credit with questions, call (888) 838-8176 between the hours of 7 a.m. and 8 p.m. CDT, Monday through Saturday.

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

    • by w.p.richardson (218394) on Friday May 17, 2002 @07:39AM (#3536306) Homepage
      If you can't document that you have been a victim of identity theft (or a similar type of crime), then you have to shell out about $10 per report. Thats $30 per year, simply to make sure someone isn't screwing you over. This seems ridiculous to me.

      These credit bureaus have too much centralized data on citizens. They are a one stop shop for crooks, be they crackers or whatever.

      • by tweek (18111) on Friday May 17, 2002 @07:59AM (#3536403) Homepage Journal
        Actually some states have laws requiring the credit report companies to give out a certain number of free reports a year. In Georgia (where I live) I get up to two free reports a year. Also, if you've been denied credit or employment based on information from your credit report, you are entitled to a free copy of the report from the reporting company the card provider/employer used.

        As to your second point, I agree completely. At one point, Equifax was trying to gain control of medical records for people to link with the existing stuff. I'm not a fan of big government but Equifax,Transunion and Experian need to have STRICT government regulation because of the impact the information they carry can have on an individuals life. Forget that stupid cracker shit in "The Net". All it takes is a fucked up keystroke and you can't even rent an apartment.

        The biggest piece of legislation I would love to see is this: Private companies are forbidden to use SSN's as customer identifiers. How fucking hard is it for a company to generate a random account number?
        • The biggest piece of legislation I would love to see is this: Private companies are forbidden to use SSN's as customer identifiers. How fucking hard is it for a company to generate a random account number?

          You do have a choice: don't provide the SSN. Businesses are free to ask for you SSN. Unless there is a compelling reason (financial transaction with a bank, safety of the President is at stake, or access to government confidential information), you don't have to provide it.

          Granted, the business can say "sorry, we don't want to do business with you" but I've only had two places (an apartment complex, and Verizon, when I tried to cancel my service with them after they bought Powertel even though I had a document which said that would not be considered a valid form of identification. Bastards.) absolutely refuse to do business with me.

          If you have alternate forms of identification, they're almost always more than willing to do business with you.
          • Granted, the business can say "sorry, we don't want to do business with you"

            The legislation has to forbid asking you for it and forbid denying goods or services based on refusal to give it to them even if they ask.

            It should ONLY be required for tax or social security identification purposes, and only if required by law. Otherwise it should remain private to the SS# holder.

      • you can't document that you have been a victim of identity theft (or a similar type of crime), then you have to shell out about $10 per report.

        Just lie and say that your wallet was stolen. You are then entitled to a free credit report. This worked for me.

    • Experts urge consumers to check their credit file once a year. Call Experian at (888) 397-3742 for a credit report, and review it for an unauthorized inquiries.

      Of course they urge you to check your credit file once a year. These "experts" are - shock amazement - people who benefit from your credit report being up to date.

      When a consumer requests their credit report, they want your address so they can mail it to you. Of course, they could just provide it to you on the 'net once you verify your identity, and this would be no less secure, as the same information is used to verify either way. A web validation program would probably be MORE restrictive and picky about your credentials than a human who is subject to social engineering. But they want your contact information so that people can track you down to collect your debt.

      Credit reports list your addresses and the dates you've been living there, as you report them. Any time you apply for credit, your information gets attached to the record. Credit reports are easy to get given a SSN. Credit reports always list the SSN used on the report because it's the only meaningful identifier; Go take a look in the merlin databases (You can get access by giving money to flatrateinfo.com) and see how many times even unusual names come up. It's fairly astounding.

      So of COURSE they want you to check your credit report. Just make sure to get it mailed to a PO box.

      • So of COURSE they want you to check your credit report. Just make sure to get it mailed to a PO box.

        Oh geez....if you have any account that reports to a credit bureau, they have your current address.
        Let's see, do you rent an apartment or have a mortgage? Most apartment management companies report to credit bureaus, and of course mortgage co.s do.

        Credit card?

        Loan? Be it student, car, or whatever, the holder reports.

        Cell phone?

        Utilities?

        There are all kinds of companies you deal with every day, who already have your correct address and give it to the credit bureaus.
  • by kipple (244681) on Friday May 17, 2002 @07:30AM (#3536275) Journal
    I'm sure that if there was a national ID card system they would have been caught immediately.

    • I'm sure that if there was a national ID card system they would have been caught immediately.

      Dude, I know this was meant to be funny, but instead it's really sad - because few people ever look at ID, even in face to face transactions.

