[gnso-rds-pdp-wg] Fwd: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc

John Horton john.horton at legitscript.com
Tue Feb 13 21:49:17 UTC 2018


Theo, as to your earlier question re: ccTLDs -- all I can offer is my own
experience and analysis (but we've got a lot of data, so here goes). There
is quite a bit of abuse there as well, but to the extent it's less or more
than .COM or other gTLDs, it's often a result of some policy directly
related to Whois.

   - .US, with a nexus requirement and no privacy/proxy (historically, at
   least, can't remember if that went away) was easier from our perspective to
   address abuse on. In my world, if you want to sell Vicodin without a
   prescription online and can't hide behind p/p, have to have a US nexus and
   know that there's a Whois validity requirement...you aren't going to use
   .US. :) Those that did were pretty easy to address -- you didn't even
   necessarily have to address content, but could just show that the Whois was
   inaccurate in many cases.
   - Unless there's a lot of pre-validation of meeting a nexus requirement,
   there's more abuse we see where a ccTLD has unavailable Whois. Who knows if
   they are really meeting the nexus requirement or not! So yeah, there's
   abuse in ccTLDs, some more than others, largely depending on Whois policy
   and nexus requirements, in my view.

I agree with Tim's larger point. You simply can't, in my view, have
accountability and prevent certain types of abuse without transparency as
to the right to operate the domain name, which (due to the nature of abuse
and crime being mostly money-motivated) chiefly plays out with registrants
acting as legal, not natural persons. Hence, the need for the registrar
community, in my view, to consider a bifurcated solution. You make a
totally credible argument as to the obvious need to comply with the GDPR.
Many of us simply object to the notion that this is supposed to become the
new global standard.

Why not just add a question to the registration form as to whether the
registrant is in the EU or is an EU citizen, and whether they are a legal or
natural person (or plan to use the domain name for commercial purposes)? If
they are in the EU or a citizen, and are natural persons not using the
domain name commercially, give them free privacy/proxy, and keep Whois the
same for anyone for whom the answers to the above aren't "TRUE". I know
that's inconvenient for registrars to update their forms, but that's not a
good reason not to implement that solution. (What's convenient about the
GDPR in the first place?) And let me be clear -- I want to make sure
registrars are protected from liability here, but it's not a credible
argument to say that the only way to protect you from liability is a
blanket global solution.

John Horton
President and CEO, LegitScript


*Follow LegitScript*: LinkedIn
<http://www.linkedin.com/company/legitscript-com>  |  Facebook
<https://www.facebook.com/LegitScript>  |  Twitter
<https://twitter.com/legitscript>  |  *Blog <http://blog.legitscript.com/>*
  |  Newsletter <http://go.legitscript.com/Subscription-Management.html>




On Tue, Feb 13, 2018 at 1:14 PM, theo geurts <gtheo at xs4all.nl> wrote:

> I am off target?
> I think I am very on target since the very start of this WG trying to
> bridge data protection and fighting abuse.
>
> Theo
> On 13-2-2018 21:56, Chen, Tim wrote:
>
> Theo - this comment is off target on many levels and takes us well outside
> of Whois.    The #1 abuse-driving issue is cheap domains, due to pricing
> schemes and business models of registrars and registries.  Bad actors
> target COM bc it's popular and well-known.  Lots of tools we need to fight
> abuse, Whois is but one.  But a powerful one.
>
> On Tue, Feb 13, 2018 at 9:56 AM, Theo Geurts <gtheo at xs4all.nl> wrote:
>
>> John,
>>
>> I think some of us are still mystified that there are no "huge" issues in
>> 147 million ccTLDs while there seem to be "huge" issues with 181 million
>> gTLDs, 25% of them using privacy proxy services.
>>
>> Personally I am more mystified why we keep on relying on WHOIS to combat
>> such issues while the abuse rate goes up in the gTLD space each year.
>> Perhaps it is time to come up with something better? It looks like we would
>> rather patch up the boat sinking deeper down each year, as opposed to
>> creating a new seaworthy vessel.
>>
>> Theo
>>
>>
>>
>> On 13-2-2018 18:43, John Horton via gnso-rds-pdp-wg wrote:
>>
>> I am mystified as to why some people in this group don't recognize that
>> while (that's US for "whilst," for my European friends!) legitimate
>> business may do that -- and indeed, may be required to in Ireland and Japan
>> and a few other countries -- a) there is no requirement in other locations to
>> do so, and b) the bad actors either don't publish it or put falsified
>> information on their website...but the Whois record, whether accurate or
>> falsified (and sometimes even with privacy protection) is helpful in
>> anti-money laundering, consumer protection, certification, anti-abuse and
>> trust and safety. Let's all acknowledge that we live in a world where there
>> are many, many legitimate e-commerce businesses but many illicit ones as
>> well! Our solutions have to accommodate all of the above.
>>
>> John Horton
>> President and CEO, LegitScript
>>
>>
>> *Follow LegitScript*: LinkedIn
>> <http://www.linkedin.com/company/legitscript-com>  |  Facebook
>> <https://www.facebook.com/LegitScript>  |  Twitter
>> <https://twitter.com/legitscript>  |  *Blog
>> <http://blog.legitscript.com/>*  |  Newsletter
>> <http://go.legitscript.com/Subscription-Management.html>
>>
>>
>>
>>
>> On Tue, Feb 13, 2018 at 9:33 AM, Volker Greimann <
>> vgreimann at key-systems.net> wrote:
>>
>>> John, if businesses want to publish their information, they should do it
>>> on their website, as they are legally required to (at least over here). No
>>> need for whois for that. So that purpose is out the window already.
>>>
>>> Volker
>>>
>>> Am 13.02.2018 um 18:07 schrieb John Bambenek via gnso-rds-pdp-wg:
>>>
>>> No it doesn't, because there are large incentives for institutions and
>>> individuals to continue to publish information. Businesses, for instance,
>>> WANT to be contacted. If you want mail delivered, certain best practices
>>> are imposed.
>>>
>>> If consent is not the solution, YOU are deciding what the rest of the
>>> world can and cannot do with their data. Who exactly made ICANN the arbiter
>>> of what I can do with my data?
>>>
>>> On 2/13/2018 11:04 AM, Volker Greimann wrote:
>>>
>>> I am not sure you want that, because that means completely dark whois.
>>>
>>> I'd prefer an approach where we do not need to rely on consent (but can
>>> still offer it as an option). The hard bit is finding the right principles
>>> of who gets access to what and how even when there is no consent.
>>>
>>> Consent is not the solution.
>>>
>>> Am 13.02.2018 um 18:00 schrieb John Bambenek via gnso-rds-pdp-wg:
>>>
>>> Ok, so you agree with me in principle and we're just haggling over the
>>> details now. Flip a coin for all I care, opt-in/opt-out, and move forward.
>>>
>>> So let's do that. When can we implement?
>>>
>>> On 2/13/2018 10:58 AM, Volker Greimann wrote:
>>>
>>> You are still looking at the wrong end of the horse. Privacy is not the
>>> choice, it is the default. Divulging data is the choice.
>>>
>>> Am 13.02.2018 um 17:57 schrieb John Bambenek via gnso-rds-pdp-wg:
>>>
>>> Exactly right. As far as I'm concerned if we made privacy a free choice,
>>> make the fields optional for all I care, and whatever they do make is
>>> public... we have solved this problem.
>>>
>>> People who ACTUALLY protect society against privacy threats have the
>>> data to do their jobs, consumers who want privacy have a free option for
>>> it, and registrars can be in compliance with the law.
>>>
>>> On 2/13/2018 10:54 AM, DANIEL NANGHAKA wrote:
>>>
>>> This is just an example, but there is a lot of damage that can be caused
>>> with data being exposed. In our case we have phone numbers, addresses and
