PayPal says personal data may be compromised for 1.6M TIO users
foxbusiness.com
> PayPal hasn't integrated TIO with its platform, so PayPal users aren't affected by the security vulnerabilities at TIO.
Most relevant line considering the title. PayPal wasn’t compromised.
> PayPal will offer affected TIO consumers free credit-monitoring services through Experian Plc, the spokesman said.
What's the point anymore? This has happened so many times this year I've got more credit monitoring than I could ever need. Now I just need them to actually redo the "identity" system into something I can actually use with peace of mind.
And all of the data breach sites seem to go out of their way to make them seem scammy as all get out.
www.databreach-settlement.com is for the Anthem data breach.
The Uber driver breach sends you to www.experianidworks.com.
The Equifax incident sends you to www.equifaxsecurity2017.com.
And those are just the three "we can't do security" cards/letters sitting on my desk.
I'd be fuming if I was opted in to any product from Experian without direct consent, I've seen php bitcoin exchanges with more credibility than those cunts
If Experian were really sneaky they'd pay teams of hackers to steal personal data from businesses so the affected businesses would then have to buy huge contracts for free credit monitoring for their users from Experian. That's not what's happening here, obviously, but it'd make a great Hackers-esque movie.
I didn't even think PayPal has to pay Experian money for this... Wow. Likely a bulk deal too like you said.
Absolutely. Such a remedy is completely inadequate as compensation for the damage done to those whose personal information has been compromised.
There was never an actual point. It was the only plausible-sounding thing that could be given and neither regular folks nor industry journalists called them out.
Isn't it time we criminalize any kind of data leaks by a company? This has to be seriously discussed now. That is the only way we can make these companies keep data security at the top of their priority list.
I know it is a subsidiary of paypal, not paypal itself, but that is irrelevant.
FTFY: That is the only way we can make sure companies will avoid disclosing breaches for sure and to have them pursue a burnt-and-salted-earth-approach towards anyone who might turn up evidence of a breach.
Pretty much becomes “blame the messenger” in a hurry. That and these comments quickly become “why didn’t they just do it the ‘right’ way...” as if such a thing existed. With security there is no right way, just many known wrong ways.
I got into a discussion once about how to properly handle passwords (cause somebody has to do it). There is no right answer, just lots and lots of wrong ones. Don’t encrypt, hash. But not that hash, use another...and not any of those over there; and sure as shit don’t write one yourself. Use an off-the-shelf hash...just not any that you have access to now. Not that one either, we don’t recognize the author by name...and not the other one because we don’t like the owner of the company (who is not a developer).
TL;DR, if you write code that needs security...eventually you are fucked.
If your development priorities are so unbelievably messed up they can't look into basic fundamentals like PBKDF2 or bcrypt, and you hoard large amounts of personal data, and you get compromised, and you think it's not your fault -- your company should not exist.
> Not that one either, we don’t recognize the author by name...and not the other one because we don’t like the owner of the company (who is not a developer).
This is quite obviously bad rhetoric (outright dumb, I'd say.) But let's say it's remotely true: you think "complete dysfunction, and inability to analyze root problems" -- that it's a reason why we shouldn't crack down on these people?
Doctors make mistakes. Everyone knows that. Sometimes it's negligence, sometimes it's tragedy, sometimes it's just random happenstance or Friday the 13th or whatever. But for some reason, we don't interpret this as a blank cheque to let any jackass on the street legally operate on people, risking their lives, and then -- when they hurt someone -- we all throw up our hands, sigh, and say -- "well dang, at least Frito Pendejo, he tried really hard, tried his best and doctors, y'know, medicine is crazy and uncertain!!! there are no right answers!!!"
Yes, security is hard. If there were real consequences to data breaches, then maybe companies would think twice before collecting every scrap of personal information that they can get their hands on. Large databases of personal information need to be seen as liability, not as an asset.
The "how to hash passwords" discussion should be easy: use PBKDF2, which is an IETF standard specified in RFC 8018 (originally specified in 2898 from the year 2000).
Perhaps if the penalty is based on days since exposure--immediately revealing the breach gets you a minimal fine, but waiting six weeks is enough to cause a major fine (or add to sentences for fraudulent trading related to the incident), and years is even bigger?
Don't blame the victim. But hiding that there was a leak? Sure.
The victim is not the company. It is the users - people like you and me. Let me say it again - companies are NOT the victims.
Companies have a reasonable obligation to protect our data, so I'm with you if they were negligent in prevention, detection, mitigation, or revelation. If they took reasonable measures to prevent, and were forthcoming if compromised anyway, and took measures to minimize damage to users, there's no reason to blame them.
"We used best practices to protect your data" is such a bullshit excuse. If a bank gets robbed its customers aren't told "sorry your money is gone, but we had it behind a locked door, so we're not liable".
If a company decides to collect, store and profit off of my personal data and they lose it, I really don't care about "best practices". They profited from my data, they have to pay if they lose it. The company always has the choice of not storing the data in the first place, if they can't bear the risk of a substantial fine in case my data is disclosed.
It's OUR data, and WE as individuals are the ones who have to clean up the mess after aggregators spill it.
Perfect security is impossible, but let's not forget 1) who is harmed, or 2) who is getting rich and who, in a worst case, will cut their losses, go bankrupt, then start another company with the accumulated wealth.
Then don't give your data to anyone. Perfect security doesn't exist, no matter how hard you try or how much money you throw at the problem. Breaches happen, end of story.
