Forgot your password?
typodupeerror

Government-Aided Phishing 222

Posted by Zonk
from the i-like-hiding-personally dept.
Anonymous writes "A Florida county is posting the Social Security numbers, bank account info and other sensitive data of hundreds of thousands of current and former residents on its public Web site, Computerworld is reporting. A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records." From the article: "The breach stems from the county's failure to redact or remove sensitive data from images of public documents such as property records and family court documents, Hogman said. Included in the documents that are publicly available are dates of birth and Social Security numbers of minors, images of signatures. passport numbers, green card details and bank account information."
This discussion has been archived. No new comments can be posted.

Government-Aided Phishing

Comments Filter:
  • i think it's time for me to head to the local bank.

    what's going to convince them that this is a bad idea?
    • what's going to convince them that this is a bad idea?

      maybe someone posting a link [205.166.161.12] to the broward county public records site...
      • Well... It WAS working. Then i did a search for 'Johnson' and now the webserver seems to be stuck in never-never land.

        *sigh*
        • by tomhudson (43916) <`moc.nosduh-arab ... `nosduh.arabrab'> on Monday April 10, 2006 @08:27PM (#15102611) Journal
          It's still working fine. What's worse, if you don't give a first name, it gives you by last name only, so you can just do a dictionary attack on last names,

          I just randomly picked a last name, and a couple of clicks later I know that (I've removed the names) L.A.P and A.J.P got a mortgage for 141,999.00 on 5/14/2004 from the CITY FEDERAL SAVINGS BANK.

          So, if I were a phisher, I now have two names, and a dollar amount. I already know approximately where, and by clicking on the other records I know that they've been there for about 20 years, and that they also had some legal problems back in 1991, again, I'm leaving out the details.

          W.T.F ?!?!?!?!

          I would be humongously upset that this sort of stuff is available just by clicking.

          Worse, by searching on the same two names + broward county plus a good guess as to another term, I found a link to a dump of 756k from google's cache. http://www.google.com/search?num=20&hl=en&lr=&safe =off&q=www.co.broward.fl.us%2Fdatabase%2Frecords%2 F03-24nme.txt&btnG=Search [google.com]

          If I were a phisher, a few minutes with perl would give me a decent dictionary with which to start ...

        • by Sylver Dragon (445237) on Monday April 10, 2006 @08:36PM (#15102657) Journal
          I'm doing a search now to test a theory:
          The site is an .aspx page, which means that it's probably an IIS server back-ended by a MSSQL database. Given that they would want the text search to be case insensitive, it is quite possible that they were sloppy and used a SELECT * WHERE [last_name] LIKE @search_string (ok, they probably listed only the columns they wanted, you get the idea though). It is also possible that there is no limit defined for the number of records to return.
          If all of the above is true, then the search I started should return everything between 1/1/1978 and 4/10/2006 in the database, assuming that their server survives the request. If this is true, this means that getting everything in their database is a trivial task, and that they are exposing a lot of people to identity theft, very easily. Further, even if they go through and redact the data later, it is probably too late, as the data would have been long since scraped. This is one time that I hope a slashdotting kills a server.

    • what's going to convince them that this is a bad idea?

      You mean aside from the fact that you just posted your intentions on Slashdot? ;)
    • For X-billion dollars. Send a link to your "favorite" law-shark. I presume grotesque stupidity and wanton negligence bordering on malfeasance(?) is actionable. Any lawyers have an opinion on this crap?
    • "what's going to convince them that this is a bad idea?"

      That's easy. Identify who "them" is, and narrow down all the SSN's, driver's license info, etc. and just publish that for the people who are responsible for posting this stuff. If you really wanted change the situation, just add a few of the high ranking politicians for the county to the list.

      There are even ways of making this stuff a permanent part of the Internet, though I'll refrain from giving the less technically clueful some ideas.

      I have a

    • by Anonymous Coward
      You don't need to go to your bank. Just print up a "demand draft" on your printer with the holder's account information (available on any check) and home address. If you can get the account holder to answer "yes" to any question about their account (in my grandma's case, "Is your bank account held in this city?"), the banks won't even go after you for fraud. That's sufficient authorization.