      My next-door-neighbor recently told me that someone had found a single check in her trash, and used it to buy stuff at the local Fred Meyer (grocery store that also sells home stuff and clothes). Nobody bothered to ask for ID... for over US$500 worth of stuff! She was able to convince her bank it wasn't her, but jeez. I went to Fry's the next day and finally got a paper shredder =) Suddenly tearing up my mail didn't seem good enough any more...
  • by mister sticky (301125) on Friday May 17, 2002 @07:36AM (#3536299)
    Van Leeuwen of Ford said he thought the company had done everything it could to help the individuals affected by the security breach, and didn't plan to offer them any financial assistance.

    Clearing up the mess created by identity theft can take significant time and money. Victims often lose access to credit. Some end up in jail. Several insurance companies now sell coverage offering financial and legal protection in such cases.

    It seems to make sense (well, to me at least) that the corporations charged with the information of your identity should be forced to have this identity insurance. Sure people could get it, so if they gave up their identities by accident (people going through their trash) they would be covered.
    However, corporations like Ford saying "oops, sorry! but i'm not paying for our mistake" is unacceptable. They should be required by law to have identity theft insurance, and reimburse those who's identity has been stolen through the identity insurance.
    • But was it Ford or this Experian place that was at fault? Where did the passwords leak? Or was some system cracked? If so, which?

      Ford sent out the warning of unauthorized access, but that's not really proof that they were the hole. Merely that they are taking a bit of responsible action.

      I will admit that it's likely that the leakage happened at Ford. But if it happened at the credit agency, this may only be the tip of the iceberg. The Ford account has now been patched, but if some other passwords were stolen at the same time ... I wonder how often Experian changes the passwords on their accounts?

  • Ford Really Sucks [fordreallysucks.com]

  • Blaming Ford is like being accused of murder when somebody steals your credit card, buys a gun with it and kills somebody else.

    • Bad association.

      If you want to use a gun analogy, it is more like storing your gun in a bank vault and the bank allowing somone posing as an employee to steal the gun, shooting someone and framing your for the crime.

      Ford had information that was their duty to protect. They failed to protect it. Not really that complicated of an issue.
    • Blaming Ford is like being accused of murder when somebody steals your credit card and your credit card is in this room that is locked with a combination lock and your mom posts the combo on the fridge, and the cable guy comes over and sees it , buys a gun with it and all the bullets from the gun have your name, address, phone number, social security number, date of birth, current pay rate, address of workplace, present and past debts, spouse's name, number of kids, and length of your johnson engraved on every single one. and kills somebody else. And even when the cable guy is caught, the gun is never recovered, since unlimited copies of this gun are floating around waiting to be used by any other cable guy.

      So I can see how you wouldn't want to blame Ford. It can't be their fault. This must have happened when they were making exploding cars, or covering up a tire saftey issue on the Ford Exploder. Sure.

    • The way I read it is this:

      Blaming Ford is like being accused of murder when you put your gun in a safe deposit box, J. Random Criminal says "I'm Amazing Quantum Man", and the bank gives them the gun, and J. Random Criminal kills someone.
  • no SSN (Score:2, Insightful)

    This is exactly why I hate the way so many companies require you give them so much personal info. I can understand why a car dealer would need it, but what about Blockbuster who wants you to give your SSN to some pimple faced teenager behind the counter. I don't think so.
    • This is waaay off topic, but just so you know. You do not have to give blockbuster your social security number. They ask for it but you don't have to give it to them and they will still give you a card. I know because I asked. A lot of places are like this, they may ask for ss# but your not required to give it to them
      • Unfortunatly that may be the company policy, but it seems like either many of the pimple faced video lackys don't know about this, or they are too lazy to do it another way. I have a friend who spent a consideralble amount of time in Blockbuster arguing about the SSN thing, and they refused to give him one with out it. The same thing happenes at the University that I went to. They used SSN numbers as student ID's and default passwords. You would always hear that you didn't have to, and that they would take another 9 digit number, but when I asked the minimum wage help desk lady, she was adament about how there isn't any other way. Does this happen to anyone else? Is this out of ignorance or lazyness?
      • You do not have to give blockbuster your social security number. They ask for it but you don't have to give it to them and they will still give you a card.

        The last time I put in for a card at Blockbuster, I left that part of the form empty. They didn't even ask me for it when they went to plug everything into their computer system.

        (I haven't rented from them in months...Netflix [netflix.com] has a much better selection and is cheaper and more convenient.)

  • Just goes to show (Score:1, Redundant)

    by gillbates (106458)
    That it is dangerous to give any personal information to a company, regardless of their privacy policy...

