
PayPal says personal data may be compromised for 1.6M TIO users - michaelmwangi
http://www.foxbusiness.com/markets/2017/12/01/paypal-says-personal-data-may-be-compromised-for-1-6-million-tio-users.amp.html
======
bardworx
> PayPal hasn't integrated TIO with its platform, so PayPal users aren't
> affected by the security vulnerabilities at TIO.

Most relevant line considering the title. PayPal wasn’t compromised.

------
iamthirsty
> PayPal will offer affected TIO consumers free credit-monitoring services
> through Experian Plc, the spokesman said.

What's the point anymore? This has happened so many times this year I've got
more credit monitoring than I could ever _need_. Now I just need them to
actually redo the "identity" system into something I can actually _use_ with
peace of mind.

~~~
onion2k
If Experian were _really_ sneaky they'd pay teams of hackers to steal personal
data from businesses so the affected businesses would then have to buy huge
contracts for free credit monitoring for their users from Experian. That's not
what's happening here, obviously, but it'd make a great Hackers-esque movie.

~~~
thanksgiving
I didn't even think about PayPal having to pay Experian money for this... Wow.
Likely a bulk deal too, like you said.

------
nafizh
Isn't it time we criminalize any kind of data leaks by a company? This has to
be seriously discussed now. That is the only way we can make these companies
keep data security at the top of their priority list.

I know it is a subsidiary of paypal, not paypal itself, but that is
irrelevant.

~~~
blattimwind
FTFY: That is the only way to make sure companies avoid disclosing breaches
and pursue a burnt-and-salted-earth approach towards anyone who might turn up
evidence of a breach.

~~~
cwbrandsma
Pretty much becomes “blame the messenger” in a hurry. That, and these comments
quickly become “why didn’t they just do it the ‘right’ way”...as if such a
thing existed. With security there is no right way, just many known wrong
ways.

I got into a discussion once about how to properly handle passwords (cause
somebody has to do it). There is no right answer, just lots and lots of wrong
ones. Don’t encrypt, hash. But not that hash, use another...and not any of
those over there; and sure as shit don’t write one yourself. Use an off-the-
shelf hash...just not any that you have access to now. Not that one either, we
don’t recognize the author by name...and not the other one because we don’t
like the owner of the company (who is not a developer).

TL;DR: if you write code that needs security...eventually you are fucked.

~~~
aseipp
If your development priorities are so unbelievably messed up they can't look
into basic fundamentals like PBKDF2 or bcrypt, and you hoard large amounts of
personal data, and you get compromised, and you think it's not your fault --
your company should not exist.

> Not that one either, we don’t recognize the author by name...and not the
> other one because we don’t like the owner of the company (who is not a
> developer).

This is quite obviously bad rhetoric (outright dumb, I'd say.) But let's say
it's remotely true: you think "complete dysfunction, and inability to analyze
root problems" -- that it's a reason why we _shouldn't_ crack down on these
people?

Doctors make mistakes. Everyone knows that. Sometimes it's negligence,
sometimes it's tragedy, sometimes it's just random happenstance or Friday the
13th or whatever. But for some reason, we don't interpret this as a blank
cheque to let any jackass on the street legally operate on people, risking
their lives, and then -- when they hurt someone -- we all throw up our hands,
sigh, and say -- "well dang, at least Frito Pendejo, he tried really hard,
tried his best and doctors, y'know, medicine is crazy and uncertain!!! there
are no right answers!!!"
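The "don't encrypt, hash...but not that hash" exchange above, and the PBKDF2/bcrypt reply to it, in working form. This is an added example, not code from the article or from PayPal or TIO: standard-library PBKDF2-HMAC-SHA256 with a random per-user salt, a constant-time comparison on verify, and an upgrade check so the iteration count can be raised later. The record layout (`pbkdf2_sha256$iterations$salt$digest`) is an assumption made for this example, not a standard, and the unsalted SHA-256 function at the end is the thing the thread warns against, kept only to show why it is weak.

```python
"""Password storage as the thread's 'hash, don't encrypt' advice means it.

Added example, not code from the article or from PayPal/TIO.  Only the Python
standard library is used.  The record format
"pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>" is an assumption for
this example, not a standard.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # tune to ~100 ms on your hardware; raise it over time
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record.  A fresh salt per call means two users
    with the same password get different records, so no shared lookup table."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in
    constant time.  Malformed or foreign records never verify."""
    try:
        algorithm, iterations_s, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record is below current policy.  Call it after a
    successful login and store hash_password(password) again if it is."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """What the thread warns against: no salt, no work factor.  Every user
    with the same password shares a digest, so one precomputed table (or one
    GPU run) cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("distinct records for the same password:", rec_a != rec_b)
    print("correct password verifies:", verify_password("correct horse battery staple", rec_a))
    print("wrong case rejected:", verify_password("Correct horse battery staple", rec_a))
    print("unsalted digests collide across users:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

bcrypt, scrypt or Argon2 are equally good choices; the properties that matter are the ones shown here: a per-record random salt, a cost parameter stored alongside the digest so it can grow, and a comparison that does not leak how many bytes matched.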

------
toomanybeersies
It seems we're at the point now where we can assume that any data we put
online is going to get leaked.

What we need to do is figure out a way that even if our data is leaked, it
doesn't have substantial negative effects. How exactly we do that, I don't
know. But if a website is hacked, it shouldn't compromise our credit or our
personal information.

------
Caligatio
I really don't know what it is going to take to shift people from thinking "oh
no, my private data leaked" to "I really don't have any private data."
Honestly, look at the stuff that was leaked:

- Names: this is public information

- Addresses: this is public information

- Bank Account Details: this is on every check you've ever written

- SSN: this is on so many applications for things and compromised so many
times it can't be realistically called private

- Account Login Details: not to be pedantic but this is a shared secret and
should be treated as such

I know there have been some rumblings about actually trying to change the
financial identification system in the US but really this needs to be the
focus. We've been pretending that we have any sort of "secure" identification
system for too long and now it's finally catching up to us. Solutions exist
for a majority of these problems:

- For stolen credit card numbers: Force the issuers to add one-time CC number
generation and have that one-time number locked to a merchant. Discover _had_
this years ago and got rid of it; I'm sure others had it as well. This
effectively solves the online merchant problem. Things like Visa Checkout and
Masterpass also can help here by eliminating the need to give merchants your
actual number (as can Android Pay, Apple Pay, Samsung Pay, PayPal, etc)

- For stolen credit cards: Actually change over to chip and pin

- For online financial identification: Issue smart+national ID cards like
Estonia that can provide digital authentication. Is it perfect? No. If people
don't like the concept of a smart+national ID card, put the risk of doing
anything online on them. [https://www.login.gov/](https://www.login.gov/) is a
baby step in this direction.
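The first bullet above (a one-time card number locked to a single merchant) as a toy illustration added here; this is not code from the article, PayPal, TIO or any card issuer, and the vault layout and the `issue`/`authorize` API are assumptions made for the example. The point it exercises is the one the comment makes: a token copied out of one merchant's breached database is worthless at any other merchant and cannot be replayed at the original one.

```python
"""Merchant-locked, single-use payment tokens (added example, not from the
article or any card network).  A real issuer keeps the vault in an
HSM-backed service; here it is an in-memory dict so the property can be
exercised offline.  Names below are assumptions for this example."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class _TokenRecord:
    pan_ref: str       # opaque reference to the real card; the PAN never leaves the issuer
    merchant_id: str   # only this merchant may present the token
    amount_cents: int  # cap fixed at issue time
    used: bool = False


@dataclass
class TokenVault:
    _records: Dict[str, _TokenRecord] = field(default_factory=dict)

    def issue(self, pan_ref: str, merchant_id: str, amount_cents: int) -> str:
        """Mint a 16-digit token bound to one merchant and one use.  The
        leading '9' is an example-only convention to tell tokens from PANs."""
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        self._records[token] = _TokenRecord(pan_ref, merchant_id, amount_cents)
        return token

    def authorize(self, token: str, merchant_id: str, amount_cents: int) -> Tuple[bool, str]:
        """Every check that makes a leaked token useless to anyone but the
        intended merchant, in the order a stolen token would fail them."""
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant_id != merchant_id:
            return False, "token bound to a different merchant"
        if rec.used:
            return False, "token already consumed"
        if amount_cents > rec.amount_cents:
            return False, "amount exceeds issued cap"
        rec.used = True
        return True, f"charged {amount_cents} via {rec.pan_ref}"


def breach_scenario() -> Dict[str, bool]:
    """Constructed scenario: merchant-A's pending-order table (token included)
    leaks before the order settles.  Returns which attempts succeeded."""
    vault = TokenVault()
    token = vault.issue(pan_ref="card-ref-0001", merchant_id="merchant-A", amount_cents=4999)
    cross_merchant, _ = vault.authorize(token, "merchant-B", 4999)  # attacker, other shop
    legit, _ = vault.authorize(token, "merchant-A", 4999)           # the real order
    replay, _ = vault.authorize(token, "merchant-A", 4999)          # attacker, same shop
    return {"cross_merchant": cross_merchant, "legit": legit, "replay": replay}


if __name__ == "__main__":
    print(breach_scenario())   # only "legit" is True
```

The design choice worth noting is that the vault stores a reference to the card, never the card number, so even the issuer-side token table is not a PAN dump if it leaks; the merchant-binding and single-use checks are what remove the resale value of the merchant-side data the article is about.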

~~~
coldtea
> _- Names: this is public information_
> _- Addresses: this is public information_
> _- Bank Account Details: this is on every check you've ever written_
> _- SSN: this is on so many applications for things and compromised so many
> times it can't be realistically called private_
> _- Account Login Details: not to be pedantic but this is a shared secret and
> should be treated as such_

Those may not be difficult for an adversary who targets someone personally to
get. They'll have some trouble getting a few of them (something being on
"every check you've ever written" doesn't mean I can see it easily if I'm not
doing business with you. Besides, few people write checks anymore anyway),
but they will be able to gather most.

That's completely different than anybody who doesn't know you at all having
all those details for millions of people in a large data dump - that is, any
scammer worldwide.

~~~
sametmax
That, and linked together, in a nice clean, easily automatically exploitable
package.

------
em3rgent0rdr
Aside: a downside of Know-Your-Customer laws (and anything else that requires
you to upload personal data to web services) is that now that data can be
compromised as well. Maybe there should be fewer such requirements.

~~~
michael_storm
Or requirements to not _keep_ data unless for a legitimate business purpose.

~~~
ben_w
That sounds like the UK’s Data Protection Act, soon to be replaced with an EU
successor that will apparently cause _all sorts_ of interesting times if the
UK tries to get rid of it post-Brexit.

------
aalleavitch
This is ridiculous. Does anyone have any insight into how these security
breaches keep happening? Is it rampant carelessness on the part of the
companies, some new technology that's opening a significant number of new
exploits, or is it an escalation on the efforts/persistence of hackers?

~~~
codazoda
Software is imperfect, and therefore vulnerable, and it's also pervasive. Data
for all our providers will probably be compromised. It's not if, but when. We
need to make plain facts, like name, address, birthday, and SSN, less
valuable.

------
mrmondo
Now that title confused me, if you’re not the USA - FYI: they’re not talking
about the ‘Telecommunications Industry Ombudsman’ as I thought.

------
NetOpWibby
This is a shitty title. BOOOOO