      Surely, I must be exaggerating. Sadly, no. See:
      http://wamublamesgrandma.blogspot.com/2006/03/wamu s-response-to-my [blogspot.com]
  • Local Politicians (Score:5, Insightful)

    by DigiShaman (671371) on Monday April 10, 2006 @07:05PM (#15102122) Homepage
    Anyone want to bet information of local politicians have been exempt from this? Hmmm? Anyone?
    • I'd love to bet, but that's only because I enjoy losing.
      • Re:Local Politicians (Score:3, Informative)

        by HaeMaker (221642)
        They are not. Was able to look up records of at least one elected official.

        Make checks payable to... well you can look up that info yourself!
    • Nice idea though. Make information you find on decision takers public and see if they still think there is "no problem".

      Do this during a live TV show:
      - So you do not think there is a problem with the release of information
      * Absolutely not. There is no security risk.

      Have a scroller at the bottom with all the politicians information. Have several politicians. The neat part is that they will not know that they are agreeing to have their information on TV at that very moment.
      • LOL...if only a TV progam had the balls to do it. But it would be rather funny. You wouldn't even have to use real information. You ought to tell Comedy Central, I am sure that the Daily Show could enjoy that one.
    • Re:Local Politicians (Score:3, Interesting)

      by patio11 (857072)
      No, they're definately in there. Some quick Googling (heck, one name is in TFA) finds them pretty quick. I was kind of suprised that I could access the site from a foreign IP, as its pretty routine nowadays to limit that (I can't get my own credit reports without using a US based proxy, presumably because they were worried about fraud, and I had a devil of a time reading Dubya's campaign site during the 2004 election) for sensitive sites. Now, generally when we're talking about, say, e-mail delivery I'm
  • Really, does it surprise anyone that it's Florida doing this?
  • FLORIDA (Score:5, Funny)

    by dteichman2 (841599) on Monday April 10, 2006 @07:11PM (#15102166) Homepage
    From the same people who brought you Indecision 2000... here comes Identity Theft-O-Rama. 3 days in the future: 10:00 News: "For what seems to be no reason, thousands of individuals in Florida seem to be buying things online in mass. Oddly enough, none of the orders are being delivered to Florida. We'll have a video for you after the break. Over to you, Bob."
    • Nah, that's just grannies spending spring break with their relatives to get away from those crazy teens partying.
    • ... individuals in Florida seem to be buying things online in mass

      I was unaware that the Catholic Church was providing online access for its members. Perhaps you meant "en masse"?
      • Dude, it's Florida. There are enough religious zealots there to make the original writing of the statement "in mass" to be likely. Especially at a Catholic church (where the damned souls buy their way out of their sins; as if God accepts Visa, MasterCard, or a personal check... Is there any more corrupt form of Christianity? Seriously - I mean, these are the same people who molest and fuck little boys because their religion says they can't marry and can't have pre-marital sex... *ducks*)
    • I'm never surprised to see that it's from Florida. What's with those people? Is corruption and stupidity among governmental officials, like, MORE prevalent there than everywhere else?
  • old news (Score:3, Interesting)

    by Prophetic_Truth (822032) on Monday April 10, 2006 @07:12PM (#15102173)
    Have you ever been sued for a bad debt? If so, chances are your signature, along with your application for whatever loan or credit you defaulted on is all public record. That usually contains a whole lot of personal information, not just limited to your SSN.
    • I got a bit of a surprise - I sent some registered mail - and now I have an "electronic copy" of their signature, sutiable for cut-n-paste.

      I am NEVER AGAIN going to accept registered mail, or if I do, I'm signing someone else's name. This is getting ridiculous!

    • Do you think identity thieves and other scammers are interested in people with bad credit?
      • Given the huge amount of poor people with massive debt, sure.

        The problem with having bad credit isn't not being able to get credit, it's not being able to get credit at a reasonable interest rate. Identity theives, not planning on paying the bills, don't give a shit about the interest rate.
  • Identity theft (Score:2, Interesting)

    by thomaswahl (94657) *

        When you are the victim of identity theft you know who to sue: Sue Baldwin,
      Broward County, and the State of Florida. Two out of three deep-pockets isn't bad.

    • Broward County and Sue Baldwin are only doing what is required by Florida Law. They cannot be a target, but that does leave the largest of the 3.
    • When you are the victim of identity theft you know who to sue: Sue Baldwin

      No no no.... It says right on the mortgage that her name is VERNA Sue Baldwin.

