[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
theo geurts
gtheo at xs4all.nl
Tue Feb 13 21:14:40 UTC 2018
Am I off target?
I think I am very on target since the very start of this WG trying to
bridge data protection and fighting abuse.
Theo
On 13-2-2018 21:56, Chen, Tim wrote:
> Theo - this comment is off target on many levels and takes us well
> outside of Whois. The #1 abuse-driving issue is cheap domains, due
> to pricing schemes and business models of registrars and registries.
> Bad actors target COM bc it's popular and well-known. Lots of tools
> we need to fight abuse, Whois is but one. But a powerful one.
>
> On Tue, Feb 13, 2018 at 9:56 AM, Theo Geurts <gtheo at xs4all.nl> wrote:
>
> John,
>
> I think some of us are still mystified that there are no "huge"
> issues in 147 million ccTLDs while there seem to be "huge" issues
> with 181 million gTLDs, 25% of them using privacy proxy services.
>
> Personally I am more mystified why we keep on relying on WHOIS to
> combat such issues while the abuse rate goes up in the gTLD space
> each year. Perhaps it is time to come up with something better? It looks
> like we would rather patch up the boat, which sinks deeper each year,
> as opposed to creating a new seaworthy vessel.
>
> Theo
>
>
>
> On 13-2-2018 18:43, John Horton via gnso-rds-pdp-wg wrote:
>> I am mystified as to why some people in this group don't
>> recognize that while (that's US for "whilst," for my European
>> friends!) legitimate business may do that -- and indeed, may be
>> required to in Ireland and Japan and a few other countries, a)
>> there is no requirement in other locations to do so, and b) the
>> bad actors either don't publish it or put falsified information
>> on their website...but the Whois record, whether accurate or
>> falsified (and sometimes even with privacy protection) is helpful
>> in anti-money laundering, consumer protection, certification,
>> anti-abuse, and trust and safety. Let's all acknowledge that we
>> live in a world where there are many, many legitimate e-commerce
>> businesses but many illicit ones as well! Our solutions have to
>> accommodate for all of the above.
>>
>> John Horton
>> President and CEO, LegitScript
>>
>>
>> On Tue, Feb 13, 2018 at 9:33 AM, Volker Greimann
>> <vgreimann at key-systems.net> wrote:
>>
>> John, if businesses want to publish their information, they
>> should do it on their website, as they are legally required
>> to (at least over here). No need for whois for that. So that
>> purpose is out the window already.
>>
>> Volker
>>
>>
>> Am 13.02.2018 um 18:07 schrieb John Bambenek via gnso-rds-pdp-wg:
>>>
>>> No it doesn't, because there are large incentives for
>>> institutions and individuals to continue to publish
>>> information. Businesses, for instance, WANT to be contacted.
>>> If you want mail delivered, certain best practices are imposed.
>>>
>>> If consent is not the solution, YOU are deciding what the
>>> rest of the world can and cannot do with their data. Who
>>> exactly made ICANN the arbiter of what I can do with my data?
>>>
>>>
>>> On 2/13/2018 11:04 AM, Volker Greimann wrote:
>>>>
>>>> I am not sure you want that, because that means completely
>>>> dark whois.
>>>>
>>>> I'd prefer an approach where we do not need to rely on
>>>> consent (but can still offer it as an option). The hard bit
>>>> is finding the right principles of who gets access to what
>>>> and how even when there is no consent.
>>>>
>>>> Consent is not the solution.
>>>>
>>>>
>>>> Am 13.02.2018 um 18:00 schrieb John Bambenek via
>>>> gnso-rds-pdp-wg:
>>>>>
>>>>> Ok, so you agree with me in principle and we're just
>>>>> haggling over the details now. Flip a coin for all I care,
>>>>> opt-in/opt-out and move forward.
>>>>>
>>>>> So let's do that. When can we implement?
>>>>>
>>>>>
>>>>> On 2/13/2018 10:58 AM, Volker Greimann wrote:
>>>>>>
>>>>>> You are still looking at the wrong end of the horse.
>>>>>> Privacy is not the choice, it is the default. Divulging
>>>>>> data is the choice.
>>>>>>
>>>>>>
>>>>>> Am 13.02.2018 um 17:57 schrieb John Bambenek via
>>>>>> gnso-rds-pdp-wg:
>>>>>>>
>>>>>>> Exactly right. As far as I'm concerned if we made
>>>>>>> privacy a free choice, make the fields optional for all
>>>>>>> I care, and whatever they do make is public... we have
>>>>>>> solved this problem.
>>>>>>>
>>>>>>> People who ACTUALLY protect society against privacy
>>>>>>> threats have the data to do their jobs, consumers who
>>>>>>> want privacy have a free option for it, and registrars
>>>>>>> can be in compliance with the law.
>>>>>>>
>>>>>>>
>>>>>>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>>>>>>> This is just an example, but there is a lot of damage
>>>>>>>> that can be caused by data being exposed. In our case
>>>>>>>> we have phone numbers, addresses and emails, which are
>>>>>>>> required for verification.
>>>>>>>>
>>>>>>>> This takes us to the issue of consent.