    The unfortunate reality of the information age is that information is power - though you may not realize it, giving out personal information, no matter how well-intentioned the recipient is, can have adverse side effects. Systems get hacked; judges can order spyware to track users; businesses can be bought and sold. Worse, we live in a society in which someone's creditworthiness, that is, their ability to get loans, and even find work, is very much dependent on the accuracy of a credit reporting company's data; a simple keystroke error or a bug in a computer program could literally put an otherwise good employee out on the street.

    Oh, and one last thing - never give anyone your social security number. Or your mother's maiden name.

    • "Oh, and one last thing - never give anyone your social security number. Or your mother's maiden name
      "


      Are they not necessary to open a bank account in america? or to get a credit card? or a hotel room or a train ticket? or to file a tax return on the internet?

      I can't wait to see the governments' look of surprise when people start using cash again for serious things. "Airline ticket by cash? Right, bodily-search for you, boy. We'll not have anyone who doesn't trust the Credit Corporation"

    • do you mean don't give your SSN to anybody/company/form/request, etc, or to people on the street? Mother's maiden name doesn't get asked as often, but as a college student, my Student ID (=SSN for most) is my only tie to the entire system (Registrar, Bursar, Financial Aid, every facility, etc.).


      Not giving out personal info is great, and should be done when possible (I should have asked for a unique Student ID, like i did for my driver's license), but very often it's highly, highly inconvenient, and a person would miss out on things by sticking to it. For the vast majority of people, the [fairly] small risk of identity theft is worth the convenience (which sounds like the way the gen public feel about most security issues).

    • by sphealey (2855) on Friday May 17, 2002 @08:08AM (#3536446)
      Oh, and one last thing - never give anyone your social security number. Or your mother's maiden name.
      Social Security Numbers are public records. They are not, and never were intended to be, secret. If any organization builds a system which depends on keeping the SSN "secret" for security, it is incompetent (and possibly criminally neglegant), but if you depend on your SSN being secret for anything you are being foolish.

      Mother's maiden names are similarly public records. In practice they have been harder to track down in the past, but wiht various records including those of the Mormon church coming on-line that information is not fully accessible as well. See first paragraph for implications.

      sPh

      • Social Security Numbers are public records. They are not, and never were intended to be, secret.

        What they may have been intended for, and what innumerable private companies use them for, may not be the same thing.

        SSNs seem to be the stock in trade as unique IDs. I know my old bank's automated phone service would ID you with a) your account number (found on any check you've every given out), your SSN, and a private pin which defaulted to the last four of your SSN. With that you could do just about anything, including transfer funds.

        Did I mention that is was my OLD bank. 8) It also took them about a year and a half to catch on that someone else was writing and signing my checks, but that's wandering off topic. (It was my wife, so I knew about it, otherwise I would of caught it.)

        Because it's a ready made unique identifier, that people will most likely remember, businesses love to use it. I think that you don't have to give it our if it doesn't involves taxes (like interest bearing accounts, jobs, etc), but that doesn't stop companies from asking you - you need to police it, they will try and get away with as much as they can.

        It seems pitifully simple to steal an identity today.

        =Blue (23)
        • The thing is, SSNs aren't unique IDs. Oh, they're supposed to be, but screw-ups by the SSA and by people innocently using numbers that weren't theirs means that there are plenty of duplicates around.

          And any database designer worth his paycheck should bloody well know that (there's a good summary of the problems here [cpsr.org]). And any software designer worthy of the name should include a "Generate Unique ID" button on any data entry screen that otherwise might want SSN just as a key.

          Heck, even if there's a requirement for SSN in the database (eg tax-related info), don't use that as the bloody key. Banks don't use your SSN as your account number, after all. (At least, not the ones I deal with.)
          • The thing is, SSNs aren't unique IDs.

            Which is, by all means, an issue. However, if you ask me, it's far more an issue that

            *SSN's are issued consecutively

            And why not? There only purpose was to maintain records for the Social Security administration, so what did it matter?

            Many of us who are /., and born before 1986, but not 18 in 1986, likely had their SSN issued in 1986, as a result of the Tax Reform Act of that year. As of 1987, a child needed to have an SSN in order to be claimed as a dependent on their tax form (still a source of deep anger for the anti-enumeration peeps out there.) So...if there were multiple children, all the children got their SSN at the same time--result-their SSN's are often sequential.

            Furthermore, and this gets more into the oddities of how the SSA issues SSN's at any particular time...but I'm sure there are some pretty good patterns based on region and time with regards to the first 3 digits of the SSN. So if you know location, you've got quite a lot of information (first 3 digits at least, if you have a good enough match on time and location very precisely.)

            Talk about a clusterfuck.