      Personally I love her oath to "uphold and defend the Constitution of the United States and the Constitution of Florida." Priceless...
  • bad year for boward (Score:5, Interesting)

    by tehwebguy (860335) on Monday April 10, 2006 @07:13PM (#15102180) Homepage
    this is the same county who's police intimidated, threatened, and were just plain jerks to an undercover journalist attempting to find a "police officer complaint form":
    http://cbs4.com/topstories/local_story_033170755.h tml [cbs4.com] (watch part 1 and 2, videos on the right)

    and then retaliated against the journalist after the piece aired:
    http://cbs4.com/local/local_story_086232143.html [cbs4.com]
    • by Anonymous Coward
      They also managed to misplace 58,000 absentee ballots [local10.com].

      Dammit, why'd I have to take a job down here? I did some digging and, sure enough, there are documents about me freely available on the web.
    • Extra points for using the public database to get information on the police officer referenced in those articles.
    • Nice. Unfortunately, thugs with badges like that are all too common. The job attracts power-trippers like those in the video, and the low pay pretty much screens out all but the most corrupt or the most dedicataed.
      • Since the corruption goes all the way to the top, the "most dedicated" don't last. That leaves only the corrupt. I sold my last house to move out of a city where the mayor had a police officer call me and threaten me.

        Note to self: When a city is trying to drive residents from their homes, don't take pictures of a hit and run.
    • from http://205.166.161.12/OncoreV2/ [205.166.161.12]
      "The Broward County Records Division shall not be liable for errors contained herein or for any damages in connection with the use of the information contained herein ." [emphasis added]
      • by techno-vampire (666512) on Monday April 10, 2006 @10:19PM (#15103123) Homepage
        Just because they put a disclaimer on it doesn't mean they're not responsible. Back in the '50s, you started to see those "not responsible" signs in parking lots because the owners were tired of paying damages when people's cars were hit. The law hadn't changed, they were (I don't know if they still are) legally liable, but people believd the signs and stopped making claims. Same thing here. If they say they won't accept liability, most people won't try for compensation, even if they're eligable.
  • ...is post a link to the information! How else are we to know if the data is genuine?
  • by Sir Unimaginative (967464) <sir_unimaginative&sbcglobal,net> on Monday April 10, 2006 @07:19PM (#15102223)
    Yeah, hello, Spain? You can have it back now.
  • They must do it! (Score:5, Insightful)

    by mi (197448) on Monday April 10, 2006 @07:19PM (#15102226) Homepage
    Editing out the SSNs and DOBs is not only not required by law, it, likely, is against the law.

    This info was Public Records since, well, always :-)

    Anybody could go to town hall and browse the registry of deeds and other repositories. It just became more convenient to do it, but it was always possible.

    In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.

    • Yup, its only 'cause someone out there decided that they'd let the govenment generate unique id numbers for their customer/patient/client/whatever database. From then on, it was all down hill...
    • Its not that it was ever private.
      Its that the criminals have found a use for the information.
    • Editing out the SSNs and DOBs is not only not required by law, it, likely, is against the law.

      It violates federal law, which trumps state law. Specifically, the privacy act of 1974
      • It violates federal law, which trumps state law. Specifically, the privacy act of 1974
        I doubt it, because this supposed violation always existed -- since 1974 anyway.

        It just became more harmful, because of the Internet, but the nature of it did not change.

        So, people, don't let your 2000-election wounds open up again :-)

      • Re:They must do it! (Score:3, Interesting)

        by Detritus (11846)
        It violates federal law, which trumps state law. Specifically, the privacy act of 1974

        Wrong. The Privacy Act of 1974 only applies to the executive branch of the federal government.

    • This is because showing a number to identify yourself is a stupid idea to begin with. Public cryptography gives methods to prove to someone that you own a secret without having to disclose that secret. THAT'S the kind of ID we should be using.
    • In a way, we always relied on "security through obscurity" keeping this information (kinda) private, and are now all upset at the obscurity withering out.

      The obscurity was never there. Only the stupid or lazy didn't look.

