[HN Gopher] Geico data breach exposed customers' driver's licens...
___________________________________________________________________
Geico data breach exposed customers' driver's license numbers
Author : PretzelFisch
Score : 121 points
Date : 2021-04-20 14:20 UTC (8 hours ago)
(HTM) web link (www.theverge.com)
(TXT) w3m dump (www.theverge.com)
| adolph wrote:
| _In a data breach notification to impacted individuals, the
| company reveals that, between January 21 and March 1, 2021, using
| customer information acquired elsewhere, fraudsters managed to
| gain unauthorized access to driver's license numbers by abusing
| the online sales system on Geico's website._ [0]
|
| 0. https://www.securityweek.com/car-insurance-company-geico-dis...
|
| It took them 6 weeks to report to CA AG:
|
| Organization Name: Government Employees Insurance Company
| Date(s) of Breach: 01/21/2021, 03/01/2021
| Reported Date: 04/15/2021
|
| https://oag.ca.gov/privacy/databreach/list?field_sb24_org_na...
| cschneid wrote:
| The underlying problem seems to be that companies confuse
| identification with authentication.
|
| A drivers license number is a unique ID. The physical card with
| security features and a photo is the authentication that it
| belongs to me, holding it.
|
| Same thing with social security numbers. That can be treated as
| an identifier, so the bank can talk about an individual. But not
| as authentication and authorization to open new accounts.
|
| Data breaches would be so much less scary if banks and similar
| didn't keep screwing this up.
| dheera wrote:
| They also sent me unsolicited junk mail at a new address and I
| don't know how they got that address. As such I would never use
| Geico for violating my privacy. I will only use companies that
| DON'T try to extract my personal info without me giving it to
| them explicitly.
|
| This only doubly confirms that they suck at privacy.
| icedchai wrote:
| Good luck. Privacy is an illusion. If you use your address
| for any sort of billing (utilities, cell phone, whatever) or
| government / public service (license, voter, real estate
| records) it is going to be sold, and resold...
| dheera wrote:
| Use a UPS box for billing addresses. Don't register to vote
| until THEY commit to stop handing out addresses. Or
| register to vote without your address. That should be
| possible. Homeless people can register to vote, so I should
| be able to as well.
| pxeboot wrote:
| If you submit a change of address to the USPS, they sell that
| data to marketing companies. One workaround is to submit a
| 'temporary' address change for 6 months at a time instead.
| dheera wrote:
| I don't submit change of address to USPS for this reason. I
| hate the USPS with a passion for doing that to people.
| bashinator wrote:
| Hate the politicians who cut USPS' funding to such an
| extent that this is necessary.
| mistrial9 wrote:
| USPS wasted huge money and the Union demands even bigger
| pensions, while USPS is losing market to commercial
| carriers at the same time in the open market.. no one is
| clean in that fight
| cptskippy wrote:
| The purpose of the function is to update any entity that
| legitimately has your name/address as to your new
| address. It's used by Magazine publishers to
| automatically update your subscription addresses. It's
| also used by companies you've done business with but
| might not have updated your address info such as a
| specialist doctor you visited once or your old insurance
| company.
|
| I personally think that's of more value than stopping
| junk mailers from sending me personalized junk mail.
| You're going to get the junk mail either way.
| dheera wrote:
| No, screw that. 99% of people who get updated address via
| USPS are illegitimate.
|
| If they think they're doing me a service, they're not.
|
| Specialist doctors can just e-mail me. This is 2021. My
| physical address has changed at least 8 times in the past
| 2 decades. My e-mail address hasn't changed in that whole
| time.
|
| I don't subscribe to magazines, and even if I did, you'd
| be sure as hell that I would update my address if I was
| paying for something.
| cptskippy wrote:
| > 99% of people who get updated address via USPS are
| illegitimate.
|
| Is there any evidence to back that up or is that one of
| those "Feel Facts"?
|
| So it's not beneficial to you but many people change
| their email address with greater frequency than they do
| their mailing address so your solution wouldn't work
| either.
| dheera wrote:
| In my case it's 100%. I change my address with anyone who
| needs it. Anyone who doesn't get contacted by me doesn't
| need to know.
|
| It's my personal information and before they try to do me
| a "service" by giving it away, they should ASK me.
|
| What next, give away my address to stalkers who knew
| where I lived before? Fuck that.
| throwawayboise wrote:
| I thought there was a (perhaps non-obvious) opt-out for
| that? Am I misremembering?
| perl4ever wrote:
| >if banks and similar didn't keep screwing this up
|
| They aren't "screwing it up". They eliminate the problem from
| their perspective via forcing people into binding arbitration
| and forbidding class actions, and also through promoting the
| concept of "identity theft" which eliminates the sense that
| they have any agency when there are compromises.
