From britta at projectliberty.org Wed Dec 5 09:23:46 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 5 Dec 2007 09:23:46 -0800
Subject: [SIG-IDtheft] Websites sell Britons' bank details
In-Reply-To:
References:
Message-ID:

An interesting article and subsequent thread from conversations about this with Robin, our resident expert. Nick--thoughts from you, too (I know you're out there!).

From: Robin Wilton [mailto:Robin.Wilton at Sun.COM]
Sent: Mon 12/3/2007 10:43 AM
To: Russ DeVeau
Cc: Glade, Britta
Subject: Re: Websites sell Britons' bank details

I had a look at the Times article and the Register website... I think both of them hit some of the interesting points and miss others.

I'd been shown, some weeks ago, that if you search the web for sites who will sell you ID/payment data, that there are some which will offer you a 'valid but basic' Visa card, say, for free. "Here, take it," they say - "try it out on a few ecommerce merchants, and when you find it's good stuff, come back and let's talk business".

That appears to be basically what's going on here, and I assume that it is not all that new - maybe newer on the web, but I bet in the face-to-face black market for bulk ID data this is probably not unusual.

The Register's <http://www.theregister.co.uk/2007/12/03/id_trading/> article notes (correctly, I think) that most of the investigations into this will quickly lead off-shore... but doesn't spell out the most likely consequences of that, namely that as soon as it does, the UK police are likely to suffer a very abrupt attack of "Someone Else's Problem" syndrome and go back to their day job.

This is as Jeffrey Robinson and others have been saying for some time - ID theft and payment fraud are very globalised industries, and a country-by-country law enforcement approach will have absolutely no effect.

Depressing, isn't it?

R

http://www.guardian.co.uk/uklatest/story/0,,-7122893,00.html

Press Association
Monday December 3, 2007 2:08 PM

The information watchdog is considering whether to launch an investigation after it emerged that thousands of Britons' bank details are for sale on the internet.

There are more than 100 websites offering to sell UK bank details, including account numbers, Pins and security codes, the Times newspaper revealed.

The newspaper was able to download banking information belonging to 32 people, including a High Court deputy judge, for free.

It said one fraudster was offering to sell 30,000 British credit card numbers for £1 each.

The details are unlikely to be enough to enable criminals to access people's bank accounts but they could help them to commit identity theft and apply for credit or benefits in their name, while they may also be able to use the credit card details to spend money online.

The Information Commissioner is currently examining the evidence that has been given to him by the Times, before deciding whether to launch a formal investigation.

A spokesman for Information Commissioner Richard Thomas said the data on offer appeared to be for accounts that were currently active.

He said: "From what I have seen the information would be enough for someone to go online and spend money, but at this stage there is no way of knowing which cards are on there.

"Clearly it's a matter of concern if people's personal banking details, which should remain private, are on a public website."

He said the initial focus would be on what security breach, if any, had taken place to allow the information to get into the public domain.

He added that if the data was acquired fraudulently, or by theft, the matter would be passed to the police as a criminal inquiry.

The news comes a day before Mr Thomas is due to address the House of Commons Justice Committee over the powers that he needs to prevent breaches of data protection.

Copyright (c) Press Association Ltd. 2007, All Rights Reserved.

--
Britta Glade
Liberty Alliance
925-254-4233

From mbarrett at paypal.com Wed Dec 5 11:44:47 2007
From: mbarrett at paypal.com (Barrett, Michael)
Date: Wed, 5 Dec 2007 11:44:47 -0800
Subject: [SIG-IDtheft] Websites sell Britons' bank details
Message-ID: <331233B9095E4B4397BCC86FB691DFDD01767595@SJN-EXM-01.corp.ebay.com>

Here's my personal view on this issue - that there are only two possible long-term solutions to e-crime:

1) Harmonization of global e-crime regulation. That would lead, perhaps, to cases being transferred seamlessly from the jurisdiction in which the crime (against the victim) occurred to the jurisdiction where the criminal(s) is physically located. There's a related assumption here, which is that there's adequate funding for e-crime enforcement - today, that's also not true.

2) Development of a true international e-crime police force. (Unfortunately, the term "Interpol" has already been used!). In that vision, there isn't "someone else's problem".

The difficulty is that making either of these happen is a political problem of extremely large proportions, and it could easily take years. The problem is that e-crime will continue to get worse until such time as these framework issues are recognized and addressed by governments globally.