      From TFA: Baldwin added that the information available on the Web is also freely available for public purchase and inspection at the county offices. "Professional list-making companies have always purchased copies of records and data from recorders to use in the creation of specialized mark

  • I don't know if this could be considered "phishing" in the sense that I'm trying to lure people into giving me their information. It's right out there for all to see without going through all the bothersome effort of setting up a fake website and sending out the e-mails! Just some browsing, and then setting up the bank transfers and charging purchases!

    And to think of all the effort that's being wasted on setting up phishing schemes, when Broward County will do all the work instead!

  • Bill Gates SSN (Score:3, Informative)

    by ajakk (29927) on Monday April 10, 2006 @07:22PM (#15102240) Homepage
    I remember that this became an issue when someone got credit cards issued in Bill Gates's name. His SSN was listed on SEC filings because he was a majority holder of Microsoft stock. They have since changed the listing requirement with the SEC.
  • by bvdbos (724595) on Monday April 10, 2006 @07:24PM (#15102251)
    Defending Yourself Against Identity Theft

    According to the Federal Trade Commission (FTC), identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. The FTC reports that there were 161,819 victims of identity theft in calendar year 2002. Florida has one of the highest

    Back to top

    Tips to Avoid Identity Theft
    -Do not respond to phone calls or emails from unknown solicitors seeking personal information.
    -Do not leave documents containing identifying information lying around your house or workplace. Keep them in a secure location.
    -When discarding documents containing your social security number, credit or debit card information, or utility and phone bills, shred or destroy them. Don't just throw them away.
    ...
    -Limit the contents of your wallet. Do not carry extra credit cards or important identity documents (social security card, passport, etc.) except when needed. Never carry passwords or PIN numbers in your wallet. -Photocopy, scan, or make a list of the contents of your wallet and keep it in a safe place. Copies or scans should include both sides of each item. A list should include account numbers, expiration dates, and customer service phone numbers for each item.


    Maybe someone could point them to their own site? And why make copies if you can download for free???
  • by GigsVT (208848) * on Monday April 10, 2006 @07:26PM (#15102269) Journal
    Virginia has your SSN and a lot of information up too, in the virginia courts database that has everyone's criminal record, including traffic.

    Most states have this.

    Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.

    These are all public records and always were public records. It just saves you a drive to the court house of the respective county (or paying a PI network to do same) to have them online.

    Yeah, I admit Florida is one fucked up state in so many ways, but don't blow this out of proportion.
    • Don't attack the wrong people, the blame lies squarely with the credit card companies for using your SSN as identification and trusted authentication.

      You *do* realize that credit card companies are required by law, since the 9/11 attacks (I think it was a provision in the PATRIOT Act), to collect peoples' SSNs for "anti-terrorism" purposes?

      Of course, they were doing credit checks long before then, and SSNs are useful for that too. I'm not certain, but I think the FDIC may impose regulations which require S

  • by hsmith (818216) on Monday April 10, 2006 @07:27PM (#15102274)
    Look at it this way. SSN's aren't what they were meant to be. They are your "everything" number now. In some respects, is the value of the SSN being diminished because they are so easy to use and get a hold of now? It could possibly be a big plus because now we get into a situation where they just aren't worth using so everyone stops using them for important transactions. Lets hope...
  • by Spy der Mann (805235) <spydermann@slashdot.gmail@com> on Monday April 10, 2006 @07:28PM (#15102284) Homepage Journal
    Something phishy's going on here.
    *ducks*
  • PUBLIC RECORDS (Score:2, Interesting)

    The thing is these records are required to be public. A lot of counties in Florida just decide to blank out all important information, or simply not publish the entire document on their web sites. I would have to argue that the county in question is actually do what is required by law, and nothing less.