|
| Every user agreement I see goes on and on about how you the
| consumer are responsible for any compromises on _your_ end, so
| there's no question that the concept of being responsible for
| security is widely understood. It simply is not applied to
| corporations because they are able to reject it where
| individuals have no bargaining power.
| foobiter wrote:
| at this point i have very little data that hasn't been exposed
| from various leaks and honestly it makes me feel a little
| helpless - I've had my drivers license number, phone numbers,
| unhashed passwords, personal health info, health insurance,
| credit card numbers, my social security number, home address,
| security questions... and more! all leaked/hacked. All I've
| gotten for this poor data handling is a few years of credit
| monitoring.
| tibiahurried wrote:
| Something is fundamentally wrong if a driver license number can
| pose an identity security threat.
| myself248 wrote:
| Lots is fundamentally wrong.
|
| Have you been paying attention?
| 1-6 wrote:
| Here's yet another instance where a blockchain could possibly
| solve the identity crisis of Americans.
| Guest42 wrote:
| I would lean more towards better use of encryption and
| firewalls for the sake of simplicity and thoroughness. Can
| anyone with familiarity describe a solution/strategy?
| mindslight wrote:
| Exactly! Publish all the leaks of this needlessly-sensitive
| non-secret information into a blockchain, so that companies and
| governments are unable to ignore the obvious reality. Right now
| they're free to continue sticking their head in the sand and
| acting like anybody who gets a hold of their lists is a witch.
| So many companies refused to take code security seriously until
| the rise of full disclosure. We need a similar watershed for
| fallacious identification procedures.
| trashcan wrote:
| I need to put my personal information in a public ledger, and
| then waste energy to prove it is correct?
| specialist wrote:
| Yup, more or less.
|
| Misc central authorities issue you secure enclaves. Dept of
| licensing, health care system, banks, github, employer, etc.
|
| You then create key pairs as needed.
|
| Publish those public keys to misc webs of trust, as needed.
|
| Then use private keys to digitally sign anything you think worth
| signing.
|
| Log those transactions to the misc blockchains, as needed.
|
| --
|
| The alternative to authenticity is our current Freedom
| Speeches(tm) dystopia. Bots, sock puppets, identity theft
| industry, fraud, etc.
|
| For all the naysayers: Would you install unsigned, untrusted
| code? If you answer yes, then stuff like privacy and
| authenticity isn't really your priority.
|
| Choose wisely.
| nonameiguess wrote:
| Babies, indigent and homeless, institutionalized,
| imprisoned, extreme rural, or people who just don't want to
| use electronic devices (Amish, etc.) all still have legal
| identities. Some of those people are even allowed to be
| employed and have bank accounts.
| specialist wrote:
| Since some of us can't or won't have privacy &
| authenticity, then no one can?
| mindslight wrote:
| The problem is that any such system needs to be designed
| such that an individual can't be forced to give up their
| ironclad identity to a grocery store for loyalty discounts,
| to a webstore simply to make a purchase, or even to an
| online discussion forum - eg through blinding, nyms, and
| legal restrictions. But we lack the political will to
| mandate this, because corporate interests will sponsor
| loopholes that eliminate any such protections. We have the
| current state of affairs precisely because the law failed
| to include any prohibition on companies demanding SSNs/DLs
| for arbitrary purposes.
|
| > _Would you install unsigned, untrusted code?_
|
| Yes. I trust javascript from https://google.com the same as
| javascript from http://dodgywarez.example.com. Both get
| executed in a javascript VM, nested in a KVM VM, off of my
| main desktop machine. Security based on making sure that
| there is someone to sue just doesn't scale.
| specialist wrote:
| Somewhat sandboxed scripting vs operating system is like
| coupon flyers vs notarized legal documents.
|
| Would you bank online via HTTP (vs HTTPS)?
|
| When I was doing nodejs work, npm artifacts still weren't
| being signed. Sure, _some_ people play in traffic. Doesn't
| mean we all should.
|
| People arguing against privacy & authenticity always
| remind me of a coworker who emphatically opposed password
| managers or any system whatsoever for managing secrets.
| Something something "single point of failure".
| mindslight wrote:
| You seem to have referenced that example merely for a way
| of saying things should be secure, but I took it and tied
| it into the larger point about the futility of stronger
| identification.
|
| The thing about security is that it's inherently a multi
| party problem. Some party that is able to identify me is
| increasing _their own_ security, but likely at the
| expense of decreasing _my own_ security. You speak of
| authenticity, yet there is a good reason chat protocols
| don't stop at naive signatures, but rather actually
| increase their complexity for additional properties like
| repudiation.
