Most relevant line considering the title. PayPal wasn’t compromised.
What's the point anymore? This has happened so many times this year I've got more credit monitoring than I could ever need. Now I just need them to actually redo the "identity" system into something I can actually use with peace of mind.
www.databreach-settlement.com is for the Anthem data breach.
The Uber driver breach sends you to www.experianidworks.com.
The Equifax incident sends you to www.equifaxsecurity2017.com.
And those are just the three "we can't do security" cards/letters sitting on my desk.
I know it is a subsidiary of PayPal, not PayPal itself, but that is irrelevant.
I got into a discussion once about how to properly handle passwords (cause somebody has to do it). There is no right answer, just lots and lots of wrong ones. Don’t encrypt, hash. But not that hash, use another...and not any of those over there; and sure as shit don’t write one yourself. Use an off-the-shelf hash...just not any that you have access to now. Not that one either, we don’t recognize the author by name...and not the other one because we don’t like the owner of the company (who is not a developer).
TL;DR: if you write code that needs security...eventually you are fucked.
What we need to do is figure out a way that even if our data is leaked, it doesn't have substantial negative effects. How exactly we do that, I don't know. But if a website is hacked, it shouldn't compromise our credit or our personal information.
- Names: this is public information
- Addresses: this is public information
- Bank Account Details: this is on every check you've ever written
- SSN: this is on so many applications for things and compromised so many times it can't be realistically called private
- Account Login Details: not to be pedantic but this is a shared secret and should be treated as such
I know there have been some rumblings about actually trying to change the financial identification system in the US but really this needs to be the focus. We've been pretending that we have any sort of "secure" identification system for too long and now it's finally catching up to us. Solutions exist for a majority of these problems:
- For stolen credit card numbers: Force the issuers to add one-time CC number generation and have that one-time number locked to a merchant. Discover had this years ago and got rid of it; I'm sure others had it as well. This effectively solves the online merchant problem. Things like Visa Checkout and Masterpass also can help here by eliminating the need to give merchants your actual number (as can Android Pay, Apple Pay, Samsung Pay, PayPal, etc)
- For stolen credit cards: Actually change over to chip and pin
- For online financial identification: Issue smart+national ID cards like Estonia that can provide digital authentication. Is it perfect? No. If people don't like the concept of a smart+national ID card, put the risk of doing anything online on them. https://www.login.gov/ is a baby step in this direction.
Those may not be difficult for an adversary that targets someone personally to get. They'll have some trouble getting a few of them (something being on "every check you've ever written" doesn't mean I can see it easily if I'm not a person doing business with you. Besides, few write checks anymore anyway), but they will be able to gather most.
That's completely different than anybody who doesn't know you at all having all those details for millions of people in a large data dump - that is, any scammer worldwide.
There is a difference and it still should be secured.
My address might be public information, but because I chose to, not because someone else chose this for me.
Private information isn't private if you have to give it out.
You can find my address, but it will require effort.