>>>>>>>>
>>>>>>>> On Tuesday, February 13, 2018, John Bambenek via
>>>>>>>> gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>>>>>>>>
>>>>>>>> Let's be honest here, we're talking about phone
>>>>>>>> numbers and email addresses. The threat model is
>>>>>>>> RADICALLY different with the data we are talking about.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>>>>>>>
>>>>>>>>> Undeterred by the fact that no one has responded to
>>>>>>>>> my last post, I offer the following update on the
>>>>>>>>> Equifax breach to further illustrate my point. As
>>>>>>>>> many companies have found out, you don't find out
>>>>>>>>> what you've got till it's gone... a further
>>>>>>>>> reason for data minimization and short retention
>>>>>>>>> periods.
>>>>>>>>>
>>>>>>>>> http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>>>>>>>
>>>>>>>>> *Equifax hack worse than previously thought: Biz
>>>>>>>>> kissed goodbye to card expiry dates, tax IDs etc*
>>>>>>>>> Pwned credit-score biz quietly admits more info lost
>>>>>>>>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>>>>>>>
>>>>>>>>> Last year, Equifax admitted
>>>>>>>>> https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>>>>>>>> hackers stole sensitive personal records on 145
>>>>>>>>> million Americans and hundreds of thousands in the UK
>>>>>>>>> https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>>>>>>>> and Canada.
>>>>>>>>>
>>>>>>>>> The outfit already said cyber-crooks "primarily"
>>>>>>>>> took names, social security numbers, birth dates,
>>>>>>>>> home addresses, credit-score dispute forms, and,
>>>>>>>>> in some instances, credit card numbers and driver
>>>>>>>>> license numbers. Now the credit-checking giant
>>>>>>>>> reckons the intruders snatched even more
>>>>>>>>> information from its databases.
>>>>>>>>>
>>>>>>>>> According to documents provided by Equifax to the
>>>>>>>>> US Senate Banking Committee,
>>>>>>>>> and revealed this month by Senator Elizabeth
>>>>>>>>> Warren (D-MA),
>>>>>>>>> https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>>>>>>>> the attackers also grabbed taxpayer identification
>>>>>>>>> numbers, phone numbers, email addresses, and
>>>>>>>>> credit card expiry dates belonging to some Equifax
>>>>>>>>> customers.
>>>>>>>>>
>>>>>>>>> Like social security numbers, taxpayer ID numbers
>>>>>>>>> are useful for fraudsters seeking to steal
>>>>>>>>> people's identities or their tax rebates, and the
>>>>>>>>> expiry dates are similarly useful for online
>>>>>>>>> crooks when linked with credit card numbers and
>>>>>>>>> other personal information.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *Contradictory*
>>>>>>>>>
>>>>>>>>> "As your company continues to issue incomplete,
>>>>>>>>> confusing and contradictory statements and hide
>>>>>>>>> information from Congress and the public, it is
>>>>>>>>> clear that five months after the breach was
>>>>>>>>> publicly announced, Equifax has yet to answer this
>>>>>>>>> simple question in full: what was the precise
>>>>>>>>> extent of the breach?" Warren fumed in a missive
>>>>>>>>> late last week.
>>>>>>>>> https://www.warren.senate.gov/?p=press_release&id=2317
>>>>>>>>>
>>>>>>>>> Equifax spokeswoman Meredith Griffanti stressed to
>>>>>>>>> The Register today that the extra information
>>>>>>>>> snatched by hackers, as revealed by Senator
>>>>>>>>> Warren, belonged to "some" Equifax customers. In
>>>>>>>>> other words, not everyone had their phone numbers,
>>>>>>>>> email addresses, and so on, slurped by crooks, just
>>>>>>>>> some. How much is some? Equifax isn't saying,
>>>>>>>>> hence Warren's (and everyone else's) growing
>>>>>>>>> frustration.
>>>>>>>>>
>>>>>>>>> The senator is a cosponsor of the proposed Data
>>>>>>>>> Breach Prevention and Compensation Act,
>>>>>>>>> https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>>>>>>>> which, if passed, would impose computer security
>>>>>>>>> regulations on credit reporting agencies, with
>>>>>>>>> mandatory fines that would have led to Equifax
>>>>>>>>> coughing up $1.5bn for its IT blunder.
>>>>>>>>>
>>>>>>>>> Some regulation or punishment is obviously needed.
>>>>>>>>>
>>>>>>>>> No senior Equifax executives were fired over the
>>>>>>>>> attack; instead the CEO, CSO and CIO were all
>>>>>>>>> allowed to retire with multi-million dollar golden
>>>>>>>>> parachutes. The US government's Consumer Financial
>>>>>>>>> Protection Bureau promised a full investigation
>>>>>>>>> into the Equifax affair, and then gave up. On
>>>>>>>>> February 7, an open letter [PDF]
>>>>>>>>> https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>>>>>>>> from 32 senators to the bureau asked why the probe
>>>>>>>>> was dropped, and the gang has yet to receive a
>>>>>>>>> response. ®
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> John Bambenek
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Nanghaka Daniel K.
>>>>>>>> Executive Director - ILICIT Africa / Chair - FOSSFA /
>>>>>>>> Community Lead - ISOC Uganda Chapter / Geo4Africa Lead
>>>>>>>> / Organising Team - FOSS4G2018
>>>>>>>> Mobile +256 772 898298 (Uganda)
>>>>>>>> Skype: daniel.nanghaka
>>>>>>>>
>>>>>>>> "Working for Africa"
>>>>>>>>
>>>>>>>
>>>>>
>>>