Long-Term Liability For One-Time Security Breaches? 119
An anonymous reader writes "Not a month goes by where we don't hear about a theft of some organization's laptop containing sensitive personal information, not to mention the even more frequent — but often kept secret — breaches into company networks and databases. It is definitely true that you should be responsible for the security of your information when you handle it, but what happens when the theft of your information is not your fault? You have handed over this information to a company or organization and trusted them to keep is secure, but they failed. They might notify you of the breach or theft, and they might even set up a credit monitoring service for you for a year or two, but the problem is that this information may be used years from now. Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?"
And a bunker too... (Score:1)
Contract (Score:4, Insightful)
Not to sound condescending, but when you hand your stuff over to a third party generally there is a contract signed between you and them, what you are looking for *should* be in that contract.
Re: (Score:1)
Contracts simply state what is agreed to, and to some extent, what happens when what specifically agreed-to elements of the contract are not met -- usually this mostly means termination of the agreement. Contracts might contain verbiage about keeping data and equipment secure; if security is breeched, that's where the contract ends and liability law begins.
When someone makes a mistake and a laptop gets stolen because someone failed to secure it properly, this is called 'negligence' and it's an actionable t
Re: (Score:1)
s/data was secured/data wasn't secured/
Re: (Score:2)
Having dealt with a few offsite storage places I can tell you that they have SLAs that cover theft/fire/nuclear bombs/etc.
Re: (Score:2)
A nice point. (Score:1, Interesting)
Ironically, the four UK Credit Reference Agencies have announced today that you can do a web based credit check on youself for the sum of £2.00. PReviously only one of them allowed web one time (ie non annual contract) checks.
If they make it quick and also cheap then maybe more people will take responsibilty for checking their own details on a regular basis.
Posting anon for obvious reasons....
Re: (Score:2)
Re: (Score:2)
They don't necessarily have the same info and they definitely don't share "this is bogus information" notices. They are competitors.
Re: (Score:2)
Yes of course, perfectly understandable.
Re: (Score:1, Informative)
Sorry the reason for your anonymity evades me, I guess its not as obvious as you think.
The reason reason for my anonymity is because I don't have a Slashdot account (I've never been able to decide on a pseudonym to use).
the real reason (Score:2, Interesting)
the real reason we hear more about it and hear of more of them every day is because they are the media topic of the moment, just like when northern rock was in trouble, suddenly, all the banks where in trouble and everyone took their money and caused the financial meltdown.
in short, this sort of thing isnt happening more frequently than it previously was, its just being reported on more
Two oddities (Score:3, Insightful)
The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.
The second oddity is we are mostly dealing with the bottom percentiles of personnel, equipment, hardware, software, and design. So the article blissfully dreams "Let's hope that these reasonable measures will include the use of encryption." But you know that fools are just going to add another column to the database called "encryption key" so as to decode the other columns. Or store the key in C:\key.txt. Or go all ROT-13 or whatever the unicode version is of ROT-13. If you're dealing with screwups, adding more conditions just makes their screwups more rube goldberg and hilarious, it doesn't prevent them from screwing up.
Re: (Score:1, Insightful)
Yeah, I agree. Also this falls into the category of "Yeah, so?". Lots of things are unfair, and yeah, we should probably try to change them, but the feasibility is the issue: most people have probably been part of some security breach in the past 30 years. Do we monitor credit for everyone? Okay, where does it end?
Also these credit monitoring services, while helpful, aren't foolproof. Just look at that lifelock jackass.
I'm not saying it isn't unfair - it is - it just seems a lot like wishful thinking,
Re:Two oddities (Score:5, Insightful)
The problem is that identity theft is profitable for more than just the thief.
The credit bureaus make shitloads of money from identity thieves taking out loans and triggering credit reports.
Re:Two oddities (Score:5, Informative)
The first oddity is why the author believes that the data would sit around for years before being used. Like there's an "exploit bank" where you can deposit your collection of stolen data and gain interest on it until you "cash them in". I'd think far more likely it'll get used fairly rapidly, or never. How you fence or launder millions of records is kind of a mystery to begin with.
