[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

Chen, Tim tim at domaintools.com
Tue Feb 13 20:56:32 UTC 2018


Theo - this comment is off target on many levels and takes us well outside
of Whois. The #1 abuse-driving issue is cheap domains, due to pricing
schemes and business models of registrars and registries. Bad actors
target COM because it's popular and well-known. There are lots of tools we need to fight
abuse; Whois is but one. But a powerful one.

On Tue, Feb 13, 2018 at 9:56 AM, Theo Geurts <gtheo at xs4all.nl> wrote:

> John,
>
> I think some of us are still mystified that there are no "huge" issues in
> 147 million ccTLDs while there seem to be "huge" issues with 181 million
> gTLDs, 25% of them using privacy proxy services.
>
> Personally I am more mystified why we keep on relying on WHOIS to combat
> such issues while the abuse rate goes up in the gTLD space each year.
> Perhaps it is time to come up with something better? It looks like we would rather
> patch up the boat sinking deeper down each year, as opposed to creating a new
> seaworthy vessel.
>
> Theo
>
>
>
> On 13-2-2018 18:43, John Horton via gnso-rds-pdp-wg wrote:
>
> I am mystified as to why some people in this group don't recognize that
> while (that's US for "whilst," for my European friends!) legitimate
> business may do that -- and indeed, may be required to in Ireland and Japan
> and a few other countries, a) there is no requirement in other locations to
> do so, and b) the bad actors either don't publish it or put falsified
> information on their website... but the Whois record, whether accurate or
> falsified (and sometimes even with privacy protection) is helpful in
> anti-money laundering, consumer protection, certification, anti-abuse and
> trust and safety. Let's all acknowledge that we live in a world where there
> are many, many legitimate e-commerce businesses but many illicit ones as
> well! Our solutions have to accommodate all of the above.
>
> John Horton
> President and CEO, LegitScript
>
>
> *Follow LegitScript*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com>  |  Facebook
> <https://www.facebook.com/LegitScript>  |  Twitter
> <https://twitter.com/legitscript>  |  *Blog
> <http://blog.legitscript.com/>*  |  Newsletter
> <http://go.legitscript.com/Subscription-Management.html>
>
>
>
>
> On Tue, Feb 13, 2018 at 9:33 AM, Volker Greimann <
> vgreimann at key-systems.net> wrote:
>
>> John, if businesses want to publish their information, they should do it
>> on their website, as they are legally required to (at least over here). No
>> need for whois for that. So that purpose is out the window already.
>>
>> Volker
>>
>> Am 13.02.2018 um 18:07 schrieb John Bambenek via gnso-rds-pdp-wg:
>>
>> No it doesn't, because there are large incentives for institutions and
>> individuals to continue to publish information. Businesses, for instance,
>> WANT to be contacted. If you want mail delivered, certain best practices
>> are imposed.
>>
>> If consent is not the solution, YOU are deciding what the rest of the
>> world can and cannot do with their data. Who exactly made ICANN the arbiter
>> of what I can do with my data?
>>
>> On 2/13/2018 11:04 AM, Volker Greimann wrote:
>>
>> I am not sure you want that, because that means completely dark whois.
>>
>> I'd prefer an approach where we do not need to rely on consent (but can
>> still offer it as an option). The hard bit is finding the right principles
>> of who gets access to what and how even when there is no consent.
>>
>> Consent is not the solution.
>>
>> Am 13.02.2018 um 18:00 schrieb John Bambenek via gnso-rds-pdp-wg:
>>
>> Ok, so you agree with me in principle and we're just haggling over the
>> details now. Flip a coin for all I care, opt-in/opt-out and move forward.
>>
>> So let's do that. When can we implement?
>>
>> On 2/13/2018 10:58 AM, Volker Greimann wrote:
>>
>> You are still looking at the wrong end of the horse. Privacy is not the
>> choice, it is the default. Divulging data is the choice.
>>
>> Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
>>
>> Exactly right. As far as I'm concerned if we made privacy a free choice,
>> make the fields optional for all I care, and whatever they do make is
>> public... we have solved this problem.
>>
>> People who ACTUALLY protect society against privacy threats have the data
>> to do their jobs, consumers who want privacy have a free option for it, and
>> registrars can be in compliance with the law.
>>
>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>
>> This is just an example, but there is a lot of damage that can be caused
>> with data being exposed. In our case we have phone numbers, addresses and
>> emails, which are required for verification.
>>
>> This takes us to the issue of consent.
