February 26, 2005
Identity Theft & Privacy, Opinion
Up to 100,000 Social Security numbers have been easily accessible for years
By Jack Grant
Let's start with the press release from the company that is exposing the problem:
Think Finds Flaw Revealing Up To 100,000 Social Security Numbers
BOSTON, MA -- February 23, 2005 -- Think Computer Corporation has released another security-related White Paper detailing how anywhere from 25,000 to 100,000 Social Security numbers may have been accessible to the public for several years. The discovery of the flaw is particularly timely given the recent controversy surrounding similar problems at ChoicePoint, Inc., as well as changes in California state law that require companies to notify California residents whose Social Security numbers may have been compromised.
Though PayMaxx, Inc., the company responsible for the problem, was contacted repeatedly and urged to remedy the problem, a representative responded by saying, "we already cooperate with a significantly experienced testing agency and have been tested several times for security issues." (NOTE: Emphasis added)
Since PayMaxx, Inc. provides payroll services to its clients, salary data and home addresses were also exposed.
The paper is available at:
http://www.thinkcomputer.com/corporate/news/identitycrisis.pdf
About Think Computer Corporation
Think was founded in 1998 with the long-term goal of developing simple, useful computer software. From its inception through 2001, the company offered IT consulting services to over 150 clients. Today, it writes software programs that make businesses and organizations worldwide more productive. Think is on the web at http://www.thinkcomputer.com.
Continuing with News.com:
Payroll site closes on security worries
Published: February 23, 2005, 3:54 PM PST
By Robert Lemos
Staff Writer, CNET News.com
Online payroll service provider PayMaxx shuttered its automated W-2 site on Wednesday after a researcher claimed that two security holes had exposed data on more than 25,000 people.
A description of the problem posted on Think Computer's Web site by Aaron Greenspan, president of the software start-up, said the security issues could allow anyone to view the W-2 forms generated for employees of PayMaxx's clients for the last five years.
PayMaxx did not acknowledge or deny the problems, saying that a third-party security company was investigating the allegations.
"No system in the world is 100 percent secure from a sophisticated and determined hacker," the Tennessee-based payroll company said in a statement sent to CNET News.com. "PayMaxx has made and continues to make every effort to secure its system against any breach."
That is correct, no system in the world is 100% secure. However, look at how the system was "cracked":
Greenspan, a former PayMaxx customer, said he discovered the alleged problems in the company's system more than two weeks ago, after he received notification from the company that his W-2 tax form was available online for download and printing. The link to access the W-2 included an ID number, and he wondered whether the company had protected against an obvious security problem: adding one to the ID number to get the next form. Instead of being denied access, Greenspan found that another person's W-2 was downloaded and readable. Sequential, rather than randomized, ID numbers made it easy to call up numerous customers' data.
The hole could have allowed employees at PayMaxx's clients to access more than 25,000 W-2 forms for last year and the W-2 forms for years back to 2000, he said.
He said his investigation revealed that PayMaxx's database contained a record for testing purposes that contained a Social Security number of 000-00-0000 and a password of all zeros. That could allow anyone to log into the site and then use the lack of authentication to sequentially download all the W-2 forms, Greenspan said.
"Anyone could have been exploiting these security issues for years, and no one would have known about it," he said.
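To make the two flaws concrete, here is an added illustration that is not from the article and not PayMaxx's code: a download handler that trusts a sequential ID from the link (the pattern described above), next to a hardened one that issues unguessable tokens and checks that the logged-in user owns the record, plus a check that refuses placeholder accounts like the all-zeros test record. All names, records and SSNs are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: fictitious employees and W-2 records, not real data.
@dataclass
class W2Record:
    employee: str
    ssn: str      # fictitious value, constructed for the example
    wages: int

# Sequential integer IDs, as the article describes: 1001, 1002, 1003, ...
W2_BY_SEQ_ID = {
    1001: W2Record("alice", "123-45-6789", 52000),
    1002: W2Record("bob",   "987-65-4321", 61000),
    1003: W2Record("carol", "555-55-5555", 48000),
}

def fetch_w2_vulnerable(logged_in_user: str, form_id: int) -> Optional[W2Record]:
    """The flaw the article describes: the handler returns whatever ID is in
    the link and never checks that the logged-in user owns that form."""
    return W2_BY_SEQ_ID.get(form_id)

# Hardened version: every form gets an unguessable token, and each lookup
# is authorized against the logged-in user's identity.
W2_BY_TOKEN: Dict[str, W2Record] = {}

def issue_token(record: W2Record) -> str:
    """Replace the sequential ID with a 128-bit random token for the download link."""
    token = secrets.token_urlsafe(16)
    W2_BY_TOKEN[token] = record
    return token

def fetch_w2_secure(logged_in_user: str, token: str) -> Optional[W2Record]:
    """Authorization check: the token must exist AND belong to the caller.
    Unknown tokens and tokens owned by someone else both return None, so a
    guessed or borrowed link yields nothing."""
    record = W2_BY_TOKEN.get(token)
    if record is None or record.employee != logged_in_user:
        return None
    return record

def is_placeholder_account(ssn: str, password: str) -> bool:
    """Refuse test records like the all-zeros SSN/password the article mentions,
    so they cannot be used to log in to a production site."""
    digits = ssn.replace("-", "")
    return digits == "0" * 9 or (password != "" and set(password) == {"0"})
```

The hardened handler defends in depth: even if a token leaked, it is only usable by the account it was issued to.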
I repeat, no system in the world is 100% secure, but I expect people handling Social Security numbers to be better at security than using sequential ID numbers.
This is beyond incompetent.
This isn't the only newly revealed problem, however. From the weblog Become the Media:
Thank You Bank of America
First it was ChoicePoint. Then it was PayMaxx. Now, 1.2 million federal workers may be at risk of identity theft because Bank of America lost computer tapes which contained sensitive information such as Social Security numbers.
When are these companies that collect and hold our personal information going to be held responsible for their actions? As it is, we don't even own the data that these companies keep on us. We have no control over what they can do with it. If they want to sell it to the highest bidder, they can. As a matter of fact, they already do. The only solution it seems is to hit them where it hurts - in the wallet. One woman in California is already suing ChoicePoint for fraud and negligence.
His question "When are these companies that collect and hold our personal information going to be held responsible for their actions?" is a completely valid one.
I have questioned if we can effectively say we have any privacy. That question has been answered, and the answer is "No."
Even discounting the economic impact and negative effects on lives due to identity theft, we should be concerned about this from the standpoint of terrorism, which is said by everyone to be a priority.
It's easy to get a LOT of things with a valid Social Security number, especially if you have access to other data directly related to that number.
Do the math...
After the "No" response to questioning if we have any privacy at all, I have another question: Is this really the way we want it?
Essentially no privacy: companies are free to collect and sell our personal information without our permission.
Millions of dollars stolen by identity thieves and millions of hours of lives wasted in dealing with the problem.
Providing terrorists and other criminals easy means of hiding their identities.
Instead we focus on huge fines for broadcast swear words or nipples, fines higher than for willful death or human testing of pesticides.
Again, do the math...
What are our priorities?
Posted by Jack Grant at 18:44 on 26 February 2005