>>> emails, which are required for verification.
>>>
>>> This takes us to issue of consent.
>>>
>>> On Tuesday, February 13, 2018, John Bambenek via gnso-rds-pdp-wg <
>>> gnso-rds-pdp-wg at icann.org> wrote:
>>>
>>>> Let's be honest here, we're talking about phone numbers and email
>>>> addresses. The threat model is RADICALLY different with the data we are
>>>> talking about.
>>>>
>>>> On 2/13/2018 10:45 AM, Stephanie Perrin wrote:
>>>>
>>>> Undeterred by the fact that no one has responded to my last post, I
>>>> offer the following update to the Equifax breach to further illustrate my
>>>> point. As many companies have found out, you don't find out what you've
>>>> got till it's gone... a further reason for data minimization and short
>>>> retention periods.
>>>>
>>>> http://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
>>>>
>>>>
>>>> *Equifax hack worse than previously thought: Biz kissed goodbye to card
>>>> expiry dates, tax IDs etc*
>>>> Pwned credit-score biz quietly admits more info lost
>>>> By Iain Thomson in San Francisco 13 Feb 2018 at 02:13
>>>>
>>>> Last year, Equifax admitted
>>>> https://www.theregister.co.uk/2017/09/07/143m_american_equifax_customers_exposed/
>>>> hackers stole sensitive personal records on 145 million Americans and
>>>> hundreds of thousands in the UK
>>>> https://www.theregister.co.uk/2017/10/10/equifax_uk_records_update/
>>>> and Canada.
>>>>
>>>> The outfit already said cyber-crooks "primarily" took names, social
>>>> security numbers, birth dates, home addresses, credit-score dispute forms,
>>>> and, in some instances, credit card numbers and driver license numbers. Now
>>>> the credit-checking giant reckons the intruders snatched even more
>>>> information from its databases.
>>>>
>>>> According to documents provided by Equifax to the US Senate Banking
>>>> Committee,
>>>> and *revealed this month by Senator Elizabeth Warren (D-MA)*,
>>>> https://apnews.com/2a51e3e5f9a945978df4ad96246b8ecc
>>>> the attackers also grabbed taxpayer identification numbers, phone
>>>> numbers, email addresses, and credit card expiry dates belonging to some
>>>> Equifax customers.
>>>>
>>>> Like social security numbers, taxpayer ID numbers are useful for
>>>> fraudsters seeking to steal people's identities or their tax rebates, and
>>>> the expiry dates are similarly useful for online crooks when linked with
>>>> credit card numbers and other personal information.
>>>>
>>>>
>>>> *Contradictory*
>>>>
>>>> "As your company continues to issue incomplete, confusing and
>>>> contradictory statements and hide information from Congress and the public,
>>>> it is clear that five months after the breach was publicly announced,
>>>> Equifax has yet to answer this simple question in full: what was the
>>>> precise extent of the breach?" Warren fumed in a missive late last week.
>>>> https://www.warren.senate.gov/?p=press_release&id=2317
>>>>
>>>> Equifax spokeswoman Meredith Griffanti stressed to The Register today
>>>> that the extra information snatched by hackers, as revealed by Senator
>>>> Warren, belonged to "some" Equifax customers. In other words, not everyone
>>>> had their phone numbers, email addresses, and so on, slurped by crooks,
>>>> just some. How much is some? Equifax isn't saying, hence Warren's (and
>>>> everyone else's) growing frustration.
>>>>
>>>> The senator is a cosponsor of the *proposed Data Breach Prevention and
>>>> Compensation Act*
>>>> https://www.theregister.co.uk/2018/01/10/credit_reporting_agencies_fines/
>>>> which, if passed, would impose computer security regulations on credit
>>>> reporting agencies, with mandatory fines that would have led to Equifax
>>>> coughing up $1.5bn for its IT blunder.
>>>>
>>>> Some regulation or punishment is obviously needed.
>>>>
>>>> No senior Equifax executives were fired over the attack; instead the
>>>> CEO, CSO and CIO were all allowed to retire with multi-million dollar
>>>> golden parachutes. The US government's Consumer Financial Protection Bureau
>>>> promised a full investigation into the Equifax affair, and then gave up. On
>>>> February 7, an open letter [PDF]
>>>> https://www.schatz.senate.gov/imo/media/doc/CFPB%20Equifax%20Letter%202-7-18.pdf
>>>> from 32 senators to the bureau asked why the probe was dropped, and the
>>>> gang has yet to receive a response. ®
>>>>
>>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>
>>>>
>>>> --
>>>>
>>>> John Bambenek
>>>>
>>>>
>>>
>>> --
>>>
>>> Regards
>>> Nanghaka Daniel K.
>>> Executive Director - ILICIT Africa / Chair - FOSSFA / Community Lead -
>>> ISOC Uganda Chapter / Geo4Africa Lead / Organising Team - FOSS4G2018
>>> Mobile +256 772 898298 <+256%20772%20898298> (Uganda)
>>> Skype: daniel.nanghaka
>>>
>>> ----------------------------------------- *"Working for Africa" *
>>> -----------------------------------------
>>>
>>
>>
>>
>
>
>