So the real issue should be: When and how will a new secure form of identity be created, used, and made available. Social security numbers were never intended to be used in the manner in which they are.
It's not YOUR data. It belongs to the COMPANY. If I draw a sketch of you sitting on a subway, sorry, but you don't own the sketch.
In my country (NZ), it is my data. It's the literal law that any agent that collects personal information needs to follow a number of rules. (Search for NZ privacy Act for the gory details).
I'm allowed access to the information, and can request that it be updated. They can't keep the information longer than is necessary, they can't use it for anything other than the original collection purposes, they have to take reasonable measures to secure it, they can't disclose it, etc.
I won't harp on about the details, but it's relatively well thought out (apart from some limitations regarding the reporting of breaches, but there are changes in the pipeline to patch that up).
That may be the case in the US, but here in Germany I could sue you if you made that picture public. Here people have the right to decide whether pictures of them can be made public or not (with some exceptions).
What about health data? Children's school info? Company trades in email? Do you really want to play that card?
It seems we're at the point now where we can assume that any data we put online is going to get leaked.
What we need to do is figure out a way that even if our data is leaked, it doesn't have substantial negative effects. How exactly we do that, I don't know. But if a website is hacked, it shouldn't compromise our credit or our personal information.
I really don't know what it is going to take to shift people from thinking "oh no, my private data leaked" to "I really don't have any private data." Honestly, look at the stuff that was leaked:
- Names: this is public information
- Addresses: this is public information
- Bank Account Details: this is on every check you've ever written
- SSN: this is on so many applications for things and compromised so many times it can't be realistically called private
- Account Login Details: not to be pedantic but this is a shared secret and should be treated as such
I know there have been some rumblings about actually trying to change the financial identification system in the US but really this needs to be the focus. We've been pretending that we have any sort of "secure" identification system for too long and now it's finally catching up to us. Solutions exist for a majority of these problems:
- For stolen credit card numbers: Force the issuers to add one-time CC number generation and have that one-time number locked to a merchant. Discover had this years ago and got rid of it; I'm sure others had it as well. This effectively solves the online merchant problem. Things like Visa Checkout and Masterpass also can help here by eliminating the need to give merchants your actual number (as can Android Pay, Apple Pay, Samsung Pay, PayPal, etc)
- For stolen credit cards: Actually change over to chip and pin
- For online financial identification: Issue smart+national ID cards like Estonia that can provide digital authentication. Is it perfect? No. If people don't like the concept of a smart+national ID card, put the risk of doing anything online on them. https://www.login.gov/ is a baby step in this direction.
> - Names: this is public information
> - Addresses: this is public information
> - Bank Account Details: this is on every check you've ever written
> - SSN: this is on so many applications for things and compromised so many times it can't be realistically called private
> - Account Login Details: not to be pedantic but this is a shared secret and should be treated as such
Those may not be difficult for an adversary that targets someone personally to get. They'll have some trouble getting a few of them (something being on "every check you've ever written" doesn't mean I can see it easily if I'm not a person doing business with you. Besides, few write checks anymore anyway), but they will be able to gather most.
That's completely different than anybody who doesn't know you at all having all those details for millions of people in a large data dump - that is, any scammer worldwide.
That, and linked together, in a nice clean, easily automatically exploitable package.
So just wait until you get a stalker and that person is able to find that 'public information' with a google search.
There is a difference and it still should be secured.
My address might be public information, but because I choose to make it so, not because someone else chose this for me.
Saying your physical address is private ignores the reality of the situation: it's on your driver's license that you hand over to people that you don't explicitly trust (getting carded at bars, airports, stores, etc), it's sold between companies that you didn't give explicit permission to, you give it out to receive goods, and there is no law to force people to remove your address (to your point, try to request removal from sites like 411.info). Given all of that, it's unfortunately a fantasy to think that this is somehow private.
Private information isn't private if you have to give it out.
>Saying your physical address is private ignores the reality of the situation: it's on your driver's license that you hand over to people that you don't explicitly trust (getting carded at bars, airports, stores, etc), it's sold between companies that you don't give explicit permission, you give it out to receive goods
None of those are arguments against making it easier for some 4chan kiddie from Iowa to find one's details in a Google search.
Many people can't seem to understand that something possible and easy is worse than something possible.
They consider security/privacy etc a strict binary.
My address is not public information. If I give you my name, you can't google it and find my address. I'm not in the yellow pages.
You can find my address, but it will require efforts.
Aside: a downside of Know-Your-Customer laws (and anything else that requires you to upload personal data to web services) is that now that data can be compromised as well. Maybe there should be fewer such requirements.
Or requirements to not keep data unless for a legitimate business purpose.
That sounds like the UK’s Data Protection Act, soon to be replaced with an EU successor that will apparently cause all sorts of interesting times if the UK tries to get rid of it post-Brexit.
This is ridiculous. Does anyone have any insight into how these security breaches keep happening? Is it rampant carelessness on the part of the companies, some new technology that's opening a significant number of new exploits, or is it an escalation on the efforts/persistence of hackers?
Software is imperfect, and therefore vulnerable, and it's also pervasive. Data for all our providers will probably be compromised. It's not if, but when. We need to make plain facts, like name, address, birthday, and SSN, less valuable.
Extremely shitty software and a very yolo attitude to keeping data on you private. The core business is making money off of you. Not protecting you.
Now that title confused me, if you’re not in the USA - FYI: they’re not talking about the ‘Telecommunications Industry Ombudsman’ as I thought.
This is a shitty title. BOOOOO