Thx - Michael

From koneil at cyva.com Wed Dec 5 13:52:50 2007
From: koneil at cyva.com (Kevin O'Neil)
Date: Wed, 5 Dec 2007 13:52:50 -0800
Subject: [SIG-IDtheft] Websites sell Britons' bank details
In-Reply-To: <331233B9095E4B4397BCC86FB691DFDD01767595@SJN-EXM-01.corp.ebay.com>
References: <331233B9095E4B4397BCC86FB691DFDD01767595@SJN-EXM-01.corp.ebay.com>
Message-ID: <002a01c83789$2f8e47c0$4201a8c0@CYVA03>

I like the idea of international bounty hunters...with a global license to seek and destroy (well detain and extradite if feasible)

Kevin O'Neil
CYVA Research Corporation
3525 Del Mar Heights Rd., Ste. #327
San Diego, CA 92130
858 793 8100 (direct)
koneil at cyva.com
www.cyva.com

From britta at projectliberty.org Wed Dec 19 09:14:44 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 19 Dec 2007 09:14:44 -0800
Subject: [SIG-IDtheft] Google Toolbar Flaw: IDTheft Risks (eWeek article)
Message-ID:

List serve has been quiet of late. Just saw this story and thought it might be of interest to folks here:

http://www.eweek.com/article2/0,1895,2236655,00.asp

Unpatched Google Toolbar Flaw Presents ID Theft Risk
By Ryan Naraine
December 18, 2007

*A hacker finds a way to use a booby-trapped Web page to trick Google Toolbar users into adding malicious buttons to the browser.*

A dialog spoofing vulnerability in the popular Google Toolbar could be exploited by malicious hackers to execute malicious files or launch identity theft attacks, according to a warning from security researcher Aviv Raff.

Raff, a well-known hacker who regularly finds and reports software vulnerabilities, figured out a way to use a booby-trapped Web page to trick Google Toolbar users into adding malicious buttons to the toolbar.

In an IM interview with eWEEK, Raff said multiple versions of the toolbar allow spoofed information to be presented to the user when adding a new browser toolbar icon/button.

"This can allow an attacker to convince the users that his button comes from a trusted domain. This button can then be used to download malicious files or conduct phishing attacks," Raff said in an advisory.

eWEEK has confirmed the bug on the Google Toolbar 5 beta for Internet Explorer. Raff said the production version (Google Toolbar 4) for both Microsoft's Internet Explorer and the open-source Firefox browsers is also affected.

Google has been notified and is working on a fix, Raff said.

"An attacker can use this vulnerability to gain the victim's trust to add and use the button, and by that the victim will trust the files that the button offer, or enter private information. In the new beta version of the toolbar, it is also possible to alert the user every few seconds to click on the button," Raff said.

The researcher has released a proof-of-concept exploit to demonstrate how a specially rigged Web page can trick a user into believing third-party toolbar buttons are being downloaded from Google's domain.

In the absence of a fix, Raff suggested that Google Toolbar users avoid adding new buttons.

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Wed Dec 26 08:36:43 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 26 Dec 2007 08:36:43 -0800
Subject: [SIG-IDtheft] Interesting EOY wrap up story from SearchSecurity.com
Message-ID:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1287543,00.html

*For data minders, 2007 was a year of living dangerously*
By Bill Brenner, Senior News Writer
26 Dec 2007 | SearchSecurity.com

It used to be that industry experts would talk about ways for companies to prevent a data security breach. But by the end of 2007, with the Privacy Rights Clearinghouse tally of exposed records blowing past 217 million, most were instead talking about how to survive one.

*Events point clearly to the fact that no company is immune to the threat of data breach.*
Larry Ponemon, founder and chairman, Ponemon Institute

Indeed, data breaches have become such a common occurrence that some believe it's futile to even entertain the notion that a company could achieve 100% protection.

A lot of the pessimism has centered around the massive breach retail giant TJX first disclosed in January. The TJX story continued to unravel throughout the year, exposing weaknesses in the company's wireless security, its failure to meet the basic requirements of the Payment Card Industry Data Security Standard (PCI DSS), and what many saw as a shaky PR response on the company's part.

The biggest lesson of the breaches at TJX and elsewhere is that no company is immune from the threat and businesses need to develop better response plans.

"One of the big missing pieces is the plan for external communications in the event of a data breach," Jim Maloney, former global head of information security at Amazon.com and current CEO of Cyber Risk Strategies, said during one panel discussion on the topic in Boston last fall. "When a data breach happens, you don't want to be scrambling and trying to decide who to talk to and how to restore confidence. You can't just try to wing it."

*Data breach news of '07:*

Data security breach at Pfizer affects thousands: A Pfizer employee removed files exposing 34,000 people to potential identity fraud, according to the company. It was the third data breach at the company in three months.

Gap security breach exposes data on 800,000: The latest retailer to suffer a security breach is Gap Inc., which blames the exposure of data on 800,000 job applicants on a third-party vendor that manages the information.

Did TJX take the right steps after data breach? Security experts are mixed on whether TJX acted properly following a massive data breach last month. One expert says potential victims should have been notified sooner.