There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they dont put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.
Re:Two oddities (Score:5, Informative)
There are - and it's been covered here, even if not called those terms. There are "organizations" that do nothing but collect this info and then sell it off over time to whoever wants to buy it. I'm sure they dont put expiration dates on their data, and will gladly sell you a collection of records with 10 day old data and 10 year old data, all mixed together.
You beat me to it. Why would we expect exploit lists to differ substantially from marketing lists - and just how separated do we really think these groups are? I'd expect that data to get passed around like a bottle of cheap wine.
As to using it - it may be true that CC#s for exploitation are only used from "fresh" lists. But what about all your other data, depending on where they got it? You probably won't move due to this event. Your SSN won't expire - or if it does, you have bigger problems than identity theft. So yeah, if your ID gets out there it's not good news, and not something I'd expect to cease being a threat.
Incidentally, some might be surprised how long lists stay in the wild. I recall once getting snail mail spam addressed to the previous owner of the house. This wouldn't have been remarkable, except that *we'd* lived in the house 20 years or so.
Re: (Score:1)
A record "encryption key" column in a database is fine as long as that encryption key is (A) generated in a sufficiently strong manner that it cannot be guessed, for example a SHA256 hash of a strong shared key salted with a pseudorandom value and the record id, and (B) accompanied by an initialization vector generated from truly random data, and (C) the encryption key in the enc. key column is itself encrypted using a strong public crypto, and (D) the secret key is not stored in the database, is prefera
Re: (Score:2)
The first oddity is why the author believes that the data would sit around for years before being used
Some stolen information does. Credit cards and the like ("short term" data) usually is 'use as fast as possible' due to its nature (not going to be around long). However, when it comes to data that cannot be changed/very difficult to change, ie, Social Security Numbers, they sometimes sit around for years before ever being used.
My local paper ran an article about this a year or two ago. A man in his 20's apparently had his SSN stolen when he was 13, and it just started getting used. The paper covered
Re: (Score:2)
The first oddity is why you think data would stop being used after some finite time period.
The second oddity is that you clearly don't understand how corporate organizations use encryption on laptops once they decide to do it.
Re: (Score:2)
Life isn't fair because the money men running the show make it that way.
Its a cost we all must bear (Score:1, Insightful)
The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.
Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay
Re: (Score:1)
The more financial liability we push off to those who make the mistakes, the more we will pay in the costs of goods and services and/or the more companies will play organizational games like incorporating overseas or contracting out data-gathering to "independent third parties" who can simply file liquidation bankruptcy in the event of a too-expensive data breach.
Or, when that is not possible, goods and services may not be offered at all because no company will sell them at a price that the public will pay after factoring in liability costs.
Great idea. Let's just let all corporations do anything they want. After all, we wouldn't want them to actually be accountable for anything, would we?
Re: (Score:2)
Re: (Score:3, Insightful)
The cost of a company's mastakes are a cost of doing business. Why should I pay for your mistakes? I'd rather the company go out of business, even all companies like it, than let them continue with shoddy security that may cost me dearly. If they aren't made to pay for their mistakes, the mistakes will continue to be made.
You have morals, but corporations do not.
Screwup? (Score:4, Insightful)
Your security should be more costly to bypass than what the security is protecting. If you can't do this, you're making a business proposition to the world: "Hey, free profit at my expense. Inquire Within." If you don't want to pay to protect it properly, then the best you can hope for is that someone else's stuff is more shiny than yours.
Re: (Score:3, Insightful)
This isn't security in the first place. True information security would be a situation where even if someone had all your "authentication data" it wouldn't be possible to abuse. (I'm not claiming I know how to obtain such security, and I admit it is an idealized statement.)
It seems to me that the current situation we experience related to (financial) authentication is due to the fact that we have traded the necessity of actually knowing your banker or clients personally for what are essentially anonymous tr
infinite lifetime considered harmful (Score:5, Insightful)
That all of the really useful data tends to have infinite life (birthdate, SSN or equiv for non-US, place of birth) compounds the problem (the "use case" that comes to mind is some aged drive surfaces in the used parts market and some scofflaw procures it and uses it long after the breach itself).