            Any SSN is good

            I suspect the mathematical ideas for check digits existed when SSN's were being created. However, since they were just account numbers, it hardly mattered. Add a digit to your SSN, you have another SSN, subtract a digit, you have another SSN. That's an invitation for fly-fishing through records. "Well if that one doesn't work...what about this one...?"

    • Oh, and one last thing - never give anyone your social security number.

      Guess it's too late for me, then. A number of emplyers have had possession of my social security number at one point or another, as have any number of lenders (student loans). It's a little difficult to keep your SSN from everyone. There's no reason to consider HR-types or loan processors beyond the likelihood of turning to the dark side and misusing the data to which they have access. Not as a rule, just possibly, mind you. So, what, I'm screwed for participating in payroll taxes and funding my education? :P

  • by newerbob (577746) on Friday May 17, 2002 @07:44AM (#3536326) Homepage
    Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders

    While the "crackers" (who did nothing more than use a leaked password), should be held accountable, so should FORD and its executives

    I hope each and every victim files a separate multi-million dollar lawsuit. I'd bet that juries would be very sympathetic to these cases.

  • Ford credit report (Score:1, Interesting)

    by Anonymous Coward
    FYI,
    Ford uses employees social security number as employee numbers. This means every time I go visit any type of doctor. get prescription drugs, register for classes, etc. I have to give out my social security number.

    With that said, I do not believe Ford is very concern about giving out peoples
    social security number.
  • by dscottj (115643) on Friday May 17, 2002 @07:53AM (#3536376) Homepage
    It used to be:

    Found On Roadside, Dead

    Now I guess it has to be:

    Fumble Our Records, Daily
    Freak Out, Records Damaged!
    Find Our Reports, Dammit!
    Faked Our Reliability Data

    Ah well. Never reply when hungover.
  • by erpbridge (64037) <steve@ e r p b r i d g e . com> on Friday May 17, 2002 @07:59AM (#3536399) Journal
    Text of Article below, for those without accounts:

    Hackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports -- a virtual one-stop shop for fraud and identity theft -- with data on consumers in affluent neighborhoods across the country.

    The company said in a letter to the victims that computer intruders used an authorization code from Ford Credit to get the credit reports from Experian, one of three major reporting agencies.

    Advertisement

    "I've never seen anything of this size," a spokesman for Experian, Donald Girard, said. "Privacy is the hallmark of our business. We're extraordinarily concerned about the privacy issue here, and the trust factor."

    The inquiries gave the intruders access to each victim's personal and financial information, including address, Social Security number, bank and credit card accounts and ratings of creditworthiness, which can be used to identify the best targets.

    "This is not just a credit card number; this is the whole kazoo," said Richard Power, the editorial director for the Computer Security Institute, an industry trade group. A criminal could use the data to make credit card charges or even open bank and credit card accounts in the victim's name.

    Thefts of credit records, Mr. Power said, are far more common than is reported. "The unique thing about this one," he said, "is that it has surfaced." The theft was first reported yesterday by The Boston Globe and The Detroit News.

    Statistics on identity theft are hard to come by, with estimates ranging as high as 700,000 cases a year. Betsy Broder, the assistant director for planning and information of the Federal Trade Commission, said the commission received 86,000 complaints of identity theft last year.

    Representatives of Ford Credit said they did not know how the hackers acquired the code, which was used by the company's office in Grand Rapids, Mich. The intruders focused on addresses in affluent neighborhoods, often in numeric sequence, said Rich Van Leeuwen, executive vice president at Ford Credit.

    The company said it had sent letters via certified mail to all 13,000 people, urging them to contact Experian and the two other credit reporting giants, Equifax and TransUnion, and to report any evidence of abuse to the F.B.I.

    The company has also worked with Experian to set up a phone line to let victims get their credit reports and help them resolve discrepancies.

    Neither Ford Credit nor Experian has determined how many people have reported fraudulent charges or other problems. Mr. Girard said that Experian had received 2,700 calls since the letters started going out this month. Although the unauthorized inquiries began in April 2001, Ford first heard about the problem in February, Mr. Van Leeuwen said. Only 400 of the 13,000 victims were customers of Ford Credit, he said.

    Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said that she could not comment, except to say, "We're on the case."

    Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."
  • Trash Talk (Score:2, Redundant)

    by CaptainZapp (182233)
    Gawd, how I really hat those smooth corporate jaspers, talking in press releases. Now this one is really a gem:

    Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."

    Look mate, if anybody is victimized here it's those 13000 er! customers while you guys obviously didn't protect their data adequately.