    It's really not fair at all to say that a record is "Public" if you have to drive to the office and pay $4/hr for a parking spot (if you're lucky enough to find one). Besides, most courhouses have rules li
  • This is good! (Score:4, Insightful)

    by Electrum (94638) <david@acz.org> on Monday April 10, 2006 @07:47PM (#15102404) Homepage
    The federal government needs to do this on a nationwide scale. The SSA should give a deadline, say one year, then publish all SSN data. SSN is not supposed to be used as an identifier, nor as a secret. Doing this will force organizations to change their procedures, thus hampering identity thefts and other security issues that result from treating a public, non-unique identifier as a secret.
    • Re:This is good! (Score:4, Insightful)

      by ScrewMaster (602015) on Monday April 10, 2006 @09:09PM (#15102785)
      No it won't. Congress will have to do it by making use of the Social Security number for anything but governmental purposes illegal. If a corporation wants to assign me a unique I.D. number ... that's fine so long as that number exists only within that organization's database. The credit bureaus like the SSN as a sort of personal GUID that allows them to track us more easily. Tough, I say: they feel entitled to our personal financial data but they're not, and given how badly they're mismanaging it maybe it's time for some changes. The system as it stands is becoming more and more dangerous to individuals every day, and unfortunately we don't really have the option to opt out of it. If you have a bank account you're part of the system, like it or not.
  • "A county official says there's no problem, since the postings are in compliance with state law requiring public availability of records."

    If all things in compliance with the law are perfect, then what the hell we need politicians to change/update the laws for? Fire the bastards.
  • found in five clicks (Score:2, Interesting)

    by drkich (305460)
    I started searching for my friends and family. I found a number of their documents online with just a couple of clicks. Absolutely ridiculous! I called my senator (state and federal) and I urge you to do the same.
  • I found a record dating back to 1970. I wonder how much older info is in there. Also a mortgage that was discharged may have info from I'm guessing as far back as about 1958. The one document I found was for a mortgage that was paid off before 1975 but was show as discharged in 1995.
  • Federal Gov't does it too... Pacerweb has all the details of bankruptcies online for a few cents a page.
    (At least, last I was in there a year or two ago)

  • Why bother trying to steal ID anywhere else when Broward County has offered itself up as a sacrifice for the surfing?
  • This is not Phishing (Score:4, Informative)

    by Glowing Fish (155236) on Tuesday April 11, 2006 @12:44AM (#15103711) Homepage
    This is not Phishing.

    Phishing is the attempt to get someone to submit information to you by pretending to be someone else.

    What the government is doing is publicizing information.

    These two activities have almost nothing in common.
  • by Anonymous Coward on Tuesday April 11, 2006 @02:26AM (#15103989)
    Links to Broward County's database lead directly to tiff images. To get the full records, copy the bracketed instrument number and search by instrument [205.166.161.12].

    Broward County Bar Association [browardbar.org]:
    Verna Sue Baldwin
    Broward County Records Division
    115 South Andrews Avenue
    Suite 120
    Fort Lauderdale, Fl 33301
    954-357-7271 Voice
    954-357-5573 Fax
    sbaldwin@broward.org
    www.broward.org/records

    According to the Broward County Phone Directory [broward.org], the above phone number is the director's number, not the general dept. number. This is further evidence that Verna is Sue.

    Here is Verna Sue Baldwin's Notary Certificate, notary ID 620591 [92386313] [205.166.161.12].

    In November 1994, Verna Sue Baldwin and David D. McLauchlin (her husband) sold their condo to [name withheld]. Warranty deed [94569014] [205.166.161.12].

    Verna Sue Baldwin then purchased a home:
    4011 Thomas Street
    Hollywood, FL 33021-3540
    Parcel number 11208-11-03500
    Folio number 514208110350
    Warranty Deed for 4011 Thomas Street [94565427] [205.166.161.12].

    According to that warranty deed, Verna Sue Baldwin's Social Security Number is 234-74-8234 [94565427] [205.166.161.12].

    In May 2000, she added a 14x28 swimming pool [100293267] [205.166.161.12].

    In July 2004, Verna Sue Baldwin and David D. McLauchlin paid off their mortgage [104151876] [205.166.161.12].

    Note: I didn't list all of Sue Baldwin's loans. Be sure to do that before ordering her credit report. Equifax uses that information for "security".

    It looks like Verna Sue Baldwin still lives at 4011 Thomas Street. Parcel sales history [bcpa.net]. 2005 property taxes [broward.fl.us]. Map [66.55.51.198].

    Verna Sue Baldwin's mother is Dora B. Baldwin, as stated in her Durable Family Power of Attorney document [101676908] [205.166.161.12]. Dora isn't currently married, so Baldwin might be her maiden name. Perhaps try searching West Virginia's public records.

To do nothing is to be nothing.

Working...