Obviously, each organization should have their own ID numbers, and any given "customer" ID should be able to be associated with various time varying external credentials and really good stuff which isn't time varying shouldn't be in the hands of third parties.
Regulators (e.g. SOX, HIPPA, UK data protection act(s)) all seem to miss the boat about limiting the scope of breeches. Legislating that no breech ever occur is laudable, but impractical. So minimizing the harm done should be the focus.
when IRS or Social Security loses data? (Score:2)
Their main protection is government systems are "self-encrypting", that is written mostly in pre-1980 OS-360 COBOL.
Of course (Score:4, Insightful)
> Is it fair that you have to worry for decades and pay for further credit
> monitoring when they are to blame for your information ending up in the
> wrong hands?
You are liable for the actions of your agents. If they screwed up you can sue them but you are still responsible to your customers.
They should be penalized for failure to disclose. (Score:2)
I'm 99.44% sure that my check card info was compromised in a data theft incident but I have no proof. One day, I got a call from my bank saying that my current check card was susceptible to fraud and that a new card had been sent to my mailing address. Please call if you have not received this card.
That set off a couple WTF questions in my head. First of all, it was implied that my replacement card should have arrived which means they'd sent it at least 2-3 days earlier. If fraudulent activity had been
Re: (Score:1, Flamebait)
Anybody who uses a card with the Visa or MasterCard logo which is connected directly to his bank account (a so-called "check card") deserves what he gets.
important links (Score:2, Informative)
TFA is the summary segued into mentioning the Data Accountability and Trust Act is before the Sentate. Here is the tracking site for that act, and the important Summary:
http://www.govtrack.us/congress/bill.xpd?bill=h111-2221 [govtrack.us]
http://www.govtrack.us/congress/bill.xpd?bill=h111-2221&tab=summary [govtrack.us]
It's fairly straightforward. It defines terms and requires the information holders to follow a structured method of protection and reporting. Places oversight with the FTC. Notably "Prohibits the FTC ... from requirin
Why do they need so much private info anyway? (Score:2, Insightful)
I feel that the information I share is at my own peril. Perhaps we should worry less about data security and invest more energy in learning how to get stuff done without the need to share important info in the first place.
NASD fines go back 5 to 10 years (Score:2)
The NASD has been known to levy multimillion dollar fines and pull dealer licenses for offenses made by previous staff. Their reasoning is that any competent professional would see and correct pre-existing issues. To be fair, they gave me and my staff 6 months to fix some stuff related to email auditing and retention and even made suggestions...
Independent ID-Checking Service (Score:4, Insightful)
Why is it still possible to get these things in the US without going into e.g. a bank and showing them a valid photo ID (passport, driver license,
If you've got a problem with a bank seeing you in person (why?), maybe a new institution could be founded that does only that: Check IDs of people for others. Like this:
1. Request a loan
2. Get a unique magic number of your bank that doesn't carry any information but the bank knows it belongs to you and that loan
3. go to the ID-check-service and let them sign that number, e.g. with: "Person xyz has proven his identity" (if paperwork, or better get a digital signature)
4. Give signed number back to the bank
Bank knows you are you, without you ever going there in person and the ID-check-service doesn't know what you needed that signature for (they just got a "random" number and signed it for a fee).
Expand this scheme for other services (governmental, etc.) and you get all the privacy you got now with a whole bunch of more security.
Re: (Score:2)
In Switzerland, the country with super-seekrit-numbered accounts (at least according to some bad fiction writers) it is impossible to open an account (even a super-seekrit one) without personally identifying yourself to the bank with proper documents (i.e. passport).
While you may find a more shady financial institution that takes a more flexible approach on the "know your customer" rule, this will not
Re: (Score:1)
Online Banks and other internet companies in Germany use Post-Ident for this.
