[Dataloss] At Least 20 Big-Name Passports Breached

Max Hozven mhozven at tealeaf.com
Thu Mar 27 23:33:28 UTC 2008


Well, I don't know if we'll ever find a way to hide our contact info
(name, address, phone, etc) from public databases as this inevitably
ends up in county records, etc and gets sucked into databases.

Regarding identity theft for the purpose of siphoning off bank-accounts
(which is one of the worst-case end result risks), etc, maybe
corporations need to add an option of "anonymous" accounts, like the
"Swiss Bank Accounts" where you are only identified by a number.
They could also issue you an electronic card, where you would enter your
account-number and it would generate you an "effective" account number
to use for customer service like a cell-phone, that communicates back to
the company's base for keys/instructions.  Similar to a cryptographic
card some companies use for VPN access, etc.

So if John Smith opened an account (at a branch, where some
identification was provided), they would issue him account number
123456789 and an electronic card.  When he calls the bank to do a
transaction, he enters 123456789 on his personal electronic card, and
gets his effective account number for the day "358749123".

So, for someone to pose as John Smith, to siphon some money out of his
account, they'd have to jump a number of hurdles.  In the end,
everything is hackable, but adding hurdles should lower the probability
of an effective hack.
Adding the overhead of electronic cards, etc, isn't cheap, adds
complexity, etc, but would be a nice option for some people.

And this doesn't solve the problem of people opening up new accounts, to
perpetrate identity theft.

-Max
 Note: Opinions expressed are solely my own.
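The per-day "effective account number" Max sketches can be modelled as a keyed derivation that both the customer's card and the bank's back end compute independently. The block below is an added illustration, not code from the post or from any bank: it assumes an HMAC-SHA256 secret provisioned on the card at the branch (a constructed value here), derives a 9-digit number from the real account number plus the calendar day, and shows the back end rejecting the same number once the day has rolled over.

```python
import hmac
import hashlib

# Constructed example values: the real account number from the post and a
# per-customer secret that the branch would load onto the card (assumption).
ACCOUNT_NUMBER = "123456789"
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

DIGITS = 9  # length of the effective account number


def effective_number(secret: bytes, account: str, day: str) -> str:
    """Derive the effective account number for one calendar day.

    `day` is an ISO date string such as "2008-03-27". Card and bank both
    compute HMAC-SHA256 over (account, day) and truncate to DIGITS decimal
    digits, so someone who knows only the real account number cannot
    predict the effective number without the card's secret.
    """
    msg = f"{account}|{day}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Interpret the first 8 bytes as a big-endian integer, reduce mod 10**DIGITS.
    value = int.from_bytes(mac[:8], "big") % (10 ** DIGITS)
    return f"{value:0{DIGITS}d}"


def bank_verify(secret: bytes, account: str, presented: str, today: str) -> bool:
    """Back-end check: accept only the number that is valid for `today`.

    Constant-time comparison avoids leaking how many digits matched; a
    number captured on a previous day fails because the date input differs.
    """
    expected = effective_number(secret, account, today)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    token = effective_number(CARD_SECRET, ACCOUNT_NUMBER, "2008-03-27")
    print("effective number for 2008-03-27:", token)
    print("accepted same day:", bank_verify(CARD_SECRET, ACCOUNT_NUMBER, token, "2008-03-27"))
    print("accepted next day:", bank_verify(CARD_SECRET, ACCOUNT_NUMBER, token, "2008-03-28"))
```

The derivation leaves the real account number unchanged in the bank's records, so it only raises the bar for someone who has obtained that number from a breached database; it does nothing against new-account fraud, as the post already notes.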

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Allan Friedman
Sent: Thursday, March 27, 2008 11:59 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] At Least 20 Big-Name Passports Breached

> Another seemingly simple solution would be to flag certain
> high-profile accounts with an option that requires a supervisor's
> electronic okay to open a record.


Flagging or escalating is fine for presidential candidates and probably
academy award winners, but where does that leave you and me, who happen
to live next door to anyone with access to a major database? Access
control and least privilege are huge privacy issues that we haven't even
started to get into: they are human scale rather than technical.

> Another seemingly simple solution would be to flag certain
> high-profile accounts with an option that requires a supervisor's
> electronic okay to open a record.
> It seems like what they have now is that certain accounts are flagged
> as high-profile (government officials, celebrities, etc) and the
> management is notified AFTER somebody pulls up the record.  Kind of
> like closing the barn door after the cows have left.
>
> -Max