New database forensics tool could aid data breach cases: Database security researcher, David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, he says could aid data breach investigations.

Banks agree to settle lawsuits against TJX: Several banking associations have agreed to settle lawsuits connected to the TJX data breach. Specific details of the deal are being kept under wraps.

When TJX first disclosed its data breach in January, the retailer came under heavy criticism for what many considered a sloppy response. The company didn't disclose the breach until a month after it was first discovered, and few accepted its explanation that investigators recommended the period of silence.

TJX also seemed to have trouble getting an accurate assessment of the damage. For example, the company initially said that attackers had access to its network between May 2006 and January 2007. Later it admitted that thieves were inside the network several other times, beginning in July 2005. Then came word that the stolen data covered transactions dating all the way back to December 2002.

One of the first considerations for a company that may have had a data breach is when and if to disclose the incident. Of course, doing so is the law in many states. But at the CSI 2007 security conference in Arlington, Va. the first week of November, experts urged companies not to move too quickly, since a poorly-executed notification can make matters worse.

In a nutshell, Burton Group analyst Eric Maiwald said, the best bet for any IT shop is to store as little data as possible, examine the risk of what the company does need to store; install and use the necessary controls; and "put plans in place so that you know what to do when you have a breach."

Larry Ponemon, founder and chairman of the Ponemon Institute, said each security breach is different but that it all amounts to the loss of confidence and trust, which in turn means a loss of money. Asked about the common failure among data breach victims, he described the "it can't happen here" mentality.

"The attitude is epidemic, but events point clearly to the fact that no company is immune to the threat of data breach," he said. "Failure to take sufficient preventative measures is widespread, and ? following a data breach, most companies will invest in the very preventative technologies and programs that might have helped avoid the incident in the first place."

While industry experts agree companies need to start assuming they will someday suffer a breach and must have a plan in place to soften the blow, they note that it's still possible to prevent a breach with some common-sense technological measures.

The best example reflects the growing trend of laptops getting stolen or lost. If companies automatically used full-disk encryption on the devices, the loss of one would become a much smaller issue.

"If you allow sensitive information to be stored on mobile computers of any type, encryption is a good idea because it can get you out of having to disclose that the computer was stolen," Maiwald said.

--
Britta Glade
Liberty Alliance
925-254-4233

From bob at bobpinheiro.com Wed Dec 26 09:31:39 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Wed, 26 Dec 2007 12:31:39 -0500
Subject: [SIG-IDtheft] Next ID Theft SIG Call Wednesday, January 9
Message-ID: <0JTO00BF13KLXEJ3@vms046.mailsrvcs.net>

We will have our next ID Theft SIG call on Wednesday, January 9, at 9:30 AM PT / 12:30 PM ET / 17:30 UTC. Please note that calls will now be held on Wednesdays, to accommodate more people. Also note the new call-in numbers below, as well as the link for new international call-in numbers.

Agenda will be to discuss possible SIG activities in 2008. Possible activities include:

* Identity Assurance and Authentication: The Liberty Identity Assurance Framework has the goal of fostering the adoption of "identity assurance" services that could enable large-scale authentication networks. Such networks, if they support consumer authentication applications, could potentially help prevent identity theft by providing a way to authenticate the identity claims of individuals who seek to obtain identity-related services from service providers with whom they have no prior relationship. Can the SIG help to ensure that the Liberty IAF supports consumer authentication applications at appropriate assurance levels? (The Liberty Identity Assurance Framework v1.0 can be found here.) One tie-in might be the newly formed Identity Assurance SIG, which will hold its first meeting in Washington DC on January 30. Might there be opportunities for collaboration?

* Privacy and Management of Personal Information: Some of the work that Liberty has done related to privacy can be found here. Is there anything the ID Theft SIG can/should do to support existing or new Liberty initiatives related to privacy of personal information?

* Public Policy Expert Group: It's been suggested that the ID Theft SIG could collaborate with PPEG on some activities of joint interest. What are some of those activities?

* Short Position Papers: It's been suggested that the SIG might pull together several very short position papers on relevant topics. Proposed topics include: out-of-band authentication and its implications for the Liberty technical framework; and "watermarking" of personal data.

* Liberty Plenary Meeting in March: Should the ID Theft SIG plan some activity for this meeting?

* Others?

Although these are all potentially useful and interesting activities, the reality is that many on the SIG mailing list may have neither the time nor inclination to participate in these activities. The ability of the SIG to contribute to these or other activities really depends on whether interested people are willing to become involved. So if any of these topics, or others that may be related to identity theft, are of interest to you, please consider joining the SIG calls.