It's a service by the post office where you have to go to the next shop, show your personal identification card and they send the post-ident back to the company:
http://www.deutschepost.de/dpag?tab=1&skin=hi&check=yes&lang=de_EN&xmlFile=1016309
Google (Score:2)
We ditched Google for Faculty and Staff at our university and this was one of the reasons why. Too much information given to a third party and no true liability if some of it were lost or stolen. If you're working on potentially patentable research, and you send it through Google's servers, and some "glitch" lets someone else look at your email...well, you might have lost a patent. And Google doesn't pay. And Google could argue that, well, what do you want for free? At which point, we say, "Nothing, th
The "secret information game" (Score:5, Insightful)
This is a ridiculous game we keep playing over and over again. We have "secret information" we entrust to every business entity with which we do transactions. They aren't quite as secret any longer. And these other entities have people in them... not all of them can be trusted and you will never know who or how many whos have had access to the information. It's a very flawed system especially in light of modern communications technologies available today.
We need a system in which credentials for transactions are good for one-time-only. I present my credit/debit card and this information doesn't change again until either the expiration date arrives or I have it changed. But if I do something with my account "device" that issues a payment ticket number (rather like a cheque in many respects) that is then presented to the business entity to be used only by that business entity and only works once, twice or however often it can be used as approved by you. That code would only be useful for the other side of the transaction because of their encryption key token must work with the ticket number I issued. Then these stupid open secrets won't need to be a concern any longer.
The big problem isn't that people can or can't securely store this information because we already know it can't ever be stored safely and also be useful. So it needs to be stored "safely enough" but also with limited usability. What it all comes down to is a system that requires end-to-end user accountability. As it stands now, "identity theft victims" are held accountable for EVERYONE's mistakes. It's just not fair.
Re: (Score:2)
As far as I know a number of banks offer virtualised credit cards with a specified limit and expiration date. If you generate those cards with the exact amount of money your transaction is worth then the card is useless their database gets hacked.
Re: (Score:2)
Yup. My bank offers this as well, and I've started making use of it after having some invalid charges show up on my account a couple of times. It's quite simple and useful, though only useful for online purchases.
Re: (Score:2)
About a decade ago I got a research grant for a system for generating one-time per-transaction keys -- you had a card you carried with you with a display sufficient to display the price of the item you authorized and to allow a PIN to be entered if you wanted to approve a transaction; the card had a public identifier, a private key, and a counter; it generated a token consisting of the public identifier and a hash of the private key, the counter and the transaction data.
Didn't go anywhere -- not economicall
Re: (Score:1)
Actually, the victims of identity impersonation aren't even held accountable, which is why it keeps going on. The victims of course are the banks, who mistook someone else for you and gave out some of their money. They say it was you who are at fault, so they don't give a shit.
"Breach", not "Breech" (Score:3, Informative)
The correct term is "data breach", not "data breech."
A "breech" is either a pair of short pants ("breeches"), the hind end of the body or a birth where the baby is coming out backward ("breech birth"), or the rear of the barrel of a firearm.
So the term "data breech" means short pants made from data, data that is coming out of a system backward, or the back end of an Ethernet cable, I suppose.
This teaching moment sponsored a chunk of my karma from the inevitable "Offtopic" and "Troll" mods this post will undoubtedly earn me.
Re: (Score:2)
Well, considering that companies are losing data out their rear-ends, maybe that spelling is more accurate than you thought.
Re: (Score:1)
I find your argument... compelling. :)
Thee points. (Score:2)
2. If the financial fraud was all that mattered, then this wouldn't really be a big deal. But the huge problems certain people have wh
Re: (Score:2)
FFS... (Score:2)
Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?
