this post was submitted on 07 Aug 2024
1 points (100.0% liked)

Technology

59672 readers
2930 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below; to ask if your bot can be added, please contact us.
  9. Check for duplicates before posting; duplicates may be removed.

founded 1 year ago
[–] Fredselfish@lemmy.world 0 points 3 months ago (3 children)

Oh well, I feel at this point every man, woman and child has already had this done to them in the United States, and our government is not doing shit about it.

[–] thesohoriots@lemmy.world 0 points 3 months ago (3 children)

Stack on another “Free monitoring, 2 years”

[–] Lifecoach5000@lemmy.world 0 points 3 months ago (2 children)

Just got this bullshit offer from Ticketmaster for one of their breaches and they are only offering 1 year free credit monitoring.

[–] Rhaedas@fedia.io 0 points 3 months ago (2 children)

I read "free credit monitoring" as allowing your name to get on another list to be sold.

[–] Lifecoach5000@lemmy.world 0 points 3 months ago (1 children)

Yeah not sure I even care enough to take advantage.

[–] KnightontheSun@lemmy.world 0 points 3 months ago (1 children)

Just freeze your credit. It is the simplest and easiest solution. It sucks, but it seems to be the best utensil to eat the shit sandwich we’ve been fed.

[–] anonymouse2@sh.itjust.works 0 points 3 months ago

It doesn't even suck that bad. Last time I had to unlock mine, I saw that the previous unlocking had been two years earlier. Each time I have to do it, I set an end date and it automatically relocks. Whole process takes maybe 10 minutes for the big 3 credit bureaus.

[–] IllNess@infosec.pub 0 points 3 months ago (1 children)

Don't worry. There is a service that monitors the information that you give credit monitors. You just have to give them your information.

[–] fmstrat@lemmy.nowsci.com 0 points 3 months ago

This one is way more than just the US.

[–] Telorand@reddthat.com 0 points 3 months ago (2 children)

A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.

What's with these companies nobody has heard of causing massive fuck ups?

[–] db2@lemmy.world 0 points 3 months ago (1 children)

It's capitalism. Do you hate America or something?

[–] doodledup@lemmy.world 0 points 3 months ago

Do you hate America or something?

Who doesn't

[–] Telodzrum@lemmy.world 0 points 3 months ago (1 children)

Because companies you've never heard of are the ones doing the infrastructure and data warehousing for the public-facing companies you have heard of.

[–] Telorand@reddthat.com 0 points 3 months ago

Seems like a good way to have an infosec weak spot...oh...

[–] Spotlight7573@lemmy.world 0 points 3 months ago (4 children)

With a breach of this size, I think we're officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.

[–] QuarterSwede@lemmy.world 0 points 3 months ago (2 children)

Passkeys. They’re amazing.

[–] ag10n@lemmy.world 0 points 3 months ago* (last edited 3 months ago) (7 children)

Tying a password to a browser or device isn't going to make it any easier. Use a password manager and set unique, strong passwords for everything. If the app supports it, use FIDO physical keys instead of passkeys.

[–] 1984@lemmy.today 0 points 3 months ago (1 children)

Even better would be to use certificates instead of passwords. What if every website gave you a certificate signed by them, and you store that in your password manager automatically.

Maybe that's what passkeys are.. Haven't read up on them at all.

[–] fmstrat@lemmy.nowsci.com 0 points 3 months ago (2 children)

Private keys for everyone.

[–] Uli@sopuli.xyz 0 points 3 months ago (2 children)

Pirate keys for sure. Not using one is just asking for a stranger to grab your booty.

[–] ThePantser@lemmy.world 0 points 3 months ago

But I enjoy a booty grabbing.

[–] scottmeme@sh.itjust.works 0 points 3 months ago

I want a stranger to grab my ass sometime

[–] floofloof@lemmy.ca 0 points 3 months ago (1 children)

We have different authentication methods. The hard bit is persuading people to use them.

[–] Ebby@lemmy.ssba.com 0 points 3 months ago (4 children)

Alrighty, brainstorming time people. If you could write some practical laws, what protections do we need to stop these from happening.

I'm thinking 3 categories: Reporting, oversight, and accountability.

Reporting: all entities holding personally identifiable information (PII) must reach out once every 12 months. This hopefully unveils seedy brokers relying on obscurity. Maybe a policy to postpone notification up to 5 years (something like that) may be available as opt-in.

Oversight: targets of PII have oversight of what is collected/used. Sensitive information may be purged permanently upon request.

Accountability: set minimum fines for types of data stored. This monetary risk can then be calculated and factored into business operations. Unnecessary data would be a liability and worth purging.

[–] Telorand@reddthat.com 0 points 3 months ago

Oversight: I would add a mandatory security audit annually, that they have to pay for, and which occurs during a given quarter at random (so you can't "put on your best face" for a single day).

The security audit cost is partially subsidized if they agree to a second audit 6-9 months after the first (tax funded).

Accountability: I would add Prison time as a minimum penalty for the CEO and CIO, and the punitive damages must be a percentage of their profits (no flat rates), which is in addition to any compensatory damages awarded to plaintiffs. The penalty shall be used to help pay for future audits.

[–] BrianTheeBiscuiteer@lemmy.world 0 points 3 months ago (1 children)

PII data at rest (i.e. in a database) must be encrypted.

[–] fmstrat@lemmy.nowsci.com 0 points 3 months ago (1 children)

If the DB is running, it's not at rest. Client-side encrypted data would be the way.

[–] RegalPotoo@lemmy.world 0 points 3 months ago* (last edited 3 months ago) (1 children)

Ok, bit of an outlandish idea, but how about something like:

  • Decree that information about a person is the property of that person, and therefore cannot be possessed without compensation. Think of it like intellectual property, but for your personal information
  • Set a standard royalty - say $0.05/year - that must be paid to the owner of that information for as long as that information is held. This forms an incentive to not hold information you don't need, and gives visibility to all the places that are now forced to contact you every year to pay you the royalty
  • Places where you have an explicit contractual relationship with (utilities, banks, ...) could have a clause to set the royalty at $0.00, but this can't be extended to third parties - strong incentive not to transfer information to third parties
  • Unauthorised transfer or loss of information could be considered IP theft, and result in significant civil penalties
[–] SwingingTheLamp@midwest.social 0 points 3 months ago (2 children)

How about a government-sponsored, non-profit authentication service? That is, it should be impossible to get a loan, open a line of credit, or anything else in somebody's name, without the lending institution verifying that it's actually on behalf of the named individual. Eliminate the security-through-obscurity technique of using bits of easily-leaked personal information as a poor substitute for actual authentication.

I mean, (as a comparative example) I have to go through an OAuth2 consent dialog to connect a third-party app to my email account, yet somebody can saddle me with huge debts based on knowing a 9-digit number that just about everybody knows? It's the system that's broken, tightening up the laws on PII is just a band-aid.

[–] Brkdncr@lemmy.world 0 points 3 months ago

This so much. In fact, go a step further and have a few competing auth services, with some regulatory oversight for managing that much pii.

[–] dgriffith@aussie.zone 0 points 3 months ago (1 children)

The US system is broken. I have a tax file number in Australia, which is the broad equivalent of a US SSN, and you know what someone can do with it if they also have my name and DOB? Fuck-all, except file my taxes for me, because you can't use it as an identifier anywhere else than the Australian tax office.

If I want a loan or a credit card or to open a bank account or any number of things, I need enough verifiable documents including photo ID to satisfy the other party that I am really them. Basically it's a points system where any form of government photo ID gives you about 80 points and any other item of identifiable data gives you 10-20 points, and usually you have to clear 100 points to be "identified".

So my passport plus my driver's licence is enough. My driver's licence plus my non photo ID government Medicare card or my official original copy of my birth certificate is enough. My driver's licence and two bank or credit cards is enough. About 5 or 6 things like my birth certificate, electricity bills in my name or local government rates notices and bank cards is sometimes enough, although photo ID from somewhere is usually required, or you need a statutory declaration from someone in good standing saying that you are who you say you are.

This kind of thing, while slightly more inconvenient, requires a number of physical items that can't be easily stolen en-masse. I carry enough of them in my wallet that I can do anything I need to do, as my driver's licence provides photo ID. People who don't drive or have a passport can scrape together enough bits and pieces to usually get by.

So it's time for a change. But it doesn't have to involve technology or a huge shift in the way of doing things. It just requires a points system similar to what I describe. Whether the US can effect that change now with the millions of systems that rely on a SSN for a trivial key in a database in some small retailer somewhere, I don't know.

[–] catloaf@lemm.ee 0 points 3 months ago

That's basically how it works in the US too. For example, for a form I-9, Employment Eligibility Verification, you need a passport, OR both proof of identity and proof of citizenship: https://www.uscis.gov/i-9-central/form-i-9-acceptable-documents

It's similar for stuff like state drivers' licenses.

The thing is, a federal domestic ID is all but prohibited. We have to have passports for international travel, but too many people are against federal ID because of "muh privacy", even though it means we just end up misusing SSNs and companies like this one compensate by collecting multiple data points on each person.

[–] werefreeatlast@lemmy.world 0 points 3 months ago

Otherwise, how would the republicans get enough votes.

[–] solrize@lemmy.world 0 points 3 months ago (3 children)

There are only 1 billion SSNs possible with 9 digits, and at most around 350M living people who have them (the US population). This breach is international but SSN is a US thing.

[–] catloaf@lemm.ee 0 points 3 months ago

Do TINs overlap with SSNs? Because businesses and non-citizen taxpayers have TINs instead of SSNs, but they're used just the same.

[–] floofloof@lemmy.ca 0 points 3 months ago* (last edited 3 months ago) (1 children)

And not all 9-digit numbers are used, so there are fewer than a billion. It sucks when organizations store them because the search space is so small it's relatively easy to unhash them in a stolen database.

[–] prime_number_314159@lemmy.world 0 points 3 months ago

A lot of businesses use the last 4 digits separately for some purposes, which means that even if it's salted, you are only getting 110,000 total options, which is trivial to run through.
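The two comments above (hashing the full SSN being easy to reverse because of the small search space, and the last four digits being trivial even with a salt) can be checked directly. The following is an added example, not code from the thread: it stores a constructed last-4 value as a salted SHA-256 digest the way a "pseudonymised" column might, recovers it by enumerating every candidate (the salt sits next to the digest in the stolen table, so it buys nothing), and then shows that a keyed HMAC, whose key is kept outside the database (an assumed design, e.g. in a KMS), cannot be reversed from the table alone. The record, salt and key are all constructed for the demo.

```python
"""Why hashing a short identifier is not a protection: the search space is the attacker's budget."""
import hashlib
import hmac
import os
from typing import Callable, Optional

LAST4_SPACE = 10_000  # a 4-digit fragment has exactly 10,000 possible values


def salted_hash(salt: bytes, last4: str) -> str:
    """The weak scheme: sha256(salt || last4). The salt is stored beside the digest."""
    return hashlib.sha256(salt + last4.encode()).hexdigest()


def keyed_tag(key: bytes, last4: str) -> str:
    """The stronger scheme: HMAC-SHA256 under a key that never lives in the database."""
    return hmac.new(key, last4.encode(), hashlib.sha256).hexdigest()


def enumerate_last4(matches: Callable[[str], bool]) -> Optional[str]:
    """Try every 4-digit candidate in order; return the first one the predicate accepts."""
    for n in range(LAST4_SPACE):
        candidate = f"{n:04d}"
        if matches(candidate):
            return candidate
    return None


def recover_from_salted(salt: bytes, digest: str) -> Optional[str]:
    """With salt and digest both taken from the table, recovery is a 10,000-step loop."""
    return enumerate_last4(lambda c: hmac.compare_digest(salted_hash(salt, c), digest))


def recover_from_keyed(guessed_key: bytes, tag: str) -> Optional[str]:
    """Same loop against the HMAC column; only succeeds if the attacker already has the key."""
    return enumerate_last4(lambda c: hmac.compare_digest(keyed_tag(guessed_key, c), tag))


def demo() -> dict:
    """Constructed record: last4 = '4821', random salt, random out-of-database key."""
    last4 = "4821"
    salt = os.urandom(16)          # would be in the stolen table
    key = os.urandom(32)           # assumed to live in a KMS/HSM, not in the table
    stolen_digest = salted_hash(salt, last4)
    stolen_tag = keyed_tag(key, last4)
    return {
        "salted_recovered": recover_from_salted(salt, stolen_digest),      # '4821'
        "keyed_without_key": recover_from_keyed(os.urandom(32), stolen_tag),  # None
        "keyed_with_key": recover_from_keyed(key, stolen_tag),             # '4821'
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a defender is that a salt only stops precomputed tables; it does not enlarge a 10,000-value keyspace. Moving the secret out of the table (HMAC with a managed key, or tokenisation that maps the value to a random token held elsewhere) changes what a database dump gives an attacker, which a hash never does for inputs this small. The same argument scales to the full nine digits: a billion SHA-256 evaluations is hours of commodity compute, not a barrier.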

[–] JohnEdwa@sopuli.xyz 0 points 3 months ago* (last edited 3 months ago)

The 9-digit social security number specifically might be, but a unique number tied to you that is often used as identification when it really shouldn't be isn't; it's a shitshow that has been implemented in many countries around the world.
The Finnish version was called an SSN originally, for example, though now it's a "henkilötunnus", personal identity code.

https://en.wikipedia.org/wiki/National_identification_number

[–] pineapplelover@lemm.ee 0 points 3 months ago (8 children)

I tried freezing my credit but I think transunion and equifax wouldn't let me create an account for some reason. Asking me to call them. Anybody else running into the same issue?

[–] return2ozma@lemmy.world 0 points 3 months ago (1 children)

I know Ticketmaster just sent out millions of "sorry we got hacked, freeze your credit for free with this code" letters. Maybe they're struggling to keep up with demand.

[–] pineapple_pizza@lemmy.dexlit.xyz 0 points 3 months ago

Mine was for credit monitoring. You should be able to freeze your credit for free at any time

[–] ohlaph@lemmy.world 0 points 3 months ago (1 children)

I did previously and had to wait until a weekday to talk to someone. It was a huge pain. Fuck those agencies.

[–] A_A@lemmy.world 0 points 3 months ago (4 children)

the U.S. and other countries "around the world"

meaning, for those of us living on other planets, we are completely safe ... such a relief ! /s

[–] grte@lemmy.ca 0 points 3 months ago (3 children)

The personal data of 2.9 billion people, which includes full names, former and complete addresses going back 30 years, Social Security Numbers, and more, was stolen from National Public Data by a cybercriminal group that goes by the name USDoD. The complaint goes on to explain that the hackers then tried to sell this huge collection of personal data on the dark web to the tune of $3.5 million. It's worth noting that due to the sheer number of people affected, this data likely comes from both the U.S. and other countries around the world.

What makes the way National Public Data did this more concerning is that the firm scraped personally identifiable information (PII) of billions of people from non-public sources. As a result, many of the people who are now involved in the class action lawsuit did not provide their data to the company willingly.

What exactly makes this company so different from the hacking group that breached them? Why should they be treated differently?

[–] ricecake@sh.itjust.works 0 points 3 months ago (2 children)

I feel like that might be bad phrasing on the part of the article. They mainly aggregate public records, like legal-document-style public records, and they also scraped data from not-(public record) data, which isn't the same as (not-public) record data.

I feel like I would want more details to be sure though, but scraping usually refers to "generally available" data.

[–] CallateCoyote@lemmy.world 0 points 3 months ago (1 children)

Dang, that’s quite a few people. Maybe we can stop linking our identity to a simple number in the US sometime? That would be swell.
