Government-Aided Phishing

Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."

let's open some bank accounts

i think it's time for me to head to the local bank.

what's going to convince them that this is a bad idea?

Re:let's open some bank accounts

what's going to convince them that this is a bad idea?

maybe someone posting a link [205.166.161.12] to the broward county public records site...

Re:let's open some bank accounts

Well... It WAS working. Then i did a search for 'Johnson' and now the webserver seems to be stuck in never-never land.

*sigh*

Re:let's open some bank accounts

It's still working fine. What's worse, if you don't give a first name, it gives you by last name only, so you can just do a dictionary attack on last names,

I just randomly picked a last name, and a couple of clicks later I know that (I've removed the names) L.A.P and A.J.P got a mortgage for 141,999.00 on 5/14/2004 from the CITY FEDERAL SAVINGS BANK.

So, if I were a phisher, I now have two names, and a dollar amount. I already know approximately where, and by clicking on the other records I know that they've been there for about 20 years, and that they also had some legal problems back in 1991, again, I'm leaving out the details.

W.T.F ?!?!?!?!

I would be humongously upset that this sort of stuff is available just by clicking.

Worse, by searching on the same two names + broward county plus a good guess as to another term, I found a link to a dump of 756k from google's cache. http://www.google.com/search?num=20&hl=en&lr=&safe =off&q=www.co.broward.fl.us%2Fdatabase%2Frecords%2 F03-24nme.txt&btnG=Search [google.com]

If I were a phisher, a few minutes with perl would give me a decent dictionary with which to start ...

Re:let's open some bank accounts

I'm doing a search now to test a theory:
The site is an .aspx page, which means that it's probably an IIS server back-ended by a MSSQL database. Given that they would want the text search to be case insensitive, it is quite possible that they were sloppy and used a SELECT * WHERE [last_name] LIKE @search_string (ok, they probably listed only the columns they wanted, you get the idea though). It is also possible that there is no limit defined for the number of records to return.
If all of the above is true, then the search I started should return everything between 1/1/1978 and 4/10/2006 in the database, assuming that their server survives the request. If this is true, this means that getting everything in their database is a trivial task, and that they are exposing a lot of people to identity theft, very easily. Further, even if they go through and redact the data later, it is probably too late, as the data would have been long since scraped. This is one time that I hope a slashdotting kills a server.

Local Politicians

Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?

Re:Local Politicians

I'd love to bet, but that's only because I enjoy losing.

Re:Local Politicians

They are not. Was able to look up records of at least one elected official.

Make checks payable to... well you can look up that info yourself!

Re:Local Politicians

No, they're definately in there. Some quick Googling (heck, one name is in TFA) finds them pretty quick. I was kind of suprised that I could access the site from a foreign IP, as its pretty routine nowadays to limit that (I can't get my own credit report

Re:Nope

Funny thing, they are public docments. Altering then to hide the information is illegal.

Funny thing is, you are wrong. The Privacy Act of 1974 covers what to do with private data in government records at the federal level, and many states have similar provisions. Essentially the documents are public property, but specific personal details are not. For example, citing a court case, evidence, its outcome, etc. is public record. Giving the SSN of the person found guilty and the bank account number used to pay the fine is NOT public record.

Another example is declassified documents. Yes, they are public, but usually redacted. For example, giving information on an old military operation while redacting information that identifies the specific people involved. People that may very well still be in the military performing similar operations.

Altering public documents to the extent of redacting personal information, which is what this article is about, most certainly is legal and often required. However, you are an anonymous coward -- obviously someone redacted your user account so I don't know who you are.

Florida: comic relief for a stressed-out nation!

Really, does it surprise anyone that it's Florida doing this?

Re:Florida: comic relief for a stressed-out nation

Obligatory:

<Homer>Florida? But that's America's wang!</Homer>

FLORIDA

From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."

Re:FLORIDA

Nah, that's just grannies spending spring break with their relatives to get away from those crazy teens partying.

Re:It's sorta obvious if you think about it..