Wednesday, January 9, 2008
9:30 AM PT / 12:30 PM ET / 17:30 UTC
US toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939

From britta at projectliberty.org Thu Dec 27 08:29:30 2007
From: britta at projectliberty.org (Britta Glade)
Date: Thu, 27 Dec 2007 08:29:30 -0800
Subject: [SIG-IDtheft] LA Daily News Breach article
Message-ID:

Appears no one is immune....though this appears to be old (Oct) and is just now getting out, so doubt people were notified properly of the breach.

http://www.dailynews.com/news/ci_7816784

*Porn industry frets over security breach*
By Lisa Friedman, Washington Bureau
Article Last Updated: 12/27/2007 12:05:13 AM PST

WASHINGTON - A New Jersey company that helps run thousands of pornography Web sites acknowledged a major security breach Wednesday, sparking widespread concern in the adult-entertainment industry that consumers' personal data could be endangered.

According to industry chat boards that have been buzzing about the problem, the violation so far appears to be limited to e-mail addresses, with an avalanche of spam e-mail hitting Web site customers' inboxes - including unique addresses created for joining specific porn sites.

John Albright, owner of the Too Much Media Corp., said in a statement Wednesday that no credit-card information was affected by the October incident. Officials with both Visa and MasterCard said they were unaware Wednesday of any problems in connection with the company.

"An investigation is under way as to the cause and level of the security breach," Albright said in the statement. "TMM intends to prosecute to the fullest extent possible anyone responsible for any breach of its servers and programs."

But many in the adult industry - based heavily in the San Fernando Valley - said the breach could unravel hard-fought attempts to change the longtime perception that the industry is shady.

"The adult industry has worked for a long time to become an industry that can be trusted with personal information," said Kathee Brewer, former editor of AVN Online, the trade journal of the digital adult-entertainment industry.

When customer information is leaked - even if it is only e-mail addresses - Brewer said, "consumers begin to back away because they don't trust the industry anymore. All it takes is one issue like this."

Phone calls and e-mails to Albright to discuss details of the breach were not returned this week. It remains unclear how much information may have been accessed and how the incident began.

But industry insiders and companies that use Too Much Media Corp. software said they have been aware since October that some customer lists belonging to porn-site networks had been stolen. They estimated that the number of victims could be in the hundreds of thousands.

"You can imagine the backlash," said Ilan Michan, owner of Woodland Hills-based OC-3 Networks, a Web-hosting company that Michan said handles about 40 percent of all adult-entertainment Web sites and first discovered the problem in October.

Michan said employees during a monthly security check noticed that the same IP address was repeatedly trying to access his software. Michan said the company determined that someone had accessed the user name and password assigned to the Too Much Media software.

That program - known as NATS for Next-Generation Administration and Tracking Software - is primarily used by Internet porn-site networks to track activity on the hundreds of thousands of advertisers that send traffic to their Web pages. Advertisers, known as affiliates, also use the software to check their own sales and traffic.

About 500 affiliate networks - approximately one-third of the industry - use the software.

In his statement Wednesday, Albright did not address what steps the company took to inform people of the breach and possible loss of personal information, as it is required to do under New Jersey law.

"It's a big deal for them. A lot of people went with this software because it's supposed to be safe and secure. It makes the industry look bad," said Christian Amico, director of operations with Atlas Multimedia Inc., a San Fernando Valley firm that builds adult-entertainment Web sites.

While there have been no reports of identity theft, many said the fact that names, e-mail addresses and the types of fetishes people enjoy might be floating around the Internet is worrisome.

"Consumer confidence is shot because of this," said Jason Tucker, president of San Fernando Valley-based Falcon Foto, which he described as the "world's largest erotic library."

"The industry has worked so hard in the last five years alone to make people understand that this is a real business and we operate like a real business," Tucker said. "When something like this happens, consumer confidence in the adult business drops and we're all going to suffer because of it."

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Sun Dec 30 11:22:17 2007
From: britta at projectliberty.org (Britta Glade)
Date: Sun, 30 Dec 2007 11:22:17 -0800
Subject: [SIG-IDtheft] Article on California's Chief Privacy Officer
Message-ID:

Since much of California law and approach seems to permeate internationally, thought some of you might be interested in a story in today's SF Chronicle on Joanne McNabb.

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/12/30/BU0EU2U1K.DTL&hw=privacy&sn=001&sc=1000

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Sun Dec 30 11:25:28 2007
From: britta at projectliberty.org (Britta Glade)
Date: Sun, 30 Dec 2007 11:25:28 -0800
Subject: [SIG-IDtheft] And while I'm at it....an article on Google's Privacy Counsel
Message-ID:

SF Chronicle is full of privacy articles today. Here's one on Peter Fleischer, Google's global privacy counsel:

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/12/30/BUVCU07VA.DTL&hw=privacy&sn=002&sc=883

--
Britta Glade
Liberty Alliance
925-254-4233