At 10:51:53 on Tue, 20 Jun 2006, Tim Trent writes
>"Today, I received a letter from a student loan provider notifying me that
>my name and social security number
><http://idtheft.about.com/od/2006/p/TG_Breach.htm> had been stolen along
>with a contractor's computer. This makes -four- agencies that have lost my
>personal information, in the last year. Today's letter was the most
>disappointing yet: the company, Texas Guaranteed, did not offer any credit
>report monitoring like the previous three had. Their advice? Send a letter
>to the credit bureaus. Gee, thanks. Clearly, mass identity theft is
>completely out of hand and there doesn't seem to be any government
>regulation for handling these situations, nor does there seem to be any
>punitive action against businesses that lose customers' data. Do we, as
>consumers, have any recourse against these businesses?"
>
>It made me think a lot about the reasons why the USA is not a safe haven for
>EEA data.

What makes the USA a hostile environment for data is the way in which a
Credit Card *number* (quite detached from a bit of plastic) or a Social
Security Number (which like your CC number is effectively public
information) is treated as a Password by so many organisations. It seems
that if you know someone's SS number, you can pretend to be them, with
little other authentication.

What needs fixing is the lack of robustness in the authentication
process (a system that relies upon Security by [not very much]
Obscurity), rather than trying to maintain the elusive obscurity of
things like SS (or National Insurance) number being regarded as a
"secret".
--
Roland Perry