For fuck's sake, is it fair that someone stole your data in the first place? No, of course it isn't. But ultimately, it's your problem and nobody else's. Trying to make it someone else's problem is childish and irresponsible. They did their best (at least for the amount of money you spent on the service), but there hasn't been a security system invented that is 100% foolproof. So now you have to watch your information like a hawk because someone is a thief. You can hire that out too if you want, but t
Re: (Score:2)
Yes, it is arguably the case that it is the submitter's fault that somebody made off with some personal trivia concerning him. However, are those trivia valuable in themselves? No. They are just some random chunks of data. Why are they valuable? Because all kinds of third parties will, idiotically, accept knowledge of them as being identical to being the submitter, and do things like hand out loans. The value and the danger of what
Re: (Score:2)
Its not even "arguably correct". If someone makes off with my SSN etc., even if it is my fault, having this information is not a crime AFAIK and I am neither culpable for exposing it nor a victim of someone obtaining it. The crime occurs when some other party is defrauded, and they are a victim of both the fraud and their own lack of diligence.
This only becomes a problem for me when these third parties take their problem and make it mine via a central credit reporting system that I am forced to be subject
Easy... (Score:2)
If you store someone's sensitive information, and their ID is compromised using any of the information you store, you're liable (along with everyone else that stores that info) for reimbursing any costs or lost assets that the victims incur.
As a bonus, this system would be a strong disincentive to storing crap about us that companies don't absolutely require.
How can this problem even exist? (Score:1)
Re: (Score:3, Insightful)
What if you're trying to get your first mobile phone?
A reason to use foreign banks... (Score:1)
At worst, you'll only find such a bank account abroads - however, they're easy to find anywhere else but in the US. Put your savings there, use the national account only for more frequent pay
Information wants to be free (Score:2, Interesting)
But we give it too much power to allow that. A much more fundamental change is needed. Until then, long term liability is probably the only alternative. It should never cost the victim anything at all. All costs should be laid on the leaker. And "Trust no one" with your info still applies.
Re: (Score:1)
"Trust no one" with your info still applies.
I agree with you, but in this day and age I can't seem to go two days without some website asking for personal information. Whether I'm signing up for paperless billing from the electric company or ordering a pizza from papajohns.com. I don't use my real info whenever I can, but I couldn't tell you how many companies have my home address or phone number
Re:Information wants to be free (Score:5, Funny)
Did you seriously just complain that you have to give out your home address in order to have something delivered to you?
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re:Information wants to be free (Score:5, Insightful)
Whoever came up with the concept of "identity theft" needs to be given an award for sheer chutzpah, then clubbed to death. The problem isn't "identity theft", an "identity" in this context is simply a bunch of information that is only copied, not destroyed or removed when compromised. The problem is bank fraud and various other sorts of fraud perpetrated by people using those data, against institutions who, in a masterful display of doublethink, simultaneously ask you for your SSN when you do anything more sophisticated than taking 20 bucks out of the ATM and treat the SSN like a double-secret-super password that only you could possibly know, on the strength of which loans will be granted, accounts opened, and so forth.
However, by using the term "identity theft", the implication is created that you are the responsible party. As a token, whoever was responsible for the breach might be forced by law or bad PR to offer you a year of credit monitoring or something; but that doesn't address the root problem: banks, and other such institutions will accept laughably trivial factoids as incontrovertible evidence that somebody is you, and then try to stick you with the bag when the mistake is discovered. The problem isn't that somebody knows my mother's maiden name and my SSN, the problem is that numerous financial institutions and other such entities will happily accept possession of those facts as evidence that just about anybody is actually me. However, because it is "identity theft", I'm the one who has to watch my credit vigilantly forever, and wonder what might bubble up on a background check done in my name, rather than it being "bank fraud" or "inadequate police work", which would place the burden of responsibility on the party who ought to be responsible.
Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences. The idea that if those pesky consumers were just a little more careful, we wouldn't have this issue, is as elegantly malicious as it is utterly wrong.
Re: (Score:3, Insightful)
Between public records and massive data breaches, virtually all "identity" information is effectively public knowledge. Any institution who treats possession of that information as proof of identity should be treated as guilty of gross negligence, and responsible for the consequences.
I assume you have a better idea, then? About the only thing I can think of is government-signed (and revokable, such as in case of theft/loss) physical tokens that can do public-key cryptography, which (1) is only recently somewhat feasible, and (2) might not be that great an idea given how intertwingled all the functions of the government are.