|
| Sure, many activities prudently require a way to
| reasonably identify people and have an acceptable
| downside. And sometimes when individuals' security is
| broken, society benefits (eg DKIM being used to verify
| leaked email authenticity). But there are many more that
| do not need such things, and in fact doing so would harm
| our freedom (the examples I gave).
|
| You seem to be staking out the position that some sort of
| universal identity would be a good thing, including for
| casual Internet communication ("Bots, sock puppets"). I
| wholeheartedly disagree with this.
| 2OEH8eoCRo0 wrote:
| Nah. I think that companies need to verify identities better.
| All information about me is probably out there in some form but
| there is still only one "me". Verify "me" better.
|
| Companies who are tricked into doing things with stolen
| credentials should be held accountable.
| eloff wrote:
| Or you know, a centralized database.
|
| The problem is not that your SSN can be leaked, the problem is
| that it shouldn't be trusted in the first place.
|
| How is it a thing that a bank can give a loan to anyone
| claiming to have my name and SSN, without verifying that, and
| then hold me legally responsible for their lack of judgment?
| And the court protects the bank?
|
| The problem here is the banks are being dumb, and rather than
| letting them suffer the consequences of that stupidity - the
| court makes it my problem. The legal system has seriously
| failed Americans here.
| jdsully wrote:
| The problem is rarely with the courts; most people don't lose
| lawsuits like that. The problem is when the real person goes
| to the bank for credit and can't get it because the bank
| thinks you are already in default.
| eloff wrote:
| And it could take up to a decade to sort out in the courts
| at your own expense.
|
| The courts and regulators have completely failed the people
| here. Why do they not slap the banks and credit rating
| agencies down for this behavior? They are failing
| egregiously to protect the little guy here.
| throwawayboise wrote:
| > How is it a thing that a bank can give a loan to anyone
| claiming to have my name and SSN, without verifying that, and
| then hold me legally responsible for their lack of judgment?
|
| They can't. That's not to say that it doesn't happen, or that
| it might not be a PITA to sort it out. But in court they
| would need to have more than a name and SSN to prove that you
| took out the loan.
| adolph wrote:
| How would a "centralized database" solve "a bank can give a
| loan to anyone claiming to have my name and SSN?"
| eloff wrote:
| How does a blockchain solve it in a way that a centralized
| db does not?
|
| The choice of db does nothing to address the underlying
| problems. Which was my point.
| idiotsecant wrote:
| In pretty much the same way that a decentralized database
| like a blockchain would. You interact with the centralized
| database to permit the transaction requested by the loan
| distributor, probably via 2FA.
|
| The only difference in the schemes is whether you need to
| trust the centralized database or not. Most people would
| much rather trust a large institution than have
| responsibility for managing their key.
| pmiller2 wrote:
| Or, how about we just don't publish everyone's legal identity
| in the same exact place? Sure, they won't be breaking into
| Geico to steal drivers' license numbers anymore, but just
| wait until this wonderful "centralized database" gets
| compromised....
| christophilus wrote:
| Hopefully Geico has cyber insurance. If it's insured by
| Berkshire, that'd be a tad recursive.
| thablackbull wrote:
| Internal retrocession is a normal practice in insurance
| companies. The larger entity can pool money and absorb losses
| better.
| christophilus wrote:
| Berkshire really doesn't think that way, though. Their
| operations are largely distinct and don't really inter-
| communicate or plan. Fairly recently, one of their businesses
| sustained a large loss, and the casualty insurer paid out a
| handsome sum, so the business actually came out ahead. But
| the downside was that the insurer was one of Berkshire's
| subsidiaries. This was evidently unplanned and unknown ahead
| of time at the top level, but shows the decentralized
| structure of Berkshire is not just in name only.
| ripply wrote:
| Some states' driver's license numbers are deterministically
| computed with your name, date of birth and gender.
|
| If you live in one of those states and your data is already out
| there (through a previous breach) then your driver's license
| number is already public knowledge to hackers.
|
| According to an online calculator this applies to these states:
|
| Florida
|
| Illinois
|
| Maryland
|
| Michigan
|
| Minnesota (Prior to December 13, 2004 only)
|
| Nevada (Prior to January 1998 only)
|
| New Hampshire
|
| New Jersey
|
| New York (Prior to September 1992 only)
|
| Washington
|
| Wisconsin
|
| http://www.highprogrammer.com/alan/numbers/dl_us_shared.html
| foolfoolz wrote:
| > to hackers
|
| to everyone
| andrewmunsell wrote:
| Back in college in Washington, I had a presentation to give in
| a class about privacy. To illustrate how very little of it we
| really have, I essentially doxxed the professor in front of
| everyone (of course, with his permission-- he had final say on
| what was actually shown to the class in the presentation) and
| demonstrated how public most people have their social media
| settings set to and what information was actually in the public
| record.