    No need to thank me

  • by darkonc (47285) <stephen_samuel.bcgreen@com> on Friday May 17, 2002 @08:17AM (#3536493) Homepage Journal
    When these people got Ford's 'access codes' they essentially got their ID within the credit bureau. The credit bureaus trusted that Ford was 'honest' with their credit requests -- not asking for any sort of proof that the people for whom the credit reports were being requested had given their assent to have that data released.

    As a result. these script kiddies^w^w^w Ford was able to get identity theft kits on a truckload of (mostly) rich people just based on their home addresses.

    If anything is going to put a big "oomph" behind online privacy initiatives in the states, I think that this may be it.

  • by Quixote (154172) on Friday May 17, 2002 @08:39AM (#3536584) Homepage Journal
    is reporting that hackers posing as Ford employees

    Repeat after me: this is not hacking.
    Repeat after me: this is not hacking.
    Repeat after me: this is not hacking.

    This kind of activity is cracking, theft, robbery, a crime; but it is most definitely not hacking.

    • If everyone calls it hacking, it's hacking by definition. Just like the vast majority of commonly used words, this word has multiple definitions. Deal with it.
      • If everyone calls it hacking, it's hacking by definition

        Boy, this takes the cake for lameness. "If everyone calls it..". Who is everyone? If everyone around you calls you a fool, would that make you one?
        What are these "multiple definitions" you speak of? Is stealing anything "hacking"? Should we let the ignorant in the media label anything as they see fit, and just follow them like sheep? Use your brains, for cryin' out loud.

        • If everyone around you calls you a fool, would that make you one?

          If that happened, I'd have to consider that there was a distinct possiblity that I was in fact a fool.

          What are these "multiple definitions" you speak of?

          I should have said multiple meanings. IIRC, the most overloaded word in English is "set", which has 1 or 2 dozen meanings. I have no problem distinguishing the difference between "setting an option", a "TV set", a "union of sets", "game set and match", "setting a glass on the table", etc. using the context around the word.

          "Hack" has at least the meanings:

          Striking with a sharp implement like an ax
          An incompetent practitioner of a skill
          Programming computers in a "cool" fashion
          Attacking the security of computer systems

          It's just not that big of a deal. If English language scholars can't hold back the masses from changing the usage of "shall" and "will" over the last century, a few computer geeks won't convince the general population to drop the word "hack" in favor of a term easily confused with a crispy biscuit.

    • Repeat after me: this is not hacking.

      This kind of activity is cracking


      Repeat after me: The purpose and culture of hacking are about thinking for yourself, and not following authority blindly, so put down the jargon file and think.

      Creating dichotomy helps no one. "Cracking" is a useless and harmfull term. This situation involved no hacking (or cracking, by definition), but in general we should not create the image that the use of computers is bad. If someone figures out some amazing new concept to break down TCP/IP trust and codes an example, and uses that exploit to get into a bank and move funds around, is he a hacker? Yes. Absolutely. He's also a thief, but that doesn't take away from his insightful and impressive computer skills. It just means he's also an asshole. By applying terms like "cracker", it makes people think the actual use of a computer is somehow wrong or bad, which is very dangerous, considering how few people understand computers or hacking.
      • This situation involved no hacking (or cracking, by definition),

        Okay, so I'm waaaaay too bored (hey, it's 4:30 on Friday), but if you wanted to give it a 1337 term other than the boring "fraud" I think it would fall under phreaking [tuxedo.org] (emphasis mine):

        "1. The art and science of cracking the phone network (so as, for example, to make free long-distance calls). 2. By extension, security-cracking in any other context (especially, but not exclusively, on communications networks)"

        Shayne

  • Quality (Score:2, Funny)

    by auroran (10711)
    Looks like although quality is job 1, Security is job 3.74rc3 :)

