[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
Theo Geurts
gtheo at xs4all.nl
Tue Feb 13 17:13:07 UTC 2018
Exactly, ICANN should have never mandated registrant data to register a
domain name in the first place, a big mistake. Technically it is not
required anyways.
On 13-2-2018 18:07, John Bambenek via gnso-rds-pdp-wg wrote:
>
> No it doesn't because there are large incentives for institutions and
> individuals to continue to publish information. Businesses, for
> instance, WANT to be contacted. If you want mail delivered, certain
> best practices are imposed.
>
> If consent is not the solution, YOU are deciding what the rest of the
> world can and cannot do with their data. Who exactly made ICANN the
> arbiter of what I can do with my data?
>
>
> On 2/13/2018 11:04 AM, Volker Greimann wrote:
>>
>> I am not sure you want that, because that means completely dark whois.
>>
>> I'd prefer an approach where we do not need to rely on consent (but
>> can still offer it as an option). The hard bit is finding the right
>> principles of who gets access to what and how even when there is no
>> consent.
>>
>> Consent is not the solution.
>>
>>
>> On 13.02.2018 at 18:00, John Bambenek via gnso-rds-pdp-wg wrote:
>>>
>>> Ok, so you agree with me in principle and we're just haggling over
>>> the details now. Flip a coin for all I care, opt-in/opt-out and move
>>> forward.
>>>
>>> So let's do that. When can we implement?
>>>
>>>
>>> On 2/13/2018 10:58 AM, Volker Greimann wrote:
>>>>
>>>> You are still looking at the wrong end of the horse. Privacy is not
>>>> the choice, it is the default. Divulging data is the choice.
>>>>
>>>>
>>>> On 13.02.2018 at 17:57, John Bambenek via gnso-rds-pdp-wg wrote:
>>>>>
>>>>> Exactly right. As far as I'm concerned if we made privacy a free
>>>>> choice, make the fields optional for all I care, and whatever they
>>>>> do make is public... we have solved this problem.
>>>>>
>>>>> People who ACTUALLY protect society against privacy threats have
>>>>> the data to do their jobs, consumers who want privacy have a free
>>>>> option for it, and registrars can be in compliance with the law.
>>>>>
>>>>>
>>>>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>>>>> This is just an example but there is a lot of damage that can be
>>>>>> caused with data being exposed. In our case we have phone
>>>>>> numbers, addresses, emails which are required for verification.
>>>>>>
>>>>>> This takes us to the issue of consent.
>>>>>>
>>>>>> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg
>>>>>> <gnso-rds-pdp-wg at icann.org> wrote:
>>>>>>
>>>>>> Let's be honest here, we're talking about phone numbers and
>>>>>> email addresses. The threat model is RADICALLY different with
>>>>>> the data we are talking about.
>>>>>>
>>>>>>
>>>>>> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>>>>>
>>>>>>> Undeterred by the fact that no one has responded to my last
>>>>>>> post, I offer the following update to the Equifax breach to
>>>>>>> further illustrate my point. As many companies have found
>>>>>>> out, you don't find out what you've got till it's gone... a
>>>>>>> further reason for data minimization and short retention
>>>>>>> periods.
>>>>>>>
>>>>>>> http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>>>>>
>>>>>>>
>>>>>>> *Equifax hack worse than previously thought: Biz kissed
>>>>>>> goodbye to card expiry dates, tax IDs etc*
>>>>>>> Pwned credit-score biz quietly admits more info lost
>>>>>>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>>>>>
>>>>>>> Last year, Equifax admitted
>>>>>>> https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>>>>>> hackers stole sensitive personal records on 145 million
>>>>>>> Americans and hundreds of thousands in the UK
>>>>>>> https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>>>>>> and Canada.