That's right Broward County, home of all those Republican officials... oh wait, what's that, the county is heavily Democrat without any elected Republican officials, as in all nine of the County Commissioners are Democrats? [bcdec.org] Well... must be Bush's fault som

Re:It's sorta obvious if you think about it..

Stupidity and corruption transcend petty human notions of party lines.

old news

Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.

Re:Like that's a problem

Given the huge amount of poor people with massive debt, sure.

The problem with having bad credit isn't not being able to get credit, it's not being able to get credit at a reasonable interest rate. Identity theives, not planning on paying the bills, don't

Identity theft

    When you are the victim of identity theft you know who to sue: Sue Baldwin,
  Broward County, and the State of Florida. Two out of three deep-pockets isn't bad.

bad year for boward

this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":
http://cbs4.com/topstories/local_story_033170755.h tml [cbs4.com] (watch part 1 and 2, videos on the right)

and then retaliated against the journalist after the piece aired:
http://cbs4.com/local/local_story_086232143.html [cbs4.com]

Re:bad year for boward

Just because they put a disclaimer on it doesn't mean they're not responsible. Back in the '50s, you started to see those "not responsible" signs in parking lots because the owners were tired of paying damages when people's cars were hit. The law hadn't changed, they were (I don't know if they still are) legally liable, but people believd the signs and stopped making claims. Same thing here. If they say they won't accept liability, most people won't try for compensation, even if they're eligable.

C'mon, the least Slashdot could do...

...is post a link to the information! How else are we to know if the data is genuine?

Re:C'mon, the least Slashdot could do...

http://www.broward.org/records/ [broward.org] great starting point

Why am I not surprised.

Yeah, hello, Spain? You can have it back now.

No way

You break it you buy it!

Re:Why am I not surprised.

I need to get out more, that was the funniest thing I've read in a week.

-:sigma.SB

They must do it!

Editing out the SSNs and DOBs is not only not required by law, it, likely, is against the law.

This info was Public Records since, well, always :-)

Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.

In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.

Re:They must do it!

Yup, its only 'cause someone out there decided that they'd let the govenment generate unique id numbers for their customer/patient/client/whatever database. From then on, it was all down hill...

Re:They must do it!

Its not that it was ever private.
Its that the criminals have found a use for the information.

Re:They must do it!

It violates federal law, which trumps state law. Specifically, the privacy act of 1974

Wrong. The Privacy Act of 1974 only applies to the executive branch of the federal government.

Maybe not Phishing but...

I don't know if this could be considered "phishing" in the sense that I'm trying to lure people into giving me their information. It's right out there for all to see without going through all the bothersome effort of setting up a fake website and sending o

Bill Gates SSN

I remember that this became an issue when someone got credit cards issued in Bill Gates's name. His SSN was listed on SEC filings because he was a majority holder of Microsoft stock. They have since changed the listing requirement with the SEC.

From the website itself....

Defending Yourself Against Identity Theft

According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest

Back to top

Tips to Avoid Identity Theft
-Do not respond to phone calls or emails from unknown solicitors seeking personal information.
-Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
-When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
...
-Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.

Maybe someone could point them to their own site? And why make copies if you can download for free???

Attacking the wrong people

Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.

Most states have this.

Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.

These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.

Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.

The more SSN's out there the better?

Look at it this way. SSN's aren't what they were meant to be. They are your "everything" number now. In some respects, is the value of the SSN being diminished because they are so easy to use and get a hold of now? It could possibly be a big plus because now we get into a situation where they just aren't worth using so everyone stops using them for important transactions. Lets hope...

OK it had to be said

Something phishy's going on here.
*ducks*

This is good!

The federal government needs to do this on a nationwide scale. The SSA should give a deadline, say one year, then publish all SSN data. SSN is not supposed to be used as an identifier, nor as a secret. Doing this will force organizations to change their procedures, thus hampering identity thefts and other security issues that result from treating a public, non-unique identifier as a secret.

Re:This is good!