Re: (Score:3, Informative)
The system in place for internet banking in sweden is (usually) based around you being issued basically just ssuch a device. That is, you have a pin code (which is blocked after three wrong inputs) to log in to the device, and get a one-time code to log in with to the actual system. Any transaction are then further validated against the device, with transfers to a previously unknown person requiring you to not only validate the transaction, but the recipient as well.
However, this is not the whole truth, as
Re: (Score:2)
Basically the same is true in Latvia - the only true root document is your government-issue passport. Only after the bank teller has seen you with you passport in hand and matched your face to the photo in the passport (and verified the passport as valid and also taken a photocopy of the passport for long term records), only then the bank can consider you to be the person you claim to be. Only then you can sign contracts, open accounts or withdraw money.
For the electronic transactions the banks issue you a
Re: (Score:3, Insightful)
Ok, a better idea. No more central credit reporting. They all rely on that, and it is exactly what the information leads to. So if every bank had to manage there own credit reporting and rely on there report with the customer then there would be no identity theft.
If the local branch of XYZ bank knows Joe Smith then it is hard for Jack to walk in and convince them that he is Joe. Add to it that Jack going to ABC bank and saying he is Joe does not get him any better chance of credit as he would have to take t
Re: (Score:2)
The problem is that organisations with the write privileges to the system do not bother to check if the person is who he claims to be. If the SSN was printed in your passport and everyone was required to show the passport (with the SSN and a photo inside) for any action that would require a credit check, then all these identity theft problems would simply disappear.
Re:Information wants to be free (Score:4, Insightful)
The fact that a bank will hand somebody a loan for some thousands because they know a couple pieces of biographic trivia about me is idiotic; but I am OK with that. It's their money, if they think that they can maximize profits by trading off security for convenience, more power to them. What really pisses me off, though, is that, after they do that, I am the "victim of identity theft" who has to watch his credit report forever, and fight an endless battle by certified mail with some Kafkaesque division of Equifax in order to rectify things. In a remotely just world, the response would be "You, a financial institution who really ought to know better, gave some guy ten grand because he knew a few pieces of public information? You dumb shit, I guess you are out the money."
There is no perfect defense against fraud; but I bet they'd come up with something better than what we currently have, if the costs fell on them.
Re:Information wants to be free (Score:5, Funny)
Actually, it should be "The CEO of your bank has agreed to waive the alleged debt, pay my outstanding legal and other costs and indemnify me against any future, plus an ex-gratia payment of fifty grand for my trouble. I have it in writing, with his photo ID right here. All witnessed and notarized".
You then hand over a note written with a crayon in childish writing, with a picture of a smiling face at the top and the bank officer's name scrawled underneath. In a different coloured crayon it says "it tru dat, signed my best pal", superimposed with a mucky handprint.
Well why not? Basically, that's what they've got against you.
Re: (Score:2)
A system like that got implemented in Spain a few years ago. All new Spanish national ID cards are smartcards which allow you to cryptographically sign documents with similar validity to a physical signature. It is expected that they will be increasingly used by banks and the like (and they are already being used in order to e.g. file tax documents on-line). The card is protected by a "PIN" (actually a password) and locks you out after a few incorrect attempts.
It's by no means perfect, but it will be intere
Re: (Score:2)
How about requiring a notary public's seal on loan documents for them to be enforceable? That would require lending institutions to reasonably verify someone's identity before issuing them credit, and works with 17th century technology.
It's not impossible to fool -- you could also have false ID, etc. -- but it's a lot more reliable than simply writing down a different SSN, and requires an additional fraud against the government to pull off.
Re: (Score:2)
Re: (Score:2)
It is pretty retarded to trust a digital document without a digital signature verification or a trust chain. Either you are in the bank in person with your photo-id in hand, or the document can be used for information purposes only and is not legally binding.
