In other words... "We leaked a bunch of your personal information, but at least it's not enough data to steal your money!"
All of these leaks have the cumulative effect of rendering very commonly used security verification questions ineffective: "Can I verify the last 4 of your social? And the last 4 of your credit card?"
How long will it take for us to accept that this kind of data can no longer be assumed private? The sooner, the better, mainly so companies stop using it as a secondary form of identity verification.
I'll give an example: if I get a phishing email claiming to be from my bank, and end up wiring them $1000, I'm out $1000 for not having done the due diligence for verifying that it in fact was my bank; my bank doesn't suddenly owe me $1000. Somehow, though, if some 3rd party convinces the bank they're me, and withdraws $1000 from my account, I'm at fault as a victim of "identity fraud" (and am again out $1000, but this time as a result of my bank's incompetence).
If the onus for verifying your identity were on institutions (and, consequently, the losses in cases of failure to do so) I'm confident that we would have much more reliable means of personal identification magically pop into existence.
This isn't true, though. The bank is the one on the hook... eventually. The problem, of course, is that you have to get the bank to agree that it wasn't you who made the withdrawal.
While it sucks, I am struggling to figure out alternative solutions.
Let's suppose we did the opposite; if you tell the bank that it wasn't you, then they have to prove it was, and in the meantime they give you the money. Sounds great, but this makes fraud about as easy as you can get - open an account, deposit $50,000, then transfer it somewhere else and withdraw it to cash. Then, tell the first bank that it wasn't you that did it. Sure, they will be able to prove it was you eventually.... but according to our new rules, they have to return the money while they figure it out... you withdraw it all and flee.
There would be literally NOTHING the bank could do to prevent this sort of fraud. They could put a million checks in place, but since they would still need to 'prove' it was you when you claim it was fraudulent, and make you whole in the meantime, you could still steal the money during that time. You claim fraud, they put the money back into your account... and then they show someone (who? an arbiter? the gov?) that they have video evidence of you making the withdrawal. While the ruling is happening, you skip town with the money.
It really sucks, and I really can't think of a solution.
Credit card companies are by law on the hook for any fraud committed with your credit card. Everything you just wrote applies to credit cards, and yet Visa and Mastercard are doing just fine. They aren’t going bankrupt just because you can file a chargeback whenever you want as a consumer.
There doesn’t seem to be any doubt that banks can handle this, because they already do.
Also, when you dispute a charge, they are able to put the money in 'escrow', basically, while they investigate... since they control both sides of the transaction (both merchant and customer), they 'keep' the money while they resolve it. If they find in the card user's favor, they deduct it from the merchant account and credit it back to the card user. Otherwise, they release the hold and the merchant can withdraw the money.
It doesn't feel like your money is being held as a card holder, because the 'money' in this case is credit, and it doesn't affect your bank account while it is being resolved. However, it DOES count against your credit limit while they resolve the issue, so it shows you that the money is still 'frozen' while they resolve it. They aren't allowed to charge interest during the dispute, but if you lose the dispute you will have to pay the interest.
This is the same thing that happens when your bank account is defrauded: the money is frozen, and you can't withdraw it until the dispute is resolved.
> It doesn't feel like your money is being held as a card holder, because the 'money' in this case is credit, and it doesn't affect your bank account while it is being resolved. However, it DOES count against your credit limit while they resolve the issue, so it shows you that the money is still 'frozen' while they resolve it. They aren't allowed to charge interest during the dispute, but if you lose the dispute you will have to pay the interest.
I knew roughly how this worked before, but it didn't occur to me until I read your explanation that this allows the credit card company or bank to invest the money while it's in escrow. So it actually benefits them when fraud happens on your account.
...of course that's a thing. The bankers always win.
By extending someone a line of credit, they are investing some percentage of that line of credit as their money, because they have to have money on hand in case the person decides to use their credit card. They obviously don't have to keep the whole balance of every line of credit they extend on hand, because most people won't max out all their lines of credit. But they do have to keep some percentage. That money is invested, but only pays out money if the person uses their credit card and then rolls over a balance to accrue interest.
But let's say someone uses a credit card, and then someone disputes the charge (these are different people if the charge was fraudulent). The credit card company holds that money in escrow. While it's in escrow, they don't pay it to the merchant, so they still have it, and they don't count it toward their customer's credit limit, so it decreases the amount of money they have to keep on hand. However, they're still charging interest for it in the case that the charge is found to not be fraudulent. So their investment is paying off.
Now where this gets tricky, is now that money is invested, because they're charging interest for it, but they know they won't have to pay out that investment until the fraud investigation completes. So until then, they can invest it again! They always have to keep some money on hand in preparation for a fraud investigation to finish, but there is always some amount of money being tied up in escrow for ongoing fraud investigations, so they can invest that money twice.
It is even stamped on the CC that it is property of the issuing bank. So you made it such that a skimmer can copy your card at a gas station and empty someone's account in a few minutes, but you are not part of the problem at all? Then what is the point of plastic other than milking fees?
> If the onus for verifying your identity were on institutions
Your two situations are really the same situation.
1. You give your money to another party, and then claim they committed fraud. You can't just instantly seize $1000 from them; you must prove that they committed fraud.
2. You give your money to another party to manage, and then claim they breached contract. You can't just instantly seize $1000 from them; you must prove they violated the contract.
In both cases, the legal onus is on the accuser to demonstrate criminal activity ("innocent until proven guilty"). Otherwise, you could walk around claiming people and banks owe you money and simply be presumed correct.
(Also, in both cases, it would have been better for you not to trust those particular parties.)
Of course, this does not mean that being a victim of identity theft does not suck.
The stolen information has some other severe side effects, which are not directly personal. The stolen credit card information and the driver's licenses are typically used for things like human trafficking. You buy some airline tickets with a fake passport and a stolen credit card, and travel as someone else.
No, it falls on the bank or what have you. If the bank or what have you gets defrauded they lose the money.
As an unfortunate side effect the fraud might affect a consumer's credit, but not due to any kind of responsibility for the fraud.
In what scenario could this take years? Honestly anything beyond a month sounds pretty unlikely unless your identity was abused for an extended period (as in by a family member or such), and even then I don't see how.
As far as I understand the process for getting fraudulent accounts removed from credit reports typically takes less than a week.
I had a fraudulent charge on my bank account via a “demand draft” (essentially a check without my signature). Yes, I had to spend significant time resolving the issue: going to the bank, having them insist they needed to close my account and reopen a new one, plus changing all my ACH drafts. But, I was very angry with the bank, because their proposed solution caused me hassle and doesn’t protect me from whatever attack vector compromised my account. They would not let me have them refuse to honor such instruments without prior authorization, either.
And, this was over a $40 charge. Had it been $4000, I wouldn’t have been any less angry with them for failing to protect me.
We really need to rethink all this. Until then, it feels like mere luck that today wasn’t the day someone decided to social engineer their way into your life.
Everything is so precarious.
If I had $40B to budget on cyber warfare I'm finding out how to hack nuclear plants or cause hydroelectric dam overloads, not tinker with the Amazon accounts of the flyover states.
Always comes down to "we don't have enough time". Then when it leaks we have all the time in the world.
At the top, we'd have in-person verification using physical documents, such as passport, driver's license, birth certificate, and similar. A good candidate to handle this level is banks and credit unions, at their branch offices.
To handle people who can't come in in-person to set up their account at a top level verification service, there could be top level providers that send a notary to you to check your documents.
Online access to top level accounts should require 2FA. Account recovery in the case of lost passwords or lost second factor or lost recovery codes would require another in-person verification.
Next down in the hierarchy would be services like email providers. When you set up your account with them, you should be able to associate it with one of your accounts at a top level provider, and there should be a way for the email provider to verify with the top level provider and with you that you really are the owner of that top level account.
Account recovery for these accounts requires re-verifying with the associated top level provider.
Below that are services that use your email address as your identity. They verify you the usual way--sending an email and requiring you to prove that you received it. Account recovery requires the same kind of verification.
The idea is that everything is ultimately rooted with your top level providers. If you can protect those accounts, then everything below has protection. Someone might still temporarily hijack your Twitter account or even your email account, if you aren't using strong 2FA and your password leaks, but you can do an account recovery using the account that is above it in the identity hierarchy.
For banks that serve as top level verification services, this should be separate from online banking accounts. People need to routinely log into online banking, but should only very rarely need to use their verification account. The verification account generally only needs to be used when creating a new account one step down the hierarchy, such as a new primary email account or a new account at a domain registrar, or when recovering a lost or hijacked email or domain account.
It should thus be feasible to not store your top level password online at all. It can be on a printed document kept where you store other important documents, such as in your fire proof safe with your passport and birth certificate.
On another topic--sites really should clearly document how things like account recovery works. If a site that requires 2FA for login allows configuring whether that is via SMS, TOTP, or U2F...but then it turns out that you can always do account recovery via SMS even if you disabled that as a 2FA method for login, I want to know that up front, so that I know that switching to TOTP or U2F doesn't actually protect me against account theft. At many sites, the only way to actually find out how account recovery works is to go through it, and that is annoying.
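The hierarchy sketched above (top-level provider at the root, e-mail below it, everything else rooted in e-mail) and the complaint about SMS recovery undercutting TOTP are the same observation: an account is only as strong as its weakest login or recovery path, and a "re-verify with the account above" recovery path inherits that account's strength. The following is an added example, not code from the thread; the ordinal strength scores, account names and factor names are assumptions chosen to make the computation concrete.

```python
"""Weakest-link model of a rooted identity hierarchy.

Added example, not from the thread. The ordinal strength scores, account
names and factor names are assumptions chosen to illustrate the argument.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed ordinal scores: higher means harder for an attacker to defeat.
STRENGTH = {
    "in_person": 4,   # documents checked at a branch (top-level provider)
    "u2f": 3,         # hardware security key
    "totp": 2,        # authenticator app
    "sms": 1,         # SIM swap territory
    "password": 0,    # assume it has already leaked
}


@dataclass
class Account:
    name: str
    login: Set[str]             # every listed factor is required at login
    recovery: Set[str]          # any one listed method alone recovers the account;
                                # "parent" means re-verifying with the parent account
    parent: Optional[str] = None


def login_strength(acct: Account) -> int:
    # An attacker must defeat every required factor, so the strongest one sets the bar.
    return max(STRENGTH[f] for f in acct.login)


def weakest_link(accounts: Dict[str, Account], name: str) -> Tuple[int, str]:
    """Return (effective strength, which path sets it) for an account.

    The effective strength is the minimum over the login path and every
    recovery path; a "parent" recovery path inherits the parent's effective
    strength, which is what roots the whole tree at the top-level provider.
    """
    acct = accounts[name]
    paths = [(login_strength(acct), "login")]
    for method in sorted(acct.recovery):
        if method == "parent":
            score, _ = weakest_link(accounts, acct.parent)
            paths.append((score, f"recovery:parent({acct.parent})"))
        else:
            paths.append((STRENGTH[method], f"recovery:{method}"))
    return min(paths, key=lambda p: p[0])


def effective_strength(accounts: Dict[str, Account], name: str) -> int:
    return weakest_link(accounts, name)[0]


# Constructed sample hierarchy (assumption): bank verification account at the
# top, e-mail one step down, then a registrar and a social account below that.
ACCOUNTS = {a.name: a for a in [
    Account("bank-verification", login={"password", "u2f"}, recovery={"in_person"}),
    Account("email", login={"password", "u2f"}, recovery={"parent"}, parent="bank-verification"),
    Account("registrar", login={"password", "totp"}, recovery={"parent"}, parent="email"),
    # TOTP at login, but recovery still allowed over SMS: the situation the
    # comment above complains about. Its effective strength collapses to SMS.
    Account("social", login={"password", "totp"}, recovery={"sms"}, parent="email"),
]}

if __name__ == "__main__":
    for name in ACCOUNTS:
        score, path = weakest_link(ACCOUNTS, name)
        print(f"{name:18} effective={score} set by {path}")
```

Running it shows the registrar account bounded by its own TOTP login, the e-mail account bounded by its U2F login (its recovery path is as strong as the bank account above it), and the social account bounded at SMS strength despite TOTP at login, which is exactly why a site's recovery policy needs to be documented up front.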
They use them to create new accounts to move money that way.
I think it's been clear since Equifax that private data can't be used to prove identity. I honestly wish the hacker behind that attack just gave away the entire dataset to the public. It would have stung a little at first, but it would have saved society a ton of time and money on the long run.
You can process charges without the CVV, but it costs you more to process them and is supposed to lower the risk.
Some big players like Amazon still process payments without requiring a CVV.
For example, you could build your own database of millions of records of name/phone/addr just looking up WHOIS info on every domain name you come across.
And I'm reminded of how you can get into someone's Amazon account by feeding WHOIS information to their customer support, even if the address is bogus but is in the same city that Amazon has on file. https://medium.com/@espringe/amazon-s-customer-service-backd...
HN takes out its pitchforks for every leak, but the outrage is often misdirected.
For example, why do we have this idiotic system where you can make purchases on my credit card with the same credentials I hand out multiple times a day, even for a $5 hotdog, and as a result I need to remain eternally vigilant to find fraud on my monthly statements? Why can you get into my Amazon account if you know a single address that approximates one of the addresses I've ever shipped product to?
Leaking is inevitable. The problem is that our system and thus our expectations are built as if it's not.
Besides maybe the bank
High graduation rates at EADS HS, for the record.
If they get hacked... well, say goodbye to maiden name as a verification!
- Andy Fang
- Evan Moore
- Stanley Tang
- Tony Xu
They decided our security and privacy wasn't worth as much as hur hur hur growth hacking startup hur hur next uber, and couldn't be arsed to even give us a proper apology.
Look at their blog post: not one mention of the words "we sorry, we fucked up".
It's all about the other guys.
The bad guys.
The guys who stole your data not us, and you should change your password with us to protect your account with us.
No. That's wrong. Look at the 295 million people who weren't affected -- all the people who don't use doordash at all!
That means the best way to protect yourself is to simply not use doordash. Delete it. Delete the email account and the bank/credit card you used with them (ask your bank/credit card company for a new number). Move if you've got to (drivers license details!?!?!?) You have no other protection now- you're fucked. They have your data, and they're only going to risk it again.
And remember how difficult it is to get in control of your data again when the next breach happens, the next time you're thinking about signing up with something, or you're getting ready to vote.
It turned out that until recently, that was not the case; drivers would get a wage to deliver food to you, and if you specified a tip through the application, then the driver would have money deducted from their wage equal to the amount of the tip up until tips made up one hundred percent of their wages, at which point tips would increase their take-home.
So in effect, Doordash was using tips to subsidize worker pay as opposed to augmenting worker pay, and this was in no way communicated to customers who reasonably expected that a tip would increase the worker's compensation.
That is extremely misleading. Another reason to tip in cash, I suppose :/
That's kind of the point. And par for the course in any tipped job.
If DoorDash had actually wanted to make it consistent, they would've just removed tipping, like everyone else does that wants to do that.
What they did was shady as hell, and they know it which is why they are changing it.
* There is the common, legally mandated practice for employees where minimum wage is paid instead of tips, until base pay plus tips meets that. You could make the argument that DoorDash base pay is simply $0.
But (A) base pay of $0 is never done (B) base plus tips don't typically fall below minimum wage (C) this doesn't really apply anyway since DoorDash doesn't pay wages; it pays contractor fees.
Edit: A common complaint with these types of announcements is the lack of owning the mistake. Just wanted to point out that this is almost certainly a result of the company contacting their insurance carrier about the incident, and the insurance carrier instructing the company how to respond to the event (in order to remain eligible for benefits under the policy). It’s not a great excuse, but there is a reason that’s slightly outside the control of management.
How to deactivate: https://help.doordash.com/consumers/s/article/How-to-deactiv...
Where to deactivate:
*for what it's worth, deactivation and deletion are mostly semantics if the point is to send a message to a company that their mismanagement erodes trust with users. "churn" is a metric that very much matters to executives and "deactivation" impacts that.
If anyone says "total security is impossible" you just say: So fucking what? That's not an excuse for spending as little on security as possible, and you know someone isn't serious about security if they avoid admitting they are responsible for the security in the first place.
Days Since Last Breach: 0
I can't find a reference but when I first learned about this I was actually surprised the number was that low. That was before I realized that working with computers and databases for so long has totally desensitized me to the fact that we are dealing with stupendous amounts of data on a daily basis and that what we IT people see as 'small' is likely not what entities such as the ICO or other DPAs see as small.
Owns a huge swath of land someplace remote. Only deals in cash. (His special skills are such that his employer gladly pays him in cash.) Doesn't trust cars with electronics, so he builds his own motorcycles to get around. As far as I know, the only record of him existing is property tax and income tax.
I went to visit once, and he doesn't even have a mailbox. I assume he has a PO Box somewhere. He built his own house. It's not a very good house, but it's good enough for him and his wife. The only electronics he has is a TV that runs off of some kind of tiny water mill in the creek. It only gets over-the-air channels.
I guess he's happy, but it's not the kind of happiness I could bear. He also seems to have lost all interest in shaving.
As long as there are no serious consequences for leaking user's data these things are going to continue to happen.
Edit: I’m not sure I’ve ever heard anyone suggest “regulatory capture” as a reason to not levy fines against companies who held breached data. HN discussions on this topic seem to trade in the same repeated points—“identity theft” is bank failure/fraud masquerading as the customer’s problem; there should be consequences and/or fines for the party who held the data; the frequency of breaches should make us rethink how private PII really is; etc.
So it's probably some service that they no longer use and doesn't really need to be fixed or investigated, since all the data they had has already been taken and they (probably) stopped giving them more data a year and a half ago.
They should really say who the third party was though. Hopefully that information comes out.
A more sinister explanation is that DoorDash knew back then who is leaking their data and removed their access. But chose to disclose only just now.
The safe assumption would then be to not trust any accounts created online without some good old KYC processes in place requiring live verification of identity.
We've gone to great lengths to secure ID and DL information and have even built a watermarking service to track all access to these images: https://docs.berbix.com/docs/transactions#section-watermarki...
From the techcrunch article: "It’s not clear why it took almost five months for DoorDash to publicly reveal the breach. DoorDash spokesperson Mattie Magdovitz say why [sic]."
Pretty bad. If personal identity info is exposed, it is irresponsible not to notify users immediately so they can freeze credit and watch for suspicious activity. The blog post did mention a third-party vendor, so it's possible there was a delay, but it's a whole other problem if it took this long to find a breach.
This sounds like it could be "flipboard-itis". Flipboard stored passwords insecurely in the beginning (SHA-1), but switched to bcrypt as it scaled. The passwords breached were before 2015, so possibly a similar thing here where they started out with bad security and improved with scale (but left the old stuff behind). I'm guessing Doordash did something similar and improved security as it scaled.
(And the 2015 reference in the comment you're replying to is about a Flipboard breach, not DoorDash)
> “We take security seriously”, otherwise known as “We didn’t take it seriously enough”
Someone should make a Tumblr for data breach marketing copy.
I used to work for a third-party service provider that merchants send this sort of data to for lots of users. Considering there weren't lots of customers using this provider making similar posts, and Doordash didn't call out the provider, it wouldn't surprise me if a Doordash employee account with that provider got compromised. The blog post was carefully worded to not throw the provider under the bus, but also avoid taking blame, themselves.
The telling bit is that the last four digits of credit card numbers were sent. There are only a few types of vendors you'd send that data to.
Now if they could just completely die so a more ethical competitor can take its place it would be even better.
The honest thing to do would have been to raise the delivery fees across the board, but that doesn’t attract customers. The seemingly optional “tip” preys on the customer’s mistaken assumptions and was used as a sneaky way to achieve the same thing.
If a more ethical competitor can't match or exceed these, they won't be a competitor for long.
Doordash? They're just a shitty startup trying to "disrupt" the market by forgetting laws and morals and are only surviving thanks to VC money. People are not obliged to use them, and since they're essentially providing a commodity people can easily choose to use a competitor, only accelerating Doordash's inevitable demise. People aren't always reasonable, and such incidents can sway them towards other competitors (even though I doubt the competitors are any better in terms of security).
Perhaps it's different elsewhere, but out of the services I use here in Houston, Doordash is consistently the best experience. Obviously if one of those competitors can best them in categories that matter (cost, speed, and accuracy) I'll switch.
It's just a matter of time anyway, the VC money will dry up, they will either go down the drain right away or raise prices, which if nothing else will open the doors for another VC-fuelled competitor to overtake the market by subsidising deliveries for the next few years.
However, it doesn't seem that Doordash is struggling that much, and it is outpacing its competitors in growth rate.
> they used to withhold the total tips out of a delivery drivers base compensation so essentially taking the tips for themselves
The driver's base pay was something like $1 or $2. They did not take tips out of that.
This is deceptive.
The big difference is that Doordash's calculation is redone for every order delivered. With wait staff past minimum wage the tip you give them doesn't in any way reduce the amount of money the business pays them. The business pays them the same amount if they make $1/hour above minimum wage or $20/hour above minimum wage.
With Doordash on the other hand, the tip you give _always_ reduces the amount Doordash pays. You are essentially subsidizing Doordash's payment of the driver.
This is deceptive because most people expect that when they leave a tip that the amount of the tip they leave will directly increase the income of the person they're tipping. In reality, a Doordash driver is very unlikely to make additional money because of your tip unless you tip a large amount. To top this off Doordash advertised tips as "100% goes to the driver", which is extremely scummy because it obviously is intended to trick people into this belief.
I've been considering making it a product and I wonder in this case what people would want to do when the account data gets leaked?
1. blackhole all email to the address.
2. forward all email to some email service that is never/rarely used.
3. flag messages that are not sent from the matching domain (doordash.com in this case).
4. blackhole and generate a new address so the user can go back to door dash and provide a fresh email address.
I also wonder if there is any use for metadata on who's trying to email a blackholed email address, e.g. spam blacklisting.
So your address is firstname.lastname@example.org but you could use addresses like email@example.com...
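One way to implement the four options listed in the comment above, plus the sender-metadata idea, as an added example that is not part of the thread. Each service gets its own alias bound to the sender domain it is expected to mail from; mail to an alias from any other domain is flagged as the first evidence of a leak or sale, and a leaked alias can be blackholed, demoted to a rarely read inbox, or rotated. The alias domain, the sample services and every message below are constructed for the example.

```python
"""Per-service e-mail alias router.

Added example, not from the thread. The alias domain, the sample services
and all messages are constructed for the example.
"""
import secrets
from collections import Counter
from email.utils import parseaddr
from typing import Dict, Optional, Tuple

ALIAS_DOMAIN = "aliases.example"   # assumed; reserved .example TLD


class AliasRouter:
    def __init__(self, real_inbox: str, cold_inbox: str):
        self.real_inbox = real_inbox     # the inbox the user actually reads
        self.cold_inbox = cold_inbox     # rarely read inbox, for option 2
        self.aliases: Dict[str, dict] = {}
        self.blackhole_senders: Counter = Counter()   # who keeps mailing dead aliases

    def new_alias(self, service: str, sender_domain: str) -> str:
        """Mint a unique alias for one service and record which domain may use it."""
        alias = f"{service}-{secrets.token_hex(4)}@{ALIAS_DOMAIN}"
        self.aliases[alias] = {"service": service,
                               "domain": sender_domain.lower(),
                               "state": "active"}
        return alias

    def mark_leaked(self, alias: str, policy: str) -> Optional[str]:
        """Apply a leak policy; returns the replacement alias for 'rotate'."""
        entry = self.aliases[alias]
        if policy == "blackhole":          # option 1
            entry["state"] = "blackhole"
        elif policy == "cold":             # option 2
            entry["state"] = "cold"
        elif policy == "rotate":           # option 4: blackhole, then mint a fresh one
            entry["state"] = "blackhole"
            return self.new_alias(entry["service"], entry["domain"])
        else:
            raise ValueError(f"unknown policy {policy!r}")
        return None

    @staticmethod
    def _domain_matches(sender_domain: str, allowed: str) -> bool:
        # Accept the registered domain and its subdomains (mail.doordash.com etc.).
        return sender_domain == allowed or sender_domain.endswith("." + allowed)

    def route(self, to_header: str, from_header: str) -> Tuple[str, Optional[str]]:
        """Decide what to do with one message: (action, destination inbox)."""
        to_addr = parseaddr(to_header)[1].lower()
        from_addr = parseaddr(from_header)[1].lower()
        entry = self.aliases.get(to_addr)
        if entry is None:
            return ("reject", None)                       # never issued this alias
        sender_domain = from_addr.rsplit("@", 1)[-1]
        if entry["state"] == "blackhole":
            self.blackhole_senders[sender_domain] += 1    # metadata for blocklisting
            return ("drop", None)
        if not self._domain_matches(sender_domain, entry["domain"]):
            # Option 3: someone other than the service is using this alias,
            # which is the first evidence the address was leaked or sold.
            return ("flag", self.real_inbox)
        if entry["state"] == "cold":
            return ("deliver", self.cold_inbox)
        return ("deliver", self.real_inbox)


def demo() -> dict:
    """Constructed walkthrough of the options; returns every routing decision."""
    r = AliasRouter(real_inbox="me@mail.example", cold_inbox="cold@mail.example")
    alias = r.new_alias("doordash", "doordash.com")
    out = {
        "legit": r.route(alias, "DoorDash <no-reply@doordash.com>"),
        "subdomain": r.route(alias, "news@mail.doordash.com"),
        "spam": r.route(alias, "deals@bulk-sender.example"),
    }
    fresh = r.mark_leaked(alias, "rotate")
    out["after_rotate_old"] = r.route(alias, "deals@bulk-sender.example")
    out["after_rotate_new"] = r.route(fresh, "no-reply@doordash.com")
    out["blackhole_senders"] = dict(r.blackhole_senders)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The domain check is deliberately on the envelope-level From address only; a production router would also want SPF/DKIM results before trusting the sender domain, since a spammer who obtained the alias can forge the From header just as easily.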
Sadly we currently lack a consumer protection bureau.
I use firstname.lastname@example.org whenever I sign up at random sites. Last night I got a bunch of spams at the just-eat account (food delivery, operating in 13 countries so not a small operation).
Now I know they've been breached, but:
1. They haven't reported it anywhere.
2. I don't know of any meaningful action I can take.
> If ... you’re concerned about how an organisation has handled your information – if the information is wrong, they have lost it or disclosed it to someone else – tell us.
It also might not be a breach, but could have been sold via some sort of marketing 'partnership'.
Also I believe Blur already does this (the company name may have changed but I forget)
Of note here, I never verified the account when the user first signed up, so DoorDash has always just been going on the first guy's word that they are who they say they are.
It’d be like someone else booking a hotel room as you. When you show up at the front desk they verify it’s you and then let you into that room because it is after all... yours.
Or whatever the hip phrase is now that FB is radioactive.
1. Personal address, DOB - $15.
2. Each social security $20.
3. Driver license number $25.
4. Bank account numbers $30.
So a loss of 4.9 million social security numbers, DOB and addresses would generate a fine of $171,500,000
Now, the company will think 100 times BEFORE collecting consumer data if they can actually PROTECT IT. Build robust security FIRST!
Unique salt per user hash < shared salt with user hash < no salt but using strong hash < no salt and a weak algorithm like MD5 or SHA-1 < plaintext
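Two comments in this thread bear on the same mechanism: the ranking of password storage schemes above, and the earlier remark about a service that started with unsalted SHA-1 and moved to bcrypt as it grew while leaving old hashes behind. The following added example (not code from the thread or from any company mentioned in it) shows why per-user salts matter when a store leaks, and how a legacy unsalted store can be upgraded transparently on login, while the plaintext is briefly in hand. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without dependencies; the iteration count, usernames and passwords are constructed sample data.

```python
"""Salted vs unsalted password storage, and upgrade-on-login migration.

Added example, not from the thread. PBKDF2 is used because it is in the
standard library; bcrypt/argon2 would be the usual production choice.
Users, passwords and the wordlist are constructed sample data.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

ITERATIONS = 100_000          # assumed work factor
PREFIX = "pbkdf2_sha256$"     # tags hashes already on the strong scheme


def legacy_hash(password: str) -> str:
    """The weak scheme: unsalted SHA-1, one hash per distinct password."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF; same password => different strings."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme with constant-time comparison."""
    if stored.startswith(PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(stored, legacy_hash(password))


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; if the user is still on the legacy scheme, rehash now."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith(PREFIX):
        store[user] = strong_hash(password)   # the only moment the plaintext is available
    return True


def duplicate_groups(store: Dict[str, str]) -> Dict[str, int]:
    """Unsalted hashes reveal which users share a password, before any cracking."""
    counts = Counter(store.values())
    return {h: n for h, n in counts.items() if n > 1}


def crack_with_wordlist(store: Dict[str, str], wordlist) -> Dict[str, str]:
    """One SHA-1 per candidate recovers every legacy user with that password."""
    table = {legacy_hash(w): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if h in table}


# Constructed sample data (assumption): a leaked legacy store and a tiny wordlist.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]
LEGACY_STORE = {
    "alice": legacy_hash("password1"),
    "bob": legacy_hash("password1"),      # same password as alice: same hash
    "carol": legacy_hash("letmein"),
    "dave": legacy_hash("correct horse battery staple"),
}

if __name__ == "__main__":
    store = dict(LEGACY_STORE)
    print("shared hashes:", duplicate_groups(store))
    print("cracked before migration:", crack_with_wordlist(store, WORDLIST))
    login(store, "alice", "password1")
    login(store, "bob", "password1")
    print("cracked after alice and bob logged in:", crack_with_wordlist(store, WORDLIST))
    print("alice and bob now differ:", store["alice"] != store["bob"])
```

Users who never log in again stay on the weak scheme, which is the "left the old stuff behind" problem: a migration plan needs a cutoff after which unmigrated accounts are forced through a reset rather than kept indefinitely.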
"Applebee's Coupons are clearly the best value for consumers, from savory appetizers to desserts with a kick, you're going to want to take that delicious settlement!"
Credit Bureaus are just such steaming piles of crap.
Removed payment methods from my account and reset the password, but now I assume this was done to all users?
I did not hear back from support for 3 months (no exaggeration). I asked that they delete my account back then so you can imagine my delight to receive more security-related correspondence from this company today.
There is even an RSS feed. It doesn't cover every breach but certainly significant verified ones - details in the site FAQ. There is even such a thing as faked breaches!
I also alias email addresses for every service that allows a + sign in the email field, so now I have no way to notice quickly if the email was included in a leak. But I do have a way to know which service got breached or sold info if I start getting additional emails to any particular alias.
We need a US GDPR. Even if there’s nothing like the right to be forgotten, we need data breach regs.
I don't believe for one second that they didn't know about it for five months! Can someone in the EU please report this so that it's investigated for a GDPR violation?
Edit: from the official post on blog.doordash.com:
>Earlier this month, we became aware of unusual activity involving a third-party service provider.
Of course. This is quite a bit more than the 72 hour window GDPR allows.
Get with it people! The jokes are right there.