    Seriously though a big company has more to worry about from people you thought were employees than from any computer system breach.
  • 13,000 Credit Reports Stolen by Hackers By JOHN SCHWARTZ ackers posing as employees of the Ford Motor Credit Company have in recent months harvested a trove of 13,000 credit reports -- a virtual one-stop shop for fraud and identity theft -- with data on consumers in affluent neighborhoods across the country. The company said in a letter to the victims that computer intruders used an authorization code from Ford Credit to get the credit reports from Experian, one of three major reporting agencies. "I've never seen anything of this size," a spokesman for Experian, Donald Girard, said. "Privacy is the hallmark of our business. We're extraordinarily concerned about the privacy issue here, and the trust factor." The inquiries gave the intruders access to each victim's personal and financial information, including address, Social Security number, bank and credit card accounts and ratings of creditworthiness, which can be used to identify the best targets. "This is not just a credit card number; this is the whole kazoo," said Richard Power, the editorial director for the Computer Security Institute, an industry trade group. A criminal could use the data to make credit card charges or even open bank and credit card accounts in the victim's name. Thefts of credit records, Mr. Power said, are far more common than is reported. "The unique thing about this one," he said, "is that it has surfaced." The theft was first reported yesterday by The Boston Globe and The Detroit News. Statistics on identity theft are hard to come by, with estimates ranging as high as 700,000 cases a year. Betsy Broder, the assistant director for planning and information of the Federal Trade Commission, said the commission received 86,000 complaints of identity theft last year. Representatives of Ford Credit said they did not know how the hackers acquired the code, which was used by the company's office in Grand Rapids, Mich. The intruders focused on addresses in affluent neighborhoods, often in numeric sequence, said Rich Van Leeuwen, executive vice president at Ford Credit. The company said it had sent letters via certified mail to all 13,000 people, urging them to contact Experian and the two other credit reporting giants, Equifax and TransUnion, and to report any evidence of abuse to the F.B.I. The company has also worked with Experian to set up a phone line to let victims get their credit reports and help them resolve discrepancies. Neither Ford Credit nor Experian has determined how many people have reported fraudulent charges or other problems. Mr. Girard said that Experian had received 2,700 calls since the letters started going out this month. Although the unauthorized inquiries began in April 2001, Ford first heard about the problem in February, Mr. Van Leeuwen said. Only 400 of the 13,000 victims were customers of Ford Credit, he said. Dawn M. Clenney, a special agent at the F.B.I. office in Detroit, said that she could not comment, except to say, "We're on the case." Mr. Girard, the Experian spokesman, said the company would work with the F.B.I. to catch and prosecute the intruders. "It just shows that today, even big companies can be victimized," he said. "it's a never-ending struggle against the bad guys."
  • by 3ryon (415000)
    The mighty New York Times (I think they might want you to register) is reporting that hackers posing as Ford employees...

    Some people will argue loudly that the press should understand the difference between Hackers and Crackers. Be careful of these people, as they are the worst Crackers of them all. :>

  • by Lumpy (12016)
    ANYONE can get a credit report on anyone else. you just have to pay for it... Credit reporting companies are not secure by any means and their database is regulary full of gross inaccuracies. On average your credit report is only 50% accurate.. this is figured from across the board and figured by the number of errors on people's credit reports.

    It blows my mind that any company would take a credit report as anything but mild information that is suspect. It is really easy to wipe your credit report clean, and to seed it with "good credit reporting"... hell there are companies that will for $9.95 a month post a good payment history every month to your credit report (They report that they lent you $1000.00 and you are paying it on time and are a perfect client.... after 6 months pay them $19.95 to close the account and they report you paid it off and you are A+)

    Credit reports are wildly inaccurate.. other than the SSN (of which I have 2 credit reports I found out.. they mis-typed my SSN once and attached it to my Drivers License number.. Again that entire credit history was deleted because the SSN was not mine.)

    • It blows my mind that any company would take a credit report as anything but mild information that is suspect.

      My understanding is that scoring algorithims taken that into consideration. Take person x, who has a great payment history on her car, mortgage, credit cards, gas bill, et cetera, but for some reason has a $500 credit card in default on her account. The computer will just throw that out as an anomaly and score normally. If it were a $10,000 card, the computers should think that something is clearly wrong, and flag the history for deeper research.

      I say this because I believe that the good identity theft artists are not getting caught (though, few are getting caught anyway.) The way someone gets caught for identity theft is by destroying an entire credit record, then law enforcement gets on the paper trail. However, I believe the future is in "copying and pasting" credit report data...identity theft person gets out a credit card, defaults on it, makes sure it's associated with only one credit report, then does the same to another credit report. Or is copying and pasting good data into another credit history file "for some reason this credit card is showing up under SSN xyz, but my SSN is really xyz, can you make the change for me?"

      On a side note, i used to live at a dormitory that also held about 14 floors of university offices. for some reason, my credit report said I worked for the university travel agency located in that building. amusingly, i never got my credit reports to say where i actually worked.

      anyway, the worst part of the credit report system is this: the bear of it is the data, data coming in, data going out, processing hundreds of millions of records, giving data to hundreds of thousdands of different companies, and receiving the same data from the same companies. with all that in mind, it simply is impossible to be in control of the data...i don't think that anybody here would disagree with the concept that you could, with the proper information, do anything you want with someone else's credit history--make it better, ruin in, copy and paste from it, et cetera.

      Experian is not in control of the data...they simply keep the computer powered up. the problem is, they *think* they are in control of the data, and the way they treat you whe you have a claim indicates this. nothin causes identity theft more than the fact that these bozos have legitimacy. (their downfall is more arrogance than anything if you ask me.)