Re: (Score:2)
How about "government-signed (and revokable, such as in case of theft/loss) physical tokens" also know as PASSPORTS!!! And then you go to a bank and show your passport to get a physical token to allow you to get access to your account in that bank! It is a fantastic idea, right!
Re: (Score:2)
banks, and other such institutions will accept laughably trivial factoids as incontrovertible evidence that somebody is you, and then try to stick you with the bag when the mistake is discovered.
Not to mention that it's more of an annoyance to the end user than it is security. I can never remember exact capitalization/spacing/punctuation to those "security questions". And sometimes I wonder if there's someone out there, compiling a list of these trivial factoids. One day, they will know more about me than I do myself.
It's the same story it's been for the last decade. Massive problems with current methods of government/financial institution/credit bureau validating your identity, better technicial s
Re: (Score:2)
Re: (Score:1)
As a twice victim of identity theft (once stolen checks, once false credit cards), I have strong circumstantial evidence that "insiders" were involved in both cases. One might wonder if that is not the norm...
Vigilance can only limit the damage. If the criminals are within the banking/credit system, it is not even theoretically possible for you to fully protect the banks from themselves in your name.
Based on my experience I am a strong believer in NEVER using debit
Re: (Score:2)
You must have pretty stupid banks.
It is much safer to refuse all checks and all credit cards and use only one debit card with overdraft explicitly forbidden. At least it is so in the EU where government regulations actually protect the consumers against lazy banks.
Re: (Score:2)
Of course, sometimes the thief doesn't know the right mother's maiden name and the financial institution still approves the new line of credit.
And then the thief changes the address immediately (before the card is even activated) and the financial institution doesn
Re: (Score:2, Insightful)
Yes, seriously, if the informations is that important, why is it on a unencrypted laptop HDD ??
Re:Is it fair? (Score:4, Insightful)
Not everyone has the choice to "man up".
I could go on numerous examples but the biggest would be mandatory disclosure of information to an incompetent government.
And don't even think of telling me that "I could always choose to go to jail" when doing so means I get my prints and mug shot forcibly taken anyway.
Re: (Score:1, Insightful)
No. Who told you life was fair?
You're responsible for protecting yourself. Don't expose your data unless you need to; then change it if you can. Don't put your money where it can be stolen. Etc. (Wo)Man up. The world is not here to wrap you in cotton balls.
Yes. Don't ever accept a job (you'll have to show some sort of ID.) Likewise, don't ever open an account with a bank or credit union. Don't ever attend an institution of higher learning.
As for living, just move into a cardboard box. Not only is it cheap, which you'll need with no job, but you'd need to provide tax information to buy a residence, and apartments won't lease to you without some sort of proof employment, which you won't have. Or move to some third-world country and live in a shack.
And for best
30 million illegals prove it isn't so (Score:1, Informative)
There are thrity million illegal aliens in the US. They work without showing ID or showing laughable ID. I have personally watched one open a bank account without showing a single blessed thing. Stood right there and watched the entire sign up process, the bank did NOT ask for any ID, took the illegals word on everything, and had a convenient foreign language speaker teller do the assisting. I was three feet away standing in line, saw it happen. They get drivers licenses in a lot of places, and all sorts of
Re: (Score:2)
Or move to EU, where the information on your ID is not enough to do you any kind of damage. It is just a login name, and the physical ID document with your real world face next to it is the password.
Re: (Score:1)
Is it fair that you have to worry for decades and pay for further credit monitoring when they are to blame for your information ending up in the wrong hands?
you're demanding fair credit? what gives you the right? you don't have any credit. if you want credit, there are terms. if you don't like the terms, you don't get credit. this has nothing to do with "fair".
Well, if someone uses your personal info to get a big loan in your name that you then have to pay back, it can be a bit of a problem. Sorry if understanding simple things like this is too difficult for you.
Re: (Score:1)
You specifically spewed forth:
So, you basically think that banks should be able to give out credit on whatever terms they want, even if it involves giving out loans in other people's names. That's why, in an actual civilized society, we have thes
Re: (Score:2)
Let me guess... the bank you're CEO of got a government bailout?