Identity Theft from University Computers 259
Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."
To be honest.. (Score:3, Interesting)
Re:To be honest.. (Score:2)
Is this a store, or some other company you deal with voluntarily? Drop them if they won't drop the SSN issue - find someone else to deal with. Let them know why, and give them a chance to change the policy, but dump them and stick to it...
Re:To be honest.. (Score:3, Informative)
Re:To be honest.. (Score:2)
Now I understand. There was a store in the area a few years ago that was demanding my ssn be written on any checks they took. I've no idea if they still do, I left my things on the counter and walked...
You're right, it's crazy to print that. Unfortunately it may take a case of ID theft to get him to stop.
Congrats on dodging the credit system, I'm working my way in that direction (a whole lot harder when you
Re:To be honest.. (Score:2)
That's nuts. I can see them trying to require your driver's license, as that's the form of picture ID they'd use to identify you (if they bother, and most don't), but not SSN.
Re:To be honest.. (Score:2)
IANAL, but as I recall it's against the law to require a SSN as identification for things like checks. I'd check into it and report them, not that anything's likely to happen, but maybe it will. Identity theft is becoming a massive problem.
My bank tries this on me whenever I call to talk to someone they want my account number
Re:To be honest.. (Score:5, Informative)
I'm curious why you have a problem with this? The bank already has your SSN on file (IIRC it's a tax requirement), so it's not like you are giving them any new information, merely confirming something that they can see on the screen in front of them.
Re:To be honest.. (Score:2)
Re:To be honest.. (Score:2)
Clue: if your *department* does not report taxes to the government, it has no use for SSNs. They confer no significant benefit and are a heapin' helpin' of bad press waiting for just the wrong moment.
Re:To be honest.. (Score:2)
This just goes to show.... (Score:5, Insightful)
Re:This just goes to show.... (Score:3, Interesting)
Re:This just goes to show.... (Score:2)
Fingerprint reader, any comments? (Score:2)
Re:Fingerprint reader, any comments? (Score:3)
-Jesse
Re:This just goes to show.... (Score:2)
Re:This just goes to show.... (Score:2, Insightful)
Re:This just goes to show.... (Score:2, Insightful)
Privacy Act of 1974 (Score:2, Informative)
I always hated giving the SSN (Score:5, Interesting)
Re:I always hated giving the SSN (Score:5, Informative)
As for that incident, I ended up having two university accounts, they signed me up for health insurance despite my declining it, etc etc. Basically, they manually merged the two accounts using default options for everything. This after complaining to the registrar's office and such... I assume it occurred because the financial aid office had my SSN and that account was being used. It's all taken care of now. 901-xx-xxxx. Completely invalid. (900's don't work.)
The other incident was at Michigan Technological University -- saw no option to not have my SSN as my everything-number. In this instance, I gave it because I didn't want to risk not being accepted. Later, I went to the registrar's office to try and get the so-called "M" number that they gave in place of SSNs. At the time I was told that I could only do it if I declared my account confidential -- have to show photo ID, everything done through the mail and so forth; a real pain in the ass. I put that off, but went back a month later with the intent to declare my account confidential. Lo and behold, magically, I no longer had to declare my account confidential and walked out with an M number. M0026xxxx. Still remember it, two years later, even. There's something about numbers...
But, those're my stories. Really, you CAN change from your SSN after the fact. Many people have bitched, "That's the trouble when you don't stick with your SSN" and such, but I just start talking to them as though they're stupid. That's because they are.
Go tomorrow, get it changed; keep your confidential data confidential.
-DrkShadow
Re:I always hated giving the SSN (Score:2)
Re:I always hated giving the SSN (Score:2, Interesting)
So anyway, I went to get my student ID changed after the proverbial straw broke the camel's back: I had received a letter in the mail from the university, addressed to me, with my student ID (SSN) printed on the outside of the envelope. Boy was I pissed. So, I went down to the registr
Re:I always hated giving the SSN (Score:4, Funny)
It actually saved time. It was the next thing they were going to ask for anyways, and they wouldn't do anything to my records until I told it to them. They didn't need to know my name, and if they did, it'd be on the first screen they pulled up if they felt the need to use my first name to make me feel like a person.
Kirby
Re:I always hated giving the SSN (Score:2)
Re:I always hated giving the SSN (Score:2)
I always hated that about college
With good reason too. I once consulted to an unnamed college and could not believe how disorganized, how poorly planned and how lax security was. But the Dean responsible was worried more about what other things and what I cost him than getting a decent set of backups. The kicker was we gave him very low rates as I was between larger projects.
Deans should not manage I/T and computer infrastructure. I/T manager needs to answer to the board/directors and have their ow
Re:I always hated giving the SSN (Score:2)
Yeah, it's a very bad system. The way we use SSNs nowadays is an outgrowth of the increasing need for a national id #, and the government's complete unwillingness to administrate such identification in the face of "big government" paranoia. To work (and in my case go to school as well) you have to show two of the following: Social Security card, driver's license, or birth certificate. And what you say about, "Here. Take my money. Please, have it," totally rings true: I tried to pay my electricity bill (whic
Re:I always hated giving the SSN (Score:2)
Max
Re:I always hated giving the SSN (Score:2)
The officially recognized uses of a general-purpose personal ID card backed by the word of the government would be easily seen as worth stealing, and hence worthy of vigorous protection.
OTOH we probably shouldn't spin up another big government program just to encourage private laziness. How many organizations' need to identify people ever goes beyond "this is the same person who initiate
soooo (Score:5, Funny)
Suspicious? (Score:2, Interesting)
And that's the one you know about... (Score:5, Interesting)
How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.
The worst thing about this (Score:3, Interesting)
Stock up on canned goods, folks.
Re:The worst thing about this (Score:2)
And use someone else's credit card?
Re:The worst thing about this (Score:3, Interesting)
There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.
Stock up on canned goods, folks.
Americans have one of the lowest savings rates for a developed nation. There are several studies which indicated many Americans spend more than they earn. Even worse, other than home ownership
Re:The worst thing about this (Score:2)
Max
Re:The worst thing about this (Score:2)
What's annoying is most of the country makes it hard to save on some things, for instance where I live a car is an absol
I'm less worried over this.. (Score:3, Insightful)
How many cases of internal theft do we know?
As someone who once created and maintained my high school information database, I know how easy the system can be abused.
What's very important is that Universities have strict and applied policies dealing with information and database handling. Limiting the numbers that have access is paramount.
Background checks for personnel involved should be done too.
Re:I'm less worried over this.. (Score:2)
Of course, no laws prevent an academic institution from doing dumb things like not using quality security strategies or outsou
wow too bad.... (Score:5, Informative)
It wouldn't have mattered. (Score:5, Informative)
Re:It wouldn't have mattered. (Score:2)
but that would have assumed them to have a clue, or having cared..
Re:It wouldn't have mattered. (Score:2)
In Australia.... (Score:5, Interesting)
Re:In Australia.... (Score:2)
Private parties and organizations don't have the right to demand your SSN. Nonetheless,
Re:In Australia.... (Score:2)
Re:In Australia.... (Score:2)
Exactly, the government doesn't even enforce the law so it's become entrenched and abused. Only now are companies starting to realize that it's not only illegal but a Bad Idea(tm) to use SSNs to identify everyone. It's sad that someone had the foresight to see this would be a problem (thus the law was created in the first place) but it took it actuall
Re:In Australia.... (Score:2)
Inquiring minds want to know... (Score:2, Interesting)
Re:Inquiring minds want to know... (Score:2)
IT majors (Score:2)
Alternatively just say they had a fully patched windows machine, both work fine.
Re:IT majors (Score:2, Insightful)
Kind of ironic that they would have a graduate program there for information security and they just got hacked.
I think it might be an inside job though.
FYI (Score:2, Insightful)
The fact that the machine may have been unpatched reflects poorly on University Administration (ITU) but not on the CS or IT programs.
Disclaimer: I work and go to school at GM
Someone follow that example. (Score:5, Funny)
My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).
She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).
Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.
Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.
Re:Someone follow that example. (Score:2)
Re:Someone follow that example. (Score:2)
I'm a Student at GMU (Score:5, Informative)
and
Re:I'm a Student at GMU (Score:2)
Timing like that could be more than coincidental.
By the same token, it could be a coincidence that only one student in the Computer Security Fundamentals 101 course was passed by a hoary professor.
Re:I'm a Student at GMU (Score:2)
Were this a network-based crime, I'd think the police wouldn't be on it - but the FBI.
suspiciosity (Score:3, Interesting)
Re:suspiciosity (Score:3, Informative)
Sue the bastards... (Score:2)
You'll also notice that the asshole of a VP didn't even apologize for the situation. Just that he regrets it. Mak
Sue the bastards? (Score:2)
Re:Sue the bastards... (Score:2, Interesting)
Re:Sue the bastards... (Score:2)
In effect it's government assigned name. Most of the problem is idiots treating it as though it is a "secret".
Re:Sue the bastards... (Score:3, Interesting)
1) The thief
2) The creditors for their lack of proper verification al
Re:Sue the bastards... (Score:2, Interesting)
Where would the money come from? From the school of course. This would just raise tuition you say? Well sure, but why would you want to go to a school like this after an incident of this magnitude. I wouldn't trust them. And there are other options. It's not like we're talking about Waterloo or MIT here.
Universities are security risk (Score:3, Interesting)
On top of that, network security in general is weak and so there are all these students using unencrypted shell logins, and exchanging sensitive data over email. Or doing online banking on public machines, where key loggers could easily be installed. Lots of students live at the university, so they have to use computers for sensitive tasks like banking (unless they happen to have a laptop).
The whole experience made me resolve to keep tight control of aspects of my privacy. If someone tries to hijack your identity, the telltale signs are: money disappearing, and new accounts being opened. So you must keep accurate records of where your money is, and watch those balances. Also order yearly credit checks, which are free to do. If someone is opening accounts under your name, you can at least catch it.
US Army and identity theft (Score:3, Informative)
Some of the information freely available to anyone who cared to look at it was:
Re:US Army and identity theft (Score:2)
Interesting (Score:2)
Prosecution (Score:2)
After all, it's an information society: abusing personal information harms the fabric of this society, as well as the specific individuals and organizations involved.
Re:Prosecution (Score:2)
No such thing as "Just missed it" (Score:3)
Look at the students first (Score:2)
Oldest excuse on the books (Score:3, Interesting)
If they really took the problem seriously, an upgrade wouldn't take long at all. Just mechanically replace SSNs in the database with unique, randomly generated 9 digit numbers and set up a web page that maps SHA(SSN) to the new ID.
Bit more complicated than that (Score:3, Interesting)
It. Took. For. Ever.
All sorts of disconnected systems keyed to that AT&T ID # that needed to be updated and changed and the change needed to happen in one fell swoop and nothing could fail.
I'm betting a university setup is even worse.
Re:Oldest excuse on the books (Score:2)
if you keep the list of assigned numbers in a heap, or sorted array it would be log(n)
Re:Oldest excuse on the books (Score:2)
Non-random approach is dangerous because you can guess ID numbers of your classmates and from then on it's much easier to access their information or worse change their class enrollment.
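The SSN-to-random-ID migration proposed in this thread, as an added example that is not part of any poster's comment. It departs from the post in one respect: the lookup table is keyed with HMAC-SHA-256 under a secret key (hypothetical, held by the registrar) rather than a bare SHA of the SSN, because all 10^9 nine-digit values can be hashed and matched by anyone who obtains the table. The function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def ssn_lookup_key(ssn: str, secret: bytes) -> str:
    """Keyed digest of a normalised SSN; replaces the SSN in the lookup table."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()


def new_random_id(taken: set) -> str:
    """Draw an unpredictable 9-digit ID, retrying on collision."""
    while True:
        candidate = f"{secrets.randbelow(10**9):09d}"
        if candidate not in taken:
            taken.add(candidate)
            return candidate


def migrate(records, secret: bytes):
    """Strip the SSN from every record and attach a random student_id.

    Records sharing an SSN (for example duplicate accounts) get the same ID.
    Returns (migrated_records, lookup), where lookup maps HMAC(SSN) -> new ID.
    """
    taken, lookup, migrated = set(), {}, []
    for rec in records:
        key = ssn_lookup_key(rec["ssn"], secret)
        if key not in lookup:
            lookup[key] = new_random_id(taken)
        row = {k: v for k, v in rec.items() if k != "ssn"}
        row["student_id"] = lookup[key]
        migrated.append(row)
    return migrated, lookup


def find_new_id(ssn: str, lookup: dict, secret: bytes):
    """What the self-service page would do: SSN in, new ID out (or None)."""
    return lookup.get(ssn_lookup_key(ssn, secret))


# Constructed sample rows; 900-series numbers are not valid SSNs.
SAMPLE = [
    {"name": "A. Student", "ssn": "900-00-0001"},
    {"name": "B. Student", "ssn": "900000002"},
    {"name": "A. Student (financial aid)", "ssn": "900 00 0001"},
]

if __name__ == "__main__":
    rows, table = migrate(SAMPLE, secrets.token_bytes(32))
    for row in rows:
        print(row)
```

Because the IDs come from `secrets` rather than a counter, knowing one student's ID says nothing about a classmate's, which is the concern raised in the reply above.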
Coincidence? (Score:2)
it should be the other way round (Score:2)
I don't care whoever knows my SSN, I do care that a cellphone shop gives a subscrip
Re:it should be the other way round (Score:2)
FERPA (Score:2)
Simple id code for a person ... (Score:2)
echo 'Christopher Sawtell 21:30 15-Feb-1943 St. Pancras, London, England' | md5sum | cut -f1 -d' '
Which for me gives:
17f11db57259bdbdf45ed234f1b122ed
Alternatively there is the sha1sum which gives a few more digits:
ac8379e71974cca81580d29913d806b0e952f593
Now then /.ers. Anybody else get the same hashes?
We want at least a million tests. Don't be shy. This is actually a worthwhile experiment which doesn't involve total
back in the day... (Score:2)
State ID's (Score:2)
Re:Social Security Number (Score:2)
Re:Social Security Number (Score:3, Interesting)
Some states have solved the problem. In Texas, for example, people can "lock" their credit information. With it locked no one can get credit reports which makes it impossible to get credit, even if the person has the SSN, driver's license, birth certificate, etc.
Of course the credit companies are fighting these laws because they like the idea of fast
Re:Social Security Number (Score:2)
Don't just fry the little guys. (Score:2)
We don't know if mandates from above caused things to get forced into production without proper measures because of unrealistic deadlines or pathetic budgets, either.
Perhaps if the school as a whole had to carry information security liability insurance they'd be forced by an insurance carrier to be compliant with some security standards.
Punished badly? (Score:2)
Re:Idiots. (Score:2)
Don't know if you've seen this [dailynebraskan.com].
The sequel [journalstar.com] is a kicker.
Read the sequel! (Score:2)
Re:Idiots. (Score:2)
You obviously don't understand what rights are. It's perfectly within their right to find alternate employment. If they choose to work as a firefighter, part of the job description includes scraping dumbasses who don't wear seatbelts off the pavement. It may be their preference not to, but preferences are not rights.
Re:Idiots. (Score:2)
You think the difference between rights and preferences is semantics, and that pointing out that the position you took was factually incorrect is pedantic? Then I guess we have nothing to discuss.
Re:Bah, (Score:2)
Re:A sucker born every second? (Score:2)
Re:A sucker born every second? (Score:2)
I didn't think you'd put your own social security number on /., but I am wondering how many people in general will. You don't really need clever phishing schemes when so many people probably give away information without needing to be duped.
Re:A Blow To Mason's Public Image (Score:2)
I'd recommend putting a fraud alert on your credit data as a matter of course. I moved to the UK to teach, and within six months I had a computer fraud problem to deal with back in the USA. Apparently somebody noticed I was out of the way and decided to take advantage of it. The police an
Re:I have my doubts... (Score:2)
Hold it there, cowboy -- you're off by a factor of 1024. 30,000*9 = 270,000, which is about 264kB. Allowing 100 bytes per person, we're still only talking about 3MB of data.
In conclusion... I think they're jumping the gun a bit here before they have all the facts in.
In conclusion, I think you need to check your math next time.