>>
>> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <
>> gnso-rds-pdp-wg at icann.org> wrote:
>>
>>> Let's be honest here, we're talking about phone numbers and email
>>> addresses. The threat model is RADICALLY different with the data we are
>>> talking about.
>>>
>>> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>
>>> Undeterred by the fact that no one has responded to my last post, I offer
>>> the following update to the Equifax breach to further illustrate my point.
>>> As many companies have found out, you don't find out what you've got till
>>> it's gone... a further reason for data minimization and short retention
>>> periods.
>>>
>>>
>>> http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>
>>>
>>> *Equifax hack worse than previously thought: Biz kissed goodbye to card
>>> expiry dates, tax IDs etc*
>>> Pwned credit-score biz quietly admits more info lost
>>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>
>>> Last year, Equifax admitted
>>> https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>> hackers stole sensitive personal records on 145 million Americans and
>>> hundreds of thousands in the UK
>>> https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>> and Canada.
>>>
>>> The outfit already said cyber-crooks "primarily" took names, social
>>> security numbers, birth dates, home addresses, credit-score dispute forms,
>>> and, in some instances, credit card numbers and driver license numbers. Now
>>> the credit-checking giant reckons the intruders snatched even more
>>> information from its databases.
>>>
>>> According to documents provided by Equifax to the US Senate Banking
>>> Committee,
>>> and *revealed this month by Senator Elizabeth Warren (D-MA)*,
>>> https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>> the attackers also grabbed taxpayer identification numbers, phone
>>> numbers, email addresses, and credit card expiry dates belonging to some
>>> Equifax customers.
>>>
>>> Like social security numbers, taxpayer ID numbers are useful for
>>> fraudsters seeking to steal people's identities or their tax rebates, and
>>> the expiry dates are similarly useful for online crooks when linked with
>>> credit card numbers and other personal information.
>>>
>>>
>>> *Contradictory*
>>>
>>> "As your company continues to issue incomplete, confusing and
>>> contradictory statements and hide information from Congress and the public,
>>> it is clear that five months after the breach was publicly announced,
>>> Equifax has yet to answer this simple question in full: what was the
>>> precise extent of the breach?" Warren fumed in a missive late last week.
>>> https://www.warren.senate.gov/?p=press_release&id=2317
>>>
>>> Equifax spokeswoman Meredith Griffanti stressed to The Register today
>>> that the extra information snatched by hackers, as revealed by Senator
>>> Warren, belonged to "some" Equifax customers. In other words, not everyone
>>> had their phone numbers, email addresses, and so on, slurped by crooks, just
>>> some. How much is some? Equifax isn't saying, hence Warren's (and everyone
>>> else's) growing frustration.
>>>
>>> The senator is a cosponsor of the *proposed Data Breach Prevention and
>>> Compensation Act*
>>> https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>> which, if passed, would impose computer security regulations on credit
>>> reporting agencies, with mandatory fines that would have led to Equifax
>>> coughing up $1.5bn for its IT blunder.
>>>
>>> Some regulation or punishment is obviously needed.
>>>
>>> No senior Equifax executives were fired over the attack; instead, the CEO,
>>> CSO and CIO were all allowed to retire with multi-million dollar golden
>>> parachutes. The US government's Consumer Financial Protection Bureau
>>> promised a full investigation into the Equifax affair, and then gave up. On
>>> February 7, an open letter [PDF]
>>> https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>> from 32 senators to the bureau asked why the probe was dropped, and the
>>> gang has yet to receive a response. ®
>>>
>>>
>>> _______________________________________________
>>> gnso-rds-pdp-wg mailing list
>>> gnso-rds-pdp-wg at icann.org
>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>
>>>
>>> --
>>> --
>>>
>>> John Bambenek
>>>
>>>
>>
>> --
>>
>> Regards
>> Nanghaka Daniel K.
>> Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead -
>> ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018
>> Mobile +256 772 898298 (Uganda)
>> Skype: daniel.nanghaka
>>
>> ----------------------------------------- *"Working for Africa" *
>> -----------------------------------------
>>
>>
>>
>>
>> --
>> --
>>
>> John Bambenek
>>
>>
>> --
>> --
>>
>> John Bambenek
>>
>>
>> --
>> --
>>
>> John Bambenek
>>
>>
>
>