>>>>>>>
>>>>>>> The outfit already said cyber-crooks "primarily" took names,
>>>>>>> social security numbers, birth dates, home addresses,
>>>>>>> credit-score dispute forms, and, in some instances, credit
>>>>>>> card numbers and driver license numbers. Now the
>>>>>>> credit-checking giant reckons the intruders snatched even
>>>>>>> more information from its databases.
>>>>>>>
>>>>>>> According to documents provided by Equifax to the US Senate
>>>>>>> Banking Committee,
>>>>>>> and _revealed this month by Senator Elizabeth Warren (D-MA)_,
>>>>>>> https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>>>>>> the attackers also grabbed taxpayer identification numbers,
>>>>>>> phone numbers, email addresses, and credit card expiry dates
>>>>>>> belonging to some Equifax customers.
>>>>>>>
>>>>>>> Like social security numbers, taxpayer ID numbers are useful
>>>>>>> for fraudsters seeking to steal people's identities or their
>>>>>>> tax rebates, and the expiry dates are similarly useful for
>>>>>>> online crooks when linked with credit card numbers and other
>>>>>>> personal information.
>>>>>>>
>>>>>>>
>>>>>>> *Contradictory*
>>>>>>>
>>>>>>> "As your company continues to issue incomplete, confusing
>>>>>>> and contradictory statements and hide information from
>>>>>>> Congress and the public, it is clear that five months after
>>>>>>> the breach was publicly announced, Equifax has yet to answer
>>>>>>> this simple question in full: what was the precise extent of
>>>>>>> the breach?" Warren fumed in a missive late last week.
>>>>>>> https://www.warren.senate.gov/?p=press_release&id=2317
>>>>>>>
>>>>>>> Equifax spokeswoman Meredith Griffanti stressed to The
>>>>>>> Register today that the extra information snatched by
>>>>>>> hackers, as revealed by Senator Warren, belonged to "some"
>>>>>>> Equifax customers. In other words, not everyone had their
>>>>>>> phone numbers, email addresses, and so on, slurped by crooks,
>>>>>>> just some. How much is some? Equifax isn't saying, hence
>>>>>>> Warren's (and everyone else's) growing frustration.
>>>>>>>
>>>>>>> The senator is a cosponsor of the _proposed Data Breach
>>>>>>> Prevention and Compensation Act_,
>>>>>>> https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>>>>>> which, if passed, would impose computer security regulations
>>>>>>> on credit reporting agencies, with mandatory fines that
>>>>>>> would have led to Equifax coughing up $1.5bn for its IT blunder.
>>>>>>>
>>>>>>> Some regulation or punishment is obviously needed.
>>>>>>>
>>>>>>> No senior Equifax executives were fired over the attack;
>>>>>>> instead the CEO, CSO and CIO were all allowed to retire with
>>>>>>> multi-million dollar golden parachutes. The US government's
>>>>>>> Consumer Financial Protection Bureau promised a full
>>>>>>> investigation into the Equifax affair, and then gave up. On
>>>>>>> February 7, an open letter [PDF]
>>>>>>> https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>>>>>> from 32 senators to the bureau asked why the probe was
>>>>>>> dropped, and the gang has yet to receive a response. ®
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>
>>>>>> --
>>>>>> --
>>>>>>
>>>>>> John Bambenek
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Regards
>>>>>> Nanghaka Daniel K.
>>>>>> Executive Director - ILICIT Africa / Chair - FOSSFA / Community
>>>>>> Lead - ISOC Uganda Chapter / Geo4Africa Lead / Organising Team -
>>>>>> FOSS4G2018
>>>>>> Mobile +256 772 898298 (Uganda)
>>>>>> Skype: daniel.nanghaka
>>>>>>
>>>>>> ----------------------------------------- /"Working for Africa"
>>>>>> /-----------------------------------------
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>>
>>>>> John Bambenek
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>> --
>>> --
>>>
>>> John Bambenek
>>>
>>>
>>
>>
>>
>
> --
> --
>
> John Bambenek
>
>