No it won't. Congress will have to do it by making use of the Social Security number for anything but governmental purposes illegal. If a corporation wants to assign me a unique I.D. number ... that's fine so long as that number exists only within that organization's database. The credit bureaus like the SSN as a sort of personal GUID that allows them to track us more easily. Tough, I say: they feel entitled to our personal financial data but they're not, and given how badly they're mismanaging it maybe it's time for some changes. The system as it stands is becoming more and more dangerous to individuals every day, and unfortunately we don't really have the option to opt out of it. If you have a bank account you're part of the system, like it or not.

This is not Phishing

This is not Phishing.

Phishing is the attempt to get someone to submit information to you by pretending to be someone else.

What the government is doing is publicizing information.

These two activities have almost nothing in common.

Florida.Query("Verna Sue Baldwin")

Links to Broward County's database lead directly to tiff images. To get the full records, copy the bracketed instrument number and search by instrument [205.166.161.12].

Broward County Bar Association [browardbar.org]:
Verna Sue Baldwin
Broward County Records Division
115 South Andrews Avenue
Suite 120
Fort Lauderdale, Fl 33301
954-357-7271 Voice
954-357-5573 Fax
sbaldwin@broward.org
www.broward.org/records

According to the Broward County Phone Directory [broward.org], the above phone number is the director's number, not the general dept. number. This is further evidence that Verna is Sue.

Here is Verna Sue Baldwin's Notary Certificate, notary ID 620591 [92386313] [205.166.161.12].

In November 1994, Verna Sue Baldwin and David D. McLauchlin (her husband) sold their condo to [name withheld]. Warranty deed [94569014] [205.166.161.12].

Verna Sue Baldwin then purchased a home:
4011 Thomas Street
Hollywood, FL 33021-3540
Parcel number 11208-11-03500
Folio number 514208110350
Warranty Deed for 4011 Thomas Street [94565427] [205.166.161.12].

According to that warranty deed, Verna Sue Baldwin's Social Security Number is 234-74-8234 [94565427] [205.166.161.12].

In May 2000, she added a 14x28 swimming pool [100293267] [205.166.161.12].

In July 2004, Verna Sue Baldwin and David D. McLauchlin paid off their mortgage [104151876] [205.166.161.12].

Note: I didn't list all of Sue Baldwin's loans. Be sure to do that before ordering her credit report. Equifax uses that information for "security".

It looks like Verna Sue Baldwin still lives at 4011 Thomas Street. Parcel sales history [bcpa.net]. 2005 property taxes [broward.fl.us]. Map [66.55.51.198].

Verna Sue Baldwin's mother is Dora B. Baldwin, as stated in her Durable Family Power of Attorney document [101676908] [205.166.161.12]. Dora isn't currently married, so Baldwin might be her maiden name. Perhaps try searching West Virginia's public records.

Re:next news story

Hmm... posting it on slashdot DEFINATELY won't draw phisher's attention to it...

What the hell made Florida ever think that this was a good idea?

Re:next news story

What the hell made Florida ever think that this was a good idea?

I think you answered your own question.

Re:next news story

What the hell made Florida ever think that this was a good idea?

The fact that it's FLORIDA. Florida would be a lovely place, if not for the people who live there - especially the politicians!

This data breach is, without question, criminally irresponsibl

Re:next news story

I'm a Canadian computer geek who wants American citizenship

You must have a fever or something... Wanting to move to a country like that.

Certainly devs earn more money in places like NYC, but they also pay obscene amounts of rent too. And due, the Vancouv

Re:next news story

"I'm not a complete asshole."

But I am :-)
-nB

Re:next news story

Speaking of attracting undesireables, I appear to have picked up a stalker, nyahahah! Eh any ACs or GuloGulo (959533) that respond to this message, everyone remember the name, this one is truly half baked.

Hah! Stalkers? Gimme a break. Try carrying around

Re:Devaluing SSN & account numbers

You mean, like a driving license as a proof of ID or a proof of a stay permit?

Re:Wanted Posters

I was looking at wanted posters, and each one had an SS number on it.

Yeah, but were you really tempted to steal the identity of someone the police were looking for?

Re:Wanted Posters

were you really tempted to steal the identity of someone the police were looking for?

What better identity to commit a crime under could there possibly be?

Re:Privacy Act

Try reading it again. It doesn't apply to the states.