  • It happened to me (Score:4, Informative)

    by angryrobot (223166) on Friday May 17, 2002 @09:00AM (#3536700)

    I was the victim of ID theft. You do not want this to happen to you. Ever. It involves filing police reports, calling every company that showed up on your credit reports and providing all kinds of info to their fraud departments. It took me over a year and a half of phone calls, faxes and emails to straighten everything out. I'm still getting calls from creditors about unpaid credit cards and such that clearly aren't mine.

    I think it's obvious that if the only thing between theives and your identity is your mom's maiden name, your address, and your SS number, that it's been made pretty freakin' easy for them.(Granted it's not quite that simple, but it's damn close)

    One thing that struck me throughout the entire process of cleaning up my credit reports was that I was doing the cleaning up. Here are 3 companies that basically control whether you can ever buy a house, and when they screw up and allow someone to assume your identity using their services, it's the victim that's left picking up the pieces.


    • I was also a victim of identity theft. Someone with the same first and last names as me, living in another state, began forwarding my home mail to his address. Then he began contacting my online brokerage directly and changing my account address to HIS address! I immediately changed my address information back, but he changed it again.. EIGHT TIMES! My online brokerage did not care. The postal inspector in my state did not care. The postal inspector in his state did not care. The local police in my state did not care. The local police in his state did not care. The FBI did not care. He was committing inter-state mail fraud, threatening my brokerage accounts, and repeatedly giving us his REAL HOME ADDRESS but still no law enforcement agency cared. The postal inspector in my state even had his handwriting and fingerprints on the change-of-address postcard he mailed, but the postal inspector did not care.

      One year later, he tried to apply for credit card using my SSN. Because I had put a warning on my credit report accounts (at my hassle and cost), the credit card company called to warn me. Finally, the police were interested. They nabbed him the next day. After not showing up in court once, he eventually was sentenced to three months in jail. I later found hundreds of dollars of HIS debts on my credit report. I called the police again, but they did not care. They said that since he already spent three months in jail, he has done his time. Nevermind that he went to jail for the credit card fraud, a separate instance of a different crime!

      After these two stressful years, this "gub'mint-fearing liberal hippy" has lost any shadow of confidence that our impotent law enforcement can protect the innocent from the criminal. Or that they even care to try.

  • IMPORTANT - Opt out (Score:5, Informative)

    by Permission Denied (551645) on Friday May 17, 2002 @09:01AM (#3536706) Journal
    (888) 567-8688

    Call this telephone number. This number is maintained by the three credit reporting agencies and it allows you to "opt-out" of certain marketing games; basically, this means the three credit reporting agencies will no longer be allowed to give your credit report to marketers, but only to people with whom you actually have business.

    Ford is a legitimate business; if you don't "opt-out," they can get a credit report on you. I opted out and I've never done business with Ford, so this story doesn't affect me.

    Another nice thing about using this number to "opt-out": I no longer receive any junk mail. No more pre-approved credit cards, no more free offers, no more anything. I now look forward to checking my mail every day, as it only contains only bills and personal correspondence. I also say "put me on your do-not-call list" to telemarketers and I don't watch TV, so live in an almost completely ad-free world. It's a very nice world and I invite you in.

    • ...an almost completely ad-free world. It's a very nice world and I invite you in.

      I think I'm going to have to Opt-out. Thanks though.

    • by Anonymous Coward
      How do I know this is not a social engeneering trick ?

      :)
    • I filled this [junkbusters.com] out last summer. Not only does it cut down the junk mail and telemarketing calls (I've had three calls since August, and can check my mailbox for bills once a week), but the reporting agency letters request that many casual inquiry requests not be honored.

      If you request your credit report, you can deny access to specific companies (I banned Providian [state.ca.us] many years ago).

  • "A criminal could use the data to ... open bank ... accounts in the victim's name."

    Really? So, if I could find the account with my name on it, I could close it out and take the cash? Sounds like an item for News of the Weird's Least Competent Criminals category. :-)
  • "Hackers stealing personal information from the databases of large companies! Read all about it at the web site of a large company (which first requires your personal information.)"

    Anyone else think this is dumb? Please stop linking to NYTimes already! There's plenty of other places out there also carrying these stories.
    • Is it me, or are people too lazy to put in a bunch of fake info to register? I mean, coming up with a fake name & a fake address is not *that* hard. Plus, it helps point out the folly of asking for so much personal info anyway.
  • is why does Ford and its employees have access to SSN? Why would a credit bureau need such info? Are they paying you a salary? What stops an employee of Ford or any other company from selling this information?


    This is negligence in Fords part and they should be held accounatble. They should pay ALL legal fees to clear up this mess. What has ever happened to resposibility?