|
| Apart from things like public Facebook photos and things like
| public mortgage records and salary info for public school
| professors, I used the fact the DL number was deterministic to
| make a really good (and apparently correct) guess as to what
| the number really was.
|
| The professor was a really good sport about it.
| SilasX wrote:
| >Some states' driver's license numbers are deterministically
| computed with your name, date of birth and gender.
|
| Hm, I thought that couldn't be possible: if that were true, the
| system would be hosed the moment two people are born that match
| on all three. (Insert "falsehoods programmers believe about
| ...")
|
| Reading through to the link, it claims that some states do have
| issues with collisions like that (but doesn't provide enough to
| confirm independently):
|
| >>Looking at this, may become clear that it is possible for two
| people with similar names to get the exact same driver's
| license number. ... This is solved with "overflow" numbers, a
| simple sequential number can be appended to each duplicate
| number to resolve the confusion.
|
| >>...Illinois may have overflow digits, but if they do the
| information is not on your driver's license. This means that if
| Joshua William Smith is wanted by police and his driver's
| license number is flagged as such, Jack Wayne Snoddy may be
| briefly detained while the police check their records to sort
| out the shared number. I have been told that Illinois state
| databases actually include a two or three digit number to
| distinguish between different people with the same license. One
| correspondent told me that their friend was pulled over for a
| minor traffic violation and was arrested as someone else. He
| sat in the police car for a while while they sorted it out. He
| and the other person had the exact same number; the other guy
| was a wanted man, but my correspondent's friend did not.
| techsupporter wrote:
| > Washington
|
| Not for too much longer for most people. ID cards issued on or
| after September, 2018 have a random code format instead of the
| generated one from before:
| https://custhelp.courts.wa.gov/ci/fattach/get/63481/0/filena...
|
| All ID cards are being changed as they are renewed.
| pmiller2 wrote:
| > All ID cards are being changed as they are renewed.
|
| Well, _that's_ not going to cause anybody any issues.
| downrightmike wrote:
| Also, the info can just be bought as most DOTs will see it as a
| revenue source. This is how companies find you about your
| car's extended warranty.
| airstrike wrote:
| I don't have a car and yet still get that same call daily...
| client4 wrote:
| Hah Geico's internal claim system is a giant (internal) FTP dump
| of scans connected to a web front end. The FTP has endless scans
| of claims checks, etc, including DL numbers.
|
| Maybe they should change their dev environment SQL passwords from
| SA.
| edoceo wrote:
| haha, first time I see MSSQL(6.x) ask the admin for the
| credentials and he tells me, "sa" and the password. so I type
| in "ese" (friend) and then we had a few minutes of confusion /
| frustration.
| gumby wrote:
| Note that these days if you go into one of many bars, pick up
| certain prescriptions, or buy alcohol at a supermarket, your DL
| is electronically scanned and all the info is read from the mag
| stripe or optical code from the back. The justification is that
| this prevents the checker (check out person, bouncer etc) from
| violating the law, protecting the business and the employee.
|
| The companies that sell the "age verifier" scanners collect
| all the scanned info, rather than merely verifying age. The big
| pharmacies and big supermarkets collect it all for marketing (in
| the pharmacy case it's also used for government pharmaceutical
| surveillance, in particular for the DEA).
|
| I've long been appalled that DLs contain anything more than
| required to drive (a field biometric like a photo, expiry date,
| class of service, and a confidential identifier so it can be
| checked by a cop for revocation). But that cat would be
| impossible to stuff back into the bag.
| villgax wrote:
| Same has happened with MobiKwik in India & seemingly no action
| whatsoever has happened
| killvung wrote:
| I really hate how organizations nowadays just blatantly ask you for
| sensitive information then did an oopsie by breaching them out.
| ppetty wrote:
| > We recently determined that between January 21, 2021 and March
| 1, 2021, fraudsters used information about you - which they
| acquired elsewhere - to obtain unauthorized access to your
| driver's license number through the online sales system on our
| website.
|
| I wish there was some additional clarification around what
| "online sales system" is?
|
| Is that the system I use to buy insurance?
|
| Or is that the system Geico uses to sell my information (which,
| aside from breaches, might be the other way 3rd party access is
| gained to my personal information)?
| kevinpet wrote:
| You can start a quote, put down the info they already had,
| and it will check their internal systems and say "oh, is this
| you?"
___________________________________________________________________
(page generated 2021-04-20 23:02 UTC)