    But then again I hate Ford due to past experiance with a LEMON...the AREOSTAR. What a peice of sh1t. The first year the van spent 6 months at the dealership due to transmission and engine problems. Did they take responsibility? No!


    Yes the second part is a little offtopic but the attitude of the company is on topic. They refuse to take responsibility. Why do we accept this? Because legally it would cost too much to fight back and I think that is what is wrong with our society today.


    /END OF RANT

  • Wow. So some crackers got information that any normal business/corporation can already get about consumers. Credit reports.

    Why does the editor lump credit reports with credit card numbers? Not the same thing.

    This is not some crackers who broke into ford and stole customer data!
    It is some guys who posed as ford employees in order to get credit reports from the nation's largest credit bureau. (Hint: Many, many businesses can get this information).

    OH NO! Some kids got the same info your bank, car company, and just about any other place can get about you! Heaven forbid!

    Hello! That's the kind of info credit bureaus keep and hand out to the highest bidder. It's not like these kids ripped you off.

    It's also not like your SSN is a private, secret number. Anyone who treats it as such is being dumb.

  • Experian has an entire division [experian.com] that deals with the automotive industry. Of late, they've been pushing hard their ASP model of Dealer Management Systems (DMS).

    Back Story: I am the IT administrator for a midwestern dealership that sells German luxury cars. I am the first person at this dealership to be a dedicated IT person, and I've only been here for a few months. Approximately 20% of dealers nationwide have dedicated IT staff, and even then, it's usually the multi-location/multi-franchise operations, with one IT admin spread across an entire metro area. This isn't overly significant, until you realize that the average level of technological competence at the dealer level is just barely above room temperature. A handful of companies, such as ADP, EDS, Reynolds & Reynolds, and UCS, have figured out how to exploit this particular niche market.

    Dealer Management Systems are BIG bucks. What you do is you put together a package of desktop systems (originally, green-screen dumb terminals, but more recently, PCs), a server (Usually Unix-based - Reynolds & Reynolds uses Irix on their older systems and Linux on their newer ones), software that does soup to nuts, and a network to tie the whole thing together. They sell this to a dealership, and then lock them into a support and maintenance contract. Changes, updates, etcetera all cost large sums of money (we spent 6 figures with our vendor last year). They'll also sell you preprinted forms and everything that work with their software - checks, service orders, coupons, you name it.

    Experian is pushing the ASP model, because it means that a dealer doesn't have to worry about a server in a closet, swapping backup tapes, and so forth. As part of the hook, Experian is promoting its vast mine of data as a major benefit. As one of the Big Three credit bureaus, they have detailed financial, credit, and personal data on jsut about everyone in the country. They also have a database of (according to them) 335 million vehicles. This is great for doing history checks and such, but it can get very scary very quickly.

    Picture this. You want to find out who lives within 15 miles of your dealership and makes enough money to afford your luxury automobiles (when it's luxury, it's more than just a car, it's an automobile). "No problem", says Experian, "we've got all that right here!". They can also tell you if they're credit-worthy, what they drive, and which of your competitors they bought their current vehicle from, and what it's worth as a trade-in. It goes downhill from there. None of the other companies operating credit bureaus have a division catering directly to the automotive business like this.

    Let's face it, your personal data isn't personal anymore, it's an asset, and it belongs to companies like Experian.

  • protect yourself.. (Score:2, Insightful)

    by phaserx (574470)
    I had my wallet with my life in it stolen about 7 months ago.. my health insurance company is brilliant enough to assign us ID's that are our social security numbers.. I was so paranoid about identity theft, but after talking to a lot of people, I found it's very easy to make it much more difficult for someone to steal your identity. The best thing to do is call all the major credit beareaus, such as Experian, Equifax and there are a few others, and tell them to "red flag" your account. When you "red flag" your account, then any place opening a new account that effects your credit will have to speak personally with you and verify that your account is flagged for whatever reason you specified when you flagged the account. Since I did this, I have received 3 phone calls from major credit card companies asking me to verify my recent credit card application. I don't think this will totally protect you, but it will definatley make it much harder for someone to steal your life.
  • % ftp reports.experian.com
    Connected to ilovedancing.org.
    220 ProFTPD 1.2.0rc3 Server (ProFTPD Default Installation) [reports.experian.com]
    User (reports.experian.com:(none)): ford
    331 Password required for ford.
    Password: 12345
    230 User ford logged in.
    ftp> prompt
    Interactive mode Off.
    ftp> mget *

    Don't pass that around!

Maternity pay? Now every Tom, Dick and Harry will get pregnant. -- Malcolm Smith

Working...